constellation/hack/azure-snp-report-verify/README.md

# Obtain current Azure SNP ID key digest & firmware versions

On Azure, Constellation verifies that the SNP attestation report contains Azure's ID key digest.
Additionally, some firmware security version numbers (SVNs) are validated.
Currently, the only way to verify the digest's origin is to perform guest attestation with the help of the Microsoft Azure Attestation (MAA) service.
There's a [sample](https://github.com/Azure/confidential-computing-cvm-guest-attestation) on how to do this, but it's not straightforward.
So we created tooling to make things easier.

Perform the following steps to get the ID key digest & firmware versions:

1. Create an Ubuntu CVM on Azure with secure boot enabled and ssh into it.
2. Run
   ```
   docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter
   ```
   This executes the guest attestation and prints the JWT received from the MAA. (It's the long base64 blob.)
3. Copy the JWT and run **on your local trusted machine**:
   ```
   go run verify.go <jwt>
   ```
   On success it prints the ID key digest and relevant firmware SVNs.
AB#2413: Add workflow for snp-report-verify * Extend azure-snp-report-verify to also report fw SVNs. * Add workflow based on azure-cvm to get maa-jwt and verify it on a second runner. 2022-09-21 04:47:38 -04:00			`# Obtain current Azure SNP ID key digest & firmware versions`
add tooling to obtain Azure ID key digest 2022-08-30 06:28:15 -04:00
			`On Azure, Constellation verifies that the SNP attestation report contains Azure's ID key digest.`
AB#2413: Add workflow for snp-report-verify * Extend azure-snp-report-verify to also report fw SVNs. * Add workflow based on azure-cvm to get maa-jwt and verify it on a second runner. 2022-09-21 04:47:38 -04:00			`Additionally, some firmware security version numbers (SVNs) are validated.`
			`Currently, the only way to verify the digest's origin is to perform guest attestation with the help of the Microsoft Azure Attestation (MAA) service.`
add tooling to obtain Azure ID key digest 2022-08-30 06:28:15 -04:00			`There's a [sample](https://github.com/Azure/confidential-computing-cvm-guest-attestation) on how to do this, but it's not straightforward.`
			`So we created tooling to make things easier.`

AB#2413: Add workflow for snp-report-verify * Extend azure-snp-report-verify to also report fw SVNs. * Add workflow based on azure-cvm to get maa-jwt and verify it on a second runner. 2022-09-21 04:47:38 -04:00			`Perform the following steps to get the ID key digest & firmware versions:`
add tooling to obtain Azure ID key digest 2022-08-30 06:28:15 -04:00
			`1. Create an Ubuntu CVM on Azure with secure boot enabled and ssh into it.`
			`2. Run`
			```
AB#2413: Add workflow for snp-report-verify * Extend azure-snp-report-verify to also report fw SVNs. * Add workflow based on azure-cvm to get maa-jwt and verify it on a second runner. 2022-09-21 04:47:38 -04:00			`docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter`
add tooling to obtain Azure ID key digest 2022-08-30 06:28:15 -04:00			```
			`This executes the guest attestation and prints the JWT received from the MAA. (It's the long base64 blob.)`
			`3. Copy the JWT and run on your local trusted machine:`
			```
			`go run verify.go <jwt>`
			```
AB#2413: Add workflow for snp-report-verify * Extend azure-snp-report-verify to also report fw SVNs. * Add workflow based on azure-cvm to get maa-jwt and verify it on a second runner. 2022-09-21 04:47:38 -04:00			`On success it prints the ID key digest and relevant firmware SVNs.`