confidential-containers / trustee

Attestation and Secret Delivery Components
Apache License 2.0

verifier: Change logic to check the attestation report version #590

Closed AdithyaKrishnan closed 4 days ago

AdithyaKrishnan commented 1 week ago

Fixes Issue #589

Change the check condition to handle multiple attestation report versions.

deeglaze commented 1 week ago

Do you plan on updating fetch_vcek_from_kds to determine which kds product endpoint to try based on the CPUID information in the attestation report? That plus the fact that KDS gets the ProductName wrong in its VCEK cert extensions (for complicated reasons that should be fixed for Turin and later) is the reason why they changed the attestation report.

AdithyaKrishnan commented 1 week ago

> Do you plan on updating fetch_vcek_from_kds to determine which kds product endpoint to try based on the CPUID information in the attestation report? That plus the fact that KDS gets the ProductName wrong in its VCEK cert extensions (for complicated reasons that should be fixed for Turin and later) is the reason why they changed the attestation report.

Not in this PR but might have a new PR in the future to do the same.

AdithyaKrishnan commented 4 days ago

LGTM. See Ding's comments

Addressed all issues. Please merge PR if appropriate.