From d79864ab68af0531c7819e579e737a56ac4850b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Wei=C3=9Fe?=
Date: Thu, 25 Apr 2024 15:45:31 +0200
Subject: [PATCH] attestation: use KDS as fallback if THIM retrieval fails
---
 internal/attestation/snp/issuer.go | 14 ++++++++------
 internal/attestation/snp/validator.go | 10 ++++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/internal/attestation/snp/issuer.go b/internal/attestation/snp/issuer.go
index 6c70d09765..387e9e1cd3 100644
--- a/internal/attestation/snp/issuer.go
+++ b/internal/attestation/snp/issuer.go
@@ -71,14 +71,16 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re
 i.logger.Info("Retrieved report", "reportRaw", hex.EncodeToString(reportRaw))
 // Get cert chain from THIM
+ var certChain *spb.CertificateChain
 thimRaw, err := i.thimGetter.GetCertification()
 if err != nil {
- return nil, fmt.Errorf("issuer: getting cert chain from THIM: %w", err)
- }
- i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
- certChain, err := thimRaw.Proto()
- if err != nil {
- return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+ i.logger.Info("Could not retrieve THIM certification", "error", err)
+ } else {
+ i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
+ certChain, err = thimRaw.Proto()
+ if err != nil {
+ return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+ }
 }
 // Get SNP product info from cpuid
diff --git a/internal/attestation/snp/validator.go b/internal/attestation/snp/validator.go
index 86e43de94c..b4e7f84d82 100644
--- a/internal/attestation/snp/validator.go
+++ b/internal/attestation/snp/validator.go
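Review bot: The THIM failure in the new `if err != nil` branch is logged at Info even though it silently changes which trust path the attestation takes — the document leaves without a certificate chain and, per the validator hunk, verification then depends on reaching AMD's KDS at validation time; a degraded path selection like this belongs at warning level, `i.logger.Warn("Could not retrieve THIM certification, relying on KDS at validation", "error", err)`. Because `certChain` now stays nil in that case, callers and the validator must tolerate a document with no chain, so the Issue doc comment should say so, e.g. `// If THIM is unavailable the returned document carries no certificate chain and the validator is expected to fetch the VCEK chain from KDS.` The validator's fallback is keyed on `CertificateChain == nil`, so a THIM response whose `Proto()` yields an empty but non-nil chain would presumably not trigger it — worth confirming thimRaw.Proto() cannot produce that, or the check should also cover an empty VcekCert. The body of Issue starts and ends outside this hunk.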
@@ -102,6 +102,16 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 verifyOpts.CheckRevocations = true
 verifyOpts.Getter = v.kdsGetter
+ var att *sevsnp.Attestation
+ if attestation.CertificateChain == nil {
+ v.logger.Info("No THIM certificate found, using KDS instead")
+ att, err = verify.GetAttestationFromReport(attestation.Report, verifyOpts)
+ if err != nil {
+ return fmt.Errorf("converting report to proto: %w", err)
+ }
+ attestation.CertificateChain = att.CertificateChain
+ }
+
 // Report signature verification.
 if err := verify.SnpAttestation(attestation, verifyOpts); err != nil {