[release/v1.2] attestation.snp: reflect dependency of validators on productLine in verify.Options #1097
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #1082 to
release/v1.2.Original description:
Our reference values of SNP attestation have a hard dependency on the productLine used during attestation. This includes the derivation of trustedRoots, as well as the trustedMeasurements. By design, we start a validator configured with specific verifyOpts for each reference value.
This led to the error "VCEK could not be verified by any trusted roots", because validators configured with the wrong productLine tried to fulfill the attestation verification. Therefore this PR adds the explicit setting of the productLine in verifyOpts, to reflect the dependency of our reference values on the productLine. As expected we then run into the error below prior to validation, which reveals that a validator is configured for the wrong productLine:
time=2024-12-18T10:46:20.815Z level=ERROR msg="Validation failed" mesh-authority.validator.tee-type=snp mesh-authority.validator.nonce=6881501f40cebdb1492a87316e5a11cbb1bb9dfc2939240a9df098dacdab8b6a mesh-authority.validator.error="verifying report: expected product name SEV_PRODUCT_MILAN, got SEV_PRODUCT_GENOA"Logging considerations were moved to #1095