Closed deeglaze closed 8 months ago
No, secure defaults. I’d be willing to update the readme or wiki with info
On Wed, Feb 28, 2024 at 18:10 Chong Cai @.***> wrote:
@.**** approved this pull request.
In verify/verify.go https://github.com/google/go-sev-guest/pull/116#discussion_r1506908117:
@@ -47,7 +48,9 @@ const ( var ( // ErrMissingVlek is returned when attempting to verify a VLEK-signed report that doesn't also // have its VLEK certificate attached.
- ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing")
- ErrMissingVlek = errors.New("report signed with VLEK, but VLEK certificate is missing")
- workaroundStepping = flag.Bool("workaround_kds_productname", false, "If true, don't compare "+
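Review bot: the flag name (`workaround_kds_productname`) and the variable it populates (`workaroundStepping`) disagree about what is being skipped; the help string, cut off here at "If true, don't compare ", should state plainly that it skips the stepping comparison and name the failure signature it works around so users know when to set it. Leaving the default at false is the safer choice, since skipping a comparison silently weakens verification, and documenting the flag in the README (as the author offers below) is the right way to make that trade-off visible.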
If this is default to false, users will still run into issues unless they explicitly set this flag. Shall this be default to true until the issue is addressed?
Given the CPUID mismatch between machine and certificate, any verification failures that see "0x0 is not 0x1" should add `--workaround_kds_productname=true` to skip Stepping comparisons.

There is some confusion in the KDS specification between `product_name` that's used in the URL, and `productName` that's used in the VCEK certificate extensions. I've changed the disparate uses of `product`, `productString`, and `productName` to instead always have the following meaning:

- `product` should only mean `*spb.SevProduct`
- `productString` is deprecated. Use `productLine` for the name of the family and model without stepping, e.g., Milan, Genoa.
- `productName` should only mean the decoded IA5String value of certificate extension 1.3.6.1.4.1.3704.1.2.
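The following is an added, self-contained Go example illustrating the distinction the PR description draws; it is not code from go-sev-guest. It builds a constructed self-signed certificate carrying extension 1.3.6.1.4.1.3704.1.2 as an IA5String, decodes that `productName`, splits it into a `productLine` and a stepping token, and then compares it against a constructed machine-reported product with and without the stepping comparison skipped. The `<line>-<stepping>` layout of the productName value (e.g. `Milan-B0`) and the helper names (`ParseProductName`, `ProductNameFromCert`, `CheckProduct`, `NewTestCert`) are assumptions of this example, not the library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// oidProductName is the VCEK extension the PR description names:
// the IA5String productName lives in 1.3.6.1.4.1.3704.1.2.
var oidProductName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3704, 1, 2}

// Product is the split form of a productName: the productLine (family and
// model, e.g. "Milan") and the stepping token (e.g. "B0"). The
// "<line>-<stepping>" layout is an assumption of this example.
type Product struct {
	Line     string
	Stepping string
}

// ParseProductName splits a decoded productName into line and stepping.
func ParseProductName(name string) (Product, error) {
	line, stepping, ok := strings.Cut(name, "-")
	if !ok || line == "" || stepping == "" {
		return Product{}, fmt.Errorf("productName %q: expected <line>-<stepping>", name)
	}
	return Product{Line: line, Stepping: stepping}, nil
}

// ProductNameFromCert finds extension 1.3.6.1.4.1.3704.1.2 and decodes its IA5String.
func ProductNameFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidProductName) {
			continue
		}
		var name string
		rest, err := asn1.Unmarshal(ext.Value, &name)
		if err != nil {
			return "", fmt.Errorf("productName extension: %w", err)
		}
		if len(rest) != 0 {
			return "", fmt.Errorf("productName extension: %d trailing bytes", len(rest))
		}
		return name, nil
	}
	return "", fmt.Errorf("certificate has no productName extension %v", oidProductName)
}

// CheckProduct compares the certificate's product against what the machine
// reports. The product line must always match; the stepping comparison is
// skipped only when skipStepping is set, which is what a workaround flag does.
func CheckProduct(certName string, machine Product, skipStepping bool) error {
	p, err := ParseProductName(certName)
	if err != nil {
		return err
	}
	if p.Line != machine.Line {
		return fmt.Errorf("productLine mismatch: certificate %q, machine %q", p.Line, machine.Line)
	}
	if !skipStepping && p.Stepping != machine.Stepping {
		return fmt.Errorf("stepping mismatch: certificate %q, machine %q", p.Stepping, machine.Stepping)
	}
	return nil
}

// NewTestCert builds a constructed, self-signed certificate carrying the
// productName extension, standing in for a KDS-issued VCEK so this runs offline.
func NewTestCert(productName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	value, err := asn1.MarshalWithParams(productName, "ia5") // encode as IA5String
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "SEV-VCEK (constructed)"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidProductName, Value: value}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("Milan-B0") // constructed certificate value
	if err != nil {
		panic(err)
	}
	name, err := ProductNameFromCert(cert)
	if err != nil {
		panic(err)
	}
	machine := Product{Line: "Milan", Stepping: "B1"} // constructed machine-reported value
	fmt.Println("certificate productName:", name)
	fmt.Println("strict check:", CheckProduct(name, machine, false))
	fmt.Println("with stepping comparison skipped:", CheckProduct(name, machine, true))
}
```

The strict check fails on the stepping mismatch while the product line still matches; skipping the stepping comparison lets verification proceed but leaves the line check intact, which is why such a skip belongs behind an explicit, default-off flag rather than being the baseline behaviour.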