fix: Use reported TCB when fetching VCEK #73

Merged
merged 1 commit into from
Aug 31, 2023


msanft
Contributor

@msanft msanft commented Aug 31, 2023

Proposed Change

Use the ReportedTCB when querying the AMD KDS for the VCEK certificate, as per the specification:

"The firmware maintains a TCB_VERSION called the ReportedTcb. ReportedTcb is used to derive the VCEK that signs the attestation report."

Additional Info

I've added no tests regarding this, since I don't know what a test could look like without adding additional testdata. If you are fine with adding additional testdata, I can add a test for the case of a report with mismatching CurrentTCB and ReportedTCB, which should trigger the bug from the issue mentioned below.

This fixes #72
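
Added example (not the project's code and not part of this PR): deriving the KDS query parameters from a report's REPORTED_TCB, with CURRENT_TCB shown for comparison in the mismatch case described above. The field offsets, the TCB_VERSION byte layout (Milan/Genoa) and the KDS URL form are assumed from AMD's public SEV-SNP ABI and KDS specifications; the product name, chip ID and TCB values are constructed.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ATTESTATION_REPORT field offsets (assumed from the SEV-SNP ABI spec, not from this page).
const (
	offCurrentTCB, offReportedTCB = 0x38, 0x180 // CURRENT_TCB, REPORTED_TCB
	offChipID, chipIDLen          = 0x1A0, 64   // CHIP_ID
	reportLen                     = 0x4A0       // report including signature
)

// splitTCB extracts the four SPL bytes of a TCB_VERSION (bytes 2..5 are reserved).
func splitTCB(v uint64) (bl, tee, snp, ucode uint8) {
	return uint8(v), uint8(v >> 8), uint8(v >> 48), uint8(v >> 56)
}

// vcekURL builds the KDS VCEK request for a raw report; product is e.g. "Milan".
func vcekURL(product string, report []byte, useReported bool) (string, error) {
	if len(report) < reportLen {
		return "", fmt.Errorf("report is %d bytes, want at least %d", len(report), reportLen)
	}
	off := offCurrentTCB // the mismatching value when firmware has been updated
	if useReported {
		off = offReportedTCB // the TCB the VCEK is derived from
	}
	bl, tee, snp, ucode := splitTCB(binary.LittleEndian.Uint64(report[off:]))
	hwid := hex.EncodeToString(report[offChipID : offChipID+chipIDLen])
	return fmt.Sprintf("https://kdsintf.amd.com/vcek/v1/%s/%s?blSPL=%d&teeSPL=%d&snpSPL=%d&ucodeSPL=%d",
		product, hwid, bl, tee, snp, ucode), nil
}

// sampleReport is a constructed report: only the two TCB fields and CHIP_ID are set.
func sampleReport(current, reported uint64) []byte {
	r := make([]byte, reportLen)
	binary.LittleEndian.PutUint64(r[offCurrentTCB:], current)
	binary.LittleEndian.PutUint64(r[offReportedTCB:], reported)
	for i := 0; i < chipIDLen; i++ {
		r[offChipID+i] = byte(i)
	}
	return r
}

func main() {
	fmt.Println(vcekURL("Milan", sampleReport(0xD315000000000004, 0x7308000000000003), true))
}
```

With these constructed values the two TCB fields give different `snpSPL` and `ucodeSPL` parameters, so a request built from CURRENT_TCB asks KDS for a different certificate than the one whose key signed the report.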

@deeglaze
Collaborator

Thanks for the report and fix!

@deeglaze deeglaze merged commit c83c3d9 into google:main Aug 31, 2023
8 checks passed
@deeglaze
Collaborator

deeglaze commented Sep 2, 2023 via email

Successfully merging this pull request may close these issues.

AMD KDS is queried with wrong TCB version