Add SEVSNP plugin for Veraison server #307
I think the linters and integration tests are failing because I bumped go version to 1.24.1. ratsd needs it. Let me try to fix that.
Signed-off-by: Jagannathan Raman <[email protected]>
231f4f5
to
1106e48
Compare
define SEV-SNP scheme for Veraison. Switch to CoRIM version v1.1.3-0.20250307044607-0bbdd6c78526 Signed-off-by: Jagannathan Raman <[email protected]>
store the trust anchors and reference values in the CoMID's "Attest Key Triple" and "Reference Value Triple" formats. Signed-off-by: Jagannathan Raman <[email protected]>
accept CoRIM endorsements, reference values & trust anchors, and save them in the database. Signed-off-by: Jagannathan Raman <[email protected]>
implement parts of the store handler that synthesize keys from trust anchors and reference values. Signed-off-by: Jagannathan Raman <[email protected]>
Implement an evidence handler to extract claims from the evidence token and store them in an internal representation format (CoRIM for SEV-SNP). Additionally, implement the GetLevel interface for HCLogger, which was introduced with v1.5.0. Signed-off-by: Jagannathan Raman <[email protected]>
Update the store handler to get Trust Anchor and Reference Value keys from evidence. Add helper routines to parse the TSM report's auxblob to extract AMD keys. Signed-off-by: Jagannathan Raman <[email protected]>
Implement the ValidateEvidenceIntegrity routine of the EvidenceHandler interface. Ensure the root key in auxblob matches the ARK in provisioned trust anchors. Confirm the integrity of the certificate chain in the auxblob and the validity of the signature in the evidence. Signed-off-by: Jagannathan Raman <[email protected]>
Implement the AppraiseEvidence routine in the EvidenceHandler interface to confirm the claims match with the evidence. Signed-off-by: Jagannathan Raman <[email protected]>
Add unit tests for endorsement, evidence and storage handlers Signed-off-by: Jagannathan Raman <[email protected]>
golangci-lint version 1.64.2 introduces support for golang 1.24. Bumping up its version fixes the linters CI error.
return evM.Val.Digests.CompareAgainstReference(*refM.Val.Digests) | ||
} | ||
|
||
// ToDo: Add SVN comparison |
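Review bot: the `// ToDo: Add SVN comparison` left at the end of this hunk means the only comparison visible here is `Digests.CompareAgainstReference`, so an SVN carried in a reference value is not checked against the evidence at this point. Suggest either landing the SVN comparison in this PR with a unit test for it, or failing closed (no match) whenever `refM.Val.SVN` is set until the comparison exists, so a reference SVN cannot be silently ignored.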
How do I compare the SVN claim against the reference? comid.Measurement.Val.SVN loses its type information when we serialize/de-serialize. As such, I cannot use type assertion to check if it's of type TaggedSVN or TaggedMinSVN. I tried the following, but it doesn't work - I get an "unknown evidence SVN type" error:

    // SVN comparison
    if refM.Val.SVN != nil {
        if evM.Val.SVN == nil {
            log.Debugf("evidence doesn't have SVN")
            return false
        }
        if c, ok := evM.Val.SVN.Value.(comid.TaggedSVN); ok {
            if r, ok := refM.Val.SVN.Value.(comid.TaggedSVN); ok {
                return c.CompareAgainstRefSVN(r)
            } else if r, ok := refM.Val.SVN.Value.(comid.TaggedMinSVN); ok {
                return c.CompareAgainstRefMinSVN(r)
            } else {
                log.Debugf("unknown refVal SVN type")
                return false
            }
        } else if _, ok := evM.Val.SVN.Value.(comid.TaggedMinSVN); ok {
            log.Debugf("can't compare TaggedMinSVN against anything")
            return false
        } else {
            log.Debugf("unknown evidence SVN type")
            return false
        }
    }
I think you should be type-asserting pointers to types, rather than types, so evM.Val.SVN.Value.(*comid.TaggedSVN) etc.
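The pointer-versus-value assertion discussed in this exchange, as an added example that is not code from the PR or from the comid library. `TaggedSVN`, `TaggedMinSVN`, `SVN` and `matchSVN` are local stand-ins, and the comparison semantics (exact SVN must be equal, min-SVN is a lower bound) are an assumption.

```go
package main

import "fmt"

// Local stand-ins for comid.TaggedSVN and comid.TaggedMinSVN (assumed shape).
type TaggedSVN uint64
type TaggedMinSVN uint64

// SVN stands in for the measurement's SVN field; Value is assumed to hold a
// pointer after decoding, as the reply above suggests.
type SVN struct{ Value interface{} }

// matchSVN reports whether the evidence SVN satisfies the reference SVN.
// Assumed semantics: an exact SVN must be equal, a min-SVN is a lower bound.
// Every unexpected case fails closed and names the dynamic type it saw.
func matchSVN(ev, ref *SVN) (bool, error) {
	if ref == nil {
		return true, nil // the reference value does not constrain the SVN
	}
	if ev == nil {
		return false, fmt.Errorf("evidence has no SVN")
	}
	claim, ok := ev.Value.(*TaggedSVN) // assert the pointer type, not the value type
	if !ok || claim == nil {
		return false, fmt.Errorf("unsupported evidence SVN type %T", ev.Value)
	}
	switch r := ref.Value.(type) {
	case *TaggedSVN:
		if r != nil {
			return *claim == *r, nil
		}
	case *TaggedMinSVN:
		if r != nil {
			return uint64(*claim) >= uint64(*r), nil
		}
	}
	return false, fmt.Errorf("unsupported reference SVN type %T", ref.Value)
}

func main() {
	ev, floor := TaggedSVN(7), TaggedMinSVN(5) // constructed sample values
	_, byValue := interface{}(&ev).(TaggedSVN) // fails: dynamic type is *TaggedSVN
	ok, err := matchSVN(&SVN{Value: &ev}, &SVN{Value: &floor})
	fmt.Println(byValue, ok, err)
}
```

Logging the `%T` of the interface value is the quickest way to see which dynamic type the decoder actually produced when an assertion unexpectedly fails.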
"github.com/google/go-sev-guest/proto/sevsnp" | ||
"github.com/google/go-sev-guest/verify" | ||
"github.com/google/go-sev-guest/verify/trust" | ||
sevsnpParser "github.com/jraman567/go-gen-ref/cmd/sevsnp" |
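Review bot: the `sevsnpParser` import on the last line brings a package from a personal repository's `cmd/` tree into the same file as `go-sev-guest/verify` and `verify/trust`, so evidence handling depends on a command package under an individual account. Suggest moving the parser into a library package in a project-owned module, or at least pinning it to a tagged release, before this merges.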
I need to merge github.com/jraman567/go-gen-ref with github.com/veraison/gen-corim. It's in my pipeline but has the overhead of refactoring gen-corim.
|
||
const ( | ||
SchemeName = "SEVSNP" | ||
EndorsementMediaTypeRV = "application/corim-unsigned+cbor; profile=\"http://amd.com/2024/snp-corim-profile\"" |
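Review bot: the `profile` parameter in `EndorsementMediaTypeRV` is hard-coded as an `http://` URL inside an escaped string; check that it is character-for-character the identifier the SEV-SNP CoRIM profile defines, because a mismatch here would only show up when an endorsement is submitted. A raw string literal would also remove the `\"` escapes and make the value easier to compare by eye.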
@thomas-fossati, I was referring to this during last week's meeting. SEVSNP profile says that the profile tag is amd.com,2024:snp-corim-profile. How do I convert this to URI?
I would also appreciate your thoughts on EndorsementMediaTypeTA. Do I need to register somewhere?
> @thomas-fossati, I was referring to this during last week's meeting. SEVSNP profile says that the profile tag is amd.com,2024:snp-corim-profile. How do I convert this to URI?

tag:amd.com,2024:snp-corim-profile is already a URI (in fact, a "tag URI"), so you can use it as-is, no need to convert it:

    const (
        SchemeName = "SEVSNP"
        EndorsementMediaTypeRV = `application/corim-unsigned+cbor; profile="tag:amd.com,2024:snp-corim-profile"`
    )
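One way a receiver could match the `profile` parameter discussed above by parsing the media type instead of comparing whole strings; this is an added example, not code from the PR or from Veraison. `profileOf` and `acceptsSNP` are hypothetical names and the Content-Type values are constructed.

```go
package main

import (
	"fmt"
	"mime"
	"net/url"
)

const (
	corimType  = "application/corim-unsigned+cbor"
	snpProfile = "tag:amd.com,2024:snp-corim-profile"
)

// profileOf parses a Content-Type value and returns its profile parameter.
// It rejects other media types, a missing profile, and a profile that is not
// an absolute URI (one with a scheme, which a tag URI has).
func profileOf(contentType string) (string, error) {
	mt, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", err
	}
	if mt != corimType {
		return "", fmt.Errorf("unexpected media type %q", mt)
	}
	p, ok := params["profile"]
	if !ok {
		return "", fmt.Errorf("missing profile parameter")
	}
	if u, err := url.Parse(p); err != nil || u.Scheme == "" {
		return "", fmt.Errorf("profile %q is not an absolute URI", p)
	}
	return p, nil
}

// acceptsSNP is true only for the unsigned CoRIM type with the SNP tag URI.
func acceptsSNP(contentType string) bool {
	p, err := profileOf(contentType)
	return err == nil && p == snpProfile
}

func main() {
	for _, ct := range []string{ // constructed Content-Type values
		`application/corim-unsigned+cbor; profile="tag:amd.com,2024:snp-corim-profile"`,
		`application/corim-unsigned+cbor; profile="http://amd.com/2024/snp-corim-profile"`,
	} {
		fmt.Println(acceptsSNP(ct), ct)
	}
}
```

Parsing first makes the match insensitive to type-name case and to whitespace around the parameter, while the profile value itself is still compared exactly.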
Thank you for the great work: I request you add the README.md similar to, here and also add a link to any profile documentation you may have for the reader of this profile!
This PR implements the SEVSNP scheme for Veraison.
I'll be on vacation until March 20, with limited network access, so please expect a delay in my response. I'm looking forward to addressing your comments when I'm back. Cheers.