Comparing changes

This commit fixes legacy attestation report verification by addressing a few problems: 1. Fix typo of `launch_digest` definition for the `LegacyAttestationReport` structure: should be `DIGEST_SIZE` not `POLICY_SIZE`. 2. Signature verification should be performed on the SHA256 digest, not on the raw data. Additionally, the return value of `sig.verify()` should be properly converted to the `Result` type. 3. The `EcdsaSignature` structure has a size of 512 bytes, but the `LegacyAttestationReport` defines the signature as 144 bytes. Change the type of the signature to an `Array<u8, 144>` with an appropriate conversion trait. Signed-off-by: Roman Penyaev <r.peniaev@gmail.com>

- Upgrading to vendored openssl. - Updating dependency libraries. - Patched code for new version of library. Signed-off-by: Larry Dewey <larry.dewey@amd.com>

Switching to vendored openssl

Although exceptionally rare, adding support for Turin V2 Reports. Also checking to make sure mask_chip_id is handled appropriately, as well. Should be a patch release. - Added PR improvement requests. - Added comments to explain why we are skipping 8 bytes for Turin-like systems. Signed-off-by: Larry Dewey <larry.dewey@amd.com>

Previously we assumed that `MASK_CHIP_KEY` also contained information identifying if `MASK_CHIP_ID` was enabled. This was unfortunately incorrect, so the only method remaining to see if `MASK_CHIP_ID` is enabled is to see if the full value of the `CHIP_ID` is zeroed. Signed-off-by: Larry Dewey <larry.dewey@amd.com>

AttestationReport: Fixing turin-like check fn

With the previous implementation, it was not a very clean implementation. It worked, but it was full of required type declarations for the `parse_bytes` method. This implements `skip_bytes` separately, and helps segment the issues so you don't need to provide it every single time. Signed-off-by: Larry Dewey <larry.dewey@amd.com>

parser: More friendly ReadExt and WriteExt

Adding logic to parse bytes from kernel for different tcb versions and updating the SnpPlatformStatus to include missing data fields Signed-off-by: ajcaldelas <alan.caldelas@amd.com>

It turns out that OpenSSL generates several types of PEM formats for private keys. The 'BEGIN PRIVATE KEY' is the PKCS8 format, but previously there was the EC 'legacy', which can still be used and generated successfully by OpenSSL. Among these, there are also encrypted PEM keys, which start with the 'BEGIN ENCRYPTED PRIVATE KEY' line and can also be used. This patch extends support for PEM formats by adding two more: EC legacy ("BEGIN EC PRIVATE KEY") and PKCS8 encrypted ("BEGIN ENCRYPTED PRIVATE KEY"). Why bother? The following commands are all valid and generate three PEM keys: ```bash openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out id-block-key.pem ``` ```bash openssl ecparam -name secp384r1 -genkey -noout -out id-block-key.pem ``` ```bash openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -aes256 -out id-block-key.pem ``` but only the first one is supported by the `sev` library. This commit fixes the issue without any cost. Signed-off-by: Roman Penyaev <r.peniaev@gmail.com>

Updating library version to 6.1.0 Signed-off-by: DGonzalezVillal <Diego.GonzalezVillalobos@amd.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Comparing changes

Open a pull request

Commits on Apr 3, 2025

Commits on Apr 8, 2025

Commits on Apr 10, 2025

Commits on Apr 23, 2025

Commits on Apr 24, 2025

Commits on Apr 30, 2025

Commits on May 5, 2025

Commits on May 6, 2025

This comparison is taking too long to generate.

Uh oh!