validate: change parameters, now accept a full cert chain

In keeping with the tool's approach, which handles the entire SEV
certificate chain, make the same adjustment for the `validate`
command: allow the file path to the entire certificate chain instead
of just a single file with the PEK certificate, as extracting the PEK
alone is not possible with `sevctl`.

Signed-off-by: Roman Penyaev <[email protected]>

Author: rouming

src/main.rs

@@ -130,12 +130,12 @@ enum SevctlCmd {
 
     /// Validate subcommands
     Validate {
-        /// PEK directory path
-        #[arg(short, long = "pek", required = true)]
-        pek_path: PathBuf,
+        /// Path to the SEV cert chain, can be obtained by the `export` subcommand
+        #[arg(value_name = "sev-cert-chain", required = true)]
+        chain_path: PathBuf,
 
-        /// Attestation Report directory path
-        #[arg(short, long = "attestation-report", required = true)]
+        /// Path to the attestation report binary file
+        #[arg(value_name = "attestation-report", required = true)]
         ar_path: PathBuf,
     },
 
@@ -266,7 +266,10 @@ fn main() -> Result<()> {
         SevctlCmd::Session { name, pdh, policy } => session::cmd(name, pdh, policy),
         SevctlCmd::Show { cmd } => show::cmd(cmd),
         SevctlCmd::Verify { sev, oca, ca } => verify::cmd(sevctl.quiet, sev, oca, ca),
-        SevctlCmd::Validate { pek_path, ar_path } => validate::cmd(pek_path, ar_path),
+        SevctlCmd::Validate {
+            chain_path,
+            ar_path,
+        } => validate::cmd(chain_path, ar_path),
         SevctlCmd::Vmsa(option) => match option {
             VmsaCmd::Build(args) => vmsa::build::cmd(args),
             VmsaCmd::Show(args) => vmsa::show::cmd(args),

src/validate.rs

@@ -1,24 +1,15 @@
 // SPDX-License-Identifier: Apache-2.0
 
-use sev::certs::sev::{sev::Certificate, Verifiable};
+use sev::certs::sev::{sev::Chain, Verifiable};
 use sev::firmware::host::LegacyAttestationReport;
 
+use anyhow::{Context, Result};
 use std::{fs, path::PathBuf};
 
-static PEK_NAME: &str = "pek.cert";
-static AR_NAME: &str = "attestation_report.bin";
+use codicon::*;
 
 /// Validates the provided Platform Endorsement Key signed the specified Attestation Report.
-/// This assumes the PEK name to be `pek.cert` and the report name to be `attestation_report.bin`.
-pub fn cmd(mut pek: PathBuf, mut report: PathBuf) -> Result<(), anyhow::Error> {
-    if pek.exists() && pek.is_dir() {
-        pek = pek.join(PEK_NAME);
-    }
-
-    if report.exists() && report.is_dir() {
-        report = report.join(AR_NAME);
-    }
-
+pub fn cmd(chain_path: PathBuf, report: PathBuf) -> Result<(), anyhow::Error> {
     // Verify the binary being provided is of the correct size.
     if fs::metadata(report.clone())?.len() as usize
         != std::mem::size_of::<LegacyAttestationReport>()
@@ -31,11 +22,10 @@ pub fn cmd(mut pek: PathBuf, mut report: PathBuf) -> Result<(), anyhow::Error> {
 
     buf.clear();
 
-    buf = fs::read(pek)?;
-    let pek_cert: Certificate = bincode::deserialize(&buf)?;
-
-    drop(buf);
+    let mut chainf =
+        fs::File::open(chain_path).context("unable to open SEV certificate chain file")?;
+    let chain = Chain::decode(&mut chainf, ()).context("unable to decode chain")?;
 
     // Verify using the implementation
-    Ok((&pek_cert, &legacy_report).verify()?)
+    Ok((&chain.pek, &legacy_report).verify()?)
 }