@@ -103,12 +103,13 @@ func GetProduct(t testing.TB) *spb.SevProduct {
103103// AmdSigner encapsulates a key and certificate chain following the format of AMD-SP's VCEK for
104104// signing attestation reports.
105105type AmdSigner struct {
106- Ark * x509.Certificate
107- Ask * x509.Certificate
108- Asvk * x509.Certificate
109- Vcek * x509.Certificate
110- Vlek * x509.Certificate
111- Keys * AmdKeys
106+ Ark * x509.Certificate
107+ Ask * x509.Certificate
108+ Asvk * x509.Certificate
109+ Vcek * x509.Certificate
110+ Vlek * x509.Certificate
111+ Extras map [string ][]byte
112+ Keys * AmdKeys
112113 // This identity does not match AMD's notion of an HWID. It is purely to combine expectations of
113114 // report data -> KDS URL construction for the fake KDS implementation.
114115 HWID [abi .ChipIDSize ]byte
@@ -189,11 +190,12 @@ type AmdSignerBuilder struct {
189190 HWID [abi .ChipIDSize ]byte
190191 TCB kds.TCBVersion
191192 // Intermediate built certificates
192- Ark * x509.Certificate
193- Ask * x509.Certificate
194- Asvk * x509.Certificate
195- Vcek * x509.Certificate
196- Vlek * x509.Certificate
193+ Ark * x509.Certificate
194+ Ask * x509.Certificate
195+ Asvk * x509.Certificate
196+ Vcek * x509.Certificate
197+ Vlek * x509.Certificate
198+ Extras map [string ][]byte
197199}
198200
199201func (b * AmdSignerBuilder ) productName () string {
@@ -529,13 +531,14 @@ func (b *AmdSignerBuilder) TestOnlyCertChain() (*AmdSigner, error) {
529531 }
530532 }
531533 s := & AmdSigner {
532- Ark : b .Ark ,
533- Ask : b .Ask ,
534- Asvk : b .Asvk ,
535- Vcek : b .Vcek ,
536- Vlek : b .Vlek ,
537- Keys : b .Keys ,
538- TCB : b .TCB ,
534+ Ark : b .Ark ,
535+ Ask : b .Ask ,
536+ Asvk : b .Asvk ,
537+ Vcek : b .Vcek ,
538+ Vlek : b .Vlek ,
539+ Keys : b .Keys ,
540+ Extras : b .Extras ,
541+ TCB : b .TCB ,
539542 }
540543 copy (s .HWID [:], b .HWID [:])
541544 return s , nil
@@ -563,7 +566,9 @@ func DefaultTestOnlyCertChain(productName string, creationTime time.Time) (*AmdS
563566// CertTableBytes outputs the certificates in AMD's ABI format.
564567func (s * AmdSigner ) CertTableBytes () ([]byte , error ) {
565568 // Calculate the output size and the offset at which to copy each certificate.
566- headers := make ([]abi.CertTableHeaderEntry , 6 ) // ARK, ASK, VCEK, VLEK, ASVK, NULL
569+ const baseEntries = 6 // ARK, ASK, VCEK, VLEK, ASVK, NULL
570+ entries := baseEntries + len (s .Extras )
571+ headers := make ([]abi.CertTableHeaderEntry , entries )
567572 headers [0 ].GUID = uuid .Parse (abi .ArkGUID )
568573 headers [0 ].Offset = uint32 (len (headers ) * abi .CertTableEntrySize )
569574 headers [0 ].Length = uint32 (len (s .Ark .Raw ))
@@ -584,9 +589,20 @@ func (s *AmdSigner) CertTableBytes() ([]byte, error) {
584589 headers [4 ].Offset = headers [3 ].Offset + headers [3 ].Length
585590 headers [4 ].Length = uint32 (len (s .Asvk .Raw ))
586591
592+ index := 4
593+ blobs := [][]byte {s .Ark .Raw , s .Ask .Raw , s .Vcek .Raw , s .Vlek .Raw , s .Asvk .Raw }
594+ for guid , data := range s .Extras {
595+ prior := index
596+ index ++
597+ headers [index ].GUID = uuid .Parse (guid )
598+ headers [index ].Offset = headers [prior ].Offset + headers [prior ].Length
599+ headers [index ].Length = uint32 (len (data ))
600+ blobs = append (blobs , data )
601+ }
602+
587603 // Write out the headers and the certificates at the appropriate offsets.
588- result := make ([]byte , headers [4 ].Offset + headers [4 ].Length )
589- for i , cert := range [][] byte { s . Ark . Raw , s . Ask . Raw , s . Vcek . Raw , s . Vlek . Raw , s . Asvk . Raw } {
604+ result := make ([]byte , headers [index ].Offset + headers [index ].Length )
605+ for i , cert := range blobs {
590606 if err := (& headers [i ]).Write (result [i * abi .CertTableEntrySize :]); err != nil {
591607 return nil , err
592608 }
0 commit comments