mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-29 01:16:12 -05:00
30f2b332b3
* api: rename AttestationVersionRepo to Client * api: move client into separate subpkg for clearer import paths. * api: rename configapi -> attestationconfig * api: rename versionsapi -> versions * api: rename sut to client * api: split versionsapi client and make it public * api: split versionapi fetcher and make it public * config: move attestationversion type to config * api: fix attestationconfig client test Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> |
||
---|---|---|
.. | ||
BUILD.bazel | ||
Dockerfile | ||
README.md | ||
verify.go |
Obtain current Azure SNP ID key digest & firmware versions
On Azure, Constellation verifies that the SNP attestation report contains Azure's ID key digest. Additionally, some firmware security version numbers (SVNs) are validated. Currently, the only way to verify the digest's origin is to perform guest attestation with the help of the Microsoft Azure Attestation (MAA) service. There's a sample on how to do this, but it's not straightforward. So we created tooling to make things easier.
Perform the following steps to get the ID key digest & firmware versions:
- Create an Ubuntu CVM on Azure with secure boot enabled and ssh into it.
- Run
This executes the guest attestation and prints the JWT received from the MAA. (It's the long base64 blob.)docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter
- Copy the JWT and run on your local trusted machine:
On success it prints the ID key digest and relevant firmware SVNs.go run verify.go <jwt>