This library enables guest attestation flows for SEV-SNP CVMs on Azure. Please refer to the documentation in this repository for details on the attestation procedure.
SNP Report Validation

The following code retrieves an SNP report from the vTPM device, parses it, and validates it against the AMD certificate chain. Finally, it verifies that the SHA-256 hash of the raw HCL report's Variable Data equals the first 32 bytes of the report_data field in the embedded Attestation Report structure.
```rust
use az_snp_vtpm::{amd_kds, hcl, vtpm};
use az_snp_vtpm::report::{AttestationReport, Validateable};
use std::error::Error;

fn main() -> Result<(), Box<dyn Error>> {
    // Read the raw HCL report from the vTPM and parse it.
    let bytes = vtpm::get_report()?;
    let hcl_report = hcl::HclReport::new(bytes)?;
    let var_data_hash = hcl_report.var_data_sha256();

    // Extract the embedded SNP attestation report.
    let snp_report: AttestationReport = hcl_report.try_into()?;

    // Fetch the VCEK for this report and the AMD certificate chain, then
    // validate chain -> VCEK -> report signature.
    let vcek = amd_kds::get_vcek(&snp_report)?;
    let cert_chain = amd_kds::get_cert_chain()?;
    cert_chain.validate()?;
    vcek.validate(&cert_chain)?;
    snp_report.validate(&vcek)?;

    // Bind the Variable Data to the signed report: its SHA-256 must match the
    // first 32 bytes of report_data.
    if var_data_hash != snp_report.report_data[..32] {
        return Err("var_data_hash mismatch".into());
    }
    Ok(())
}
```
Functions

- is_snp_cvm - Determines if the current VM is an SEV-SNP CVM. Returns Ok(true) if the VM is an SEV-SNP CVM, Ok(false) if it is not, and Err if an error occurs.