attestation: use KDS as fallback if THIM retrieval fails

edgelesssys · Apr 25, 2024 · d79864a · d79864a
1 parent ed4561e
commit d79864a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/internal/attestation/snp/issuer.go b/internal/attestation/snp/issuer.go
@@ -71,14 +71,16 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re
 	i.logger.Info("Retrieved report", "reportRaw", hex.EncodeToString(reportRaw))
 
 	// Get cert chain from THIM
+	var certChain *spb.CertificateChain
 	thimRaw, err := i.thimGetter.GetCertification()
 	if err != nil {
-		return nil, fmt.Errorf("issuer: getting cert chain from THIM: %w", err)
-	}
-	i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
-	certChain, err := thimRaw.Proto()
-	if err != nil {
-		return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+		i.logger.Info("Could not retrieve THIM certification", "error", err)
+	} else {
+		i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
+		certChain, err = thimRaw.Proto()
+		if err != nil {
+			return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+		}
 	}
 
 	// Get SNP product info from cpuid

diff --git a/internal/attestation/snp/validator.go b/internal/attestation/snp/validator.go
@@ -102,6 +102,16 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 	verifyOpts.CheckRevocations = true
 	verifyOpts.Getter = v.kdsGetter
 
+	var att *sevsnp.Attestation
+	if attestation.CertificateChain == nil {
+		v.logger.Info("No THIM certificate found, using KDS instead")
+		att, err = verify.GetAttestationFromReport(attestation.Report, verifyOpts)
+		if err != nil {
+			return fmt.Errorf("converting report to proto: %w", err)
+		}
+		attestation.CertificateChain = att.CertificateChain
+	}
+
 	// Report signature verification.
 
 	if err := verify.SnpAttestation(attestation, verifyOpts); err != nil {