Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fetch KDS cert logic fails on non-Milan machines #591

Open
deeglaze opened this issue Nov 21, 2024 · 4 comments
Open

Fetch KDS cert logic fails on non-Milan machines #591

deeglaze opened this issue Nov 21, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@deeglaze
Copy link

Describe the bug

fetch_vcek_from_kds is a fallback mechanism when extended guest requests fail to provide a cached VCEK certificate to the guest. The solution in PR #555 hardcodes "Milan" in the endpoint. This will not work for Genoa, Turin, or later products because of the baked-in model string. You can extract the family and model number from attestation report v3 by

family is zen3/zen4 (19h) and map model 0 to "Milan", 1 to "Genoa", or
family is zen5 (1Ah) and map model 2 to "Turin".

How to reproduce

Don't provide cached VCEK to a SEV-SNP VM and verify attestation on Genoa or later.

CoCo version information

latest

What TEE are you seeing the problem on

Snp

Failing command and relevant log output

No response

@deeglaze deeglaze added the bug Something isn't working label Nov 21, 2024
@Xynnn007
Copy link
Member

Are you interested in this? @AdithyaKrishnan

@AdithyaKrishnan
Copy link
Contributor

Yes, I'll create a PR to address this very soon.

@vele-lorica
Copy link

Hey guys, I am assuming we need to update to sev 5.0 to enable extracting those values from v3 attestation report? Also, is there any status to resolving this bug?

@deeglaze
Copy link
Author

I have this KDS URL derivation logic present in a Go library you can base a solution off https://github.com/google/go-sev-guest/blob/main/verify/verify.go#L742

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants