The library currently uses the CurrentTCB values of a report when querying the AMD KDS for the VCEK certificate, as opposed to the AMD SEV-SNP ABI spec, which says:

The firmware maintains a TCB_VERSION called the ReportedTcb. ReportedTcb is used to derive
the VCEK that signs the attestation report.

When ReportedTCB != CurrentTCB, this results in a signature verification error when checking the report's signature with the VCEK certificate's public key here:

I reported the issue that #44 works around to AMD. They said they'll change KDS's behavior, but it may take a few months given everything else going on. Once the back-dating is in, we shouldn't need the skew behavior in PR44. We should keep the API signature changes though.

Hey there!

If abi.SevProduct() is called in a guest with a malfunctioning SEV-SNP device, this results in the cpuid() call to error with a nil-pointer exception as follows (line numbers based on v0.8.0 this library):

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x411ded9]
goroutine 170 [running]:
github.com/google/go-sev-guest/abi.SevProduct()
external/com_github_google_go_sev_guest/abi/abi.go:810 +0x19
github.com/google/go-sev-guest/client.(*LinuxDevice).Product(0xc00068c580?)
external/com_github_google_go_sev_guest/client/client_linux.go:124 +0xf
github.com/google/go-sev-guest/client.GetExtendedReportAtVmpl({0x15728d0, 0xc000c59a10}, {0xca, 0xcb, 0x75, 0x2, 0xfd, 0x96, 0x8, 0x32, ...}, ...)
external/com_github_google_go_sev_guest/client/client.go:180 +0xf9
github.com/google/go-sev-guest/client.GetExtendedReport(...)
external/com_github_google_go_sev_guest/client/client.go:186

While I still need to figure out what in cpuid exactly causes this failure (haven't got to read into the spec of CPUID yet), I think an easy approach would be to recover from the panic and return an error in that case that could be passed on to the caller, which would lead to an early failure and thus be my personal favorite. Otherwise, falling back to the DefaultSevProduct might be an option too if the function's signature should be kept as is.

Feel free to let me know your thoughts on this and I will be happy to implement it!

When the guest kernel patches are fixed to remove the uninitialized memory from the response, we can remove our check for EIO to avoid doing anything to the firmware error value. Added in PR#3

Hi there,

In addition to SEV-SNP, the legacy SEV also produces a guest report, even though it's coming from the hypervisor. The report from the legacy SEV can be obtained from ATTESTATION ioctl from the hypervisor, and it contains a signature from PEK. Is there a plan to support the validate and verify for the legacy SEV report in this project?

In the trust package, there is a certificate cache in the global state:

This causes tests with multiple test cases to be flaky, as potential errors are not reached if a successful request was cached before and ClearProductCertCache() was not called. The certificate cache should rather be scoped to an object, implementing GetProductChain() as a method. If you are fine with this, I will implement it.

Liunx kernel 6.1 incorporates @pgonda's IV reuse crypto fix, which deletes the VMPCK when the host VMM returns any error. The x86/urgent follow-up to retry commands when throttled to avoid deleting the VMPCK is not in 6.1 yet.

While not a panacea, we can self-throttle in this library as a workaround until that throttling awareness fix is in.

	min, err := kds.ComposeTCBParts(options.MinimumTCB)
	if err != nil {
		return fmt.Errorf("option MinimumTCB error: %v", err)
	}
	if kds.TCBVersion(report.GetCurrentTcb()) < min {
		return fmt.Errorf("firmware's current TCB %x is less than required %x",
			report.GetCurrentTcb(), min)
	}

This treats the TCB_VERSION as a single number instead of an array of lower bounds for each kind of SPL. This means the accidental position of one SPL can mask a version mismatch in a lower order version. For example, [2, 1] is greater than [1, 3], but you don't want to allow a lower SPL for the number on the right because the number on the left is higher.

We should treat the minimum TCB_VERSION as a piecewise minimum.

do we have a tool to generate an id block?

unfortunately i can't really figure out the structure from the sev doc.

as far as i understand this

is the result of secure processor already doing its thing with the idblock and not the input format

How verify function needs to be run by having the binary report and which files should be provided, can you provide the example command?

For some reason, github.com/google/go-tpm-tools depends on this package and causes build to fail on 32bits architectures:

../../go/pkg/mod/github.com/google/[email protected]/abi/amdsp.go:105:53: cannot use 0x100000000 (untyped int constant 4294967296) as SevFirmwareStatus value in constant declaration (overflows)

This is blocking the whole build and is a bit problematic.

A way to fix this is to modify https://github.com/google/go-sev-guest/blob/main/abi/amdsp.go#L21C1-L21C27

type SevFirmwareStatus int

To

type SevFirmwareStatus int64

I tested with GOARCH=386 go build ./... and confirmed there are no other issues preventing building this repository.

Hey 👋

I was trying to use 0.7.0 in order to verify an SNP attestation report on AWS. I know now that VLEK is used instead of VCEK and found #67. I will comment there as well once I played around with it :)

While using 0.7.0 I got a somewhat confusing error. The error I got was timeout while downloading the VCEK. So I wasted quite a bit of time debugging (non existing network issues). What was actually happening is that the library was trying to fetch https://kdsintf.amd.com/vcek/v1/Milan/00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000?blSPL=3&teeSPL=0&snpSPL=10&ucodeSPL=207 and AMD correctly responded with 404. Currently everything >300 is handled the same. I think we could narrow down the status code a bit and / or inform users about the underlying error while retrying.

AMD seems to honor the status codes documented in Chapter 4.1. So we could test for HTTP 429 and error early otherwise?

Let me know what you think. I am open to put in a PR as well.

bee858a#diff-11eac54c87d256754b194b9fc9f84436b29b78da33c6104ba962067db5199d0eL174-L176

I think it is better not to arbitrarily change function signatures, especially within a minor version change, such as this breaking change occurring from v0.7.0 to v0.7.1. It is better to annotate the change with a comment like Deprecated: use xxx instead, so that other developers can understand how to modify their code after upgrading.

Thanks

Dear Sir/Madam, Currently the repository is empty please add some files or README.md file to get more knowledge on this one. So that we can contribute to the project 👍🏻

Here's an article to get more info on readme file : README File – Everything you Need to Know

Hi,there.

d.Product() returns product name SevProduct_SEV_PRODUCT_UNKNOWN while I'm using model Milan for sure. Do i need to run a command like snphost import to set CPU id value for my guests?

Currently, GetAttestationFromReport doesn't allow specifying a certificate chain, and fillInAttestation is private. Does this have any particular reason? Otherwise, one is not allowed to specify a partially present certificate chain (e.g. only ARK) and have the rest filled in. While changing adding an additional parameter to GetAttestationFromReport would be a breaking change, an additional method could be added (e.g. GetAttestationFromReportAndCertChain) to take both a report and a cert chain and fill in only the missing certificates, or the fillInAttestation method could be made public.

when using the structure from https://github.com/AMDESE/linux-svsm

i'm setting the certs using https://github.com/AMDESE/sev-guest

as hinted in

AMDESE/linux-svsm#14

which works fine with sev-guest-get-report but not with this lib.

pressumably svsm doesnt implement the right call?
can we just assume a default size if it fails?

We should be able to use Github actions to build the attest/check CLI tools and include them in their own release tarball. While it's not a signed package in a Google-endorsed package repository, it's something to reduce the cost of adoption.

Hey,

currently the Report type does not parse the nested types it includes. For example the TCB versions included are parsed as uint64 and require another function to parse the included data from the field.

How do you feel about accepting a contribution that would change the existing Report type to a nested type that includes subtypes like TCBParts? It seems to me like this would change the layout of the lib in a few places, hence the question.

Best,
Otto

Using go-tpm-tools/client introduces go-sev-guest/abi as dependency. This in turn depends on glog which leaks as shown below. Sadly, glog is also unmaintained, so there's no way for us to provide a fix. Is it possible to replace glog with klog? The interface seems to be similar.

goleak: Errors on successful test run: found unexpected goroutines:
[Goroutine 19 in state chan receive, with github.com/golang/glog.(*loggingT).flushDaemon on top of the stack:
goroutine 19 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0x0?)
	/home/euler/go/pkg/mod/github.com/golang/[email protected]/glog.go:882 +0x6a
created by github.com/golang/glog.init.0
	/home/euler/go/pkg/mod/github.com/golang/[email protected]/glog.go:410 +0x1bf

Im getting the below error when trying to obtain the report for the device using GetExtendedReport. What could be causing this?

error querying certificate length: invalid argument

So far Ive done client.OpenDevice() under the /dev/sev path to get the device. Then tried to call client.GetExtendedReport(device, reportData) which returns the above error.

Hi @deeglaze, I'm currently trying to embed this repo to my snp attestation workflow. When using GetExtendedReport(), it seems that i should first set ark/ask/vcek on host platform. So I have the following questions:

1. How to get vcek on host? Since chip_id and tcb_version are required to derive vcek from amd sev kds. As far as I know, they are presented in attestation report, but the report cannot be directly accessed by host.
2. How to set ark/ask/vcek on host? Is there any tool available now?(I found a rust repo snphost)

The VLEK key type was added in the API revision of November 2022 (primarily an AWS-requested feature), but we don't have proper support for the key type in our KDS cert validation or in the change to the 32-bits that include AUTHOR_KEY_EN. This issue should be closed when we have fake SEV device VLEK support, unit tests, cert chain proto representation of the cert type, and ensure that VLEK/VCEK keys are only acceptable for report types that embed that key type in the report.

While we could pun the VCEK field with the VLEK, it's not the cleanest solution. I think I'd prefer separate fields in the certificate chain representation.

When there are more SEV-SNP products than just "Milan", we'll need a way to determine what kind of machine produced an attestation report. This can either be deduced from the guest context at collection time through CPUID, an a priori option at verification time, or some unknown third option where we can determine the product from attestation report contents itself. This will be useful for collecting certificates from the KDS using just an attestation report.

It would be good to update this to include subsequent hardware models.