From 8e7f4cd046af1ce1aef5afaa5941ae4da2612505 Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Tue, 25 Jul 2023 17:36:06 +0200
Subject: [PATCH] verify: print VCEK extension values
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 cli/internal/cmd/BUILD.bazel | 1 +
 cli/internal/cmd/verify.go | 23 +++++++++++++++++++++++
 go.mod | 2 +-
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel
index 1de9c2346..ddbf6ecd5 100644
--- a/cli/internal/cmd/BUILD.bazel
+++ b/cli/internal/cmd/BUILD.bazel
@@ -83,6 +83,7 @@ go_library(
 "//internal/versions",
 "//operators/constellation-node-operator/api/v1alpha1",
 "//verify/verifyproto",
+ "@com_github_google_go_sev_guest//kds",
 "@com_github_google_uuid//:uuid",
 "@com_github_mattn_go_isatty//:go-isatty",
 "@com_github_siderolabs_talos_pkg_machinery//config/encoder",
diff --git a/cli/internal/cmd/verify.go b/cli/internal/cmd/verify.go
index ae260faf5..a8620b5d1 100644
--- a/cli/internal/cmd/verify.go
+++ b/cli/internal/cmd/verify.go
@@ -30,6 +30,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/file"
 "github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 "github.com/edgelesssys/constellation/v2/verify/verifyproto"
+ "github.com/google/go-sev-guest/kds"
 "github.com/spf13/afero"
 "github.com/spf13/cobra"
 "google.golang.org/grpc"
@@ -317,6 +318,28 @@ func (f *attestationDocFormatterImpl) parseCerts(b *strings.Builder, certTypeNam
 b.WriteString(fmt.Sprintf("\t\tSignature Algorithm: %s\n", cert.SignatureAlgorithm))
 b.WriteString(fmt.Sprintf("\t\tPublic Key Algorithm: %s\n", cert.PublicKeyAlgorithm))
+ if certTypeName == "VCEK certificate" {
+ // Extensions documented in Table 8 and Table 9 of
+ // https://www.amd.com/system/files/TechDocs/57230.pdf
+ vcekExts, err := kds.VcekCertificateExtensions(cert)
+ if err != nil {
+ return fmt.Errorf("parsing VCEK certificate extensions: %w", err)
+ }
+
+ b.WriteString(fmt.Sprintf("\t\tStruct version: %d\n", vcekExts.StructVersion))
+ b.WriteString(fmt.Sprintf("\t\tProduct name: %s\n", vcekExts.ProductName))
+ tcb := kds.DecomposeTCBVersion(vcekExts.TCBVersion)
+ b.WriteString(fmt.Sprintf("\t\tSecure Processor bootloader SVN: %d\n", tcb.BlSpl))
+ b.WriteString(fmt.Sprintf("\t\tSecure Processor operating system SVN: %d\n", tcb.TeeSpl))
+ b.WriteString(fmt.Sprintf("\t\tSVN 4 (reserved): %d\n", tcb.Spl4))
+ b.WriteString(fmt.Sprintf("\t\tSVN 5 (reserved): %d\n", tcb.Spl5))
+ b.WriteString(fmt.Sprintf("\t\tSVN 6 (reserved): %d\n", tcb.Spl6))
+ b.WriteString(fmt.Sprintf("\t\tSVN 7 (reserved): %d\n", tcb.Spl7))
+ b.WriteString(fmt.Sprintf("\t\tSEV-SNP firmware SVN: %d\n", tcb.SnpSpl))
+ b.WriteString(fmt.Sprintf("\t\tMicrocode SVN: %d\n", tcb.UcodeSpl))
+ b.WriteString(fmt.Sprintf("\t\tHardware ID: %#x\n", vcekExts.HWID))
+ }
+
 i++
 }
diff --git a/go.mod b/go.mod
index 95f091cc4..82de65b8d 100644
--- a/go.mod
+++ b/go.mod
@@ -232,7 +232,7 @@ require (
 github.com/google/go-attestation v0.5.0 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/go-containerregistry v0.15.2 // indirect
- github.com/google/go-sev-guest v0.6.1 // indirect
+ github.com/google/go-sev-guest v0.6.1
 github.com/google/go-tspi v0.3.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/logger v1.1.1 // indirect
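Review bot: The new branch keys on the human-readable label, `if certTypeName == "VCEK certificate" {`, so the extension output silently disappears if the caller (outside this hunk) ever spells that label differently, and no test would notice because the function still returns nil; hoist the literal into a package-level constant such as `const vcekCertTypeName = "VCEK certificate"` shared by the caller and this comparison, or pass an explicit certificate-kind argument instead of matching on display text. The SVNs and hardware ID written here are printed as found in the certificate extensions — nothing in the hunk compares them against the attestation report's TCB or validates the VCEK chain — so the doc comment on parseCerts (whose body starts before and appears to continue past this hunk) should state that these lines are informational and presumably rely on chain validation performed elsewhere in the verify command; confirm that is the case. Minor style point: `fmt.Fprintf(b, "\t\tStruct version: %d\n", vcekExts.StructVersion)` drops the intermediate string of `b.WriteString(fmt.Sprintf(...))`, though the surrounding lines use the older pattern and consistency may win here.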