AB#2333: Add AMD SNP-based attestation

Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2025-09-17 11:34:45 -04:00 · 2022-08-19 12:26:29 +02:00 · 2022-08-19 12:26:29 +02:00 · 7c5556864b
commit 7c5556864b
parent 0a3a4e9c7f
9 changed files with 663 additions and 47 deletions
--- a/internal/attestation/azure/imds.go
+++ b/internal/attestation/azure/imds.go
@ -0,0 +1,43 @@
+package azure
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+)
+
+// Modified version of bootstrapper/cloudprovider/azure/imds.go
+
+const (
+	imdsVcekURL = "http://169.254.169.254/metadata/THIM/amd/certification"
+)
+
+type imdsClient struct {
+	client *http.Client
+}
+
+// Retrieve retrieves instance metadata from the azure imds API.
+func (c imdsClient) getVcek(ctx context.Context) (vcekResponse, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, imdsVcekURL, http.NoBody)
+	if err != nil {
+		return vcekResponse{}, err
+	}
+	req.Header.Add("Metadata", "True")
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return vcekResponse{}, err
+	}
+	defer resp.Body.Close()
+
+	var res vcekResponse
+	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
+		return vcekResponse{}, err
+	}
+
+	return res, nil
+}
+
+type vcekResponse struct {
+	VcekCert         string
+	CertificateChain string
+}