Documentation
¶
Overview ¶
Package validate is for checking attestation report properties other than signature verification.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func RawSnpAttestation ¶
RawSnpAttestation validates fields of a raw attestation report against expectations. Does not check the attestation certificates or signature.
func SnpAttestation ¶
func SnpAttestation(attestation *spb.Attestation, options *Options) error
SnpAttestation validates fields of the protobuf representation of an attestation report against expectations. Does not check the attestation certificates or signature.
Types ¶
type Options ¶
type Options struct {
// GuestPolicy is the maximum of acceptable guest policies.
GuestPolicy abi.SnpPolicy
// MinimumGuestSvn is the minimum guest security version number.
MinimumGuestSvn uint32
// ReportData is the expected REPORT_DATA field. Must be nil or 64 bytes long. Not checked if nil.
ReportData []byte
// HostData is the expected HOST_DATA field. Must be nil or 32 bytes long. Not checked if nil.
HostData []byte
// ImageID is the expected IMAGE_ID field. Must be nil or 16 bytes long. Not checked if nil.
ImageID []byte
// FamilyID is the expected FAMILY_ID field. Must be nil or 16 bytes long. Not checked if nil.
FamilyID []byte
// ReportID is the expected REPORT_ID field. Must be nil or 32 bytes long. Not checked if nil.
ReportID []byte
// ReportIDMA is the expected REPORT_ID_MA field. Must be nil or 32 bytes long. Not checked if nil.
ReportIDMA []byte
// Measurement is the expected MEASUREMENT field. Must be nil or 48 bytes long. Not checked if nil.
Measurement []byte
// ChipID is the expected CHIP_ID field. Must be nil or 64 bytes long. Not checked if nil.
ChipID []byte
// MinimumBuild is the minimum firmware build version reported in the attestation report.
MinimumBuild uint8
// MinimumVersion is the minimum firmware API version reported in the attestation report,
// where the MSB is the major number and the LSB is the minor number.
MinimumVersion uint16
// MinimumTCB is the component-wise minimum TCB reported in the attestation report. This
// does not include the LaunchTCB.
MinimumTCB kds.TCBParts
// MinimumLaunchTCB is the component-wise minimum for the attestation report LaunchTCB.
MinimumLaunchTCB kds.TCBParts
// PermitProvisionalFirmware if true, allows the committed TCB, build, and API values to be less
// than or equal to the current values. If false, committed and current values must be equal.
PermitProvisionalFirmware bool
// PlatformInfo is the maximum of acceptable PLATFORM_INFO data. Not checked if nil.
PlatformInfo *abi.SnpPlatformInfo
// RequireAuthorKey if true, will not validate a report without AUTHOR_KEY_EN equal to 1.
// Implies RequireIDBlock is true.
RequireAuthorKey bool
// VMPL is the expected VMPL value, 0-3. Unchecked if nil.
VMPL *int
// RequireIDBlock if true, will not validate a report if it does not have an ID_KEY_DIGEST that
// is trusted through all keys in TrustedIDKeys or TrustedIDKeyHashes, or any ID key whose hash
// was signed by a key in TrustedAuthorKeys or TrustedIDKeyHashes. No signatures are checked,
// since presence in the attestation report implies that the AMD firmware successfully verified
// the signature at VM launch. If false, ID_KEY_DIGEST and AUTHOR_KEY_DIGEST are not checked.
RequireIDBlock bool
// Certificates of keys that are permitted to sign ID keys. Any ID key signed by a trusted author
// key is implicitly trusted. Not required if TrustedAuthorKeyHashes is provided.
TrustedAuthorKeys []*x509.Certificate
// TrustedAuthorKeys is an array of SHA-384 hashes of trusted author keys's public key in SEV-SNP
// API format. Not required if TrustedAuthorKeys is provided.
TrustedAuthorKeyHashes [][]byte
// Certificates of keys that are permitted to sign IDBlocks. Not required if TrustedIDKeyHashes is
// provided.
TrustedIDKeys []*x509.Certificate
// TrustedIDKeyHashes is an array of SHA-384 hashes of trusted ID signer keys's public key in
// SEV-SNP API format. Not required if TrustedIDKeys is provided.
TrustedIDKeyHashes [][]byte
}
Options represents verification options for an SEV-SNP attestation report.
Source Files
Click to show internal directories.
Click to hide internal directories.