search

google / go-sev-guest

go-sev-guest offers a library to wrap the /dev/sev-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation report.
Apache License 2.0
52 stars 19 forks source link

Verify guest report #43

Closed pegahnikbakht closed 1 year ago

pegahnikbakht commented 1 year ago

How verify function needs to be run by having the binary report and which files should be provided, can you provide the example command?

deeglaze commented 1 year ago

Are you looking to use the libraries or the CLI tools?

The report binary is not enough to verify it, since you need the versioned chip endorsement key certificate. The verify library can download that for you, but that depends on AMD's service that's not beholden to customer reliability requirements. You're best off gathering certificates at the time of acquiring the report by using the GetExtendedReport function. The host machine will need to have installed the cached certificates to be delivered to the VM. That's the machine operator's job.

If you just have the raw report, say report_bytes, you can use the library function verify.SnpReport(report_bytes, &verify.Options{}) to use the built-in AMD root certificates and the default network fetcher to get the certificates from AMD's service.

The check CLI tool has examples in its README