Documentation
Overview ¶
Package verify includes logic and embedded AMD keys to check attestation report signatures.
Index ¶
- Variables
- func GetAttestationFromReport(report *spb.Report, options *Options) (*spb.Attestation, error)
- func GetAttestationFromReportContext(ctx context.Context, report *spb.Report, options *Options) (*spb.Attestation, error)
- func GetAttestationWithCerts(attestation *spb.Attestation, options *Options) error
- func GetAttestationWithCertsContext(ctx context.Context, attestation *spb.Attestation, options *Options) error
- func GetCrlAndCheckRoot(r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)
- func GetCrlAndCheckRootContext(ctx context.Context, r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)
- func RawSnpReport(rawReport []byte, options *Options) error
- func RawSnpReportContext(ctx context.Context, rawReport []byte, options *Options) error
- func SnpAttestation(attestation *spb.Attestation, options *Options) error
- func SnpAttestationContext(ctx context.Context, attestation *spb.Attestation, options *Options) error
- func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
- func SnpReport(report *spb.Report, options *Options) error
- func SnpReportContext(ctx context.Context, report *spb.Report, options *Options) error
- func SnpReportSignature(report []byte, vcek *x509.Certificate) error
- func VcekNotRevoked(r *trust.AMDRootCerts, cert *x509.Certificate, options *Options) error
- func VcekNotRevokedContext(ctx context.Context, r *trust.AMDRootCerts, _ *x509.Certificate, ...) error
- type CRLUnavailableErr
- type Options
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrMissingVlek is returned when attempting to verify a VLEK-signed report that doesn't also
	// have its VLEK certificate attached. It is a sentinel value; callers should match it with
	// errors.Is rather than comparing error strings.
	ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing")
)
Functions ¶
func GetAttestationFromReport ¶
GetAttestationFromReport uses AMD's Key Distribution Service (KDS) to download the certificate chain for the VCEK that supposedly signed the given report, and returns the Attestation representation of their combination. If options.Getter is nil, Go's http.Get is used.
func GetAttestationFromReportContext ¶
func GetAttestationFromReportContext(ctx context.Context, report *spb.Report, options *Options) (*spb.Attestation, error)
GetAttestationFromReportContext behaves like GetAttestationFromReport but forwards the context to the HTTPSGetter.
func GetAttestationWithCerts ¶
func GetAttestationWithCerts(attestation *spb.Attestation, options *Options) error
func GetCrlAndCheckRoot ¶
func GetCrlAndCheckRoot(r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)
GetCrlAndCheckRoot downloads the given cert's CRL from one of the distribution points and verifies that the CRL is valid and doesn't revoke an intermediate key.
func GetCrlAndCheckRootContext ¶
func GetCrlAndCheckRootContext(ctx context.Context, r *trust.AMDRootCerts, opts *Options) (*x509.RevocationList, error)
GetCrlAndCheckRootContext behaves like GetCrlAndCheckRoot but forwards the context to the HTTPSGetter.
func RawSnpReport ¶
RawSnpReport verifies the raw bytes representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.
func RawSnpReportContext ¶
RawSnpReportContext behaves like RawSnpReport but forwards the context to the HTTPSGetter.
func SnpAttestation ¶
func SnpAttestation(attestation *spb.Attestation, options *Options) error
SnpAttestation verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo, provided the certificate chain is valid.
func SnpAttestationContext ¶
func SnpAttestationContext(ctx context.Context, attestation *spb.Attestation, options *Options) error
SnpAttestationContext behaves like SnpAttestation but forwards the context to the HTTPSGetter.
func SnpProtoReportSignature ¶
func SnpProtoReportSignature(report *spb.Report, vcek *x509.Certificate) error
SnpProtoReportSignature verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo.
func SnpReport ¶
SnpReport verifies the protobuf representation of an attestation report's signature based on the report's SignatureAlgo and uses the AMD Key Distribution Service to download the report's corresponding VCEK certificate.
func SnpReportContext ¶
SnpReportContext behaves like SnpReport but forwards the context to the HTTPSGetter.
func SnpReportSignature ¶
func SnpReportSignature(report []byte, vcek *x509.Certificate) error
SnpReportSignature verifies the attestation report's signature based on the report's SignatureAlgo.
func VcekNotRevoked ¶
func VcekNotRevoked(r *trust.AMDRootCerts, cert *x509.Certificate, options *Options) error
VcekNotRevoked consults the online CRL listed in the VCEK certificate to determine whether this cert has been revoked. Returns nil if the certificate is not revoked, and an error on any problem.
func VcekNotRevokedContext ¶
func VcekNotRevokedContext(ctx context.Context, r *trust.AMDRootCerts, _ *x509.Certificate, options *Options) error
VcekNotRevokedContext behaves like VcekNotRevoked but forwards the context to the HTTPSGetter.
Types ¶
type CRLUnavailableErr ¶
// CRLUnavailableErr represents a problem with fetching the CRL from the network, as opposed to
// a CRL that was fetched and positively revokes a certificate.
type CRLUnavailableErr struct {
	// contains filtered or unexported fields
}
CRLUnavailableErr represents a problem with fetching the CRL from the network. This error type is kept distinct so that a caller can recognize CRL unavailability and deliberately choose "fail open" semantics (accepting the report without a completed revocation check) instead of failing the whole verification. See Adam Langley's write-up on CRLs and network unreliability https://www.imperialviolet.org/2014/04/19/revchecking.html
type Options ¶
type Options struct {
	// CheckRevocations set to true if the verifier should retrieve the CRL from the network and check
	// if the VCEK or ASK have been revoked according to the ARK. When false, no CRL is consulted, so
	// a revoked VCEK or ASK is not detected. Problems fetching the CRL are represented by
	// CRLUnavailableErr.
	CheckRevocations bool
	// DisableCertFetching set to true if SnpAttestation should not connect to the AMD KDS to fill in
	// any missing certificates in an attestation's certificate chain. Uses Getter if false.
	DisableCertFetching bool
	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns
	// the body. If Getter implements trust.ContextHTTPSGetter, GetContext will be preferred over Get.
	// NOTE(review): KDS certificate fetches and CRL fetches appear to go through this Getter, so a
	// custom Getter is the place to apply request timeouts or caching — confirm against the
	// fetching code before relying on that.
	Getter trust.HTTPSGetter
	// Now is the time at which to verify the validity of certificates. If unset, uses time.Now().
	// Pinning a fixed time (e.g. in tests) also pins the certificate validity-period checks to that
	// instant, so it should be left unset in production use.
	Now time.Time
	// TrustedRoots specifies the ARK and ASK certificates to trust when checking the VCEK. If nil,
	// then verification will fall back on embedded AMD-published root certificates.
	// Maps the product name to an array of allowed roots.
	TrustedRoots map[string][]*trust.AMDRootCerts
	// Product is a forced value for the attestation product name when verifying or retrieving
	// VCEK certificates. An attestation should carry the product of the reporting
	// machine. Only used for v2 attestation reports.
	Product *spb.SevProduct
}
Options represents verification options for an SEV-SNP attestation report.
func DefaultOptions ¶
func DefaultOptions() *Options
DefaultOptions returns a useful default set of verification options.
func RootOfTrustToOptions ¶
func RootOfTrustToOptions(rot *cpb.RootOfTrust) (*Options, error)
RootOfTrustToOptions translates the RootOfTrust message into the Options type needed for driving an attestation verification.