AMDESE / sev-guest

Tools, scripts, and configuration files necessary to demonstrate an end-to-end remote attestation example with SEV-SNP.
Apache License 2.0

Attestation-report #9

Open pegahnikbakht opened 2 years ago

pegahnikbakht commented 2 years ago

Hi,

In the setup for the ssh-key-exchange example, I do not see the steps to obtain the attestation report. Which steps should be followed for the attestation in the ssh-key-exchange example?

jlarrew commented 2 years ago

Hi pegahnikbakht,

The guest can retrieve the attestation report using sev-guest-get-report, like so:

$ sev-guest get-report report.bin

The SNP attestation report allows for 512 bits of guest-supplied information to be included in the report. The recommended protocol for remote attestation is for the guest to generate a fresh public/private key pair and include the hash of the public portion of the key in the (signed) attestation report. The guest then sends both the attestation report and the public key to the other party. The sev-guest utility will hash the contents of the file specified with the -f option, like so:

$ sev-guest get-report -f ssh-key.pem report.bin

The other party can trust the provided public key if all of the following tests pass:

  1. The signature on the attestation report validates correctly using the public portion of the VCEK for the platform.
  2. The fingerprint of the guest Identity Key (supplied during guest launch) in the report matches the expected value.
  3. The fingerprint of the public key received with the report matches the guest-supplied information in the report.

I'll update the documentation to clarify this. Thanks for the report!

Sincerely, Jesse
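The three verifier checks Jesse lists above, as an added example in Python that is not part of the sev-guest project. It locates the report fields it touches using the byte offsets of the attestation report structure in the AMD SEV-SNP ABI specification (the signed body is the first 0x2A0 bytes, SIGNATURE_ALGO at 0x34, REPORT_DATA at 0x50, ID_KEY_DIGEST at 0xE0, and an ECDSA P-384 signature at 0x2A0 stored as little-endian R and S). It assumes that `sev-guest get-report -f` fills REPORT_DATA with the SHA-512 of the file; that is this example's assumption, not something the thread states. The VCEK key pair, ID key digest, public key file and report are all constructed inline so the script runs offline, and the pure-Python ECDSA exists only for that purpose.

```python
import hashlib
import secrets

# NIST P-384 domain parameters (public constants).
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)

def _add(p1, p2):
    """Affine point addition on P-384; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(priv, digest):
    """ECDSA over P-384 on a SHA-384 digest; used only to build the constructed sample."""
    e = int.from_bytes(digest, "big")
    k = secrets.randbelow(N - 1) + 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (e + r * priv) % N

def ecdsa_verify(pub, digest, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    e = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    pt = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# SNP attestation report layout (offsets from the AMD SEV-SNP ABI specification).
REPORT_LEN = 0x4A0
SIGNED_LEN = 0x2A0          # every byte before SIGNATURE is covered by the signature
OFF_SIG_ALGO = 0x34         # u32: 1 = ECDSA P-384 with SHA-384
OFF_REPORT_DATA = 0x50      # 64 bytes of guest-supplied data
OFF_ID_KEY_DIGEST = 0xE0    # 48 bytes: SHA-384 of the guest ID key
OFF_SIGNATURE = 0x2A0       # R (72 bytes, little-endian) then S (72 bytes, little-endian)
SIG_ALGO_ECDSA_P384_SHA384 = 1

def verify_report(report, vcek_pub, expected_id_key_digest, guest_pub_key_file):
    """Run the three checks from the thread; returns (ok, list_of_failures)."""
    if len(report) != REPORT_LEN:
        return False, ["unexpected report length %d" % len(report)]
    failures = []
    algo = int.from_bytes(report[OFF_SIG_ALGO:OFF_SIG_ALGO + 4], "little")
    if algo != SIG_ALGO_ECDSA_P384_SHA384:
        failures.append("unsupported signature algorithm %d" % algo)
    else:
        # Check 1: the signature over the report body validates under the VCEK public key.
        sig = report[OFF_SIGNATURE:]
        r = int.from_bytes(sig[:72], "little")
        s = int.from_bytes(sig[72:144], "little")
        if not ecdsa_verify(vcek_pub, hashlib.sha384(report[:SIGNED_LEN]).digest(), r, s):
            failures.append("report signature does not verify under the VCEK")
    # Check 2: the ID key digest in the report is the one expected for this guest.
    if report[OFF_ID_KEY_DIGEST:OFF_ID_KEY_DIGEST + 48] != expected_id_key_digest:
        failures.append("ID key digest mismatch")
    # Check 3: REPORT_DATA equals the SHA-512 of the public key file the guest sent
    # (assumption: this is how `sev-guest get-report -f` fills the 64-byte field).
    if report[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] != hashlib.sha512(guest_pub_key_file).digest():
        failures.append("REPORT_DATA does not match the supplied public key")
    return not failures, failures

# Constructed sample data: not a real VCEK, ID key, guest key or firmware report.
VCEK_PRIV = int.from_bytes(hashlib.sha384(b"constructed VCEK, not a real key").digest(), "big") % N
VCEK_PUB = _mul(VCEK_PRIV, G)
ID_KEY_DIGEST = hashlib.sha384(b"constructed guest ID key").digest()
GUEST_PUB = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-SAMPLE\n-----END PUBLIC KEY-----\n"

def build_sample_report(vcek_priv, id_key_digest, guest_pub_key_file):
    """Assemble a report the way firmware would, then sign it with the constructed VCEK."""
    body = bytearray(SIGNED_LEN)
    body[0:4] = (2).to_bytes(4, "little")                       # VERSION
    body[OFF_SIG_ALGO:OFF_SIG_ALGO + 4] = SIG_ALGO_ECDSA_P384_SHA384.to_bytes(4, "little")
    body[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = hashlib.sha512(guest_pub_key_file).digest()
    body[OFF_ID_KEY_DIGEST:OFF_ID_KEY_DIGEST + 48] = id_key_digest
    r, s = ecdsa_sign(vcek_priv, hashlib.sha384(bytes(body)).digest())
    sig = r.to_bytes(72, "little") + s.to_bytes(72, "little")
    return bytes(body) + sig.ljust(REPORT_LEN - SIGNED_LEN, b"\0")

SAMPLE_REPORT = build_sample_report(VCEK_PRIV, ID_KEY_DIGEST, GUEST_PUB)
```

For the constructed sample, verify_report returns (True, []); flipping any byte inside the signed body fails check 1 as well as whichever field was touched. In a real deployment the VCEK public key has to come from a certificate that chains to AMD's ASK and ARK for the platform's reported TCB, and the signature check belongs in a vetted crypto library rather than the toy arithmetic here; the shape of the three checks, and the little-endian encoding of R and S, are the parts to take away.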

pegahnikbakht commented 2 years ago

@jlarrew Hi again. Thanks for the answer. We are getting an error "execlp: No such file or directory" while running ./sev-guest get-report report.bin. Do you know why this is happening?

jlarrew commented 2 years ago

Hi pegahnikbakht,

This happens because execlp() is looking for the sev-guest-get-report binary in your PATH and can't find it. If you build a debian package (make guest-deb) and install it, then everything will work as intended. If you prefer to run the programs from the source directory, then you can simply execute sev-guest-get-report directly. (The sev-guest binary is just a wrapper that execs the appropriate sub command.)

I hope this helps!

Sincerely, Jesse

pegahnikbakht commented 2 years ago

Thanks, we managed to run sev-guest-get-report directly and get the report. I think I will close this issue. Thanks for the help again.

pegahnikbakht commented 2 years ago

Hi,

I have one more question regarding this issue. In the attestation report that we got from the guest, some of the fields are zero, like: Family ID, Image ID, report data, host data, ID key digest, and author key digest. One more thing is that it shows the signature algorithm as invalid: "signature algorithm: 1 (invalid)". Do you know why these values are zero, why the signature algorithm is invalid, and how we can get valid values for them?

Thanks in advance for the help. Pegah