Merge pull request #20 from jrjatin/validate-changes

Add validate CLI changes and testcases

go.mod

@@ -3,12 +3,15 @@ module github.com/google/go-tdx-guest
 go 1.19
 
 require (
-	github.com/google/go-cmp v0.5.5
+	github.com/google/go-cmp v0.5.7
 	github.com/google/logger v1.1.1
 	go.uber.org/multierr v1.11.0
-	golang.org/x/crypto v0.11.0
-	golang.org/x/sys v0.10.0
+	golang.org/x/crypto v0.13.0
+	golang.org/x/sys v0.12.0
 	google.golang.org/protobuf v1.31.0
 )
 
-require golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect
+require (
+	github.com/google/go-sev-guest v0.8.0 // indirect
+	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect
+)

go.sum

@@ -2,6 +2,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-sev-guest v0.8.0 h1:IIZIqdcMJXgTm1nMvId442OUpYebbWDWa9bi9/lUUwc=
+github.com/google/go-sev-guest v0.8.0/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs=
 github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
 github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -10,9 +14,13 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
 golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=

proto/check.proto

@@ -33,8 +33,8 @@ message Policy {
 }
 
 message HeaderPolicy {
-  uint32 minmum_qe_svn = 1; //should not exceed uint16 max
-  uint32 minimum_pce_svn = 2; //should not exceed uint16 max
+  uint32 minimum_qe_svn = 1;   // should not exceed uint16 max
+  uint32 minimum_pce_svn = 2;  // should not exceed uint16 max
 
   // Unique vendor id of QE vendor
   bytes qe_vendor_id = 3;  // should be 16 bytes
@@ -53,7 +53,33 @@ message TDQuoteBodyPolicy {
   bytes report_data = 10;         // should be 64 bytes
 }
 
+// RootOfTrust represents configuration for which hardware root of trust
+// certificates to use for verifying attestation quote.
+message RootOfTrust {
+  // Paths to CA bundles for the Intel TDX.
+  // Must be in PEM format.
+  // If empty, uses the verification library's embedded certificates from Intel.
+  repeated string cabundle_paths = 1;
+
+  // PEM format CA bundles for Intel TDX. Combined with contents of
+  // cabundle_paths.
+  repeated string cabundles = 2;
+
+  // If true, download and check the CRL for revoked certificates.
+  bool check_crl = 3;
+
+  // If true, then check is not permitted to download necessary files for
+  // verification.
+  bool get_collateral = 4;
+}
+
+// Config is the overall message input for the check tool. This provides all
+// the flags that configure the tool, including the validation policy.
 message Config {
-  // The quote validation policy.
+  // The report validation policy.
   Policy policy = 1;
+
+  // Configures which hardware keys to trust. Default uses library-embedded
+  // certificate.
+  RootOfTrust root_of_trust = 2;
 }