Add checking of TCB version when checking a SNP attestation #6812

Open
cjen1-msft opened this issue Feb 6, 2025 · 2 comments

@cjen1-msft
Contributor

SNP attestation reports are checked by verify_snp_attestation_report, but it only validates that the TCB in the attestation report matches that in the endorsed_tcb field in the quote.

The 'correct' fix will probably be to add a new set of 'good' TCBs.
This can then get populated with the current TCB on network creation and then updated via a governance action.

@cjen1-msft cjen1-msft self-assigned this Feb 6, 2025
@cjen1-msft cjen1-msft added this to the 6.0.0-rc0 milestone Feb 6, 2025
@cjen1-msft
Contributor Author

cjen1-msft commented Feb 6, 2025

This should also mix the TCB version into any derived keys (#6791).

@cjen1-msft cjen1-msft mentioned this issue Feb 6, 2025
4 tasks
@cjen1-msft
Contributor Author

From: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
We should require at least TCB[SNP] version 0x18 on Milan and 0x17 on Genoa.
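
The check this thread asks for, as an added example that is not CCF's code: a report whose TCB matches its endorsement still has to clear a per-product floor on the SNP firmware component. `TcbVersion`, `decode_tcb`, `check_tcb`, `min_snp_version` and the sample values are hypothetical or constructed; the byte layout is the Milan/Genoa TCB_VERSION layout from AMD's SEV-SNP ABI, the two minimums are the ones quoted above, and rejecting unlisted products is an assumption of this sketch.

```cpp
#include <cstdint>
#include <map>
#include <string>

// 64-bit TCB_VERSION on Milan and Genoa (AMD SEV-SNP ABI): byte 0 boot
// loader, byte 1 TEE, bytes 2-5 reserved, byte 6 SNP firmware, byte 7 microcode.
struct TcbVersion
{
  uint8_t boot_loader, tee, snp, microcode;
};

TcbVersion decode_tcb(uint64_t raw)
{
  return {
    static_cast<uint8_t>(raw & 0xff),
    static_cast<uint8_t>((raw >> 8) & 0xff),
    static_cast<uint8_t>((raw >> 48) & 0xff),
    static_cast<uint8_t>((raw >> 56) & 0xff)};
}

// Hypothetical policy table holding the two minimums quoted in the thread.
// In the design proposed above it would be governed network state.
const std::map<std::string, uint8_t> min_snp_version = {
  {"Milan", 0x18}, {"Genoa", 0x17}};

// Constructed sample TCBs: same microcode and boot loader, SNP 0x17 vs 0x18.
constexpr uint64_t sample_snp_17 = 0xdb17000000000004;
constexpr uint64_t sample_snp_18 = 0xdb18000000000004;

enum class TcbCheck { Ok, EndorsementMismatch, UnknownProduct, BelowMinimum };

// reported: TCB from the attestation report; endorsed: TCB from the
// endorsements. The first test is the check the issue says already exists;
// the last one is the missing floor on the SNP firmware component.
TcbCheck check_tcb(
  const std::string& product, uint64_t reported, uint64_t endorsed)
{
  if (reported != endorsed)
    return TcbCheck::EndorsementMismatch;
  auto it = min_snp_version.find(product);
  if (it == min_snp_version.end())
    return TcbCheck::UnknownProduct; // assumption: fail closed if unlisted
  // Compare the decoded field, not the raw integer: microcode sits in the
  // top byte, so a raw comparison lets new microcode mask old SNP firmware.
  if (decode_tcb(reported).snp < it->second)
    return TcbCheck::BelowMinimum;
  return TcbCheck::Ok;
}
```

With the constructed samples, `sample_snp_17` passes the endorsement match on both products but is rejected on Milan and accepted on Genoa.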
