Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
bdba9d8ba6
constellation/hack/azure-snp-report-verify
History
Malte Poll bdba9d8ba6
bazel: add build files for go (#1186) 
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 15:23:42 +01:00
..
BUILD.bazel bazel: add build files for go (#1186) 2023-03-09 15:23:42 +01:00
Dockerfile deps: update ubuntu:20.04 Docker digest to 9fa30fc (#1363) 2023-03-07 18:18:41 +01:00
README.md AB#2413: Add workflow for snp-report-verify 2022-09-21 10:58:10 +02:00
verify.go Document exported funcs,types,interfaces and enable check. (#475) 2022-11-09 15:57:54 +01:00

README.md

Obtain current Azure SNP ID key digest & firmware versions

On Azure, Constellation verifies that the SNP attestation report contains Azure's ID key digest. Additionally, some firmware security version numbers (SVNs) are validated. Currently, the only way to verify the digest's origin is to perform guest attestation with the help of the Microsoft Azure Attestation (MAA) service. There's a sample on how to do this, but it's not straightforward. So we created tooling to make things easier.

Perform the following steps to get the ID key digest & firmware versions:

  1. Create an Ubuntu CVM on Azure with secure boot enabled and ssh into it.
  2. Run 
    docker run --rm --privileged -v/sys/kernel/security:/sys/kernel/security ghcr.io/edgelesssys/constellation/azure-snp-reporter
    This executes the guest attestation and prints the JWT received from the MAA. (It's the long base64 blob.)
  3. Copy the JWT and run on your local trusted machine: 
    go run verify.go <jwt>
    On success it prints the ID key digest and relevant firmware SVNs.