confidential-containers / trustee

Attestation and Secret Delivery Components
Apache License 2.0

SNP: add fallback for cert-chain without extended report #363

Open fitzthum opened 5 months ago

fitzthum commented 5 months ago

If the cert chain does not include the extended report, we should connect to the KDS to get it.

salmanyam commented 3 months ago

@fitzthum We have also experienced a similar issue for the AMD "genoa" platform, where we found that the cert-chain is null in the attestation report. We communicated with the KDS to fetch the cert-chain for the verification in order to complete our use case. We can submit a pull request to enable this functionality. What do you think?

fitzthum commented 3 months ago

Sure. Note that @niteeshkd has a PR for Kata to allow us to specify the cert chain from the host side.

I think we could also add support to the verifier to download the VCEK if it is not provided. Note that the ARK/ASK/ASVK are hard-coded into the verifier but we don't yet have the Genoa certs there. It should be easy to add them.

I think @AdithyaKrishnan might be working on something in this area, but if you already have the code you should post it.

larrydewey commented 3 months ago

I think this would be an excellent feature. I will follow up with @AdithyaKrishnan to see what the status of the Genoa certificates is.

hashimotor-ntt commented 2 weeks ago

We hit the same Genoa issue. Additionally, the chain KDS provides for Milan and Genoa omits the ASVK. We'll follow the approaches by @salmanyam or @AdithyaKrishnan if they have already addressed those issues. Or I might bring a workaround to ignore ASVK and adapt Genoa certs, instead of the fundamental fix of changing load_milan_cert_chain() to load_cert_chain() and adding the fallback.

salmanyam commented 2 weeks ago

@hashimotor-ntt We have a working solution for Genoa, and we are trying to make our solution universal, or at least a solution that works for both Genoa and Milan. We are currently testing the solution and experiencing a minor issue on Milan. As soon as we fix the issue, we will submit a PR.
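The fallback discussed in this thread (use the host-supplied cert table when the extended report has one, otherwise fetch the VCEK and the ARK/ASK chain from the KDS), as an added example that is not trustee's own code. The TCB_VERSION byte layout and the KDS URL layout are taken from AMD's public SNP ABI and KDS documentation; the function and type names are this example's own.

```rust
// Added example, not trustee's code: pick the certificate source for an
// SNP report and, when the extended report carries no cert table, build the
// AMD KDS URLs for the VCEK and the ARK/ASK chain. Assumed: the KDS URL
// layout and TCB_VERSION byte layout below follow AMD's public SNP/KDS docs.
const KDS_BASE: &str = "https://kdsintf.amd.com";

/// TCB_VERSION as packed in the report: byte 0 boot loader, byte 1 TEE,
/// bytes 2-5 reserved, byte 6 SNP firmware, byte 7 microcode.
#[derive(Debug, PartialEq)]
pub struct TcbVersion { pub boot_loader: u8, pub tee: u8, pub snp: u8, pub microcode: u8 }

pub fn parse_tcb(raw: u64) -> TcbVersion {
    let b = raw.to_le_bytes();
    TcbVersion { boot_loader: b[0], tee: b[1], snp: b[6], microcode: b[7] }
}

fn hex_lower(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// VCEK endpoint: keyed by the 64-byte CHIP_ID and the report's reported TCB.
pub fn vcek_url(product: &str, chip_id: &[u8; 64], tcb: &TcbVersion) -> String {
    format!("{}/vcek/v1/{}/{}?blSPL={}&teeSPL={}&snpSPL={}&ucodeSPL={}",
            KDS_BASE, product, hex_lower(chip_id),
            tcb.boot_loader, tcb.tee, tcb.snp, tcb.microcode)
}

/// ARK/ASK chain endpoint; as noted in the thread, this chain has no ASVK,
/// so a verifier that accepts VLEK-signed reports needs the ASVK from elsewhere.
pub fn cert_chain_url(product: &str) -> String {
    format!("{}/vcek/v1/{}/cert_chain", KDS_BASE, product)
}

#[derive(Debug, PartialEq)]
pub enum CertSource { ExtendedReport, Kds { vcek: String, chain: String } }

/// Prefer the host-supplied cert table when it is present and non-empty;
/// otherwise fall back to the KDS. `product` ("Milan", "Genoa") is taken
/// from verifier configuration.
pub fn select_cert_source(extended_certs: Option<&[u8]>, product: &str,
                          chip_id: &[u8; 64], reported_tcb: u64) -> CertSource {
    match extended_certs {
        Some(c) if !c.is_empty() => CertSource::ExtendedReport,
        _ => CertSource::Kds {
            vcek: vcek_url(product, chip_id, &parse_tcb(reported_tcb)),
            chain: cert_chain_url(product),
        },
    }
}
```

Whatever the source, the fetched VCEK must still be checked against the ARK/ASK chain before it is used to verify the report signature; the selection above only decides where the certificates come from.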