go-sev-guest offers a library to wrap the /dev/sev-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation report.
Apache License 2.0
Add KDS clock skew option to allow "future certs" #44
The KDS server system time is part of the VCEK certificates it generates and signs. It's possible for noticeable clock drift to lead to failed certificate verification despite having "fresh" certificates.
This patch adds a new DefaultOptions() function to provide a recommended Getter function and recommended allowable clock skew between the verifying system and AMD KDS.
With this change comes a mild refactor to some exported but uncommon functions to allow them more flexibility as we add options that can change their behavior.
- GetAttestationFromReport's second argument is now a whole Options struct rather than just the Getter.
- GetCrlAndCheckRoot similarly takes a whole Options instead of just the Getter.
- X509Options takes a time.Time object to represent the current time.
- VcekNotRevoked loses its second Getter argument and gains an *Options as its third argument.
The Golang x509 certificate verifier has a CurrentTime option to verify certificates against. If it's the zero time, then the library uses the system time with time.Now(). The added behavior for tolerating clock skew will use time.Sleep() for the difference in time if the added Now option is zero in order for system time to catch up. If Now is provided and is within the threshold amount of time to tolerate a certificate from the future, then we amend the CurrentTime to the certificate's NotBefore attribute to ensure that part of the certificate verifies.
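The explicit-Now case described above, as an added example that is not code from the pull request or from go-sev-guest: a certificate dated slightly in the future is verified at its own NotBefore when it falls within the allowed skew, and is still rejected beyond it. The names `verifyTime`, `verifyWithSkew`, `selfSigned` and `maxSkew` are hypothetical, the certificate is a constructed self-signed stand-in rather than a VCEK, and the zero-Now branch that sleeps is not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// verifyTime picks x509 CurrentTime: a cert whose NotBefore is at most maxSkew
// ahead of now is checked at its NotBefore; anything further ahead still fails.
func verifyTime(cert *x509.Certificate, now time.Time, maxSkew time.Duration) time.Time {
	if ahead := cert.NotBefore.Sub(now); ahead > 0 && ahead <= maxSkew {
		return cert.NotBefore
	}
	return now
}

// selfSigned builds a constructed stand-in certificate (not a real VCEK).
func selfSigned(notBefore time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWithSkew verifies cert with itself as the only trusted root.
func verifyWithSkew(cert *x509.Certificate, now time.Time, maxSkew time.Duration) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: verifyTime(cert, now, maxSkew)})
	return err
}

func main() {
	now := time.Now()
	cert, err := selfSigned(now.Add(30 * time.Second))
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyWithSkew(cert, now, 0), verifyWithSkew(cert, now, time.Minute))
}
```

Because only NotBefore is relaxed, an expired certificate or one dated further ahead than `maxSkew` fails exactly as it would with no skew allowance.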