mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00

History

Adrian Stobbe a813760f96 config: automatically upload new Azure SNP versions to API + sign version with release key (#1854 ) * sign version with release key and remove version from fetcher interface * extend azure-reporter GH action to upload updated version values to the Attestation API		2023-06-02 12:10:22 +02:00
..
BUILD.bazel	api: restructure api pkg (#1851 )	2023-06-02 09:19:23 +02:00
Dockerfile	deps: update ubuntu:20.04 Docker digest to db8bf6f (#1692 )	2023-04-27 17:50:20 +02:00
README.md	AB#2413: Add workflow for snp-report-verify	2022-09-21 10:58:10 +02:00
verify.go	config: automatically upload new Azure SNP versions to API + sign version with release key (#1854 )	2023-06-02 12:10:22 +02:00

README.md

Obtain current Azure SNP ID key digest & firmware versions

On Azure, Constellation verifies that the SNP attestation report contains Azure's ID key digest. Additionally, some firmware security version numbers (SVNs) are validated. Currently, the only way to verify the digest's origin is to perform guest attestation with the help of the Microsoft Azure Attestation (MAA) service. There's a sample on how to do this, but it's not straightforward. So we created tooling to make things easier.

Perform the following steps to get the ID key digest & firmware versions:

Create an Ubuntu CVM on Azure with secure boot enabled and ssh into it.

Run

docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter

This executes the guest attestation and prints the JWT received from the MAA. (It's the long base64 blob.)

Copy the JWT and run on your local trusted machine:
```
go run verify.go <jwt>
```
On success it prints the ID key digest and relevant firmware SVNs.