google / go-sev-guest

go-sev-guest offers a library to wrap the /dev/sev-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation report.
Apache License 2.0

fix: Use reported TCB when fetching VCEK #73

Closed msanft closed 1 year ago

msanft commented 1 year ago

Proposed Change

Use the ReportedTCB when querying the AMD KDS for the VCEK certificate, as per the specification:

The firmware maintains a TCB_VERSION called the ReportedTcb. ReportedTcb is used to derive the VCEK that signs the attestation report.

Additional Info

I've added no tests for this, since I don't know what a test could look like without adding additional test data. If you are fine with adding additional test data, I can add a test for the case of a report with mismatching CurrentTCB and ReportedTCB, which should trigger the bug from the issue mentioned below.

This fixes #72
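To make the point concrete, here is an added example (mine, not go-sev-guest's code) that reads CURRENT_TCB, REPORTED_TCB and CHIP_ID out of a raw SEV-SNP attestation report and builds the AMD KDS VCEK query from each. The field offsets are my reading of the SEV-SNP ABI specification and should be checked against the spec revision you target; the report bytes are constructed and unsigned, with a CURRENT_TCB that is newer than the REPORTED_TCB, which is exactly the case where keying the fetch on the wrong field returns a certificate for a key that never signed the report.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Offsets into the SEV-SNP ATTESTATION_REPORT structure, as read from the AMD
// SEV-SNP ABI specification (assumption: verify against your spec revision).
const (
	reportLen      = 0x4A0 // 1184 bytes, signature included
	offCurrentTCB  = 0x038 // CURRENT_TCB: TCB of the firmware actually running
	offReportedTCB = 0x180 // REPORTED_TCB: TCB the VCEK is derived from
	offChipID      = 0x1A0 // CHIP_ID: 64-byte hardware identifier
	chipIDLen      = 64
)

// TCBParts is a TCB_VERSION split into its security patch levels:
// byte 0 boot loader, byte 1 TEE, bytes 2-5 reserved, byte 6 SNP, byte 7 microcode.
type TCBParts struct {
	BlSpl, TeeSpl, SnpSpl, UcodeSpl uint8
}

// DecomposeTCB unpacks a little-endian TCB_VERSION value.
func DecomposeTCB(v uint64) TCBParts {
	return TCBParts{
		BlSpl:    uint8(v),
		TeeSpl:   uint8(v >> 8),
		SnpSpl:   uint8(v >> 48),
		UcodeSpl: uint8(v >> 56),
	}
}

// TCBInfo is the subset of the report this example needs.
type TCBInfo struct {
	CurrentTCB  uint64
	ReportedTCB uint64
	ChipID      []byte
}

// ParseTCBs pulls CURRENT_TCB, REPORTED_TCB and CHIP_ID out of a raw report.
func ParseTCBs(report []byte) (TCBInfo, error) {
	if len(report) < reportLen {
		return TCBInfo{}, fmt.Errorf("report too short: %d bytes, want %d", len(report), reportLen)
	}
	return TCBInfo{
		CurrentTCB:  binary.LittleEndian.Uint64(report[offCurrentTCB:]),
		ReportedTCB: binary.LittleEndian.Uint64(report[offReportedTCB:]),
		ChipID:      append([]byte(nil), report[offChipID:offChipID+chipIDLen]...),
	}, nil
}

// VCEKURL builds the AMD KDS request for the VCEK of a chip at a given TCB.
// Path and query names follow AMD's public KDS interface; product is the
// processor family name, e.g. "Milan".
func VCEKURL(product string, chipID []byte, tcb uint64) string {
	p := DecomposeTCB(tcb)
	return fmt.Sprintf("https://kdsintf.amd.com/vcek/v1/%s/%s?blSPL=%d&teeSPL=%d&snpSPL=%d&ucodeSPL=%d",
		product, hex.EncodeToString(chipID), p.BlSpl, p.TeeSpl, p.SnpSpl, p.UcodeSpl)
}

// ReportVCEKURL keys the KDS query on REPORTED_TCB, the TCB the VCEK that
// signed this report was derived from. Keying on CURRENT_TCB instead yields
// a certificate for a different key whenever the two values differ.
func ReportVCEKURL(product string, report []byte) (string, error) {
	info, err := ParseTCBs(report)
	if err != nil {
		return "", err
	}
	return VCEKURL(product, info.ChipID, info.ReportedTCB), nil
}

// SampleReport is a constructed, unsigned report (not a real one) whose
// CURRENT_TCB (ucode 0xD4, SNP 0x15) is newer than its REPORTED_TCB
// (ucode 0xD3, SNP 0x13); boot loader SPL is 3 and TEE SPL 0 in both.
func SampleReport() []byte {
	r := make([]byte, reportLen)
	binary.LittleEndian.PutUint64(r[offCurrentTCB:], 0xD415000000000003)
	binary.LittleEndian.PutUint64(r[offReportedTCB:], 0xD313000000000003)
	for i := 0; i < chipIDLen; i++ {
		r[offChipID+i] = byte(i) // placeholder chip id
	}
	return r
}

func main() {
	r := SampleReport()
	info, _ := ParseTCBs(r)
	fmt.Println("keyed on CURRENT_TCB (wrong): ", VCEKURL("Milan", info.ChipID, info.CurrentTCB))
	right, _ := ReportVCEKURL("Milan", r)
	fmt.Println("keyed on REPORTED_TCB (right):", right)
}
```

Running it prints two KDS URLs that differ only in their snpSPL and ucodeSPL parameters; only the second one fetches the certificate whose public key verifies the report signature. A verifier that first fetches by CURRENT_TCB and then fails signature verification has no way to tell this mismatch apart from a forged report, which is why the query must be keyed on REPORTED_TCB.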

deeglaze commented 1 year ago

Thanks for the report and fix!

deeglaze commented 1 year ago

No fixed schedule. I've cut v0.7.1 for you.

On Thu, Aug 31, 2023 at 10:59 PM Moritz Sanft wrote:

Hey @deeglaze, thank you so much for the quick approval. Is there a fixed schedule for releases? If not, is there any chance you could trigger a new release soon?
