This repository has been archived by the owner on Jan 26, 2024. It is now read-only.

Attestation-report #9

Open
pegahnikbakht opened this issue Apr 5, 2022 · 5 comments
Labels
documentation Improvements or additions to documentation


@pegahnikbakht

Hi,

In the setup for the ssh-key-exchange example, I do not see the steps to gain the attestation report. Which steps should be followed for the attestation in the ssh-key-exchange example?

@pegahnikbakht pegahnikbakht changed the title Attesttion-report Attestation-report Apr 5, 2022
@jlarrew
Contributor

jlarrew commented Apr 5, 2022

Hi pegahnikbakht,

The guest can retrieve the attestation report using sev-guest-get-report, like so:

$ sev-guest get-report report.bin

The SNP attestation report allows for 512 bits of guest-supplied information to be included in the report. The recommended protocol for remote attestation is for the guest to generate a fresh public/private key pair and include the hash of the public portion of the key in the (signed) attestation report. The guest then sends both the attestation report and the public key to the other party. The sev-guest utility will hash the contents of the file specified with the -f option, like so:

$ sev-guest get-report -f ssh-key.pem report.bin

The other party can trust the provided public key if all of the following tests pass:

  1. The signature on the attestation report validates correctly using the public portion of the VCEK for the platform.
  2. The fingerprint of the guest Identity Key (supplied during guest launch) in the report matches the expected value.
  3. The fingerprint of the public key received with the report matches the guest-supplied information in the report.

I'll update the documentation to clarify this. Thanks for the report!

Sincerely,
Jesse
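
Tests 2 and 3 from the list above, written out as an added example; it is not part of the original comment or of the sev-guest project. It assumes the `-f` hash is SHA-512 over the exact file bytes and takes the field offsets from the ATTESTATION_REPORT layout in AMD's SEV-SNP firmware ABI specification; the function names and sample values are constructed for illustration, and test 1 (the VCEK signature) is not covered and has to pass first.

```python
import hashlib
import hmac

# Offsets follow the ATTESTATION_REPORT layout in AMD's SEV-SNP firmware ABI.
REPORT_SIZE = 0x4A0                  # 1184 bytes, signature included
REPORT_DATA = slice(0x50, 0x90)      # 512 bits of guest-supplied data
ID_KEY_DIGEST = slice(0xE0, 0x110)   # 384-bit digest of the guest Identity Key

# Constructed sample values, standing in for ssh-key.pem and the expected fingerprint.
SAMPLE_KEY = b"-----BEGIN PUBLIC KEY-----\n(constructed sample)\n-----END PUBLIC KEY-----\n"
SAMPLE_IDK = hashlib.sha384(b"constructed identity key").digest()


def check_key_binding(report, public_key, expected_id_key_digest):
    """Return the list of failed checks (an empty list means tests 2 and 3 pass).

    Test 1, the VCEK signature over the report, must already have passed:
    until it has, every field read here is untrusted input.
    """
    if len(report) != REPORT_SIZE:
        return ["report: unexpected length %d" % len(report)]
    failures = []
    # Test 2: the Identity Key fingerprint is the value the verifier expects.
    if not hmac.compare_digest(report[ID_KEY_DIGEST], expected_id_key_digest):
        failures.append("id_key_digest: mismatch")
    # Test 3: report data is the hash of the key that arrived with the report.
    # Assumption: SHA-512 over the exact bytes of the file passed to -f.
    report_data = report[REPORT_DATA]
    if report_data == bytes(64):
        failures.append("report_data: all zero, no key was bound")
    elif not hmac.compare_digest(report_data, hashlib.sha512(public_key).digest()):
        failures.append("report_data: does not match received public key")
    return failures


def build_sample_report(public_key=None, id_key_digest=bytes(48)):
    """Constructed stand-in for report.bin: zero-filled except these two fields."""
    report = bytearray(REPORT_SIZE)
    if public_key is not None:
        report[REPORT_DATA] = hashlib.sha512(public_key).digest()
    report[ID_KEY_DIGEST] = id_key_digest
    return bytes(report)


if __name__ == "__main__":
    print(check_key_binding(build_sample_report(SAMPLE_KEY, SAMPLE_IDK), SAMPLE_KEY, SAMPLE_IDK))
    print(check_key_binding(build_sample_report(None, SAMPLE_IDK), SAMPLE_KEY, SAMPLE_IDK))
    print(check_key_binding(build_sample_report(SAMPLE_KEY, SAMPLE_IDK), SAMPLE_KEY + b"x", SAMPLE_IDK))
```

The all-zero case is reported separately so that a report requested without a key file is distinguishable from one bound to a different key.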

@pegahnikbakht
Author

@jlarrew Hi again,
Thanks for the answer. We are getting an error, execlp: No such file or directory, while running ./sev-guest get-report report.bin
Do you know why this is happening?

@jlarrew
Contributor

jlarrew commented Apr 6, 2022

Hi pegahnikbakht,

This happens because execlp() is looking for the sev-guest-get-report binary in your PATH and can't find it. If you build a Debian package (make guest-deb) and install it, then everything will work as intended. If you prefer to run the programs from the source directory, then you can simply execute sev-guest-get-report directly. (The sev-guest binary is just a wrapper that execs the appropriate subcommand.)

I hope this helps!

Sincerely,
Jesse

@pegahnikbakht
Author

Thanks, we managed to run sev-guest-get-report directly and get the report. I think I'll close this issue.
Thanks for the help again.

@pegahnikbakht
Author

pegahnikbakht commented May 3, 2022

Hi,

I have one more question regarding this issue: in the attestation report that we got from the guest, some of the fields are zero, like Family ID, Image ID, report data, host data, ID key digest, and author key digest.
One more thing is that it shows "signature algorithm: 1 (invalid)" as invalid.
Do you know why these values are zero and why the signature algorithm is invalid, and how we can get valid values for them?

Thanks in advance for the help.
Pegah

@pegahnikbakht pegahnikbakht reopened this May 4, 2022