package check

Get desktop application:
View/edit binary Protocol Buffers messages

Config is the overall message input for the check tool. This provides all the flags that configure the tool, including the validation policy.

optional RootOfTrust root_of_trust = 1
Configures which hardware keys to trust. Default uses library-embedded certificates.
optional Policy policy = 2
The report validation policy.

Policy is a representation of an attestation report validation policy. Each field corresponds to a field on validate.Options. This format is useful for providing programmatic inputs to the `check` CLI tool.

Used in: Config

uint32 minimum_guest_svn = 1
uint64 policy = 2
The component-wise maximum permissible guest policy, except API version values, and SingleSocket are the minimum permissible.
bytes family_id = 3
Should be 16 bytes long
bytes image_id = 4
Should be 16 bytes long
optional google.protobuf.UInt32Value vmpl = 5
uint64 minimum_tcb = 6
uint64 minimum_launch_tcb = 7
optional google.protobuf.UInt64Value platform_info = 8
bool require_author_key = 9
bytes report_data = 10
Should be 64 bytes long
bytes measurement = 11
Should be 48 bytes long
bytes host_data = 12
Should be 32 bytes long
bytes report_id = 13
Should be 32 bytes long
bytes report_id_ma = 14
Should be 32 bytes long
bytes chip_id = 15
Should be 64 bytes long
uint32 minimum_build = 16
string minimum_version = 17
Should be "maj.min", both should be 0-255.
bool permit_provisional_firmware = 18
bool require_id_block = 19
repeated bytes trusted_author_keys = 20
repeated bytes trusted_author_key_hashes = 21
repeated bytes trusted_id_keys = 22
repeated bytes trusted_id_key_hashes = 23
optional sevsnp.SevProduct product = 24
The expected product that generated the attestation report. Stepping optional.

RootOfTrust represents configuration for which hardware root of trust certificates to use for verifying attestation report signatures.

Used in: Config

string product = 1
The expected AMD product the attestation was collected from. Default "Milan".
repeated string cabundle_paths = 2
Paths to CA bundles for the AMD product. Must be in PEM format, AS[V]K, then ARK certificates. This is for verifing a report's signature, as opposed to validating trust in the report's ID key or author key. If empty, uses the verification library's embedded certificates from AMD.
repeated string cabundles = 3
PEM format CA bundles for the AMD product. Combined with contents of cabundle_paths.
bool check_crl = 4
If true, download and check the CRL for revoked certificates.
bool disallow_network = 5
If true, then check is not permitted to download necessary files for verification.
string product_line = 6
The expected AMD product line the attestation was collected from. Default "Milan".

package check

message Config

optional RootOfTrust root_of_trust = 1

optional Policy policy = 2

message Policy

uint32 minimum_guest_svn = 1

uint64 policy = 2

bytes family_id = 3

bytes image_id = 4

optional google.protobuf.UInt32Value vmpl = 5

uint64 minimum_tcb = 6

uint64 minimum_launch_tcb = 7

optional google.protobuf.UInt64Value platform_info = 8

bool require_author_key = 9

bytes report_data = 10

bytes measurement = 11

bytes host_data = 12

bytes report_id = 13

bytes report_id_ma = 14

bytes chip_id = 15

uint32 minimum_build = 16

string minimum_version = 17

bool permit_provisional_firmware = 18

bool require_id_block = 19

repeated bytes trusted_author_keys = 20

repeated bytes trusted_author_key_hashes = 21

repeated bytes trusted_id_keys = 22

repeated bytes trusted_id_key_hashes = 23

optional sevsnp.SevProduct product = 24

message RootOfTrust

string product = 1

repeated string cabundle_paths = 2

repeated string cabundles = 3

bool check_crl = 4

bool disallow_network = 5

string product_line = 6