Merge pull request #2 from deeglaze/main

Export methods for testing externally

Author: deeglaze

README.md

@@ -73,13 +73,34 @@ verify.SnpAttestation(myAttestation, &verify.Options{})
 
 #### `Options` type
 
-This type contains two fields: `CheckRevocations bool`, and `Getter
-HTTPSGetter`. If `CheckRevocations` is true, then `Getter` must be non-nil and
-implement the `HTTPSGetter` interface.
+This type contains three fields:
+
+*   `CheckRevocations bool`: if true, then `SnpAttestation` will download the
+    certificate revocation list (CRL) and check for revocations.
+*   `Getter HTTPSGetter`: must be non-`nil` if `CheckRevocations` is true.
+*   `TrustedRoots map[string][]*AMDRootCerts`: if `nil`, uses the library's embedded certificates.
+     Maps a platform name to all allowed root certifications for that platform (e.g., Milan).
 
 The `HTTPSGetter` interface consists of a single method `Get(url string)
 ([]byte, error)` that should return the body of the HTTPS response.
 
+
+#### `AMDRootCerts` type
+
+This type has 6 fields, the first 3 of which are mandatory:
+
+*   `Platform string`: the name of the platform this bundle is for (e.g., `"Milan"`).
+*   `AskX509 *x509.Certificate`: an X.509 representation of the AMD SEV Signer intermediate key (ASK)'s certificate.
+*   `ArkX509 *x509.Certificate`: an X.509 representation of the AMD SEV Root key (ARK)'s certificate.
+*   `AskSev *abi.AskCert`: if non-`nil`, will cross-check with
+    `AskX509`. Represents the information present in the AMD SEV certificate
+    format for the ASK.
+*   `ArkSev *abi.AskCert`: if non-`nil`, will cross-check with
+    `ArkX509`. Represents the information present in the AMD SEV certificate
+    format for the ARK.
+*   `CRL *x509.RevocationList`: the certificate revocation list signed by the ARK.
+    Will be populated if `SnpAttestation` is called with `CheckRevocations: true`.
+
 ## License
 
 go-sev-guest is released under the Apache 2.0 license.

testing/test_cases.go

@@ -90,7 +90,7 @@ var oneReport = `
 // We can't sign the report with AMD keys, and verification isn't the client's responsibility, so
 // we keep the signature zeros.
 // Similarly, we leave the randomly-generated fields zero.
-func testRawReport(userData [64]byte) [abi.ReportSize]byte {
+func TestRawReport(userData [64]byte) [abi.ReportSize]byte {
 	var r [abi.ReportSize]byte
 	// Set Version to 2
 	binary.LittleEndian.PutUint32(r[0x00:0x04], 2)
@@ -127,8 +127,8 @@ type TestCase struct {
 
 // TestCases returns common test cases for get_report.
 func TestCases() []TestCase {
-	zeroRaw := testRawReport(userZeros)
-	oneRaw := testRawReport(userZeros1)
+	zeroRaw := TestRawReport(userZeros)
+	oneRaw := TestRawReport(userZeros1)
 	return []TestCase{
 		{
 			Name:        "zeros",

verify/verify.go

@@ -73,22 +73,21 @@ type AMDRootCerts struct {
 	// ArkX509 is an X.509 certificate for the AMD root key (ARK).
 	ArkX509 *x509.Certificate
 	// AskSev is the AMD certificate representation of the AMD signing key that certifies
-	// versioned chip endoresement keys.
+	// versioned chip endoresement keys. If present, the information must match AskX509.
 	AskSev *abi.AskCert
 	// ArkSev is the AMD certificate representation of the self-signed AMD root key that
-	// certifies the AMD signing key.
+	// certifies the AMD signing key. If present, the information must match ArkX509.
 	ArkSev *abi.AskCert
 	// Protects concurrent updates to CRL.
 	mu sync.Mutex
 	// CRL is the certificate revocation list for this AMD platform. Populated once, only when a
 	// revocation is checked.
-	CRL                  *x509.RevocationList
-	noCrossCheckTestOnly bool
+	CRL *x509.RevocationList
 }
 
 // DefaultRootCerts holds AMD's SEV API certificate format for ASK and ARK keys as published here
 // https://developer.amd.com/wp-content/resources/ask_ark_milan.cert
-var DefaultRootCerts AMDRootCerts
+var DefaultRootCerts map[string]*AMDRootCerts
 
 // Unmarshal populates ASK and ARK certificates from AMD SEV format certificates in data.
 func (r *AMDRootCerts) Unmarshal(data []byte) error {
@@ -161,7 +160,11 @@ func (r *AMDRootCerts) X509Options() *x509.VerifyOptions {
 
 // Parse ASK, ARK certificates from the embedded AMD certificate file.
 func init() {
-	DefaultRootCerts.Unmarshal(askArkMilanBytes)
+	milanCerts := new(AMDRootCerts)
+	milanCerts.Unmarshal(askArkMilanBytes)
+	DefaultRootCerts = map[string]*AMDRootCerts{
+		"Milan": milanCerts,
+	}
 }
 
 func askVerifiedBy(signee, signer *abi.AskCert, signeeName, signerName string) error {
@@ -276,7 +279,7 @@ func (r *AMDRootCerts) validateRootX509(x *x509.Certificate, version int, role,
 // cryptographic signatures.
 func (r *AMDRootCerts) ValidateAskX509() error {
 	if r == nil {
-		r = &DefaultRootCerts
+		r = DefaultRootCerts["Milan"]
 	}
 	var cn string
 	if r.Platform != "" {
@@ -285,21 +288,17 @@ func (r *AMDRootCerts) ValidateAskX509() error {
 	if err := r.validateRootX509(r.AskX509, askX509Version, "ASK", cn); err != nil {
 		return err
 	}
-	askSev := r.AskSev
-	if askSev == nil {
-		askSev = DefaultRootCerts.AskSev
-	}
-	if r.noCrossCheckTestOnly {
-		return nil
+	if r.AskSev != nil {
+		return crossCheckSevX509(r.AskSev, r.AskX509)
 	}
-	return crossCheckSevX509(askSev, r.AskX509)
+	return nil
 }
 
 // ValidateArkX509 checks expected metadata about the ARK X.509 certificate. It does not verify the
 // cryptographic signatures.
 func (r *AMDRootCerts) ValidateArkX509() error {
 	if r == nil {
-		r = &DefaultRootCerts
+		r = DefaultRootCerts["Milan"]
 	}
 	var cn string
 	if r.Platform != "" {
@@ -308,14 +307,10 @@ func (r *AMDRootCerts) ValidateArkX509() error {
 	if err := r.validateRootX509(r.ArkX509, arkX509Version, "ARK", cn); err != nil {
 		return err
 	}
-	arkSev := r.ArkSev
-	if arkSev == nil {
-		arkSev = DefaultRootCerts.ArkSev
-	}
-	if r.noCrossCheckTestOnly {
-		return nil
+	if r.ArkSev != nil {
+		return crossCheckSevX509(r.ArkSev, r.ArkX509)
 	}
-	return crossCheckSevX509(arkSev, r.ArkX509)
+	return nil
 }
 
 // Checks some steps of AMD SEV API Appendix B.3
@@ -335,7 +330,7 @@ func validateRootSev(subject, issuer *abi.AskCert, version, keyUsage uint32, sub
 // This covers steps 1, 2, and 5
 func (r *AMDRootCerts) ValidateAskSev() error {
 	if r == nil {
-		r = &DefaultRootCerts
+		r = DefaultRootCerts["Milan"]
 	}
 	return validateRootSev(r.AskSev, r.ArkSev, askVersion, askKeyUsage, "ASK", "ARK")
 }
@@ -344,19 +339,19 @@ func (r *AMDRootCerts) ValidateAskSev() error {
 // This covers steps 5, 6, 9, and 11.
 func (r *AMDRootCerts) ValidateArkSev() error {
 	if r == nil {
-		r = &DefaultRootCerts
+		r = DefaultRootCerts["Milan"]
 	}
 	return validateRootSev(r.ArkSev, r.ArkSev, arkVersion, arkKeyUsage, "ARK", "ARK")
 }
 
 // ValidateX509 will validate the x509 certificates of the ASK and ARK.
 func (r *AMDRootCerts) ValidateX509() error {
-	if err := r.ValidateAskX509(); err != nil {
-		return fmt.Errorf("ASK validation error: %v", err)
-	}
 	if err := r.ValidateArkX509(); err != nil {
 		return fmt.Errorf("ARK validation error: %v", err)
 	}
+	if err := r.ValidateAskX509(); err != nil {
+		return fmt.Errorf("ASK validation error: %v", err)
+	}
 	return nil
 }
 
@@ -448,7 +443,7 @@ func (r *AMDRootCerts) validateVcekCertificatePlatformSpecifics(cert *x509.Certi
 // VcekDER checks that the VCEK certificate matches expected fields
 // from the KDS specification and also that its certificate chain matches
 // hardcoded trusted root certificates from AMD.
-func VcekDER(vcek []byte, ask []byte, ark []byte) (*x509.Certificate, *AMDRootCerts, error) {
+func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *AMDRootCerts, error) {
 	vcekCert, err := x509.ParseCertificate(vcek)
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not interpret VCEK DER bytes: %v", err)
@@ -457,21 +452,34 @@ func VcekDER(vcek []byte, ask []byte, ark []byte) (*x509.Certificate, *AMDRootCe
 	if err != nil {
 		return nil, nil, err
 	}
-	root := &AMDRootCerts{
-		Platform: vcekProductMap[exts.ProductName],
-		// Allow tests to disable crosscheck on test-only certificates.
-		noCrossCheckTestOnly: DefaultRootCerts.noCrossCheckTestOnly,
-	}
-	if err := root.FromDER(ask, ark); err != nil {
-		return nil, nil, err
-	}
-	if err := root.ValidateX509(); err != nil {
-		return nil, nil, err
+	roots := options.TrustedRoots
+	platform := vcekProductMap[exts.ProductName]
+	if roots == nil {
+		root := &AMDRootCerts{
+			Platform: platform,
+			// Require that the root matches embedded root certs.
+			AskSev: DefaultRootCerts[platform].AskSev,
+			ArkSev: DefaultRootCerts[platform].ArkSev,
+		}
+		if err := root.FromDER(ask, ark); err != nil {
+			return nil, nil, err
+		}
+		if err := root.ValidateX509(); err != nil {
+			return nil, nil, err
+		}
+		roots = map[string][]*AMDRootCerts{
+			platform: []*AMDRootCerts{root},
+		}
 	}
-	if err := root.validateVcekCertificatePlatformSpecifics(vcekCert); err != nil {
-		return nil, nil, err
+	var lastErr error
+	for _, platformRoot := range roots[platform] {
+		if err := platformRoot.validateVcekCertificatePlatformSpecifics(vcekCert); err != nil {
+			lastErr = err
+			continue
+		}
+		return vcekCert, platformRoot, nil
 	}
-	return vcekCert, root, nil
+	return nil, nil, fmt.Errorf("VCEK could not be verified by any trusted roots. Last error: %v", lastErr)
 }
 
 // SnpReportSignature verifies the attestation report's signature based on the report's
@@ -509,13 +517,17 @@ type Options struct {
 	// Getter takes a URL and returns the body of its contents. By default uses http.Get and returns
 	// the body.
 	Getter HTTPSGetter
+	// TrustedRoots specifies the ARK and ASK certificates to trust when checking the VCEK. If nil,
+	// then verification will fall back on embedded AMD-published root certificates.
+	// Maps the platform name to an array of allowed roots.
+	TrustedRoots map[string][]*AMDRootCerts
 }
 
 // SnpAttestation verifies the protobuf representation of an attestation report's signature based
 // on the report's SignatureAlgo, provided the certificate chain is valid.
 func SnpAttestation(attestation *spb.Attestation, options *Options) error {
 	chain := attestation.GetCertificateChain()
-	vcek, root, err := VcekDER(chain.GetVcekCert(), chain.GetAskCert(), chain.GetArkCert())
+	vcek, root, err := VcekDER(chain.GetVcekCert(), chain.GetAskCert(), chain.GetArkCert(), options)
 	if err != nil {
 		return err
 	}

verify/verify_test.go

@@ -58,28 +58,30 @@ func initSigner() {
 func TestEmbeddedCertsAppendixB3Expectations(t *testing.T) {
 	// https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf
 	// Appendix B.1
-	if err := DefaultRootCerts.ValidateAskSev(); err != nil {
-		t.Errorf("Embedded ASK failed validation: %v", err)
-	}
-	if err := DefaultRootCerts.ValidateArkSev(); err != nil {
-		t.Errorf("Embedded ARK failed validation: %v", err)
+	for _, root := range DefaultRootCerts {
+		if err := root.ValidateAskSev(); err != nil {
+			t.Errorf("Embedded ASK failed validation: %v", err)
+		}
+		if err := root.ValidateArkSev(); err != nil {
+			t.Errorf("Embedded ARK failed validation: %v", err)
+		}
 	}
 }
 
 func TestFakeCertsKDSExpectations(t *testing.T) {
 	signMu.Do(initSigner)
 	root := AMDRootCerts{
-		Platform:             platform,
-		ArkX509:              signer.Ark,
-		AskX509:              signer.Ask,
-		noCrossCheckTestOnly: true,
-	}
-	if err := root.ValidateAskX509(); err != nil {
-		t.Errorf("fake ASK validation error: %v", err)
+		Platform: platform,
+		ArkX509:  signer.Ark,
+		AskX509:  signer.Ask,
+		// No ArkSev or AskSev intentionally for test certs.
 	}
 	if err := root.ValidateArkX509(); err != nil {
 		t.Errorf("fake ARK validation error: %v", err)
 	}
+	if err := root.ValidateAskX509(); err != nil {
+		t.Errorf("fake ASK validation error: %v", err)
+	}
 }
 
 func TestParseVcekCert(t *testing.T) {
@@ -162,7 +164,6 @@ func TestSnpReportSignature(t *testing.T) {
 
 func TestKdsMetadataLogic(t *testing.T) {
 	signMu.Do(initSigner)
-	DefaultRootCerts.noCrossCheckTestOnly = true
 	asn1Zero, _ := asn1.Marshal(0)
 	productName, _ := asn1.Marshal("Cookie-B0")
 	var hwid [64]byte
@@ -284,7 +285,19 @@ func TestKdsMetadataLogic(t *testing.T) {
 			t.Errorf("%+v.CertChain() errored unexpectedly: %v", tc.builder, err)
 			continue
 		}
-		vcek, _, err := VcekDER(newSigner.Vcek.Raw, newSigner.Ask.Raw, newSigner.Ark.Raw)
+		// Trust the test-generated root if the test should pass. Otherwise, other root logic
+		// won't get tested.
+		options := &Options{TrustedRoots: map[string][]*AMDRootCerts{
+			"Milan": []*AMDRootCerts{&AMDRootCerts{
+				Platform: "Milan",
+				ArkX509:  newSigner.Ark,
+				AskX509:  newSigner.Ask,
+			}},
+		}}
+		if tc.wantErr != "" {
+			options = &Options{}
+		}
+		vcek, _, err := VcekDER(newSigner.Vcek.Raw, newSigner.Ask.Raw, newSigner.Ark.Raw, options)
 		if err == nil && tc.wantErr != "" {
 			t.Errorf("%s: VcekDER(...) = %+v did not error as expected.", tc.name, vcek)
 		}
@@ -382,13 +395,20 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 		t.Error(err)
 	}
 	defer d.Close()
+	// Trust the test device's root certs.
+	options := &Options{TrustedRoots: map[string][]*AMDRootCerts{
+		"Milan": []*AMDRootCerts{&AMDRootCerts{
+			Platform: "Milan",
+			ArkX509:  d.Signer.Ark,
+			AskX509:  d.Signer.Ask,
+		}}}}
 	for _, tc := range tests {
 		ereport, err := sg.GetExtendedReport(d, tc.Input)
 		if err != tc.WantErr {
 			t.Fatalf("%s: GetExtendedReport(d, %v) = %v, %v. Want err: %v", tc.Name, tc.Input, ereport, err, tc.WantErr)
 		}
 		if tc.WantErr == nil {
-			if err := SnpAttestation(ereport, &Options{}); err != nil {
+			if err := SnpAttestation(ereport, options); err != nil {
 				t.Errorf("SnpAttestation(%v) errored unexpectedly: %v", ereport, err)
 			}
 		}