From ad991fd38b1d3dda226c5216b8092cfe8a4d7ce3 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Mon, 15 Apr 2024 12:03:38 +0200
Subject: [PATCH] snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---
 internal/attestation/gcp/snp/issuer.go    |  4 ++--
 internal/attestation/gcp/snp/validator.go | 14 +++++++-------
 internal/attestation/snp/snp.go           |  2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/internal/attestation/gcp/snp/issuer.go b/internal/attestation/gcp/snp/issuer.go
index 0ceb5e9601d..ab68c3edebd 100644
--- a/internal/attestation/gcp/snp/issuer.go
+++ b/internal/attestation/gcp/snp/issuer.go
@@ -62,8 +62,8 @@ func getInstanceInfo(_ context.Context, _ io.ReadWriteCloser, extraData []byte)
 	if len(extraData) > 64 {
 		return nil, fmt.Errorf("extra data too long: %d, should be 64 bytes at most", len(extraData))
 	}
-	extraData64 := make([]byte, 64)
-	copy(extraData64, extraData)
+	var extraData64 [64]byte
+	copy(extraData64[:], extraData)
 
 	device, err := sevclient.OpenDevice()
 	if err != nil {
diff --git a/internal/attestation/gcp/snp/validator.go b/internal/attestation/gcp/snp/validator.go
index cd72366d7e8..c7505778dad 100644
--- a/internal/attestation/gcp/snp/validator.go
+++ b/internal/attestation/gcp/snp/validator.go
@@ -68,21 +68,21 @@ func NewValidator(cfg *config.GCPSEVSNP, log attestation.Logger) (*Validator, er
 
 // getTrustedKey returns TPM endorsement key provided through the GCE metadata API.
 func (v *Validator) getTrustedKey(ctx context.Context, attDoc vtpm.AttestationDocument, extraData []byte) (crypto.PublicKey, error) {
-	ekPub, err := v.gceKeyGetter(ctx, attDoc, nil)
-	if err != nil {
-		return nil, fmt.Errorf("getting TPM endorsement key: %w", err)
-	}
-
 	if len(extraData) > 64 {
 		return nil, fmt.Errorf("extra data too long: %d, should be 64 bytes at most", len(extraData))
 	}
-	extraData64 := make([]byte, 64)
-	copy(extraData64, extraData)
+	var extraData64 [64]byte
+	copy(extraData64[:], extraData)
 
 	if err := v.reportValidator.validate(attDoc, (*x509.Certificate)(&v.cfg.AMDSigningKey), (*x509.Certificate)(&v.cfg.AMDRootKey), [64]byte(extraData64), v.cfg, v.log); err != nil {
 		return nil, fmt.Errorf("validating SNP report: %w", err)
 	}
 
+	ekPub, err := v.gceKeyGetter(ctx, attDoc, nil)
+	if err != nil {
+		return nil, fmt.Errorf("getting TPM endorsement key: %w", err)
+	}
+
 	return ekPub, nil
 }
 
diff --git a/internal/attestation/snp/snp.go b/internal/attestation/snp/snp.go
index 4079aa78ee8..c341e31fa9a 100644
--- a/internal/attestation/snp/snp.go
+++ b/internal/attestation/snp/snp.go
@@ -137,7 +137,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
 		logger.Info("Using cached ASK certificate")
 		att.CertificateChain.AskCert = fallbackCerts.ask.Raw
 	}
-	if att.CertificateChain.ArkCert == nil && fallbackCerts.ark != nil {
+	if fallbackCerts.ark != nil {
 		logger.Info("Using cached ARK certificate")
 		att.CertificateChain.ArkCert = fallbackCerts.ark.Raw
 	}