Documentation ¶
Overview ¶
Package testing defines fakes and mocks for the sev-guest device and AMD-SP.
Index ¶
- Constants
- Variables
- func CreateRawReport(opts *TestReportOptions) [labi.SnpReportRespReportSize]byte
- func CustomExtensions(tcb kds.TCBParts, hwid []byte, cspid, productName string) []pkix.Extension
- func DefaultArk() *rsa.PrivateKey
- func DefaultAsk() *rsa.PrivateKey
- func DefaultAsvk() *rsa.PrivateKey
- func DefaultVcek() *ecdsa.PrivateKey
- func DefaultVlek() *ecdsa.PrivateKey
- func DerivedKeyRequestToString(req *labi.SnpDerivedKeyReqABI) string
- func FindChipTcbCerts(database *kpb.Certificates, chipID []byte) map[uint64][]byte
- func GetKDS(t testing.TB) trust.HTTPSGetter
- func GetProduct(t testing.TB) *spb.SevProduct
- func GetProductLine() string
- func GetProductName() string
- func Match(got error, want string) bool
- func TestRawReport(reportData [64]byte) [labi.SnpReportRespReportSize]byte
- func TestRawReportV3(reportData [64]byte, fms uint32) [labi.SnpReportRespReportSize]byte
- func TestUseKDS() bool
- type AmdKeys
- type AmdSigner
- type AmdSignerBuilder
- type CertOverride
- type Device
- type DeviceOptions
- type FakeKDS
- type GetReportResponse
- type GetResponse
- type Getter
- type KeyChoice
- type QuoteProvider
- type RootBundle
- type TestCase
- type TestReportOptions
Constants ¶
const (
// KeyChoiceVcek represents the default choice of the VCEK signing the report.
KeyChoiceVcek = iota
// KeyChoiceVlek represents the choice of the VLEK signing the report.
KeyChoiceVlek
)
Variables ¶
var (
// Product decides the expected product for attestation report validation. If empty, inferred
// to be the ProductLine of --product_name.
Product = flag.String("product", "", "The product string for the SEV-SNP machine tested on. The stepping version is ignored.")
// ProductName decides the fake certificates' product name. It must be parsable by
// kds.ParseProductName. The flag may also be used to direct the hardware verification options.
// If empty, defined to be kds.ProductName(abi.DefaultSevProduct()).
ProductName = flag.String("product_name", "", "The product name for the SEV-SNP machine tested on. Overrides --product.")
)
Functions ¶
func CreateRawReport ¶ added in v0.8.0
func CreateRawReport(opts *TestReportOptions) [labi.SnpReportRespReportSize]byte
CreateRawReport creates a simple raw attestation report with the given configurable data in options. We can't sign the report with AMD keys, and verification isn't the client's responsibility, so we keep the signature all zeros. Similarly, we leave the randomly-generated fields zero.
func CustomExtensions ¶ added in v0.8.0
func CustomExtensions(tcb kds.TCBParts, hwid []byte, cspid, productName string) []pkix.Extension
CustomExtensions returns an array of extensions following the KDS specification for the given values.
func DefaultArk ¶
func DefaultArk() *rsa.PrivateKey
DefaultArk returns a new RSA key with the expected size for an ARK.
func DefaultAsk ¶
func DefaultAsk() *rsa.PrivateKey
DefaultAsk returns a new RSA key with the expected size for an ASK.
func DefaultAsvk ¶ added in v0.8.0
func DefaultAsvk() *rsa.PrivateKey
DefaultAsvk returns a new RSA key with the expected size for an ASVK.
func DefaultVcek ¶
func DefaultVcek() *ecdsa.PrivateKey
DefaultVcek returns a new ECDSA key on the expected curve for a VCEK.
func DefaultVlek ¶ added in v0.8.0
func DefaultVlek() *ecdsa.PrivateKey
DefaultVlek returns a new ECDSA key on the expected curve for a VLEK.
func DerivedKeyRequestToString ¶ added in v0.2.3
func DerivedKeyRequestToString(req *labi.SnpDerivedKeyReqABI) string
DerivedKeyRequestToString translates a DerivedKeyReqABI into a map key string representation.
func FindChipTcbCerts ¶ added in v0.4.0
func FindChipTcbCerts(database *kpb.Certificates, chipID []byte) map[uint64][]byte
FindChipTcbCerts returns the TcbCerts associated with the given chipID in the database if they exist. If not, returns nil.
func GetKDS ¶ added in v0.4.0
func GetKDS(t testing.TB) trust.HTTPSGetter
GetKDS returns an HTTPSGetter that can produce the expected certificates for a given URL in the test environment.
func GetProduct ¶ added in v0.11.1
func GetProduct(t testing.TB) *spb.SevProduct
GetProduct returns the expected product for validation.
func GetProductLine ¶ added in v0.11.1
func GetProductLine() string
GetProductLine returns the actual or inferred value of --product.
func GetProductName ¶ added in v0.9.2
func GetProductName() string
GetProductName returns the --product_name flag value or a valid Default.
func TestRawReport ¶ added in v0.2.1
func TestRawReport(reportData [64]byte) [labi.SnpReportRespReportSize]byte
TestRawReport creates a simple V2 raw attestation report with the given REPORT_DATA. We can't sign the report with AMD keys, and verification isn't the client's responsibility, so we keep the signature all zeros. Similarly, we leave the randomly-generated fields zero.
func TestRawReportV3 ¶ added in v0.12.0
func TestRawReportV3(reportData [64]byte, fms uint32) [labi.SnpReportRespReportSize]byte
TestRawReportV3 creates a simple V3 raw attestation report with the given REPORT_DATA and CPUID_1_EAX. We can't sign the report with AMD keys, and verification isn't the client's responsibility, so we keep the signature all zeros. Similarly, we leave the randomly-generated fields zero.
func TestUseKDS ¶ added in v0.5.0
func TestUseKDS() bool
TestUseKDS returns whether tests should use the network to connect to the live AMD Key Distribution Service.
Types ¶
type AmdKeys ¶
type AmdKeys struct {
Ark *rsa.PrivateKey
Ask *rsa.PrivateKey
Asvk *rsa.PrivateKey
Vcek *ecdsa.PrivateKey
Vlek *ecdsa.PrivateKey
}
AmdKeys encapsulates the key chain of ARK through ASK down to VCEK.
func DefaultAmdKeys ¶
func DefaultAmdKeys() *AmdKeys
DefaultAmdKeys returns a key set for ARK, ASK, and VCEK with the expected key type and size.
type AmdSigner ¶
type AmdSigner struct {
Ark *x509.Certificate
Ask *x509.Certificate
Asvk *x509.Certificate
Vcek *x509.Certificate
Vlek *x509.Certificate
Extras map[string][]byte
Keys *AmdKeys
// This identity does not match AMD's notion of an HWID. It is purely to combine expectations of
// report data -> KDS URL construction for the fake KDS implementation.
HWID [abi.ChipIDSize]byte
TCB kds.TCBVersion
Product *spb.SevProduct
}
AmdSigner encapsulates a key and certificate chain following the format of AMD-SP's VCEK for signing attestation reports.
func DefaultTestOnlyCertChain ¶ added in v0.8.0
DefaultTestOnlyCertChain creates a test-only certificate chain for a fake attestation signer.
func (*AmdSigner) CertTableBytes ¶
CertTableBytes outputs the certificates in AMD's ABI format.
type AmdSignerBuilder ¶
type AmdSignerBuilder struct {
// Keys contains the private keys that will get a certificate chain structure.
Keys *AmdKeys
ProductName string
ArkCreationTime time.Time
AskCreationTime time.Time
AsvkCreationTime time.Time
VcekCreationTime time.Time
VlekCreationTime time.Time
ArkCustom CertOverride
AskCustom CertOverride
AsvkCustom CertOverride
VcekCustom CertOverride
VlekCustom CertOverride
CSPID string
HWID [abi.ChipIDSize]byte
TCB kds.TCBVersion
// Intermediate built certificates
Ark *x509.Certificate
Ask *x509.Certificate
Asvk *x509.Certificate
Vcek *x509.Certificate
Vlek *x509.Certificate
Extras map[string][]byte
}
AmdSignerBuilder represents toggleable configurations of the VCEK certificate chain.
func (*AmdSignerBuilder) TestOnlyCertChain ¶ added in v0.8.0
func (b *AmdSignerBuilder) TestOnlyCertChain() (*AmdSigner, error)
TestOnlyCertChain creates a test-only certificate chain from the keys and configurables in b.
type CertOverride ¶
type CertOverride struct {
// If 0, interpreted as Version, otherwise the ARK cert version number.
Version int
SerialNumber *big.Int
Issuer *pkix.Name
Subject *pkix.Name
SignatureAlgorithm x509.SignatureAlgorithm
PublicKeyAlgorithm x509.PublicKeyAlgorithm
KeyUsage x509.KeyUsage
// If nil, interpreted as default, otherwise the CRLDistributionPoints for the cert.
CRLDistributionPoints []string
// If nil, interpreted as default list.
Extensions []pkix.Extension
}
CertOverride encapsulates certificate aspects that can be overridden when creating a certificate chain.
type Device ¶
type Device struct {
ReportDataRsp map[string]any
Keys map[string][]byte
Certs []byte
Signer *AmdSigner
SevProduct *spb.SevProduct
// contains filtered or unexported fields
}
Device represents a sev-guest driver implementation with pre-programmed responses to commands.
func TcDevice ¶
func TcDevice(tcs []TestCase, opts *DeviceOptions) (*Device, error)
TcDevice returns a mock device populated from test cases' inputs and expected outputs.
func (*Device) Ioctl ¶
Ioctl mocks commands with pre-specified responses for a finite number of requests.
func (*Device) Product ¶ added in v0.7.1
func (d *Device) Product() *spb.SevProduct
Product returns the mocked product info or the default.
type DeviceOptions ¶ added in v0.2.4
type DeviceOptions struct {
Keys map[string][]byte
Now time.Time
Signer *AmdSigner
Product *spb.SevProduct
}
DeviceOptions specifies customizations for a fake sev-guest device.
type FakeKDS ¶ added in v0.4.0
type FakeKDS struct {
Certs *kpb.Certificates
// Two CERTIFICATE PEMs per product: ASK then ARK, or ASVK then ARK.
RootBundles map[string]*RootBundle
}
FakeKDS implements the verify.HTTPSGetter interface to provide certificates like AMD KDS, but with certificates cached in a protobuf.
func FakeKDSFromFile ¶ added in v0.4.0
FakeKDSFromFile returns a FakeKDS from a path to a serialized fakekds.Certificates message.
func FakeKDSFromSigner ¶ added in v0.4.0
FakeKDSFromSigner returns a FakeKDS that produces the fake signer's certificates following the AMD KDS REST API expectations.
type GetReportResponse ¶
type GetReportResponse struct {
Resp labi.SnpReportRespABI
EsResult labi.EsResult
FwErr abi.SevFirmwareStatus
}
GetReportResponse represents a mocked response to a command request.
type GetResponse ¶ added in v0.7.1
GetResponse controls how often (Occurrences) a certain response should be provided.
type Getter ¶
type Getter struct {
Responses map[string][]GetResponse
// contains filtered or unexported fields
}
Getter is a mock of the HTTPSGetter interface that sequentially returns the configured responses for the provided URL. Responses are returned as a queue, i.e., always served from index 0.
func SimpleGetter ¶ added in v0.7.1
SimpleGetter constructs a static server from url -> body responses. For more elaborate tests, construct a custom Getter.
func (*Getter) Done ¶ added in v0.7.1
Done checks that all configured responses have been consumed, and errors otherwise.
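The Getter queue semantics described above (GetResponse, Get, Done), as an added stand-alone Go example that is not the package's own code: it re-implements those three pieces from the descriptions on this page, with the Occurrences field and the error-on-unconfigured-URL behaviour as assumptions, and main shows the check a test makes that every expected certificate fetch actually happened before the verifier is trusted.

```go
package main

import "fmt"

// GetResponse: a body (or error) served Occurrences times, then the next queued one.
type GetResponse struct {
	Occurrences uint
	Body        []byte
	Error       error
}

// Getter serves each URL's responses as a queue, always from index 0.
type Getter struct{ Responses map[string][]GetResponse }

// Get serves the head response and pops it once its count is spent; an
// unconfigured URL fails, so the test notices unexpected KDS requests.
func (g *Getter) Get(url string) ([]byte, error) {
	q := g.Responses[url]
	if len(q) == 0 {
		return nil, fmt.Errorf("unexpected fetch of %q", url)
	}
	head := q[0]
	if head.Occurrences <= 1 {
		g.Responses[url] = q[1:]
	} else {
		q[0].Occurrences--
	}
	return head.Body, head.Error
}

// Done errors while a response is still queued: the code under test skipped a
// fetch the test expected (say the VCEK or the ASK/ARK bundle).
func (g *Getter) Done() error {
	for url, q := range g.Responses {
		if len(q) > 0 {
			return fmt.Errorf("%d unconsumed response(s) for %q", len(q), url)
		}
	}
	return nil
}

func main() {
	// Constructed URL shaped like a KDS cert-chain fetch; the body is a stand-in.
	g := &Getter{Responses: map[string][]GetResponse{
		"https://kds.example/cert_chain": {{Occurrences: 1, Body: []byte("PEM")}},
	}}
	fmt.Println(g.Done()) // error: a verifier that never fetched the chain fails here
	_, _ = g.Get("https://kds.example/cert_chain")
	fmt.Println(g.Done()) // <nil>: every expected fetch happened
}
```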
type KeyChoice ¶ added in v0.8.0
type KeyChoice int
KeyChoice represents which key is expected to have signed the report.
type QuoteProvider ¶ added in v0.10.0
type QuoteProvider struct {
Device *Device
}
QuoteProvider represents a SEV-SNP backed configfs-tsm with pre-programmed responses to attestations.
func TcQuoteProvider ¶ added in v0.10.0
func TcQuoteProvider(tcs []TestCase, opts *DeviceOptions) (*QuoteProvider, error)
TcQuoteProvider returns a mock quote provider populated from test cases' inputs and expected outputs.
func (*QuoteProvider) GetRawQuote ¶ added in v0.10.0
func (p *QuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)
GetRawQuote returns the raw report assigned for the given reportData.
func (*QuoteProvider) IsSupported ¶ added in v0.10.0
func (*QuoteProvider) IsSupported() bool
IsSupported always returns true.
func (*QuoteProvider) Product ¶ added in v0.10.1
func (p *QuoteProvider) Product() *spb.SevProduct
Product returns the mocked product info or the default.
type RootBundle ¶ added in v0.8.0
RootBundle represents the two different CA bundles that the KDS can return.
type TestCase ¶
type TestCase struct {
Name string
Input [64]byte
Output [labi.SnpReportRespReportSize]byte
OutputProto string
FwErr abi.SevFirmwareStatus
EsResult labi.EsResult
EK KeyChoice
WantErr string
}
TestCase represents a get_report input/output test case.
type TestReportOptions ¶ added in v0.8.0
type TestReportOptions struct {
ReportData []byte
SignerInfo abi.SignerInfo
FMS uint32
// If 0, then treated as 2.
Version uint32
}
TestReportOptions represents a few configurables for generating fake reports from particular inputs.
Directories ¶
| Path | Synopsis |
|---|---|
| client | Package client (in testing) allows tests to get a fake or real sev-guest device. |
| data | Package data (in testing) allows tests to access data for testing purposes. |