kds

package

v0.8.0 Latest Latest Go to latest Published: Sep 11, 2023 License: Apache-2.0 Imports: 12 Imported by: 7

Documentation ¶

Overview ¶

Package kds defines values specified for the AMD Key Distribution Service.

Index ¶

Variables
func CrlLinkByKey(product string, key abi.ReportSigner) string
func CrlLinkByRole(product, role string) string
func ParseProductCertChain(pems []byte) ([]byte, []byte, error)
func ParseProductName(productName string, key abi.ReportSigner) (*pb.SevProduct, error)
func ProductCertChainURL(s abi.ReportSigner, product string) string
func ProductName(product *pb.SevProduct) string
func ProductString(product *pb.SevProduct) string
func TCBPartsLE(tcb0, tcb1 TCBParts) bool
func VCEKCertURL(product string, hwid []byte, tcb TCBVersion) string
func VLEKCertURL(product string, tcb TCBVersion) string
type CertFunction
- func ParseProductCertChainURL(kdsurl string) (string, CertFunction, error)
type Extensions
- func CertificateExtensions(cert *x509.Certificate, key abi.ReportSigner) (*Extensions, error)
- func VcekCertificateExtensions(cert *x509.Certificate) (*Extensions, error)
- func VlekCertificateExtensions(cert *x509.Certificate) (*Extensions, error)
type TCBParts
- func DecomposeTCBVersion(tcb TCBVersion) TCBParts
type TCBVersion
- func ComposeTCBParts(parts TCBParts) (TCBVersion, error)
type VCEKCert
- func ParseVCEKCertURL(kdsurl string) (VCEKCert, error)
type VLEKCert
- func ParseVLEKCertURL(kdsurl string) (VLEKCert, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// OidStructVersion is the x509v3 extension for V[CL]EK certificate struct version.
	OidStructVersion = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 1})
	// OidProductName1 is the x509v3 extension for V[CL]EK certificate product name.
	OidProductName1 = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 2})
	// OidBlSpl is the x509v3 extension for V[CL]EK certificate bootloader security patch level.
	OidBlSpl = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 1})
	// OidTeeSpl is the x509v3 extension for V[CL]EK certificate TEE security patch level.
	OidTeeSpl = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 2})
	// OidSnpSpl is the x509v3 extension for V[CL]EK certificate SNP security patch level.
	OidSnpSpl = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 3})
	// OidSpl4 is the x509v3 extension for V[CL]EK certificate reserved security patch level.
	OidSpl4 = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 4})
	// OidSpl5 is the x509v3 extension for V[CL]EK certificate reserved security patch level.
	OidSpl5 = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 5})
	// OidSpl6 is the x509v3 extension for V[CL]EK certificate reserved security patch level.
	OidSpl6 = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 6})
	// OidSpl7 is the x509v3 extension for V[CL]EK certificate reserved security patch level.
	OidSpl7 = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 7})
	// OidUcodeSpl is the x509v3 extension for V[CL]EK microcode security patch level.
	OidUcodeSpl = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 3, 8})
	// OidHwid is the x509v3 extension for VCEK certificate associated hardware identifier.
	OidHwid = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 4})
	// OidCspID is the x509v3 extension for a VLEK certificate's Cloud Service Provider's
	// origin TLS key's certificate's subject key's CommonName.
	OidCspID = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 3704, 1, 5})
)

Functions ¶

func CrlLinkByKey ¶ added in v0.8.0

func CrlLinkByKey(product string, key abi.ReportSigner) string

CrlLinkByKey returns the CRL distribution point for the given key type's product. If key is VlekReportSigner, then we use the vlek endpoint. The ASK and ARK are both on the vcek endpoint.

func CrlLinkByRole ¶ added in v0.8.0

func CrlLinkByRole(product, role string) string

CrlLinkByRole returns the CRL distribution point for the given key role's product. If role is "ASVK", then we use the vlek endpoint. The ASK and ARK are both on the vcek endpoint.

func ParseProductCertChain ¶

func ParseProductCertChain(pems []byte) ([]byte, []byte, error)

ParseProductCertChain returns the DER-formatted certificates represented by the body of the ProductCertChain (cert_chain) endpoint, ASK and ARK in that order.

func ParseProductName ¶ added in v0.7.1

func ParseProductName(productName string, key abi.ReportSigner) (*pb.SevProduct, error)

ParseProductName returns the KDS project input value, and the model, stepping numbers represented by a given V[CL]EK productName extension value, or an error.

func ProductCertChainURL ¶

func ProductCertChainURL(s abi.ReportSigner, product string) string

ProductCertChainURL returns the AMD KDS URL for retrieving the ARK and AS(V)K certificates on the given product in ??? format.

func ProductName ¶ added in v0.7.1

func ProductName(product *pb.SevProduct) string

ProductName returns the expected productName extension value for the product associated with an attestation report proto.

func ProductString ¶ added in v0.7.1

func ProductString(product *pb.SevProduct) string

ProductString returns the KDS product argument to use for the product associated with an attestation report proto.

func TCBPartsLE ¶ added in v0.6.2

func TCBPartsLE(tcb0, tcb1 TCBParts) bool

TCBPartsLE returns true iff all TCB components of tcb0 are <= the corresponding tcb1 components.

func VCEKCertURL ¶

func VCEKCertURL(product string, hwid []byte, tcb TCBVersion) string

VCEKCertURL returns the AMD KDS URL for retrieving the VCEK on a given product at a given TCB version. The hwid is the CHIP_ID field in an attestation report.

func VLEKCertURL ¶ added in v0.8.0

func VLEKCertURL(product string, tcb TCBVersion) string

VLEKCertURL returns the GET URL for retrieving a VLEK certificate, but without the necessary CSP secret in the HTTP headers that makes the request validate to the KDS.

Types ¶

type CertFunction ¶ added in v0.8.0

type CertFunction int

CertFunction is an enumeration of which endorsement key type is getting certified.

const (
	// UnknownCertFunction represents an unknown endpoint for parsing KDS URLs.
	UnknownCertFunction CertFunction = iota
	// VcekCertFunction represents the vcek endpoints for parsing KDS URLs.
	VcekCertFunction
	// VlekCertFunction represents the vlek endpoints for parsing KDS URLs.
	VlekCertFunction
)

func ParseProductCertChainURL ¶ added in v0.4.0

func ParseProductCertChainURL(kdsurl string) (string, CertFunction, error)

ParseProductCertChainURL returns the product name and either "vcek" or "vlek" for a KDS cert_chain url, or an error if the input is not a KDS cert_chain url.

type Extensions ¶ added in v0.8.0

type Extensions struct {
	StructVersion uint8
	ProductName   string
	// The host driver knows the difference between primary and secondary HWID.
	// Primary vs secondary is irrelevant to verification. Must be nil or
	// abi.ChipIDSize long.
	HWID       []byte
	TCBVersion TCBVersion
	CspID      string
}

Extensions represents the information stored in the KDS-specified x509 extensions of a V{C,L}EK certificate.

func CertificateExtensions ¶ added in v0.8.0

func CertificateExtensions(cert *x509.Certificate, key abi.ReportSigner) (*Extensions, error)

CertificateExtensions returns the x509v3 extensions from the KDS specification interpreted into a struct type.

func VcekCertificateExtensions ¶

func VcekCertificateExtensions(cert *x509.Certificate) (*Extensions, error)

VcekCertificateExtensions returns the x509v3 extensions from the KDS specification of a VCEK certificate interpreted into a struct type.

func VlekCertificateExtensions ¶ added in v0.8.0

func VlekCertificateExtensions(cert *x509.Certificate) (*Extensions, error)

VlekCertificateExtensions returns the x509v3 extensions from the KDS specification of a VLEK certificate interpreted into a struct type.

type TCBParts ¶

type TCBParts struct {
	// BlSpl is the bootloader security patch level.
	BlSpl uint8
	// TeeSpl is the TEE security patch level.
	TeeSpl uint8
	// Spl4 is reserved.
	Spl4 uint8
	// Spl5 is reserved.
	Spl5 uint8
	// Spl6 is reserved.
	Spl6 uint8
	// Spl7 is reserved.
	Spl7 uint8
	// SnpSpl is the SNP security patch level.
	SnpSpl uint8
	// UcodeSpl is the microcode security patch level.
	UcodeSpl uint8
}

TCBParts represents all TCB field values in a given uint64 representation of an AMD secure processor firmware TCB version.

func DecomposeTCBVersion ¶

func DecomposeTCBVersion(tcb TCBVersion) TCBParts

DecomposeTCBVersion interprets the byte components of the AMD representation of the platform security patch levels into a struct.

type TCBVersion ¶

type TCBVersion uint64

TCBVersion is a 64-bit bitfield of different security patch levels of AMD firmware and microcode.

func ComposeTCBParts ¶

func ComposeTCBParts(parts TCBParts) (TCBVersion, error)

ComposeTCBParts returns an SEV-SNP TCB_VERSION from OID mapping values. The spl4-spl7 fields are reserved, but the KDS specification designates them as 4 byte-sized fields.

type VCEKCert ¶ added in v0.4.0

type VCEKCert struct {
	Product string
	HWID    []byte
	TCB     uint64
}

VCEKCert represents the attestation report components represented in a KDS VCEK certificate request URL.

func ParseVCEKCertURL ¶ added in v0.4.0

func ParseVCEKCertURL(kdsurl string) (VCEKCert, error)

ParseVCEKCertURL returns the attestation report components represented in the given KDS VCEK certificate request URL.

type VLEKCert ¶ added in v0.8.0

type VLEKCert struct {
	Product string
	TCB     uint64
}

VLEKCert represents the attestation report components represented in a KDS VLEK certificate request URL.

func ParseVLEKCertURL ¶ added in v0.8.0

func ParseVLEKCertURL(kdsurl string) (VLEKCert, error)

ParseVLEKCertURL returns the attestation report components represented in the given KDS VLEK certificate request URL.

Source Files ¶

View all Source files

kds.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL