diff --git a/.github/actions/e2e_verify/action.yml b/.github/actions/e2e_verify/action.yml index f1f448680..c0406d2c2 100644 --- a/.github/actions/e2e_verify/action.yml +++ b/.github/actions/e2e_verify/action.yml @@ -66,18 +66,14 @@ runs: forwarderPID=$! sleep 5 - verifyOut=$(constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090) - - kill $forwarderPID - - if [[ ${{ inputs.cloudProvider }} != "azure" ]]; then - continue + if [[ ${{ inputs.cloudProvider }} == "azure" ]]; then + echo "Extracting Azure TCB versions for API update" + constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090 -o json > "snp-report-${node}.json" + else + constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090 fi - echo "Extracting TCB versions for API update" - startMAAToken="Microsoft Azure Attestation Token:" - endMAAToken="Verification OK" - sed -n "/${startMAAToken}/,/${endMAAToken}/ { /${startMAAToken}/d; /${endMAAToken}/d; p }" <<< "${verifyOut}" > "maa-claims-${node}.json" + kill $forwarderPID done - name: Login to AWS @@ -94,8 +90,8 @@ runs: COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} run: | - for file in $(ls maa-claims-*.json); do + for file in $(ls snp-report-*.json); do path=$(realpath "${file}") cat "${path}" - bazel run //internal/api/attestationconfigapi/cli -- --maa-claims-path "${path}" + bazel run //internal/api/attestationconfigapi/cli -- --snp-report-path "${path}" done diff --git a/bazel/toolchains/go_module_deps.bzl b/bazel/toolchains/go_module_deps.bzl index 2d7683cee..405fc9196 100644 --- a/bazel/toolchains/go_module_deps.bzl +++ b/bazel/toolchains/go_module_deps.bzl @@ -2480,8 +2480,9 @@ def go_dependencies(): build_file_generation = "on", build_file_proto_mode = "disable_global", importpath = "github.com/google/go-sev-guest", - sum = "h1:XlvpFmmyMGvXmCIBTScYt7AX3ClvW8gfFN3SBCRVuKY=", - version = "v0.9.1", + replace = "github.com/google/go-sev-guest", + sum = "h1:6o4Z/vQqNUH+cEagfx1Ez5ElK70iZulEXZwmLnRo44I=", + version = "v0.0.0-20230928233922-2dcbba0a4b9d", ) go_repository( name = "com_github_google_go_tdx_guest", diff --git a/cli/internal/cmd/verify.go b/cli/internal/cmd/verify.go index 856de315e..90e31b15a 100644 --- a/cli/internal/cmd/verify.go +++ b/cli/internal/cmd/verify.go @@ -712,18 +712,26 @@ func newCertificates(certTypeName string, cert []byte, log debugLog) (certs []ve if err != nil { return certs, fmt.Errorf("parsing VCEK certificate extensions: %w", err) } + certPEM := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", + Bytes: cert.Raw, + }) certs = append(certs, verify.Certificate{ - Certificate: cert, - CertTypeName: certTypeName, - StructVersion: vcekExts.StructVersion, - ProductName: vcekExts.ProductName, - TCBVersion: newTCBVersion(vcekExts.TCBVersion), - HardwareID: vcekExts.HWID, + CertificatePEM: string(certPEM), + CertTypeName: certTypeName, + StructVersion: vcekExts.StructVersion, + ProductName: vcekExts.ProductName, + TCBVersion: newTCBVersion(vcekExts.TCBVersion), + HardwareID: vcekExts.HWID, }) } else { + certPEM := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", + Bytes: cert.Raw, + }) certs = append(certs, verify.Certificate{ - Certificate: cert, - CertTypeName: certTypeName, + CertificatePEM: string(certPEM), + CertTypeName: certTypeName, }) } i++ @@ -783,7 +791,7 @@ func newSNPReport(reportBytes []byte) (res verify.SNPReport, err error) { SignerInfo: verify.SignerInfo{ AuthorKey: signerInfo.AuthorKeyEn, MaskChipKey: signerInfo.MaskChipKey, - SigningKey: signerInfo.SigningKey, + SigningKey: signerInfo.SigningKey.String(), }, ReportData: report.ReportData, Measurement: report.Measurement, diff --git a/go.mod b/go.mod index fdb46dd7b..b8cc8aea9 100644 --- a/go.mod +++ b/go.mod @@ -33,6 +33,7 @@ replace ( replace ( github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api => ./operators/constellation-node-operator/api + github.com/google/go-sev-guest => github.com/google/go-sev-guest v0.0.0-20230928233922-2dcbba0a4b9d github.com/google/go-tpm => github.com/thomasten/go-tpm v0.0.0-20230629092004-f43f8e2a59eb github.com/google/go-tpm-tools => github.com/msanft/go-tpm-tools v0.0.0-20231009082622-266280269413 github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c diff --git a/go.sum b/go.sum index 92e883757..2fb3c9d57 100644 --- a/go.sum +++ b/go.sum @@ -574,8 +574,8 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE= github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q= -github.com/google/go-sev-guest v0.9.1 h1:XlvpFmmyMGvXmCIBTScYt7AX3ClvW8gfFN3SBCRVuKY= -github.com/google/go-sev-guest v0.9.1/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs= +github.com/google/go-sev-guest v0.0.0-20230928233922-2dcbba0a4b9d h1:6o4Z/vQqNUH+cEagfx1Ez5ElK70iZulEXZwmLnRo44I= +github.com/google/go-sev-guest v0.0.0-20230928233922-2dcbba0a4b9d/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs= github.com/google/go-tdx-guest v0.2.2 h1:MgHcWLCEHVpqR0LXxtgJq2uG0oNNszV8+5XYtKs7+Yg= github.com/google/go-tdx-guest v0.2.2/go.mod h1:a8EIh1l5x7jmIrrOuH//xWn6y4Sk4yupwmMcJE006RI= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= diff --git a/internal/api/attestationconfigapi/cli/BUILD.bazel b/internal/api/attestationconfigapi/cli/BUILD.bazel index d1eefcc55..a64c3fdbd 100644 --- a/internal/api/attestationconfigapi/cli/BUILD.bazel +++ b/internal/api/attestationconfigapi/cli/BUILD.bazel @@ -19,11 +19,14 @@ go_library( deps = [ "//internal/api/attestationconfigapi", "//internal/constants", + "//internal/file", "//internal/logger", "//internal/staticupload", + "//internal/verify", "@com_github_aws_aws_sdk_go//aws", "@com_github_aws_aws_sdk_go_v2_service_s3//:s3", "@com_github_aws_aws_sdk_go_v2_service_s3//types", + "@com_github_spf13_afero//:afero", "@com_github_spf13_cobra//:cobra", "@org_uber_go_zap//:zap", ], @@ -31,9 +34,13 @@ go_library( go_test( name = "cli_test", - srcs = ["delete_test.go"], + srcs = [ + "delete_test.go", + "main_test.go", + ], embed = [":cli_lib"], deps = [ + "//internal/verify", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", ], diff --git a/internal/api/attestationconfigapi/cli/delete.go b/internal/api/attestationconfigapi/cli/delete.go index 05df3e6dd..3622b0d98 100644 --- a/internal/api/attestationconfigapi/cli/delete.go +++ b/internal/api/attestationconfigapi/cli/delete.go @@ -73,12 +73,12 @@ func runDelete(cmd *cobra.Command, _ []string) (retErr error) { if err != nil { return fmt.Errorf("getting testing flag: %w", err) } - _, distribution := getEnvironment(testing) + apiCfg := getAPIEnvironment(testing) cfg := staticupload.Config{ Bucket: bucket, Region: region, - DistributionID: distribution, + DistributionID: apiCfg.distribution, } client, clientClose, err := attestationconfigapi.NewClient(cmd.Context(), cfg, []byte(cosignPwd), []byte(privateKey), false, 1, log) @@ -113,13 +113,13 @@ func runRecursiveDelete(cmd *cobra.Command, _ []string) (retErr error) { if err != nil { return fmt.Errorf("getting testing flag: %w", err) } - _, distribution := getEnvironment(testing) + apiCfg := getAPIEnvironment(testing) log := logger.New(logger.PlainLog, zap.DebugLevel).Named("attestationconfigapi") client, closeFn, err := staticupload.New(cmd.Context(), staticupload.Config{ Bucket: bucket, Region: region, - DistributionID: distribution, + DistributionID: apiCfg.distribution, }, log) if err != nil { return fmt.Errorf("create static upload client: %w", err) diff --git a/internal/api/attestationconfigapi/cli/e2e/test.sh.in b/internal/api/attestationconfigapi/cli/e2e/test.sh.in index 5382b6725..1b501d3fd 100755 --- a/internal/api/attestationconfigapi/cli/e2e/test.sh.in +++ b/internal/api/attestationconfigapi/cli/e2e/test.sh.in @@ -31,53 +31,95 @@ registerExitHandler "rm -rf $tmpdir" ${configapi_cli} delete recursive --region "$region" --bucket "$bucket" # the high version numbers ensure that it's newer than the current latest value -readonly current_claim_path="$tmpdir/currentMaaClaim.json" -cat << EOF > "$current_claim_path" +readonly current_report_path="$tmpdir/currentSnpReport.json" +cat << EOF > "$current_report_path" { - "x-ms-isolation-tee": { - "x-ms-sevsnpvm-tee-svn": 1, - "x-ms-sevsnpvm-snpfw-svn": 1, - "x-ms-sevsnpvm-microcode-svn": 1, - "x-ms-sevsnpvm-bootloader-svn": 1 + "snp_report": { + "reported_tcb": { + "bootloader": 1, + "tee": 1, + "snp": 1, + "microcode": 1 + }, + "committed_tcb": { + "bootloader": 1, + "tee": 1, + "snp": 1, + "microcode": 1 + }, + "launch_tcb": { + "bootloader": 1, + "tee": 1, + "snp": 1, + "microcode": 1 + } } } EOF # upload a fake latest version for the fetcher -${configapi_cli} --force --maa-claims-path "$current_claim_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket" +${configapi_cli} --force --snp-report-path "$current_report_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket" # the high version numbers ensure that it's newer than the current latest value -readonly claim_path="$tmpdir/maaClaim.json" -cat << EOF > "$claim_path" +readonly report_path="$tmpdir/snpReport.json" +cat << EOF > "$report_path" { - "x-ms-isolation-tee": { - "x-ms-sevsnpvm-tee-svn": 255, - "x-ms-sevsnpvm-snpfw-svn": 255, - "x-ms-sevsnpvm-microcode-svn": 255, - "x-ms-sevsnpvm-bootloader-svn": 255 + "snp_report": { + "reported_tcb": { + "bootloader": 255, + "tee": 255, + "snp": 255, + "microcode": 255 + }, + "committed_tcb": { + "bootloader": 255, + "tee": 255, + "snp": 255, + "microcode": 255 + }, + "launch_tcb": { + "bootloader": 255, + "tee": 255, + "snp": 255, + "microcode": 255 + } } } EOF # has an older version -readonly older_claim_path="$tmpdir/maaClaimOld.json" -cat << EOF > "$older_claim_path" +readonly older_report_path="$tmpdir/snpReportOld.json" +cat << EOF > "$older_report_path" { - "x-ms-isolation-tee": { - "x-ms-sevsnpvm-tee-svn": 255, - "x-ms-sevsnpvm-snpfw-svn": 255, - "x-ms-sevsnpvm-microcode-svn": 254, - "x-ms-sevsnpvm-bootloader-svn": 255 + "snp_report": { + "reported_tcb": { + "bootloader": 255, + "tee": 255, + "snp": 255, + "microcode": 254 + }, + "committed_tcb": { + "bootloader": 255, + "tee": 255, + "snp": 255, + "microcode": 254 + }, + "launch_tcb": { + "bootloader": 255, + "tee": 255, + "snp": 255, + "microcode": 254 + } } } EOF # report 3 versions with different dates to fill the reporter cache readonly date_oldest="2023-02-01-03-04" -${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3 +${configapi_cli} --snp-report-path "$older_report_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3 readonly date_older="2023-02-02-03-04" -${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3 +${configapi_cli} --snp-report-path "$older_report_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3 readonly date="2023-02-03-03-04" -${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3 +${configapi_cli} --snp-report-path "$report_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3 # expect that $date_oldest is served as latest version baseurl="https://d33dzgxuwsgbpw.cloudfront.net/constellation/v1/attestation/azure-sev-snp" diff --git a/internal/api/attestationconfigapi/cli/main.go b/internal/api/attestationconfigapi/cli/main.go index 111bcaee6..59b5bc18f 100644 --- a/internal/api/attestationconfigapi/cli/main.go +++ b/internal/api/attestationconfigapi/cli/main.go @@ -15,7 +15,6 @@ Any version update is then pushed to the API. package main import ( - "encoding/json" "errors" "fmt" "os" @@ -23,11 +22,13 @@ import ( "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi" "github.com/edgelesssys/constellation/v2/internal/constants" + "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/staticupload" - "go.uber.org/zap" - + "github.com/edgelesssys/constellation/v2/internal/verify" + "github.com/spf13/afero" "github.com/spf13/cobra" + "go.uber.org/zap" ) const ( @@ -67,7 +68,7 @@ func newRootCmd() *cobra.Command { PreRunE: envCheck, RunE: runCmd, } - rootCmd.Flags().StringP("maa-claims-path", "t", "", "File path to a json file containing the MAA claims.") + rootCmd.Flags().StringP("snp-report-path", "t", "", "File path to a file containing the Constellation verify output.") rootCmd.Flags().StringP("upload-date", "d", "", "upload a version with this date as version name.") rootCmd.Flags().BoolP("force", "f", false, "Use force to manually push a new latest version."+ " The version gets saved to the cache but the version selection logic is skipped.") @@ -75,7 +76,7 @@ func newRootCmd() *cobra.Command { rootCmd.PersistentFlags().StringP("region", "r", awsRegion, "region of the targeted bucket.") rootCmd.PersistentFlags().StringP("bucket", "b", awsBucket, "bucket targeted by all operations.") rootCmd.PersistentFlags().Bool("testing", false, "upload to S3 test bucket.") - must(rootCmd.MarkFlagRequired("maa-claims-path")) + must(rootCmd.MarkFlagRequired("snp-report-path")) rootCmd.AddCommand(newDeleteCmd()) return rootCmd } @@ -104,17 +105,20 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) { DistributionID: flags.distribution, } - log.Infof("Reading MAA claims from file: %s", flags.maaFilePath) - maaClaimsBytes, err := os.ReadFile(flags.maaFilePath) - if err != nil { - return fmt.Errorf("reading MAA claims file: %w", err) + log.Infof("Reading SNP report from file: %s", flags.snpReportPath) + + fs := file.NewHandler(afero.NewOsFs()) + var report verify.Report + if err := fs.ReadJSON(flags.snpReportPath, &report); err != nil { + return fmt.Errorf("reading snp report: %w", err) } - var maaTCB maaTokenTCBClaims - if err = json.Unmarshal(maaClaimsBytes, &maaTCB); err != nil { - return fmt.Errorf("unmarshalling MAA claims file: %w", err) + snpReport := report.SNPReport + if !allEqual(snpReport.LaunchTCB, snpReport.CommittedTCB, snpReport.ReportedTCB) { + return fmt.Errorf("TCB versions are not equal: \nLaunchTCB:%+v\nCommitted TCB:%+v\nReportedTCB:%+v", + snpReport.LaunchTCB, snpReport.CommittedTCB, snpReport.ReportedTCB) } - inputVersion := maaTCB.ToAzureSEVSNPVersion() - log.Infof("Input version: %+v", inputVersion) + inputVersion := convertTCBVersionToAzureVersion(snpReport.LaunchTCB) + log.Infof("Input report: %+v", inputVersion) client, clientClose, err := attestationconfigapi.NewClient(ctx, cfg, []byte(cosignPwd), []byte(privateKey), false, flags.cacheWindowSize, log) @@ -129,7 +133,7 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) { return fmt.Errorf("creating client: %w", err) } - latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(flags.url, constants.CosignPublicKeyDev).FetchAzureSEVSNPVersionLatest(ctx) + latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(flags.url, flags.cosignPublicKey).FetchAzureSEVSNPVersionLatest(ctx) if err != nil { if errors.Is(err, attestationconfigapi.ErrNoVersionsFound) { log.Infof("No versions found in API, but assuming that we are uploading the first version.") @@ -148,9 +152,34 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) { return nil } +func allEqual(args ...verify.TCBVersion) bool { + if len(args) < 2 { + return true + } + + firstArg := args[0] + for _, arg := range args[1:] { + if arg != firstArg { + return false + } + } + + return true +} + +func convertTCBVersionToAzureVersion(tcb verify.TCBVersion) attestationconfigapi.AzureSEVSNPVersion { + return attestationconfigapi.AzureSEVSNPVersion{ + Bootloader: tcb.Bootloader, + TEE: tcb.TEE, + SNP: tcb.SNP, + Microcode: tcb.Microcode, + } +} + type config struct { - maaFilePath string + snpReportPath string uploadDate time.Time + cosignPublicKey string region string bucket string distribution string @@ -160,7 +189,7 @@ type config struct { } func parseCliFlags(cmd *cobra.Command) (config, error) { - maaFilePath, err := cmd.Flags().GetString("maa-claims-path") + snpReportFilePath, err := cmd.Flags().GetString("snp-report-path") if err != nil { return config{}, fmt.Errorf("getting maa claims path: %w", err) } @@ -191,7 +220,7 @@ func parseCliFlags(cmd *cobra.Command) (config, error) { if err != nil { return config{}, fmt.Errorf("getting testing flag: %w", err) } - url, distribution := getEnvironment(testing) + apiCfg := getAPIEnvironment(testing) force, err := cmd.Flags().GetBool("force") if err != nil { @@ -203,41 +232,29 @@ func parseCliFlags(cmd *cobra.Command) (config, error) { return config{}, fmt.Errorf("getting cache window size: %w", err) } return config{ - maaFilePath: maaFilePath, + snpReportPath: snpReportFilePath, uploadDate: uploadDate, + cosignPublicKey: apiCfg.cosignPublicKey, region: region, bucket: bucket, - url: url, - distribution: distribution, + url: apiCfg.url, + distribution: apiCfg.distribution, force: force, cacheWindowSize: cacheWindowSize, }, nil } -func getEnvironment(testing bool) (url string, distributionID string) { +type apiConfig struct { + url string + distribution string + cosignPublicKey string +} + +func getAPIEnvironment(testing bool) apiConfig { if testing { - return "https://d33dzgxuwsgbpw.cloudfront.net", "ETZGUP1CWRC2P" - } - return constants.CDNRepositoryURL, constants.CDNDefaultDistributionID -} - -// maaTokenTCBClaims describes the TCB information in a MAA token. -type maaTokenTCBClaims struct { - IsolationTEE struct { - TEESvn uint8 `json:"x-ms-sevsnpvm-tee-svn"` - SNPFwSvn uint8 `json:"x-ms-sevsnpvm-snpfw-svn"` - MicrocodeSvn uint8 `json:"x-ms-sevsnpvm-microcode-svn"` - BootloaderSvn uint8 `json:"x-ms-sevsnpvm-bootloader-svn"` - } `json:"x-ms-isolation-tee"` -} - -func (c maaTokenTCBClaims) ToAzureSEVSNPVersion() attestationconfigapi.AzureSEVSNPVersion { - return attestationconfigapi.AzureSEVSNPVersion{ - TEE: c.IsolationTEE.TEESvn, - SNP: c.IsolationTEE.SNPFwSvn, - Microcode: c.IsolationTEE.MicrocodeSvn, - Bootloader: c.IsolationTEE.BootloaderSvn, + return apiConfig{url: "https://d33dzgxuwsgbpw.cloudfront.net", distribution: "ETZGUP1CWRC2P", cosignPublicKey: constants.CosignPublicKeyDev} } + return apiConfig{url: constants.CDNRepositoryURL, distribution: constants.CDNDefaultDistributionID, cosignPublicKey: constants.CosignPublicKeyReleases} } func must(err error) { diff --git a/internal/api/attestationconfigapi/cli/main_test.go b/internal/api/attestationconfigapi/cli/main_test.go new file mode 100644 index 000000000..c1c1f0935 --- /dev/null +++ b/internal/api/attestationconfigapi/cli/main_test.go @@ -0,0 +1,32 @@ +/* +Copyright (c) Edgeless Systems GmbH + +SPDX-License-Identifier: AGPL-3.0-only +*/ +package main + +import ( + "testing" + + "github.com/edgelesssys/constellation/v2/internal/verify" + "github.com/stretchr/testify/assert" +) + +func TestAllEqual(t *testing.T) { + // Test case 1: One input arg + assert.True(t, allEqual(verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4}), "Expected allEqual to return true for one input arg, but got false") + + // Test case 2: Three input args that are equal + assert.True(t, allEqual( + verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4}, + verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4}, + verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4}, + ), "Expected allEqual to return true for three equal input args, but got false") + + // Test case 3: Three input args where second and third element are different + assert.False(t, allEqual( + verify.TCBVersion{Bootloader: 2, Microcode: 2, SNP: 3, TEE: 4}, + verify.TCBVersion{Bootloader: 2, Microcode: 2, SNP: 3, TEE: 4}, + verify.TCBVersion{Bootloader: 2, Microcode: 3, SNP: 3, TEE: 4}, + ), "Expected allEqual to return false for three input args with different second and third elements, but got true") +} diff --git a/internal/verify/verify.go b/internal/verify/verify.go index 086c4c7eb..4b7bb53c9 100644 --- a/internal/verify/verify.go +++ b/internal/verify/verify.go @@ -13,9 +13,6 @@ the attestationconfigapi upload tool through JSON serialization. package verify import ( - "crypto/x509" - "fmt" - "github.com/golang-jwt/jwt/v5" ) @@ -29,12 +26,12 @@ type Report struct { // Certificate contains the certificate data and additional information. type Certificate struct { - *x509.Certificate `json:"certificate"` - CertTypeName string `json:"cert_type_name"` - StructVersion uint8 `json:"struct_version"` - ProductName string `json:"product_name"` - HardwareID []byte `json:"hardware_id"` - TCBVersion TCBVersion `json:"tcb_version"` + CertificatePEM string `json:"certificate"` + CertTypeName string `json:"cert_type_name"` + StructVersion uint8 `json:"struct_version"` + ProductName string `json:"product_name"` + HardwareID []byte `json:"hardware_id"` + TCBVersion TCBVersion `json:"tcb_version"` } // TCBVersion contains the TCB version data. @@ -57,9 +54,9 @@ type PlatformInfo struct { // SignerInfo contains the signer information. type SignerInfo struct { - AuthorKey bool `json:"author_key_en"` - MaskChipKey bool `json:"mask_chip_key"` - SigningKey fmt.Stringer `json:"signing_key"` + AuthorKey bool `json:"author_key_en"` + MaskChipKey bool `json:"mask_chip_key"` + SigningKey string `json:"signing_key"` } // SNPReport contains the SNP report data.