Add support for validating Genoa attestations (#7051)

Co-authored-by: Amaury Chamayou <amaury@xargs.fr>
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>

Author: cjen1-msft

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
 
 - Nodes will now avoid re-parsing `.committed` files in the main directory if they have established a later commit point in the `read_only` directories. This should significantly reduce start-up time for nodes with large existing ledgers.
+- Added support for validating Genoa attestations (#7051).
 
 ### Changed
 

CMakeLists.txt

@@ -712,6 +712,11 @@ if(BUILD_TESTS)
       )
     endif()
 
+    add_unit_test(
+      snp_attestation_test
+      ${CMAKE_CURRENT_SOURCE_DIR}/src/pal/test/snp_attestation_validation.cpp
+    )
+
     add_unit_test(map_test ${CMAKE_CURRENT_SOURCE_DIR}/src/ds/test/map_test.cpp)
 
     add_unit_test(

include/ccf/pal/attestation.h

@@ -8,6 +8,7 @@
 #include "ccf/ds/hex.h"
 #include "ccf/ds/logger.h"
 #include "ccf/ds/quote_info.h"
+#include "ccf/pal/attestation_sev_snp.h"
 #include "ccf/pal/measurement.h"
 #include "ccf/pal/snp_ioctl.h"
 
@@ -108,20 +109,45 @@ namespace ccf::pal
       throw std::logic_error(fmt::format(
         "Expected 3 endorsement certificates but got {}", certificates.size()));
     }
+
+    // chip_cert (VCEK) <-signs- sev_version (ASK)
+    // ASK <-signs- root_certificate (ARK)
     auto chip_certificate = certificates[0];
     auto sev_version_certificate = certificates[1];
     auto root_certificate = certificates[2];
 
     auto root_cert_verifier = ccf::crypto::make_verifier(root_certificate);
 
-    if (
-      root_cert_verifier->public_key_pem().str() !=
-      snp::amd_milan_root_signing_public_key)
+    std::string expected_root_public_key;
+    if (quote.version < 3)
+    {
+      // before version 3 there are no cpuid fields so we must assume that it is
+      // milan
+      expected_root_public_key = snp::amd_milan_root_signing_public_key;
+    }
+    else
+    {
+      auto key = snp::amd_root_signing_keys.find(
+        std::make_pair(quote.cpuid_fam_id, quote.cpuid_mod_id));
+      if (key == snp::amd_root_signing_keys.end())
+      {
+        throw std::logic_error(fmt::format(
+          "SEV-SNP: Unsupported CPUID family {} model {}",
+          quote.cpuid_fam_id,
+          quote.cpuid_mod_id));
+      }
+      expected_root_public_key = key->second;
+    }
+    if (root_cert_verifier->public_key_pem().str() != expected_root_public_key)
     {
       throw std::logic_error(fmt::format(
         "SEV-SNP: The root of trust public key for this attestation was not "
-        "the expected one {}",
-        root_cert_verifier->public_key_pem().str()));
+        "the expected one for v{} {} {}:  {} != {}",
+        quote.version,
+        quote.cpuid_fam_id,
+        quote.cpuid_mod_id,
+        root_cert_verifier->public_key_pem().str(),
+        expected_root_public_key));
     }
 
     if (!root_cert_verifier->verify_certificate({&root_certificate}))
@@ -140,6 +166,7 @@ namespace ccf::pal
         "attestation is broken");
     }
 
+    // According to Table 134 (2025-06-12) only ecdsa_p384_sha384 is supported
     if (quote.signature_algo != snp::SignatureAlgorithm::ecdsa_p384_sha384)
     {
       throw std::logic_error(fmt::format(

include/ccf/pal/attestation_sev_snp.h

@@ -8,6 +8,7 @@
 #include "ccf/pal/report_data.h"
 
 #include <array>
+#include <cstdint>
 #include <map>
 #include <string>
 
@@ -35,6 +36,48 @@ pCCoMNit2uLo9M18fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXo
 QPHfbkH0CyPfhl1jWhJFZasCAwEAAQ==
 -----END PUBLIC KEY-----
 )";
+  constexpr auto amd_genoa_root_signing_public_key =
+    R"(-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3Cd95S/uFOuRIskW9vz9
+VDBF69NDQF79oRhL/L2PVQGhK3YdfEBgpF/JiwWFBsT/fXDhzA01p3LkcT/7Ldjc
+RfKXjHl+0Qq/M4dZkh6QDoUeKzNBLDcBKDDGWo3v35NyrxbA1DnkYwUKU5AAk4P9
+4tKXLp80oxt84ahyHoLmc/LqsGsp+oq1Bz4PPsYLwTG4iMKVaaT90/oZ4I8oibSr
+u92vJhlqWO27d/Rxc3iUMyhNeGToOvgx/iUo4gGpG61NDpkEUvIzuKcaMx8IdTpW
+g2DF6SwF0IgVMffnvtJmA68BwJNWo1E4PLJdaPfBifcJpuBFwNVQIPQEVX3aP89H
+JSp8YbY9lySS6PlVEqTBBtaQmi4ATGmMR+n2K/e+JAhU2Gj7jIpJhOkdH9firQDn
+mlA2SFfJ/Cc0mGNzW9RmIhyOUnNFoclmkRhl3/AQU5Ys9Qsan1jT/EiyT+pCpmnA
++y9edvhDCbOG8F2oxHGRdTBkylungrkXJGYiwGrR8kaiqv7NN8QhOBMqYjcbrkEr
+0f8QMKklIS5ruOfqlLMCBw8JLB3LkjpWgtD7OpxkzSsohN47Uom86RY6lp72g8eX
+HP1qYrnvhzaG1S70vw6OkbaaC9EjiH/uHgAJQGxon7u0Q7xgoREWA/e7JcBQwLg8
+0Hq/sbRuqesxz7wBWSY254cCAwEAAQ==
+-----END PUBLIC KEY-----
+)";
+  constexpr auto amd_turin_root_signing_public_key =
+    R"(-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwaAriB7EIuVc4ZB1wD3Y
+fDxL+9eyS7+izm0Jj3W772NINCWl8Bj3w/JD2ZjmbRxWdIq/4d9iarCKorXloJUB
+1jRdgxqccTx1aOoig4+2w1XhVVJT7K457wT5ZLNJgQaxqa9Etkwjd6+9sOhlCDE9
+l43kQ0R2BikVJa/uyyVOSwEk5w5tXKOuG9jvq6QtAMJasW38wlqRDaKEGtZ9VUgG
+on27ZuL4sTJuC/azz9/iQBw8kEilzOl95AiTkeY5jSEBDWbAqnZk5qlM7kISKG20
+kgQm14mhNKDI2p2oua+zuAG7i52epoRF2GfU0TYk/yf+vCNB2tnechFQuP2e8bLk
+95ZdqPi9/UWw4JXjtdEA4u2JYplSSUPQVAXKt6LVqujtJcM59JKr2u0XQ75KwxcM
+p15gSXhBfInvPAwuAY4dEwwGqT8oIg4esPHwEsmChhYeDIxPG9R4fx9O0q6p8Gb+
+HXlTiS47P9YNeOpidOUKzDl/S1OvyhDtSL8LJc24QATFydo/iD/KUdvFTRlD0crk
+AMkZLoWQ8hLDGc6BZJXsdd7Zf2e4UW3tI/1oh/2t23Ot3zyhTcv5gDbABu0LjVe9
+8uRnS15SMwK//lJt9e5BqKvgABkSoABf+B4VFtPVEX0ygrYaFaI9i5ABrxnVBmzX
+pRb21iI1NlNCfOGUPIhVpWECAwEAAQ==
+-----END PUBLIC KEY-----
+)";
+
+  using AMDFamily = uint8_t;
+  using AMDModel = uint8_t;
+  inline const std::map<std::pair<AMDFamily, AMDModel>, const char*>
+    amd_root_signing_keys{
+      {{0x19, 0x01}, amd_milan_root_signing_public_key},
+      {{0x19, 0x11}, amd_genoa_root_signing_public_key},
+      // Disabled until we can test this
+      //{{0x1A, 0x02}, amd_turin_root_signing_public_key},
+    };
 
 #pragma pack(push, 1)
   // Table 3

src/pal/test/snp_attestation_validation.cpp

@@ -0,0 +1,93 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+
+#include "ccf/ds/hex.h"
+#include "ccf/ds/quote_info.h"
+#include "ccf/pal/attestation.h"
+#include "ccf/pal/measurement.h"
+#include "ccf/pal/report_data.h"
+#include "crypto/openssl/hash.h"
+#include "pal/test/snp_attestation_validation_data.h"
+
+#define DOCTEST_CONFIG_IMPLEMENT
+#include <doctest/doctest.h>
+
+TEST_CASE("milan validation")
+{
+  using namespace ccf;
+
+  auto milan_quote_info = QuoteInfo{
+    .format = QuoteFormat::amd_sev_snp_v1,
+    .quote = pal::snp::testing::milan_attestation,
+    .endorsements = std::vector<uint8_t>(
+      pal::snp::testing::milan_endorsements.begin(),
+      pal::snp::testing::milan_endorsements.end()),
+    .uvm_endorsements = std::nullopt,
+  };
+
+  pal::PlatformAttestationMeasurement measurement;
+  pal::PlatformAttestationReportData report_data;
+
+  pal::verify_snp_attestation_report(
+    milan_quote_info, measurement, report_data);
+}
+
+TEST_CASE("genoa validation")
+{
+  using namespace ccf;
+
+  auto genoa_quote_info = QuoteInfo{
+    .format = QuoteFormat::amd_sev_snp_v1,
+    .quote = pal::snp::testing::genoa_attestation,
+    .endorsements = std::vector<uint8_t>(
+      pal::snp::testing::genoa_endorsements.begin(),
+      pal::snp::testing::genoa_endorsements.end()),
+    .uvm_endorsements = std::nullopt,
+  };
+
+  pal::PlatformAttestationMeasurement measurement;
+  pal::PlatformAttestationReportData report_data;
+
+  pal::verify_snp_attestation_report(
+    genoa_quote_info, measurement, report_data);
+}
+
+TEST_CASE("Mismatched attestation and endorsements fail")
+{
+  using namespace ccf;
+
+  auto mismatched_quote = QuoteInfo{
+    .format = QuoteFormat::amd_sev_snp_v1,
+    .quote = pal::snp::testing::milan_attestation,
+    .endorsements = std::vector<uint8_t>(
+      pal::snp::testing::genoa_endorsements.begin(),
+      pal::snp::testing::genoa_endorsements.end()),
+    .uvm_endorsements = std::nullopt,
+  };
+
+  pal::PlatformAttestationMeasurement measurement;
+  pal::PlatformAttestationReportData report_data;
+
+  try
+  {
+    pal::verify_snp_attestation_report(
+      mismatched_quote, measurement, report_data);
+  }
+  catch (const std::logic_error& e)
+  {
+    const std::string what = e.what();
+    CHECK(
+      what.find("SEV-SNP: The root of trust public key for this attestation "
+                "was not the expected one") != std::string::npos);
+  }
+}
+
+int main(int argc, char** argv)
+{
+  ccf::crypto::openssl_sha256_init();
+  doctest::Context context;
+  context.applyCommandLine(argc, argv);
+  int res = context.run();
+  ccf::crypto::openssl_sha256_shutdown();
+  return res;
+}