Merge pull request #34 from deeglaze/fwcert

Add firmware cert to certificate chain
google · Jan 19, 2023 · 0d57edf · 0d57edf
2 parents a487d28 + 8c9936c
commit 0d57edf
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 27 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -44,10 +44,10 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           version: "3.12.4"
       - name: Install protoc-gen-go
-        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28.1
       - name: Check Protobuf Generation
         run: |
-          go generate ./... 
+          go generate ./...
           git diff -G'^[^/]' --exit-code
       - name: Generate all protobufs
         run: go generate ./...

diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 !*.*
 !*/
 *~
+external/*
diff --git a/abi/abi.go b/abi/abi.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"math/big"
 
+	"github.com/google/go-sev-guest/gce"
 	pb "github.com/google/go-sev-guest/proto/sevsnp"
 	"github.com/google/logger"
 	"github.com/pborman/uuid"
@@ -690,9 +691,11 @@ func (c *CertTable) Proto() *pb.CertificateChain {
 	if err != nil {
 		logger.Warningf("ARK certificate not found in data pages: %v", err)
 	}
+	firmware, _ := c.GetByGUIDString(gce.FirmwareCertGUID)
 	return &pb.CertificateChain{
-		VcekCert: vcek,
-		AskCert:  ask,
-		ArkCert:  ark,
+		VcekCert:     vcek,
+		AskCert:      ask,
+		ArkCert:      ark,
+		FirmwareCert: firmware,
 	}
 }
diff --git a/gce/gce.go b/gce/gce.go
@@ -0,0 +1,19 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package gce defines logic specific to verification of GCE-specific attestations.
+package gce
+
+// FirmwareCertGUID is the extended report GUID table GUID for a firmware certificate on GCE.
+const FirmwareCertGUID = "9f4116cd-c503-4f5a-8f6f-fb68882f4ce2"
diff --git a/proto/check/check.pb.go b/proto/check/check.pb.go
diff --git a/proto/fakekds/fakekds.pb.go b/proto/fakekds/fakekds.pb.go
diff --git a/proto/sevsnp.proto b/proto/sevsnp.proto
@@ -65,6 +65,10 @@ message CertificateChain {
 
   // The AMD Root key certificate (signs the ASK cert).
   bytes ark_cert = 3;
+
+  // A certificate the host may inject to endorse the measurement of the
+  // firmware.
+  bytes firmware_cert = 4;
 }
 
 message Attestation {

diff --git a/proto/sevsnp/sevsnp.pb.go b/proto/sevsnp/sevsnp.pb.go