Skip to content

feat(verifier/snp): support report v3-5, Genoa/Turin and on-demand VCEK from KDS#186

Merged
jialez0 merged 1 commit into
openanolis:mainfrom
jialez0:feat/snp-turin-genoa-kds-verifier
Jun 30, 2026
Merged

feat(verifier/snp): support report v3-5, Genoa/Turin and on-demand VCEK from KDS#186
jialez0 merged 1 commit into
openanolis:mainfrom
jialez0:feat/snp-turin-genoa-kds-verifier

Conversation

@jialez0

@jialez0 jialez0 commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Problem

The bare-metal SEV-SNP verifier (deps/verifier/src/snp) currently:

  • accepts only report version 2 (report.version != 2 → error), but modern AMD CPUs emit v5 reports;
  • bundles only the Milan ASK/ARK/ASVK chain, so Genoa/Turin reports cannot be verified;
  • requires the evidence to embed the cert chain (bail!("Cert chain is unset")) and has no KDS fallback, so it fails on hosts that do not provision the VCEK cert table in the extended report.

On a real AMD EPYC 9T25 (Turin) SEV-SNP guest, every genuine attestation is rejected at Cert chain is unset (and would also fail the version / Milan-only checks).

Change

Keeps the sev crate at 4.0.0 (so MSRV 1.76 is preserved — no dependency bump), and:

  • accepts report versions 2..=5;
  • derives the processor generation (Milan/Genoa/Turin) from the report CPUID family/model bytes;
  • bundles Genoa and Turin ASK/ARK/ASVK chains and selects the right one per generation;
  • fetches the VCEK from the AMD KDS on demand when the evidence has no cert chain (reuses the crate's existing reqwest dependency);
  • reads reported_tcb from the raw report bytes with a generation-aware layout, fixing Turin's FMC-shifted TCB that the sev 4.x struct misreads, and checks the Turin FMC SPL and 8-byte HWID.

Because sev 4.0.0 round-trips a v5 report byte-for-byte, the existing bincode-based signature reconstruction stays valid; only the offset-based fields (CPUID, Turin TCB) are read from the raw bytes.

Validation

Verified end-to-end on a real AMD EPYC 9T25 (Turin) SEV-SNP guest:

  • the guest-components SNP attester produces a v5 report with an empty cert chain;
  • this verifier now accepts it: VCEK fetched from KDS, ECDSA P-384 signature validated, measurement + reported_tcb (bl=3, tee=2, snp=5, microcode=97, fmc=1) claims emitted.

Adds offline Turin report + VCEK test vectors and 3 unit tests; all 17 snp tests pass, clippy clean, MSRV 1.76 build clean.

Note: the az-snp-vtpm verifier path already references ProcessorGeneration/CERT_CHAINS and is out of scope here; this PR adds ProcessorGeneration which it needs.

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start

@jialez0 jialez0 force-pushed the feat/snp-turin-genoa-kds-verifier branch from 9374694 to 3d45d33 Compare June 29, 2026 09:29
@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start

…EK from KDS

The bare-metal SNP verifier only accepted report version 2, only bundled the
Milan ASK/ARK/ASVK chain, and required the evidence to already contain the
cert chain. On modern hosts (Genoa/Turin, report v5) that do not provision
the VCEK cert table in the extended report, this rejects every real
attestation with "Cert chain is unset" / "Unexpected report version".

This change keeps the `sev` crate at 4.0.0 (so MSRV 1.76 is preserved) and:
- accepts report versions 2..=5
- derives the processor generation (Milan/Genoa/Turin) from the report CPUID
  family/model bytes
- bundles the Genoa and Turin ASK/ARK/ASVK chains and selects per generation
- fetches the VCEK from the AMD KDS on demand when the evidence has no cert
  chain (reusing the crate's existing reqwest dependency)
- reads reported_tcb from the raw report bytes with a generation-aware layout,
  fixing Turin's FMC-shifted TCB that the sev 4.x struct misreads, and checks
  the Turin FMC SPL and 8-byte HWID

Verified end-to-end on a real AMD EPYC 9T25 (Turin) SEV-SNP guest: the
guest-components SNP attester produces a v5 report that this verifier now
accepts (VCEK fetched from KDS, ECDSA P-384 signature validated, measurement
and TCB claims emitted). Adds offline Turin report + VCEK test vectors.

Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
@jialez0 jialez0 force-pushed the feat/snp-turin-genoa-kds-verifier branch from 3d45d33 to e1f090f Compare June 30, 2026 03:11
@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start

@jialez0 jialez0 merged commit 98b2c6a into openanolis:main Jun 30, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants