attestation: add TDX validator #768
Conversation
msanft
force-pushed
the
msanft/tdx-validator
branch
from
275274c to
7aa2786
Compare
There should not be (at least not intentionally) any validations missing. The only thing that's missing related to validation is the options generator which takes a set of reference values and transforms them into something that can be understood by the TDX library. As this is required to use the validator implemented in this PR by design (i.e. since no other type implements the required interface, as of now), I don't think leaving a TODO for that makes much sense. The certificate extension mechanism I talk about in the PR description refers to the embedding of SNP attestation data into the certificate issued by the mesh authority, which, to my understanding, is not integral to an MVP for TDX attestation. Since it'll require quite a lot of code, and I want to keep my PRs easy to review, I simply opted not to do that in this PR. |
msanft
force-pushed
the
msanft/tdx-validator
branch
from
7aa2786 to
871fd1a
Compare
| quote := &tdx.QuoteV4{} | ||
| if err := proto.Unmarshal(attDocRaw, quote); err != nil { |
There was a problem hiding this comment.
Why does the Issuer return a marshalled proto quote, instead of just the raw quote?
There was a problem hiding this comment.
I'm not sure actually. I think the raw report should even be shorter, as it's non-self-describing too
msanft
force-pushed
the
msanft/tdx-validator
branch
2 times, most recently
from
f10c6a7 to
f8c3549
Compare
msanft
force-pushed
the
msanft/tdx-trusted-measurement-embedding
branch
4 times, most recently
from
1b3d3c0 to
fda28a4
Compare
msanft
force-pushed
the
msanft/tdx-validator
branch
2 times, most recently
from
6840d6a to
40d9d6d
Compare
|
What's the status of this PR? |
Theoretically we could rebase and merge this already, without actually using the validator. However, since #783 looks ok to be reviewed and merged too (which I expected to not be the case this fast), i'd advocate to merge that one first. |
msanft
force-pushed
the
msanft/tdx-validator
branch
from
40d9d6d to
757133e
Compare
|
CI is not happy yet. |
The TDX validator will also require a mechanism to store certificates, and as we have such code already present for SNP, just use it for both.
This adds a basic implementation of a TDX-capable validator. It's not yet used throughout the code, and it doesn't implement certificate extensions yet.
This aligns the code structure and error messages of the SNP validator to those of the TDX validator.
Freax13
force-pushed
the
msanft/tdx-validator
branch
from
757133e to
1d2dc39
Compare
|
Rebased onto main. |
This adds a preliminary TDX validator. It is not yet used throughout the code, nor does it implement certificate extensions like the SNP one does. But to not have the PR size explode, and since this is an independent component, I opted to put it into a separate PR with this.
Sent a review request to @daniel-weisse for the
go-tdx-guestcode.