
[release/6.x] Backport: Turin support (#7295, #7264, #7449, #7748, #7749)#7752

Merged
achamayou merged 10 commits into microsoft:release/6.x from cjen1-msft:backport-7748-2
Mar 19, 2026

Conversation


@cjen1-msft cjen1-msft commented Mar 19, 2026

Backport (#7295, #7264, #7449, #7748, #7749)

It turns out that I had missed backporting several of the Turin support PRs.

So now to backport them simultaneously.

cjen1-msft and others added 6 commits March 19, 2026 10:49
Co-authored-by: Eddy Ashton <ashton.eddy@gmail.com>
Co-authored-by: Amaury Chamayou <amaury@xargs.fr>
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
Co-authored-by: Amaury Chamayou <amaury@xargs.fr>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@cjen1-msft cjen1-msft requested a review from a team as a code owner March 19, 2026 11:36
@cjen1-msft cjen1-msft requested review from Copilot March 19, 2026 13:30

Copilot AI left a comment


Pull request overview

Backports a set of upstream changes to add/complete AMD SEV-SNP “Turin” support in the 6.x release branch, spanning CPUID mapping, endorsements fetching/validation, tests, and documentation.

Changes:

  • Add Turin CPUID/product mapping + regression tests and update minimum TCB guidance/docs.
  • Update SNP endorsements URL generation to include Turin-specific fields (e.g. fmcSPL) and handle Turin chip-id shortening for VCEK fetch.
  • Refactor SNP attestation verification to validate the endorsement certificate chain earlier; add a standalone verify_attestation fetch+verify utility.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| src/pal/test/verify_attestation.cpp | New CLI utility to fetch AMD endorsements and verify an SNP quote. |
| src/pal/test/snp_attestation_validation_data.h | Adds Turin attestation + endorsement cert chain test vectors. |
| src/pal/test/snp_attestation_validation.cpp | Adds Turin validation + CPUID roundtrip tests; simplifies exception assertion. |
| src/pal/attestation.cpp | Refactors SNP attestation verification ordering (cert chain first), updates chip-id comparison for Turin. |
| src/node/quote_endorsements_client.h | Adjusts client construction (drops RPCSessions parameter) and related includes. |
| src/node/node_state.h | Updates endorsements client instantiation to match new constructor signature. |
| src/http/error_reporter.h | Adds missing include for referenced CCF types; formatting fix. |
| scripts/fetch_amd_collateral.py | Adds Turin handling for AMD KDS URLs (short hwid + fmcSPL) and CLI choices. |
| include/ccf/pal/sev_snp_cpuid.h | Fixes Turin model/CPUID mapping + documents sources. |
| include/ccf/pal/attestation_sev_snp_endorsements.h | Adds optional fmcSPL parameter for AMD endorsements endpoints. |
| include/ccf/pal/attestation_sev_snp.h | Enables Turin root key; adds get_chip_id_for_vcek() and passes Turin fmc into AMD URL generation. |
| doc/operations/platforms/snp.rst | Updates example minimum TCB version and adds a CPUID/TCB table including Turin. |
| CMakeLists.txt | Builds + installs new verify_attestation binary. |
| CHANGELOG.md | Notes Turin attestation support backport. |
Comments suppressed due to low confidence (2)

scripts/fetch_amd_collateral.py:29

  • make_host_amd_blob now emits "cacheControl": 0 (number), but the corresponding C++ ACIReportEndorsements.cache_control field is declared as a string and JSON parsing expects a string. This change will make the script output incompatible unless the C++ JSON type is updated (or this is reverted to a string).
```python
import json


def make_host_amd_blob(tcbm, leaf, chain):
    # Serialises the host-provided AMD endorsement blob; note that
    # cacheControl is emitted as a JSON number here (the point of the comment above).
    return json.dumps(
        {
            "cacheControl": 0,
            "tcbm": tcbm.upper(),
            "vcekCert": leaf,
            "certificateChain": chain,
        }
    )
```

include/ccf/pal/attestation_sev_snp.h:553

  • Same as above: this default branch formats product directly in the exception message, likely resulting in an integer value. Use to_string(product) for readability/consistency (or remove the default if it is unreachable).
```cpp
default:
{
  throw std::logic_error(
    fmt::format("Unsupported SEV-SNP product: {}", product));
}
```

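As an added illustration of the Turin handling summarised in the review overview (shortened hwid plus the fmcSPL field) and of the cacheControl type issue flagged above, here is a stand-alone Python sketch that is not CCF's code: the KDS base URL, the 8-byte Turin chip-id length and the query-parameter names are assumptions, and the host blob helper is a constructed counterpart that keeps cacheControl a string so a string-typed consumer can parse it.

```python
import json
from urllib.parse import urlencode

# Assumed AMD KDS VCEK endpoint layout; not taken from the CCF sources.
KDS_VCEK_BASE = "https://kdsintf.amd.com/vcek/v1"
# Assumption: the Turin hwid is the leading 8 bytes of the 64-byte CHIP_ID.
TURIN_CHIP_ID_BYTES = 8


def chip_id_for_vcek(product: str, chip_id: bytes) -> str:
    """Hex hwid for the KDS path: all 64 bytes for Milan/Genoa, shortened for Turin."""
    if len(chip_id) != 64:
        raise ValueError("CHIP_ID must be the 64-byte report field")
    if product == "Turin":
        chip_id = chip_id[:TURIN_CHIP_ID_BYTES]
    return chip_id.hex()


def vcek_url(product, chip_id, bl, tee, snp, ucode, fmc=None):
    """Build the KDS VCEK URL; Turin adds the fmcSPL field, other products reject it."""
    if product not in ("Milan", "Genoa", "Turin"):
        raise ValueError(f"Unsupported SEV-SNP product: {product}")
    params = {"blSPL": bl, "teeSPL": tee, "snpSPL": snp, "ucodeSPL": ucode}
    if product == "Turin":
        if fmc is None:
            raise ValueError("Turin endorsements need an fmcSPL value")
        params["fmcSPL"] = fmc
    elif fmc is not None:
        raise ValueError(f"{product} TCB has no FMC component")
    hwid = chip_id_for_vcek(product, chip_id)
    return f"{KDS_VCEK_BASE}/{product}/{hwid}?{urlencode(params)}"


def host_amd_blob(tcbm, leaf, chain, cache_control="0"):
    """Constructed host blob; every field is a JSON string, matching a string-typed consumer."""
    return json.dumps({"cacheControl": str(cache_control), "tcbm": tcbm.upper(),
                       "vcekCert": leaf, "certificateChain": chain})


def check_host_amd_blob(blob: str) -> bool:
    """Type check that a consumer expecting all four fields as strings would apply."""
    doc = json.loads(blob)
    keys = ("cacheControl", "tcbm", "vcekCert", "certificateChain")
    return all(isinstance(doc.get(k), str) for k in keys)
```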


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@achamayou achamayou enabled auto-merge (squash) March 19, 2026 14:46
@achamayou achamayou merged commit 872919b into microsoft:release/6.x Mar 19, 2026
19 of 21 checks passed