pcs

package
v0.2403.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 29, 2024 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	CertificationDataPPIDCleartext        = 1
	CertificationDataPPIDEncryptedRSA2048 = 2
	CertificationDataPPIDEncryptedRSA3072 = 3
	CertificationDataPCKLeafCertificate   = 4
	CertificationDataPCKCertificateChain  = 5
	CertificationDataQEReport             = 6
	CertificationDataPlatformManifest     = 7
)
View Source 
const (
	// TCBKindPlatform is the platform TCB kind (e.g. the CPU/microcode/config).
	TCBKindPlatform = 0
	// TCBKindEnclave is the enclave TCB kind (e.g. the QE).
	TCBKindEnclave = 1
)
View Source 
const (

	// DefaultMinTCBEvaluationDataNumber is the default minimum TCB evaluation data number.
	DefaultMinTCBEvaluationDataNumber = 12 // As of 2022-08-01.

)
View Source 
const TdEnclaveIdentityContext = "oasis-core/tdx: TD enclave identity"

TdEnclaveIdentityContext is the TD enclave identity conversion context.

View Source 
const TimestampFormat = "2006-01-02T15:04:05.999999999Z"

TimestampFormat is the format of the TCB timestamp, suitable for use with time.Parse.

Workaround for https://github.com/golang/go/issues/21990

Variables

View Source 
var (
	// PCK_SGX_Extensions is the ASN1 Object Identifier for the SGX Extensions X509 extension.
	PCK_SGX_Extensions = asn1.ObjectIdentifier{1, 2, 840, 113741, 1, 13, 1} // nolint: revive

	// PCK_SGX_Extensions_FMSPC is the ASN1 Object Identifier for the FMSPC SGX Extension.
	PCK_SGX_Extensions_FMSPC = asn1.ObjectIdentifier{1, 2, 840, 113741, 1, 13, 1, 4} // nolint: revive

	// PCK_SGX_Extensions_TCB is the ASN1 Object Identifier for the TCB SGX Extension.
	PCK_SGX_Extensions_TCB = asn1.ObjectIdentifier{1, 2, 840, 113741, 1, 13, 1, 2} // nolint: revive
)
View Source 
var IntelTrustRoots = func() *x509.CertPool {
	pool := x509.NewCertPool()
	if raw := []byte(pcsTrustRootCert); !pool.AppendCertsFromPEM(raw) {

		_, _, err := CertFromPEM(raw)
		panic("sgx/pcs: invalid Intel trust root cert: " + err.Error())
	}
	return pool
}()

IntelTrustRoots are Intel's PCS signing root certificates.

View Source 
var QEVendorID_Intel = []byte{0x93, 0x9a, 0x72, 0x33, 0xf7, 0x9c, 0x4c, 0xa9, 0x94, 0x0a, 0x0d, 0xb3, 0x95, 0x7f, 0x06, 0x07} // nolint: revive

QEVendorID_Intel is the Quoting Enclave vendor ID for Intel (939A7233F79C4CA9940A0DB3957F0607).

View Source 
var TDX_MrSigner_Intel [48]byte // nolint: revive

TDX_MrSigner_Intel is the TDX module MRSIGNER for Intel (000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000).

Functions

func BuildMrSignerBlacklist 

func BuildMrSignerBlacklist(allowTestKeys bool)

BuildMrSignerBlacklist builds the MRSIGNER blacklist.

func CertFromPEM 

func CertFromPEM(raw []byte) (*x509.Certificate, []byte, error)

func NewMockQuote added in v0.2400.0 

func NewMockQuote(rawReport []byte) ([]byte, error)

NewMockQuote generates a mock quote from the given report, after doing some light sanity checking on the report.

This is only useful for runtimes with quote verification disabled at compile time (ie: built with `OASIS_UNSAFE_SKIP_AVR_VERIFY=1`).

func SetAllowDebugEnclaves 

func SetAllowDebugEnclaves()

SetAllowDebugEnclaves will enable running and communicating with enclaves with debug flag enabled in report body for the remainder of the process' lifetime.

func SetSkipVerify added in v0.2400.0 

func SetSkipVerify()

SetSkipVerify will disable quote signature verification for the remainder of the process' lifetime.

func SetUnsafeLaxVerify added in v0.2300.11 

func SetUnsafeLaxVerify()

SetUnsafeLaxVerify enables the unsafe, more lax TCB status verification.

OutOfDate and OutOfDateConfigurationNeeded TCB statuses will be treated as valid.

func UnsetAllowDebugEnclaves 

func UnsetAllowDebugEnclaves()

UnsetAllowDebugEnclaves will disable running and communicating with enclaves with debug flag enabled in report body for the remainder of the process' lifetime.

Types

type AttestationKeyType 

type AttestationKeyType uint16

AttestationKeyType is the attestation key type. 

const (
	// AttestationKeyECDSA_P256 is the ECDSA-P256 attestation key type.
	AttestationKeyECDSA_P256 AttestationKeyType = 2 // nolint: revive
)

func (AttestationKeyType) String 

func (kt AttestationKeyType) String() string

String returns a string representation of the attestation key type.

type CertificationData 

type CertificationData interface {
	// CertificationDataType returns the certification data type.
	CertificationDataType() CertificationDataType
}

CertificationData is the data required to verify the QE Report signature.

type CertificationDataType 

type CertificationDataType uint16

CertificationDataType is the type of data required to verify the QE Report signature in the QuoteSignature data structure.

func (CertificationDataType) String 

func (ct CertificationDataType) String() string

type CertificationData_PCKCertificateChain 

type CertificationData_PCKCertificateChain struct {
	CertificateChain []*x509.Certificate
}

CertificationData_PCKCertificateChain is the PCK certificate chain certification data.

func (*CertificationData_PCKCertificateChain) CertificationDataType 

func (cd *CertificationData_PCKCertificateChain) CertificationDataType() CertificationDataType

CertificationDataType returns the certification data type.

func (*CertificationData_PCKCertificateChain) UnmarshalBinary 

func (cd *CertificationData_PCKCertificateChain) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes CertificationData_PCKCertificateChain from a byte array.

type CertificationData_PPID 

type CertificationData_PPID struct {
	PPID   [384]byte
	CPUSVN [16]byte
	PCESVN uint16
	PCEID  uint16
	// contains filtered or unexported fields
}

CertificationData_PPID is the PPID certification data.

func (*CertificationData_PPID) CertificationDataType 

func (cd *CertificationData_PPID) CertificationDataType() CertificationDataType

CertificationDataType returns the certification data type.

func (*CertificationData_PPID) UnmarshalBinary 

func (cd *CertificationData_PPID) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes CertificationData_PPID from a byte array.

type CertificationData_QEReport added in v0.2403.0 

type CertificationData_QEReport struct {
	QEReport           SgxReport
	QEReportSignature  SignatureECDSA_P256
	AuthenticationData []byte
	CertificationData  CertificationData
}

CertificationData_QEReport is the QE report certification data that contains nested certification data. This kind is implicit in v3 quotes and explicit via an additional envelope in v4 quotes.

func (*CertificationData_QEReport) CertificationDataType added in v0.2403.0 

func (qe *CertificationData_QEReport) CertificationDataType() CertificationDataType

CertificationDataType returns the certification data type.

func (*CertificationData_QEReport) UnmarshalBinary added in v0.2403.0 

func (qe *CertificationData_QEReport) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes CertificationData_QEReport from a byte array.

type Client 

type Client interface {
	// GetTCBBundle retrieves the signed TCB artifacts needed to verify a quote.
	GetTCBBundle(ctx context.Context, teeType TeeType, fmspc []byte, update UpdateType) (*TCBBundle, error)

	// GetPCKCertificateChain retrieves the PCK certificate chain for the given platform data or PPID.
	//
	// If platform data is provided, it is used instead of the encrypted PPID for certificate retrieval.
	GetPCKCertificateChain(ctx context.Context, platformData []byte, encPpid [384]byte, cpusvn [16]byte, pcesvn uint16, pceid uint16) ([]*x509.Certificate, error)
}

Client is an Intel SGX PCS client interface.

func NewHTTPClient 

func NewHTTPClient(cfg *HTTPClientConfig) (Client, error)

NewHTTPClient returns a new PCS HTTP endpoint.

type EnclaveTCBLevel 

type EnclaveTCBLevel struct {
	TCB struct {
		ISVSVN uint16 `json:"isvsvn"`
	} `json:"tcb"`
	Date        string    `json:"tcbDate"`
	Status      TCBStatus `json:"tcbStatus"`
	AdvisoryIDs []string  `json:"advisoryIDs"`
}

EnclaveTCBLevel is the enclave TCB level.

type HTTPClientConfig 

type HTTPClientConfig struct {
	// SubscriptionKey is the Intel PCS API key used for client authentication (needed for PCK
	// certificate retrieval).
	SubscriptionKey string
}

HTTPClientConfig is the Intel SGX PCS client configuration.

type PCKInfo 

type PCKInfo struct {
	PublicKey  *ecdsa.PublicKey
	FMSPC      []byte
	TCBCompSVN [16]int32
	PCESVN     uint16
	CPUSVN     [16]byte
}

PCKInfo contains information extracted from the PCK certificate.

type QEIdentity 

type QEIdentity struct {
	ID                      string            `json:"id"`
	Version                 int               `json:"version"`
	IssueDate               string            `json:"issueDate"`
	NextUpdate              string            `json:"nextUpdate"`
	TCBEvaluationDataNumber uint32            `json:"tcbEvaluationDataNumber"`
	MiscSelect              string            `json:"miscselect"`
	MiscSelectMask          string            `json:"miscselectMask"`
	Attributes              string            `json:"attributes"`
	AttributesMask          string            `json:"attributesMask"`
	MRSIGNER                string            `json:"mrsigner"`
	ISVProdID               uint16            `json:"isvprodid"`
	TCBLevels               []EnclaveTCBLevel `json:"tcbLevels"`
	AdvisoryIDs             []int             `json:"advisoryIDs,omitempty"`
}

QEIdentity is the Quoting Enclave identity.

type Quote 

type Quote struct {
	// contains filtered or unexported fields
}

Quote is an enclave quote.

func (*Quote) Header 

func (q *Quote) Header() QuoteHeader

Header returns the quote header.

func (*Quote) Signature 

func (q *Quote) Signature() QuoteSignature

Signature returns the quote signature.

func (*Quote) UnmarshalBinary 

func (q *Quote) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes a Quote from a byte array.

func (*Quote) UnmarshalBinaryWithTrailing added in v0.2403.0 

func (q *Quote) UnmarshalBinaryWithTrailing(data []byte, allowTrailing bool) (int, error)

UnmarshalBinaryWithTrailing decodes a Quote from a byte array, optionally allowing trailing data.

Returns the length of the decoded quote.

func (*Quote) Verify 

func (q *Quote) Verify(policy *QuotePolicy, ts time.Time, tcb *TCBBundle) (*sgx.VerifiedQuote, error)

Verify verifies the quote.

In case of successful verification it returns the TCB level.

type QuoteBundle 

type QuoteBundle struct {
	// Quote is the raw attestation quote.
	Quote []byte `json:"quote"`

	// TCB is the TCB bundle required to verify an attestation quote.
	TCB TCBBundle `json:"tcb"`
}

QuoteBundle is an attestation quote together with the TCB bundle required for its verification.

func (*QuoteBundle) Verify 

func (bnd *QuoteBundle) Verify(policy *QuotePolicy, ts time.Time) (*sgx.VerifiedQuote, error)

Verify verifies the quote bundle.

In case of successful verification it returns the verified quote.

type QuoteHeader 

type QuoteHeader interface {
	// Version returns the quote version.
	Version() uint16

	// TeeType returns the TEE type.
	TeeType() TeeType

	// QEVendorID returns the QE vendor ID.
	QEVendorID() []byte

	// AttestationKeyType returns the quote attestation key type.
	AttestationKeyType() AttestationKeyType

	// ReportBodyLength returns the length of the report body field.
	ReportBodyLength() int

	// Raw returns the raw quote header bytes.
	Raw() []byte
}

QuoteHeader is the quote header interface.

type QuoteHeaderV3 added in v0.2403.0 

type QuoteHeaderV3 struct {
	// contains filtered or unexported fields
}

QuoteHeaderV3 is a V3 quote header.

func (*QuoteHeaderV3) AttestationKeyType added in v0.2403.0 

func (qh *QuoteHeaderV3) AttestationKeyType() AttestationKeyType

AttestationKeyType returns the quote attestation key type.

func (*QuoteHeaderV3) QEVendorID added in v0.2403.0 

func (qh *QuoteHeaderV3) QEVendorID() []byte

QEVendorID returns the QE vendor ID.

func (*QuoteHeaderV3) Raw added in v0.2403.0 

func (qh *QuoteHeaderV3) Raw() []byte

Raw returns the raw quote header bytes.

func (*QuoteHeaderV3) ReportBodyLength added in v0.2403.0 

func (qh *QuoteHeaderV3) ReportBodyLength() int

ReportBodyLength returns the length of the report body field.

func (*QuoteHeaderV3) TeeType added in v0.2403.0 

func (qh *QuoteHeaderV3) TeeType() TeeType

TeeType returns the TEE type.

func (*QuoteHeaderV3) UnmarshalBinary added in v0.2403.0 

func (qh *QuoteHeaderV3) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes QuoteHeaderV3 from a byte array.

func (*QuoteHeaderV3) Version added in v0.2403.0 

func (qh *QuoteHeaderV3) Version() uint16

Version returns the quote version.

type QuoteHeaderV4 added in v0.2403.0 

type QuoteHeaderV4 struct {
	// contains filtered or unexported fields
}

QuoteHeaderV4 is a V4 quote header.

func (*QuoteHeaderV4) AttestationKeyType added in v0.2403.0 

func (qh *QuoteHeaderV4) AttestationKeyType() AttestationKeyType

AttestationKeyType returns the quote attestation key type.

func (*QuoteHeaderV4) QEVendorID added in v0.2403.0 

func (qh *QuoteHeaderV4) QEVendorID() []byte

QEVendorID returns the QE vendor ID.

func (*QuoteHeaderV4) Raw added in v0.2403.0 

func (qh *QuoteHeaderV4) Raw() []byte

Raw returns the raw quote header bytes.

func (*QuoteHeaderV4) ReportBodyLength added in v0.2403.0 

func (qh *QuoteHeaderV4) ReportBodyLength() int

ReportBodyLength returns the length of the report body field.

func (*QuoteHeaderV4) TeeType added in v0.2403.0 

func (qh *QuoteHeaderV4) TeeType() TeeType

TeeType returns the TEE type.

func (*QuoteHeaderV4) UnmarshalBinary added in v0.2403.0 

func (qh *QuoteHeaderV4) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes QuoteHeaderV4 from a byte array.

func (*QuoteHeaderV4) Version added in v0.2403.0 

func (qh *QuoteHeaderV4) Version() uint16

Version returns the quote version.

type QuotePolicy 

type QuotePolicy struct {
	// Disabled specifies whether PCS quotes are disabled and will always be rejected.
	Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`

	// TCBValidityPeriod is the validity (in days) of the TCB collateral.
	TCBValidityPeriod uint16 `json:"tcb_validity_period" yaml:"tcb_validity_period"`

	// MinTCBEvaluationDataNumber is the minimum TCB evaluation data number that is considered to be
	// valid. TCB bundles containing smaller values will be invalid.
	MinTCBEvaluationDataNumber uint32 `json:"min_tcb_evaluation_data_number" yaml:"min_tcb_evaluation_data_number"`

	// FMSPCBlacklist is a list of hexadecimal encoded FMSPCs specifying which processor
	// packages and platform instances are blocked.
	FMSPCBlacklist []string `json:"fmspc_blacklist,omitempty" yaml:"fmspc_blacklist,omitempty"`

	// TDX is an optional TDX-specific policy. In case this is nil, TDX quotes are disallowed.
	TDX *TdxQuotePolicy `json:"tdx,omitempty" yaml:"tdx,omitempty"`
}

QuotePolicy is the quote validity policy.

type QuoteService added in v0.2403.0 

type QuoteService interface {
	// ResolveQuote resolves a given raw quote into a full bundle with the required collateral.
	ResolveQuote(ctx context.Context, rawQuote []byte, quotePolicy *QuotePolicy) (*QuoteBundle, error)
}

QuoteService is a service for resolving raw quotes into quote bundles that include all of the needed collateral.

func NewCachingQuoteService added in v0.2403.0 

func NewCachingQuoteService(
	client Client,
	store *persistent.CommonStore,
) QuoteService

NewCachingQuoteService creates a new caching quote service.

type QuoteSignature 

type QuoteSignature interface {
	// AttestationKeyType returns the type of the attestation key used in this quote signature.
	AttestationKeyType() AttestationKeyType

	// Verify verifies the quote signature of the header and ISV report.
	Verify(
		header QuoteHeader,
		reportBody ReportBody,
		ts time.Time,
		tcb *TCBBundle,
		policy *QuotePolicy,
	) error
}

QuoteSignature is a quote signature.

type QuoteSignatureECDSA_P256 

type QuoteSignatureECDSA_P256 struct {
	// contains filtered or unexported fields
}

QuoteSignatureECDSA_P256 is an ECDSA-P256 quote signature.

func (*QuoteSignatureECDSA_P256) AttestationKeyType 

func (qs *QuoteSignatureECDSA_P256) AttestationKeyType() AttestationKeyType

AttestationKeyType returns the type of the attestation key used in this quote signature.

func (*QuoteSignatureECDSA_P256) CertificationData 

func (qs *QuoteSignatureECDSA_P256) CertificationData() CertificationData

CertificationData returns the certification data.

func (*QuoteSignatureECDSA_P256) UnmarshalBinary 

func (qs *QuoteSignatureECDSA_P256) UnmarshalBinary(version uint16, data []byte) error

UnmarshalBinary decodes QuoteSignatureECDSA_P256 from a byte array.

func (*QuoteSignatureECDSA_P256) Verify 

func (qs *QuoteSignatureECDSA_P256) Verify(
	header QuoteHeader,
	reportBody ReportBody,
	ts time.Time,
	tcb *TCBBundle,
	policy *QuotePolicy,
) error

Verify verifies the quote signature.

func (*QuoteSignatureECDSA_P256) VerifyPCK 

func (qs *QuoteSignatureECDSA_P256) VerifyPCK(ts time.Time) (*PCKInfo, error)

VerifyPCK verifies the PCK certificate and returns the extracted information.

type ReportBody 

type ReportBody interface {
	// ReportData is the user-supplied report data.
	ReportData() []byte

	// AsEnclaveIdentity converts the report body into an enclave identity.
	AsEnclaveIdentity() sgx.EnclaveIdentity

	// Raw returns the raw report body.
	Raw() []byte
}

ReportBody is the report body contained in the quote.

type SGXExtension 

type SGXExtension struct {
	Id    asn1.ObjectIdentifier // nolint: revive
	Value asn1.RawValue
}

SGXExtension is an ASN1 SGX extension.

type SgxReport added in v0.2403.0 

type SgxReport struct {
	// contains filtered or unexported fields
}

SgxReport is an SGX enclave report body.

func (*SgxReport) AsEnclaveIdentity added in v0.2403.0 

func (r *SgxReport) AsEnclaveIdentity() sgx.EnclaveIdentity

AsEnclaveIdentity converts the report body into an enclave identity.

func (*SgxReport) MarshalBinary added in v0.2403.0 

func (r *SgxReport) MarshalBinary() ([]byte, error)

MarshalBinary encodes SgxReport into byte array.

func (*SgxReport) Raw added in v0.2403.0 

func (r *SgxReport) Raw() []byte

Raw returns the raw report body.

func (*SgxReport) ReportData added in v0.2403.0 

func (r *SgxReport) ReportData() []byte

ReportData is the user-supplied report data.

func (*SgxReport) UnmarshalBinary added in v0.2403.0 

func (r *SgxReport) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes SgxReport from a byte array.

type SignatureECDSA_P256 

type SignatureECDSA_P256 [64]byte // nolint: revive

SignatureECDSA_P256 is an ECDSA-P256 signature in the form r || s.

func (*SignatureECDSA_P256) UnmarshalHex 

func (ec *SignatureECDSA_P256) UnmarshalHex(data string) error

UnmarshalHex decodes the signature from a hex-encoded string.

func (*SignatureECDSA_P256) Verify 

func (ec *SignatureECDSA_P256) Verify(pk *ecdsa.PublicKey, hash []byte) bool

Verify verifies the signature of hash using the passed public key.

type SignedQEIdentity 

type SignedQEIdentity struct {
	EnclaveIdentity json.RawMessage `cbor:"enclave_identity" json:"enclaveIdentity"`
	Signature       string          `cbor:"signature" json:"signature"`
}

SignedQEIdentity is the signed Quoting Enclave identity.

type SignedTCBInfo 

type SignedTCBInfo struct {
	TCBInfo   json.RawMessage `cbor:"tcb_info" json:"tcbInfo"`
	Signature string          `cbor:"signature" json:"signature"`
}

SignedTCBInfo is the signed TCB info structure.

type TCBBundle 

type TCBBundle struct {
	TCBInfo      SignedTCBInfo    `json:"tcb_info"`
	QEIdentity   SignedQEIdentity `json:"qe_id"`
	Certificates []byte           `json:"certs"`
}

TCBBundle contains all the required components to verify a quote's TCB.

func (*TCBBundle) Verify added in v0.2300.0 

func (bnd *TCBBundle) Verify(
	teeType TeeType,
	ts time.Time,
	policy *QuotePolicy,
	fmspc []byte,
	sgxCompSvn [16]int32,
	tdxCompSvn *[16]byte,
	pcesvn uint16,
	qe *SgxReport,
) error

Verify verifies the TCB info and the QE identity corresponding to the passed SVN information.

type TCBComponent added in v0.2300.0 

type TCBComponent struct {
	SVN      int32  `json:"svn"`
	Category string `json:"category,omitempty"`
	Type     string `json:"type,omitempty"`
}

TCBComponent is a TCB component.

type TCBInfo 

type TCBInfo struct {
	ID                      string              `json:"id"`
	Version                 int                 `json:"version"`
	IssueDate               string              `json:"issueDate"`
	NextUpdate              string              `json:"nextUpdate"`
	FMSPC                   string              `json:"fmspc"`
	PCEID                   string              `json:"pceId"`
	TCBType                 int                 `json:"tcbType"`
	TCBEvaluationDataNumber uint32              `json:"tcbEvaluationDataNumber"`
	TDXModule               TDXModule           `json:"tdxModule,omitempty"`
	TDXModuleIdentities     []TDXModuleIdentity `json:"tdxModuleIdentities,omitempty"`
	TCBLevels               []TCBLevel          `json:"tcbLevels"`
}

TCBInfo is the TCB info body.

type TCBKind 

type TCBKind uint8

TCBKind is the kind of the TCB.

func (TCBKind) String 

func (tk TCBKind) String() string

String returns a string representation of the TCB kind.

type TCBLevel 

type TCBLevel struct {
	TCB struct {
		PCESVN        uint16           `json:"pcesvn"`
		SGXComponents [16]TCBComponent `json:"sgxtcbcomponents"`
		TDXComponents [16]TCBComponent `json:"tdxtcbcomponents,omitempty"`
	} `json:"tcb"`
	Date        string    `json:"tcbDate"`
	Status      TCBStatus `json:"tcbStatus"`
	AdvisoryIDs []string  `json:"advisoryIDs,omitempty"`
}

TCBLevel is a platform TCB level.

type TCBOutOfDateError 

type TCBOutOfDateError struct {
	Kind        TCBKind
	Status      TCBStatus
	AdvisoryIDs []string
}

TCBOutOfDateError is an error saying that the TCB of the platform or enclave is out of date.

func (*TCBOutOfDateError) Error 

func (tle *TCBOutOfDateError) Error() string

Error returns the error message.

type TCBStatus 

type TCBStatus int

TCBStatus is the TCB status. 

const (
	StatusUpToDate TCBStatus
	StatusSWHardeningNeeded
	StatusConfigurationNeeded
	StatusConfigurationAndSWHardeningNeeded
	StatusOutOfDate
	StatusOutOfDateConfigurationNeeded
	StatusRevoked
)

func (*TCBStatus) MarshalText 

func (s *TCBStatus) MarshalText() ([]byte, error)

MarshalText implements the encoding.TextMarshaler interface.

func (TCBStatus) String 

func (s TCBStatus) String() string

String returns the string representation of the TCB status.

func (*TCBStatus) UnmarshalText 

func (s *TCBStatus) UnmarshalText(text []byte) error

UnmarshalText implements the encoding.TextUnmarshaler interface.

type TDXModule added in v0.2300.0 

type TDXModule struct {
	MRSIGNER       string `json:"mrsigner"`
	Attributes     string `json:"attributes"`
	AttributesMask string `json:"attributesMask"`
}

TDXModule is a representation of the properties of Intel's TDX SEAM module.

type TDXModuleIdentity added in v0.2403.0 

type TDXModuleIdentity struct {
	ID        string            `json:"id"`
	TCBLevels []EnclaveTCBLevel `json:"tcbLevels"`
	TDXModule
}

TDXModuleIdentity is a representation of the identity of the Intel's TDX SEAM module in case the platform supports more than one TDX SEAM module.

type TdAttributes added in v0.2403.0 

type TdAttributes uint64

TdAttributes are the TDX TD attributes. 

const (
	TdAttributeDebug         TdAttributes = 0b00000000_00000000_00000000_00000000_00000000_00000000_00000000_00000001
	TdAttributeSeptVeDisable TdAttributes = 0b00000000_00000000_00000000_00000000_00010000_00000000_00000000_00000000
	TdAttributePKS           TdAttributes = 0b00000000_00000000_00000000_00000000_01000000_00000000_00000000_00000000
	TdAttributeKL            TdAttributes = 0b00000000_00000000_00000000_00000000_10000000_00000000_00000000_00000000
	TdAttributePerfmon       TdAttributes = 0b10000000_00000000_00000000_00000000_00000000_00000000_00000000_00000000

	TdAttributeReserved TdAttributes = ^(TdAttributeDebug |
		TdAttributeSeptVeDisable |
		TdAttributePKS |
		TdAttributeKL |
		TdAttributePerfmon)
)

func (TdAttributes) Contains added in v0.2403.0 

func (a TdAttributes) Contains(flag TdAttributes) bool

Contains returns value of given flag attribute of the Report.

func (*TdAttributes) UnmarshalBinary added in v0.2403.0 

func (a *TdAttributes) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes TdAttributes from a byte array.

type TdReport added in v0.2403.0 

type TdReport struct {
	// contains filtered or unexported fields
}

TdReport is a TDX TD report body.

func (*TdReport) AsEnclaveIdentity added in v0.2403.0 

func (r *TdReport) AsEnclaveIdentity() sgx.EnclaveIdentity

AsEnclaveIdentity converts the report body into an enclave identity.

func (*TdReport) Raw added in v0.2403.0 

func (r *TdReport) Raw() []byte

Raw returns the raw report body.

func (*TdReport) ReportData added in v0.2403.0 

func (r *TdReport) ReportData() []byte

ReportData is the user-supplied report data.

func (*TdReport) UnmarshalBinary added in v0.2403.0 

func (r *TdReport) UnmarshalBinary(data []byte) error

UnmarshalBinary decodes TdReport from a byte array.

type TdxModulePolicy added in v0.2403.0 

type TdxModulePolicy struct {
	// MrSeam is the optional allowed measurement of the TDX Module. In case it is nil, ANY
	// measurement is allowed and only the signer is checked.
	MrSeam *[48]byte `json:"mr_seam,omitempty" yaml:"mr_seam,omitempty"`

	// MrSignerSeam is the allowed signer of the TDX Module (zero for Intel).
	MrSignerSeam [48]byte `json:"mr_signer_seam" yaml:"mr_signer_seam"`
}

TdxModulePolicy is the TDX module policy.

func (*TdxModulePolicy) Matches added in v0.2403.0 

func (mp *TdxModulePolicy) Matches(report *TdReport) bool

Matches returns true iff the TDX module in the given report matches this module policy.

type TdxQuotePolicy added in v0.2403.0 

type TdxQuotePolicy struct {
	// AllowedTdxModules are the allowed TDX modules. Empty to allow ANY Intel-signed module.
	AllowedTdxModules []TdxModulePolicy `json:"allowed_tdx_modules,omitempty" yaml:"allowed_tdx_modules,omitempty"`
}

TdxQuotePolicy is the TDX-specific quote policy.

func (*TdxQuotePolicy) Verify added in v0.2403.0 

func (tp *TdxQuotePolicy) Verify(report *TdReport) error

Verify verifies whether the TDX policy is satisfied for the given report.

type TeeType added in v0.2403.0 

type TeeType uint32

TeeType is the TEE type. 

const (
	TeeTypeSGX TeeType = 0x00000000
	TeeTypeTDX TeeType = 0x00000081
)

func (TeeType) String added in v0.2403.0 

func (tt TeeType) String() string

String returns a string representation of the TEE type.

type UpdateType added in v0.2300.10 

type UpdateType string

UpdateType is the type of update to TCB info. 

const (
	// UpdateStandard indicates standard access to updated TCB Info provided as part of a TCB
	// recovery event.
	UpdateStandard UpdateType = "standard"
	// UpdateEarly indicates an early access to updated TCB Info provided as part of a TCB recovery
	// event.
	UpdateEarly UpdateType = "early"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.