Skip to content

validate: change parameters, now accept a full cert chain #205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tylerfanelli merged 1 commit into from
Apr 17, 2025
Merged

validate: change parameters, now accept a full cert chain #205

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 9 additions & 6 deletions src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,12 +130,12 @@ enum SevctlCmd {

/// Validate subcommands
Validate {
/// PEK directory path
#[arg(short, long = "pek", required = true)]
pek_path: PathBuf,
/// Path to the SEV cert chain, can be obtained by the `export` subcommand
#[arg(value_name = "sev-cert-chain", required = true)]
chain_path: PathBuf,

/// Attestation Report directory path
#[arg(short, long = "attestation-report", required = true)]
/// Path to the attestation report binary file
#[arg(value_name = "attestation-report", required = true)]
ar_path: PathBuf,
},

Expand Down Expand Up @@ -266,7 +266,10 @@ fn main() -> Result<()> {
SevctlCmd::Session { name, pdh, policy } => session::cmd(name, pdh, policy),
SevctlCmd::Show { cmd } => show::cmd(cmd),
SevctlCmd::Verify { sev, oca, ca } => verify::cmd(sevctl.quiet, sev, oca, ca),
SevctlCmd::Validate { pek_path, ar_path } => validate::cmd(pek_path, ar_path),
SevctlCmd::Validate {
chain_path,
ar_path,
} => validate::cmd(chain_path, ar_path),
SevctlCmd::Vmsa(option) => match option {
VmsaCmd::Build(args) => vmsa::build::cmd(args),
VmsaCmd::Show(args) => vmsa::show::cmd(args),
Expand Down
26 changes: 8 additions & 18 deletions src/validate.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,15 @@
// SPDX-License-Identifier: Apache-2.0

use sev::certs::sev::{sev::Certificate, Verifiable};
use sev::certs::sev::{sev::Chain, Verifiable};
use sev::firmware::host::LegacyAttestationReport;

use anyhow::{Context, Result};
use std::{fs, path::PathBuf};

static PEK_NAME: &str = "pek.cert";
static AR_NAME: &str = "attestation_report.bin";
use codicon::*;

/// Validates the provided Platform Endorsement Key signed the specified Attestation Report.
/// This assumes the PEK name to be `pek.cert` and the report name to be `attestation_report.bin`.
pub fn cmd(mut pek: PathBuf, mut report: PathBuf) -> Result<(), anyhow::Error> {
if pek.exists() && pek.is_dir() {
pek = pek.join(PEK_NAME);
}

if report.exists() && report.is_dir() {
report = report.join(AR_NAME);
}

pub fn cmd(chain_path: PathBuf, report: PathBuf) -> Result<(), anyhow::Error> {
// Verify the binary being provided is of the correct size.
if fs::metadata(report.clone())?.len() as usize
!= std::mem::size_of::<LegacyAttestationReport>()
Expand All @@ -31,11 +22,10 @@ pub fn cmd(mut pek: PathBuf, mut report: PathBuf) -> Result<(), anyhow::Error> {

buf.clear();

buf = fs::read(pek)?;
let pek_cert: Certificate = bincode::deserialize(&buf)?;

drop(buf);
let mut chainf =
fs::File::open(chain_path).context("unable to open SEV certificate chain file")?;
let chain = Chain::decode(&mut chainf, ()).context("unable to decode chain")?;

// Verify using the implementation
Ok((&pek_cert, &legacy_report).verify()?)
Ok((&chain.pek, &legacy_report).verify()?)
}
Loading