
cli: print vcek certificate extensions and snp attestation report during verify #2140

Merged
merged 3 commits into main from feat/verify/snp-output on Jul 31, 2023

Conversation

katexochen
Member

@katexochen katexochen commented Jul 26, 2023

Proposed change(s)

  • Adding additional output to the verify command:
    • The extensions of the VCEK are now parsed and printed.
    • The AMD SEV-SNP report is now parsed and printed.

Example output:

diff --git a/output_old.txt b/output_new.txt
index f3894c23..5510f212 100644
--- a/output_old.txt
+++ b/output_new.txt
@@ -45,6 +45,17 @@ Attestation Document:
 		Not After: 2030-05-02 17:50:16 +0000 UTC
 		Signature Algorithm: SHA384-RSAPSS
 		Public Key Algorithm: ECDSA
+		Struct version: 0
+		Product name: Milan-B0
+		Secure Processor bootloader SVN: 3
+		Secure Processor operating system SVN: 0
+		SVN 4 (reserved): 0
+		SVN 5 (reserved): 0
+		SVN 6 (reserved): 0
+		SVN 7 (reserved): 0
+		SEV-SNP firmware SVN: 8
+		Microcode SVN: 115
+		Hardware ID: 0x094a46eea5fde950946e4b4743d496aa7a51ac48ad37886afcc46af66918048dea499528f61ad55afbd4febe276ddc9c6632930fd12e0e2c8a88724b5c51dfd7
 	Raw Certificate chain:
 		-----BEGIN CERTIFICATE-----
 		MIIGiTCCBDigAwIBAgIDAQABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
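Review bot: `Hardware ID` in the VCEK extension block is printed with a `0x` prefix, while the identical 64-byte value appears further down as `Chip ID` with no prefix; since the two are meant to be compared by eye, print both the same way (dropping the `0x` matches every other hex field in this output).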
@@ -136,5 +147,75 @@ Attestation Document:
 		Not After: 2045-10-22 17:23:05 +0000 UTC
 		Signature Algorithm: SHA384-RSAPSS
 		Public Key Algorithm: RSA
+	SNP Report:
+		Version: 2
+		Guest SVN: 5
+		Policy:
+			ABI Minor: 31
+			ABI Major: 0
+			Symmetric Multithreading enabled: true
+			Migration agent enabled: false
+			Debugging enabled (host decryption of VM): false
+			Single socket enabled: false
+		Family ID: 01000000000000000000000000000000
+		Image ID: 02000000000000000000000000000000
+		VMPL: 0
+		Signature Algorithm: 1
+		Current TCB:
+			Secure Processor bootloader SVN: 3
+			Secure Processor operating system SVN: 0
+			SVN 4 (reserved): 0
+			SVN 5 (reserved): 0
+			SVN 6 (reserved): 0
+			SVN 7 (reserved): 0
+			SEV-SNP firmware SVN: 8
+			Microcode SVN: 206
+		Platform Info:
+			Symmetric Multithreading enabled (SMT): true
+			Transparent secure memory encryption (TSME): false
+		Author Key ID: 0
+		Report Data: 8d9419058a1892bb994907d2fcf668500f9022a4908d169d2752ad0ebe98ca6a0000000000000000000000000000000000000000000000000000000000000000
+		Measurement: 43abf28f1124609aa3d187952d2a1a74f703f0bce6a4f7d7d0206459604707cf8b5f8b360c57c4b176461d5f542e2b06
+		Host Data: 0000000000000000000000000000000000000000000000000000000000000000
+		ID Key Digest: 0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3
+		Author Key Digest: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+		Report ID: 9d75319462b77e8eb29d8999b4710de412e5389245e2e58ed1896a4f35d0083b
+		Report ID MA: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+		Reported TCB:
+			Secure Processor bootloader SVN: 3
+			Secure Processor operating system SVN: 0
+			SVN 4 (reserved): 0
+			SVN 5 (reserved): 0
+			SVN 6 (reserved): 0
+			SVN 7 (reserved): 0
+			SEV-SNP firmware SVN: 8
+			Microcode SVN: 115
+		Chip ID: 094a46eea5fde950946e4b4743d496aa7a51ac48ad37886afcc46af66918048dea499528f61ad55afbd4febe276ddc9c6632930fd12e0e2c8a88724b5c51dfd7
+		Committed TCB:
+			Secure Processor bootloader SVN: 3
+			Secure Processor operating system SVN: 0
+			SVN 4 (reserved): 0
+			SVN 5 (reserved): 0
+			SVN 6 (reserved): 0
+			SVN 7 (reserved): 0
+			SEV-SNP firmware SVN: 8
+			Microcode SVN: 115
+		Current Build: 4
+		Current Minor: 52
+		Current Major: 1
+		Committed Build: 4
+		Committed Minor: 52
+		Committed Major: 1
+		Launch TCB:
+			Secure Processor bootloader SVN: 3
+			Secure Processor operating system SVN: 0
+			SVN 4 (reserved): 0
+			SVN 5 (reserved): 0
+			SVN 6 (reserved): 0
+			SVN 7 (reserved): 0
+			SEV-SNP firmware SVN: 8
+			Microcode SVN: 115
+		Signature:
+			3065023100c3efb7284f2f0587e2327ecc1ba9db1d2966dfa52e7c780a133c18d9732188eb3228ed708454ad9a8b753f1a24efa4cb02300c8ee2de1f3ed84dcb9a65ea5a0d3795ca82515b857d0da04927f65b806e4b138cd6a43cc489888a25abc72d9c9a1609
 
 Verification OK
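Review bot: `Signature Algorithm: 1` prints the raw enum value, whereas the certificate section above prints a name (`SHA384-RSAPSS`); mapping the SEV-SNP value to its name (1 is ECDSA P-384 with SHA-384 in the ABI spec) would make the two sections read alike. Also, `Microcode SVN: 206` under `Current TCB` against `115` under `Reported TCB`, `Committed TCB`, `Launch TCB` and the VCEK extensions is the expected difference between the firmware currently running and the TCB the VCEK was issued for; a short hint that verification compares the VCEK against `Reported TCB` would stop readers from reading that mismatch as a failure.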

Checklist

  • Update docs
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone
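The SVN and policy fields the new output prints are unpacked from two 64-bit words of the attestation report, `TCB_VERSION` and the guest policy. As an added illustration (my own code, not Constellation's), the block below decodes both layouts per the AMD SEV-SNP ABI spec and checks the VCEK's SVNs against `REPORTED_TCB`; the input words are constructed to reproduce the values in the example above, and the type and function names are hypothetical.

```go
package main

import "fmt"

// TCBVersion mirrors the SEV-SNP TCB_VERSION layout: byte 0 boot loader SVN, byte 1 TEE (SP OS)
// SVN, bytes 2..5 reserved, byte 6 SNP firmware SVN, byte 7 microcode SVN, little-endian in a uint64.
type TCBVersion struct {
	BootLoader, TEE, SNP, Microcode uint8
	Reserved                        [4]uint8
}

// ParseTCBVersion splits the packed 64-bit TCB into its SVN fields.
func ParseTCBVersion(v uint64) TCBVersion {
	t := TCBVersion{BootLoader: uint8(v), TEE: uint8(v >> 8), SNP: uint8(v >> 48), Microcode: uint8(v >> 56)}
	for i := range t.Reserved {
		t.Reserved[i] = uint8(v >> (16 + 8*uint(i)))
	}
	return t
}

// GuestPolicy mirrors the SEV-SNP guest policy bits: 7:0 ABI minor, 15:8 ABI major,
// 16 SMT, 17 reserved (always 1), 18 migration agent, 19 debug, 20 single socket.
type GuestPolicy struct {
	ABIMinor, ABIMajor                  uint8
	SMT, MigrateMA, Debug, SingleSocket bool
}

// ParseGuestPolicy decodes the policy word into the fields the verify output prints.
func ParseGuestPolicy(p uint64) GuestPolicy {
	return GuestPolicy{
		ABIMinor: uint8(p), ABIMajor: uint8(p >> 8),
		SMT: p&(1<<16) != 0, MigrateMA: p&(1<<18) != 0,
		Debug: p&(1<<19) != 0, SingleSocket: p&(1<<20) != 0,
	}
}

// VCEKMatchesReportedTCB checks the SVNs from the VCEK extensions against the
// report's REPORTED_TCB, the TCB the VCEK is issued for (not CURRENT_TCB).
func VCEKMatchesReportedTCB(vcek, reported TCBVersion) bool {
	return vcek.BootLoader == reported.BootLoader && vcek.TEE == reported.TEE &&
		vcek.SNP == reported.SNP && vcek.Microcode == reported.Microcode
}

func main() {
	// Constructed words reproducing the page's example: microcode SVN 115 (reported) vs 206 (current).
	reported, current := ParseTCBVersion(0x7308000000000003), ParseTCBVersion(0xce08000000000003)
	fmt.Printf("reported %+v\ncurrent %+v\n", reported, current)
	fmt.Println("VCEK vs reported:", VCEKMatchesReportedTCB(reported, reported), "vs current:", VCEKMatchesReportedTCB(reported, current))
	fmt.Printf("policy 0x3001f: %+v\n", ParseGuestPolicy(0x3001f)) // ABI 0.31, SMT allowed
}
```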

@katexochen katexochen added the feature This introduces new functionality label Jul 26, 2023
@katexochen katexochen added this to the v2.10.0 milestone Jul 26, 2023
@edgelesssys edgelesssys deleted a comment from netlify bot Jul 26, 2023
@msanft msanft changed the title verify: print VCEK certificate extensions and SNP attestation report verify: print vcek certificate extensions and snp attestation report Jul 27, 2023
@msanft
Contributor

msanft commented Jul 27, 2023

and `<title>` is all lower case (except proper names, including acronyms).

Contributor

@msanft msanft left a comment


works as expected🚀

Member

@derpsteb derpsteb left a comment


LGTM 👍
Works fine against an existing Azure cluster.

Something that might be useful to add at some point: add a flag to print the structs as json/yaml so the CLI's output can be parsed more easily. But since we don't keep an eye on output parseability for other commands I don't see a need here.

@katexochen katexochen merged commit 372aa0f into main Jul 31, 2023
4 checks passed
@katexochen katexochen deleted the feat/verify/snp-output branch July 31, 2023 06:18
@elchead elchead changed the title verify: print vcek certificate extensions and snp attestation report cli: print vcek certificate extensions and snp attestation report during verify Aug 14, 2023
Labels
feature This introduces new functionality