Open fitzthum opened 5 months ago
@fitzthum We have also experienced a similar issue for AMD "genoa" platform where we found that the cert-chain is null in the attestation report. We communicated with the KDS to fetch the cert-chain for the verification in order to complete our use case. We can submit a pull request to enable this functionality. What do you think?
Sure. Note that @niteeshkd has a PR for Kata to allow us to specify the cert chain from the host side.
I think we could also add support to the verifier to download the VCEK if it is not provided. Note that the ARK/ASK/ASVK are hard-coded into the verifier but we don't yet have the Genoa certs there. It should be easy to add them.
I think @AdithyaKrishnan might be working on something in this area, but if you already have the code you should post it.
I think this would be an excellent feature. I will follow-up with @AdithyaKrishnan to see what the status of the Genoa certificates are.
We hit the same Genoa issue. Additionally, the chain KDS provides for Milan and Genoa omits the ASVK. We'll follow the approaches by @salmanyam or @AdithyaKrishnan if they have already addressed those issues. Or I might bring a workaround to ignore ASVK and adapt Genoa certs, instead of the fundamental fix of changing load_milan_cert_chain() to load_cert_chain() and adding the fallback.
@hashimotor-ntt We have a working solution for Genoa, and we are trying to make our solution universal, or at least a solution that works for both Genoa and Milan. We are currently testing the solution and experiencing a minor issue on Milan. As soon as we fix the issue, we will submit a PR.
If the cert chain does not include the extended report, we should connect to the KDS to get it.
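The fallback discussed in this thread (an attestation report arriving with a null cert chain, so the verifier has to derive the VCEK request from the report and fetch the ASK/ARK chain from KDS) as an added example. This is illustrative code written for this page, not code from the attestation-service or from any of the commenters' PRs. It assumes the SEV-SNP ABI attestation report layout (REPORTED_TCB at offset 0x180, CHIP_ID at 0x1A0), the KDS URL shape AMD documents for the VCEK API (`/vcek/v1/<product>/<hwid>?blSPL=..&teeSPL=..&snpSPL=..&ucodeSPL=..` and `/vcek/v1/<product>/cert_chain`), and KDS product names `Milan` and `Genoa` supplied by the caller. The sample report bytes are constructed, not captured from hardware, and the example does not attempt to address the missing ASVK mentioned above.

```rust
// Added example (not project code): decide whether an SEV-SNP report can be
// verified with the cert chain the host attached, or whether the verifier
// must derive KDS URLs from the report and download VCEK + ASK/ARK itself.
//
// Assumed layout (SEV-SNP ABI attestation report):
//   REPORTED_TCB at 0x180, 8 bytes little-endian; CHIP_ID at 0x1A0, 64 bytes.
// Assumed KDS API shape (AMD VCEK API): see KDS_BASE below.
use std::fmt::Write as _;

const REPORT_LEN: usize = 0x4A0;          // attestation report size in bytes
const REPORTED_TCB_OFFSET: usize = 0x180; // REPORTED_TCB (TCB_VERSION), 8 bytes LE
const CHIP_ID_OFFSET: usize = 0x1A0;      // CHIP_ID, 64 bytes
const CHIP_ID_LEN: usize = 64;
const KDS_BASE: &str = "https://kdsintf.amd.com/vcek/v1";

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TcbVersion {
    pub boot_loader: u8,
    pub tee: u8,
    pub snp: u8,
    pub microcode: u8,
}

impl TcbVersion {
    /// TCB_VERSION bit layout: [7:0] boot loader, [15:8] TEE,
    /// [47:16] reserved, [55:48] SNP firmware, [63:56] microcode.
    pub fn from_u64(v: u64) -> Self {
        TcbVersion {
            boot_loader: (v & 0xff) as u8,
            tee: ((v >> 8) & 0xff) as u8,
            snp: ((v >> 48) & 0xff) as u8,
            microcode: ((v >> 56) & 0xff) as u8,
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum CertSource {
    /// The host attached a cert chain (e.g. via the extended report); verify with it.
    Provided,
    /// Nothing attached: fetch the VCEK and the ASK/ARK chain from KDS at these URLs.
    FetchFromKds { vcek_url: String, chain_url: String },
}

/// Pull REPORTED_TCB and CHIP_ID out of a raw report, refusing truncated input.
pub fn parse_report(report: &[u8]) -> Result<(TcbVersion, [u8; CHIP_ID_LEN]), String> {
    if report.len() < REPORT_LEN {
        return Err(format!("report too short: {} bytes, expected {}", report.len(), REPORT_LEN));
    }
    let mut tcb_raw = [0u8; 8];
    tcb_raw.copy_from_slice(&report[REPORTED_TCB_OFFSET..REPORTED_TCB_OFFSET + 8]);
    let mut chip_id = [0u8; CHIP_ID_LEN];
    chip_id.copy_from_slice(&report[CHIP_ID_OFFSET..CHIP_ID_OFFSET + CHIP_ID_LEN]);
    Ok((TcbVersion::from_u64(u64::from_le_bytes(tcb_raw)), chip_id))
}

fn hex(bytes: &[u8]) -> String {
    let mut s = String::with_capacity(bytes.len() * 2);
    for b in bytes {
        write!(s, "{:02x}", b).unwrap();
    }
    s
}

/// VCEK request URL: the hardware ID plus the four TCB security patch levels
/// that select which VCEK KDS returns. Values are decimal, zero-padded to two digits.
pub fn kds_vcek_url(product: &str, report: &[u8]) -> Result<String, String> {
    let (tcb, chip_id) = parse_report(report)?;
    Ok(format!(
        "{}/{}/{}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}",
        KDS_BASE, product, hex(&chip_id), tcb.boot_loader, tcb.tee, tcb.snp, tcb.microcode
    ))
}

/// ASK + ARK chain for the product (KDS returns PEM).
pub fn kds_cert_chain_url(product: &str) -> String {
    format!("{}/{}/cert_chain", KDS_BASE, product)
}

/// Use the attached chain when there is one; otherwise fall back to KDS.
pub fn select_cert_source(product: &str, report: &[u8], attached_chain: Option<&[u8]>) -> Result<CertSource, String> {
    match attached_chain {
        Some(chain) if !chain.is_empty() => Ok(CertSource::Provided),
        _ => Ok(CertSource::FetchFromKds {
            vcek_url: kds_vcek_url(product, report)?,
            chain_url: kds_cert_chain_url(product),
        }),
    }
}

/// Constructed sample report (not captured from hardware): CHIP_ID is 64 bytes of
/// 0xAB; REPORTED_TCB encodes boot loader 3, TEE 0, SNP 8, microcode 209.
pub fn sample_report() -> Vec<u8> {
    let mut r = vec![0u8; REPORT_LEN];
    let tcb: u64 = (209u64 << 56) | (8u64 << 48) | 3;
    r[REPORTED_TCB_OFFSET..REPORTED_TCB_OFFSET + 8].copy_from_slice(&tcb.to_le_bytes());
    for b in &mut r[CHIP_ID_OFFSET..CHIP_ID_OFFSET + CHIP_ID_LEN] {
        *b = 0xAB;
    }
    r
}

fn main() {
    let report = sample_report();
    match select_cert_source("Genoa", &report, None) {
        Ok(CertSource::FetchFromKds { vcek_url, chain_url }) => {
            println!("VCEK:  {}", vcek_url);
            println!("chain: {}", chain_url);
        }
        other => println!("{:?}", other),
    }
}
```

The actual HTTP fetch and the signature walk (VCEK signs the report, ASK signs the VCEK, ARK signs the ASK and is self-signed) are left to the verifier; the point here is that everything needed to ask KDS for the right VCEK is already inside the report, so a null cert chain is recoverable rather than fatal.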