Documentation
Overview
Package SNP provides types shared by SNP-based attestation implementations. It ensures all issuers provide the same types to the verify command.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetExtendedReport
GetExtendedReport retrieves the extended SNP report from the CVM.
func Product
func Product() *spb.SevProduct
Product returns the SEV product info currently supported by Constellation's SNP attestation.
Types
type AzureInstanceInfo
type AzureInstanceInfo struct {
// RuntimeData is the Azure runtime data from the vTPM (NVRAM) of the CVM.
RuntimeData []byte
// MAAToken is the token of the MAA for the attestation report, used as a fallback
// if the IDKeyDigest cannot be verified.
MAAToken string
}
AzureInstanceInfo contains Azure specific information related to SNP attestation.
type CertificateChain
type CertificateChain struct {
// contains filtered or unexported fields
}
CertificateChain stores an AMD signing key (ASK) and AMD root key (ARK) certificate.
func NewCertificateChain
func NewCertificateChain(ask, ark *x509.Certificate) CertificateChain
NewCertificateChain returns a new CertificateChain with the given ASK and ARK certificates.
type InstanceInfo
type InstanceInfo struct {
// ReportSigner is the PEM-encoded certificate used to validate the attestation report's signature.
ReportSigner []byte
// CertChain is the PEM-encoded certificate chain for the attestation report (ASK+ARK):
// the ASK is the intermediate key that signs the ReportSigner, and the ARK is the root key that signs the ASK.
CertChain []byte
// AttestationReport is the attestation report from the vTPM (NVRAM) of the CVM.
AttestationReport []byte
Azure *AzureInstanceInfo
GCP *attest.GCEInstanceInfo
}
InstanceInfo contains the necessary information to establish trust in a SNP CVM.
func (*InstanceInfo) AttestationWithCerts
func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter, fallbackCerts CertificateChain, logger attestation.Logger) (*spb.Attestation, error)
AttestationWithCerts returns a formatted version of the attestation report and its certificates from the instanceInfo. Certificates are retrieved in the following precedence:
1. ASK from the issuer. On Azure: THIM. On AWS: not prefilled (go to option 2). On GCP: prefilled.
2. ASK or ARK from fallbackCerts.
3. ASK or ARK from the AMD KDS.
func (*InstanceInfo) ParseCertChain
func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr error)
ParseCertChain parses the certificate chain from the instanceInfo into x509-formatted ASK and ARK certificates. If fewer than two certificates are present, only the one that is present is returned (the other is nil); if more than two are present, an error is returned.
func (*InstanceInfo) ParseReportSigner
func (a *InstanceInfo) ParseReportSigner() (*x509.Certificate, error)
ParseReportSigner parses the VCEK/VLEK certificate from the instanceInfo into an x509-formatted certificate. If no certificate is present, nil is returned.
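The two pieces above that matter for trust are the ParseCertChain contract (at most two certificates, either one may be missing) and the certificate precedence of AttestationWithCerts (issuer chain, then fallbackCerts, then the AMD KDS). The following is an added example, not code from the Constellation package: it implements that parsing contract and the first two precedence steps on its own stand-in type `CertChain`, and then checks the resulting path report signer -> ASK -> ARK with Go's `x509.Verify`, which is this example's choice and also enforces validity periods. Assumptions, both labelled in the code: the ASK and ARK are told apart by the subject CNs "SEV-Milan" and "ARK-Milan" that AMD uses for Milan, and the fixtures are constructed ECDSA P-384 certificates (real AMD ARK/ASK certificates are RSA-PSS; only the chain shape matters here). The KDS step needs network access and is reported as an error in this offline example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertChain is a hypothetical stand-in for the package's CertificateChain (ASK + ARK).
type CertChain struct{ ASK, ARK *x509.Certificate }

// parseCertChain follows ParseCertChain's contract: at most two PEM certificates, each returned
// if present (nil otherwise), error on a third. Assumption: ASK and ARK are told apart by the
// subject CNs AMD uses for Milan, "SEV-Milan" and "ARK-Milan".
func parseCertChain(pemChain []byte) (*x509.Certificate, *x509.Certificate, error) {
	var ask, ark *x509.Certificate
	for n := 1; ; n++ {
		var block *pem.Block
		if block, pemChain = pem.Decode(pemChain); block == nil {
			return ask, ark, nil
		} else if n > 2 {
			return nil, nil, fmt.Errorf("more than 2 certificates in chain")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("certificate %d: %w", n, err)
		}
		switch cert.Subject.CommonName {
		case "SEV-Milan":
			ask = cert
		case "ARK-Milan":
			ark = cert
		default:
			return nil, nil, fmt.Errorf("certificate %d: unexpected subject CN %q", n, cert.Subject.CommonName)
		}
	}
}

// resolveChain applies precedence steps 1 (issuer-supplied chain) and 2 (fallbackCerts) of
// AttestationWithCerts; step 3, the AMD KDS fetch, needs the network and is an error offline.
func resolveChain(issuerChain []byte, fallback CertChain) (CertChain, error) {
	ask, ark, err := parseCertChain(issuerChain)
	if err != nil {
		return CertChain{}, err
	}
	if ask == nil {
		ask = fallback.ASK
	}
	if ark == nil {
		ark = fallback.ARK
	}
	if ask == nil || ark == nil {
		return CertChain{}, fmt.Errorf("ASK or ARK missing after fallback; a KDS fetch would be needed")
	}
	return CertChain{ASK: ask, ARK: ark}, nil
}

// verifyReportSigner builds the path report signer -> ASK -> ARK with the ARK as the sole trust anchor.
func verifyReportSigner(signer *x509.Certificate, chain CertChain) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain.ARK)
	intermediates.AddCert(chain.ASK)
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// makeCert builds a constructed fixture certificate on ECDSA P-384 (real AMD ARK/ASK certificates
// are RSA-PSS; only the chain shape matters here). parent == nil yields a self-signed root.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // only fails on a broken RNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // our own DER, cannot fail
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewFixtures returns a fresh ARK -> ASK -> VCEK chain: the parsed signer plus ASK and ARK as PEM.
func NewFixtures() (signer *x509.Certificate, askPEM, arkPEM []byte) {
	ark, arkKey, arkPEM := makeCert("ARK-Milan", true, nil, nil)
	ask, askKey, askPEM := makeCert("SEV-Milan", true, ark, arkKey)
	signer, _, _ = makeCert("SEV-VCEK", false, ask, askKey)
	return signer, askPEM, arkPEM
}
```

A typical use mirrors the AWS case in the precedence list: the issuer supplied only the ASK, so `resolveChain(askPEM, CertChain{ARK: ark})` takes the ARK from the fallback, and `verifyReportSigner(signer, chain)` then succeeds only if the signer really chains to that ARK; swapping in an unrelated self-signed "ARK-Milan" fails, which is the check that keeps a report signature from being trusted on the strength of whatever chain the (untrusted) CVM handed over.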