diff --git a/go.mod b/go.mod
index 29b13b5320..a70ad5f1b3 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/edgelesssys/nunki
 go 1.21
 require (
- github.com/google/go-sev-guest v0.10.0
+ github.com/google/go-sev-guest v0.10.2-0.20240126023144-76997c0b1210
 github.com/spf13/afero v1.11.0
 github.com/spf13/cobra v1.8.0
 github.com/stretchr/testify v1.8.4
@@ -13,8 +13,8 @@ require (
 google.golang.org/grpc v1.60.1
 google.golang.org/protobuf v1.32.0
 gopkg.in/yaml.v3 v3.0.1
- k8s.io/api v0.29.0
- k8s.io/apimachinery v0.29.0
+ k8s.io/api v0.29.1
+ k8s.io/apimachinery v0.29.1
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 )
diff --git a/go.sum b/go.sum
index 9fba26afb0..a5e9f8b42d 100644
--- a/go.sum
+++ b/go.sum
@@ -16,8 +16,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98=
 github.com/google/go-configfs-tsm v0.2.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
-github.com/google/go-sev-guest v0.10.0 h1:5gAM9zPaBzgKoGEdiWJU/uNXY97LjwBG0rrRf2Ul0uE=
-github.com/google/go-sev-guest v0.10.0/go.mod h1:/5hrgGWqG7+MPTXKhQz+v9ZE+Eh4MCBdItCNwgshlrk=
+github.com/google/go-sev-guest v0.10.2-0.20240126023144-76997c0b1210 h1:PTC8sKRH6u2XAsnQfn4V8sCKLIvsCPGKMW4TVti2Cdk=
+github.com/google/go-sev-guest v0.10.2-0.20240126023144-76997c0b1210/go.mod h1:/5hrgGWqG7+MPTXKhQz+v9ZE+Eh4MCBdItCNwgshlrk=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -120,10 +120,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
-k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
-k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
-k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
+k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw=
+k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ=
+k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc=
+k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
diff --git a/internal/attestation/snp/issuer.go b/internal/attestation/snp/issuer.go
index 80dd850b37..29ba4c7da9 100644
--- a/internal/attestation/snp/issuer.go
+++ b/internal/attestation/snp/issuer.go
@@ -49,7 +49,11 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re
 reportData := constructReportData(ownPublicKey, nonce)
- reportRaw, err := client.GetRawReport(snpGuestDevice, reportData)
+ quoteProvider, err := client.GetQuoteProvider()
+ if err != nil {
+ return nil, fmt.Errorf("issuer: getting quote provider: %w", err)
+ }
+ reportRaw, err := quoteProvider.GetRawQuote(reportData)
 if err != nil {
 return nil, fmt.Errorf("issuer: getting raw report: %w", err)
 }
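Review bot: `quoteProvider.GetRawQuote(reportData)` can hand back more than a bare report — the validator side of this same change decides by length whether a certificate table follows the report — but nothing in `Issue` records that contract, so a reader here will assume `reportRaw` is exactly `abi.ReportSize` bytes. I would add `// The raw quote may carry the SNP certificate table appended to the report; the validator tells the two apart by length.` above the call. The change also drops the explicit `snpGuestDevice`, so which backend serves the request is now selected inside go-sev-guest; a one-line comment at `client.GetQuoteProvider()` saying the provider (configfs-tsm or the guest device) is chosen by the library would keep that implicit choice visible. The enclosing `Issue` method begins and ends outside this hunk.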
diff --git a/internal/attestation/snp/validator.go b/internal/attestation/snp/validator.go
index 171b587d58..fba45da3f1 100644
--- a/internal/attestation/snp/validator.go
+++ b/internal/attestation/snp/validator.go
@@ -91,21 +91,17 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 }
 v.logger.Info("Report decoded", "reportRaw", hex.EncodeToString(reportRaw))
- report, err := abi.ReportToProto(reportRaw)
- if err != nil {
- return fmt.Errorf("converting report to proto: %w", err)
- }
-
- // Report signature verification.
-
 verifyOpts := verify.DefaultOptions()
 verifyOpts.CheckRevocations = true
 verifyOpts.Getter = v.kdsGetter
- attestation, err := verify.GetAttestationFromReport(report, verifyOpts)
+ attestation, err := constructReportWithCertChain(reportRaw, verify.DefaultOptions())
 if err != nil {
- return fmt.Errorf("getting attestation from report: %w", err)
+ return fmt.Errorf("converting report to proto: %w", err)
 }
+
+ // Report signature verification.
+
 if err := verify.SnpAttestation(attestation, verifyOpts); err != nil {
 return fmt.Errorf("verifying report: %w", err)
 }
@@ -114,7 +110,7 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 // Validate the report data.
 reportDataExpected := constructReportData(peerPublicKey, nonce)
- validateOpts, err := v.validateOptsGen.SNPValidateOpts(report)
+ validateOpts, err := v.validateOptsGen.SNPValidateOpts(attestation.Report)
 if err != nil {
 return fmt.Errorf("generating validation options: %w", err)
 }
@@ -128,7 +124,7 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 for _, callbacker := range v.callbackers {
 if err := callbacker.ValidateCallback(
- ctx, report, v.OID(), reportRaw, nonce, peerPublicKey,
+ ctx, attestation.Report, v.OID(), reportRaw, nonce, peerPublicKey,
 ); err != nil {
 return fmt.Errorf("callback failed: %w", err)
 }
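Review bot: `constructReportWithCertChain(reportRaw, verify.DefaultOptions())` passes a fresh default options value, so when the attester sends a bare report the certificate chain is fetched through go-sev-guest's default getter, and the `v.kdsGetter` configured on `verifyOpts` two lines above is, as far as I can see, no longer the one performing that fetch. Unless bypassing the configured getter is intended, pass the configured options: `attestation, err := constructReportWithCertChain(reportRaw, verifyOpts)`. The error text `"converting report to proto: %w"` now also covers a failed certificate fetch, so `"constructing attestation from report: %w"` would describe the failure more honestly. On the extended-report path the certificate table comes from the attester itself and is only trustworthy after `verify.SnpAttestation` has chained it to the AMD root, which the code relies on but does not say; a comment above the `SnpAttestation` call stating that it also validates any attester-supplied chain would make that explicit. `Validate` begins and ends outside this hunk.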
@@ -137,3 +133,17 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 v.logger.Info("Validate finished successfully")
 return nil
 }
+
+func constructReportWithCertChain(reportRaw []byte, verifyOpts *verify.Options) (*sevsnp.Attestation, error) {
+ if len(reportRaw) >= (abi.ReportSize + abi.CertTableEntrySize) {
+ // got extended report (report + cert chain)
+ return abi.ReportCertsToProto(reportRaw)
+ }
+ // got report only, need to fetch cert chain
+ report, err := abi.ReportToProto(reportRaw)
+ if err != nil {
+ return nil, fmt.Errorf("converting report to proto: %w", err)
+ }
+
+ return verify.GetAttestationFromReport(report, verifyOpts)
+}
diff --git a/packages/default.nix b/packages/default.nix
index 83e034d71e..6f08980ea6 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -42,7 +42,7 @@ rec {
 src = goFiles;
 proxyVendor = true;
- vendorHash = "sha256-mpRigbkv18fnnLvaWfPIiAqhFo5lMvNNAXhbX2ghq+I=";
+ vendorHash = "sha256-loFLYZzVyglL+o8cnfzspGjFM1SchxZcDUk1RUIm4oE=";
 prePatch = ''
 install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/assets/genpolicy-settings.json
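Review bot: `constructReportWithCertChain` has no doc comment, and its `verifyOpts` parameter is only consulted on the fallback path, which a caller cannot tell from the signature; I would document it as `// constructReportWithCertChain parses a raw SNP report into an Attestation. If a certificate table follows the report it is taken as-is (the caller must still verify the chain); otherwise the chain is fetched using verifyOpts.` The check `len(reportRaw) >= (abi.ReportSize + abi.CertTableEntrySize)` classifies the input by length alone, so any trailing bytes of at least one table entry are handed to `abi.ReportCertsToProto` as a certificate table, while on the shorter branch `abi.ReportToProto` presumably accepts up to one entry's worth of extra bytes without complaint; a comment at the `if` noting that the attester-supplied bytes are untrusted until `verify.SnpAttestation` chains them to the AMD root would make that trust boundary explicit. Renaming the parameter to `fetchOpts` would also stop readers from assuming these options govern signature verification. The `Validate` method whose closing lines appear as context starts outside this hunk; the new function itself is complete here.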