Crate az_snp_vtpm


This library enables guest attestation flows for SEV-SNP CVMs on Azure. Please refer to the documentation in this repository for details on the attestation procedure.

§SNP Report Validation

The following code retrieves an HCL report from the vTPM device, parses it, extracts the embedded SNP attestation report, and validates that report against the AMD certificate chain (certificate chain first, then the VCEK, then the report signature). Finally it verifies that the SHA-256 hash of the raw HCL report's Variable Data equals the first 32 bytes of the report_data field of the embedded Attestation Report, which binds the Variable Data to the signed report.


use az_snp_vtpm::{amd_kds, hcl, vtpm};
use az_snp_vtpm::report::{AttestationReport, Validateable};
use std::error::Error;

fn main() -> Result<(), Box<dyn Error>> {
    // Read the raw HCL report bytes from the vTPM device.
    let bytes = vtpm::get_report()?;
    // Parse the HCL report; it wraps the SNP attestation report and the Variable Data.
    let hcl_report = hcl::HclReport::new(bytes)?;
    // SHA-256 of the Variable Data, to be matched against the report's report_data.
    let var_data_hash = hcl_report.var_data_sha256();
    // Extract the embedded SNP attestation report.
    let snp_report: AttestationReport = hcl_report.try_into()?;

    // Fetch the VCEK for this report and the AMD certificate chain from AMD's KDS.
    let vcek = amd_kds::get_vcek(&snp_report)?;
    let cert_chain = amd_kds::get_cert_chain()?;

    // Validate in order: chain, then VCEK against the chain, then the report
    // signature against the VCEK.
    cert_chain.validate()?;
    vcek.validate(&cert_chain)?;
    snp_report.validate(&vcek)?;

    // Bind the Variable Data to the signed report: its SHA-256 digest must
    // occupy the first 32 bytes of report_data.
    if var_data_hash != snp_report.report_data[..32] {
        return Err("var_data_hash mismatch".into());
    }

    Ok(())
}

Modules§

Enums§

Functions§

  • Determines if the current VM is an SEV-SNP CVM. Returns Ok(true) if the VM is an SEV-SNP CVM, Ok(false) if it is not, and Err if an error occurs.