snp: use cache for VCEKs

fitzthum · fitzthum · commit 0da0952e4dec · 2025-10-07T13:28:35.000-07:00
Let's use the cache for VCEKs. This will reduce traffic to the KDS,
eliminate timeouts when we retry the attestation several times in
succession, and allow air-gapped environments to pre-provsion VCEKs.

Use the URL for the KDS as the key, since it has all the information
needed to define a particular VCEK.

Signed-off-by: Tobin Feldman-Fitzthum &lt;tfeldmanfitz@nvidia.com&gt;
diff --git a/deps/verifier/src/lib.rs b/deps/verifier/src/lib.rs
@@ -82,7 +82,7 @@ pub fn to_verifier(tee: &Tee, _cache: Arc<dyn Cache + Send + Sync>) -> Result<Bo
         Tee::Snp => {
             cfg_if::cfg_if! {
                 if #[cfg(feature = "snp-verifier")] {
-                    let verifier = snp::Snp::default();
+                    let verifier = snp::Snp::new(_cache);
                     Ok(Box::new(verifier) as Box<dyn Verifier + Send + Sync>)
                 } else {
                     bail!("feature `snp-verifier` is not enabled for `verifier` crate.")
diff --git a/deps/verifier/src/snp/mod.rs b/deps/verifier/src/snp/mod.rs
@@ -88,8 +88,9 @@ pub(crate) static CERT_CHAINS: LazyLock<HashMap<ProcessorGeneration, VendorCerti
         map
     });
 
-#[derive(Default, Debug)]
-pub struct Snp {}
+pub struct Snp {
+    cache: Arc<dyn Cache + Send + Sync>,
+}
 
 #[derive(Clone, Debug)]
 pub(crate) enum VendorEndorsementKey {
@@ -220,7 +221,7 @@ impl Verifier for Snp {
             // No certificate chain provided, so we need to request the VCEK from KDS
             _ => {
                 // Get VCEK from KDS
-                let vcek_buf = fetch_vcek_from_kds(report, proc_gen.clone())
+                let vcek_buf = self.fetch_vcek_from_kds(report, proc_gen.clone())
                     .await
                     .context("Failed to fetch VCEK from KDS")?;
                 let vcek = Certificate::from_bytes(&vcek_buf)
@@ -287,6 +288,100 @@ impl Verifier for Snp {
     }
 }
 
+impl Snp {
+    pub fn new(cache: Arc<dyn Cache + Send + Sync>) -> Self {
+         Self {
+             cache,
+         }
+    }
+
+    /// Fetches VCEK in DER format from AMD KDS.
+    /// If the VCEK is retrieved successfully, it is added to the cache,
+    /// which is cheked prior to fetching the cert.
+    /// If the VCEK cannot be fetched from the VCEK, this method
+    /// does not retry.
+    async fn fetch_vcek_from_kds(
+        &self,
+        att_report: AttestationReport,
+        proc_gen: ProcessorGeneration,
+    ) -> Result<Vec<u8>> {
+        // Use attestation report to get data for URL
+        let hw_id: String = if att_report.chip_id.as_slice() != [0; 64] {
+            match proc_gen {
+                ProcessorGeneration::Turin => {
+                    let shorter_bytes: &[u8] = &att_report.chip_id[0..8];
+                    hex::encode(shorter_bytes)
+                }
+                _ => hex::encode(att_report.chip_id),
+            }
+        } else {
+            bail!("Hardware ID is 0s on attestation report. Confirm that MASK_CHIP_ID is set to 0 to request from VCEK from KDS.");
+        };
+
+        // Request VCEK from KDS
+        let vcek_url: String = match proc_gen {
+            ProcessorGeneration::Turin => {
+                let fmc = if let Some(fmc) = att_report.reported_tcb.fmc {
+                    fmc
+                } else {
+                    bail!("A Turin processor must have a fmc value");
+                };
+                format!(
+                    "{KDS_CERT_SITE}{KDS_VCEK}/{}/\
+                    {hw_id}?fmcSPL={:02}&blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}",
+                    proc_gen,
+                    fmc,
+                    att_report.reported_tcb.bootloader,
+                    att_report.reported_tcb.tee,
+                    att_report.reported_tcb.snp,
+                    att_report.reported_tcb.microcode
+                )
+            }
+            _ => {
+                format!(
+                    "{KDS_CERT_SITE}{KDS_VCEK}/{}/\
+                    {hw_id}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}",
+                    proc_gen,
+                    att_report.reported_tcb.bootloader,
+                    att_report.reported_tcb.tee,
+                    att_report.reported_tcb.snp,
+                    att_report.reported_tcb.microcode
+                )
+            }
+        };
+
+        // Check cache for VCEK
+        let vcek_cache_key = format!("snp_verifier_{vcek_url}");
+        if let Some(cached_vcek_b64) = self.cache.get(vcek_cache_key.clone()).await {
+            let vcek: Vec<u8> = STANDARD.decode(cached_vcek_b64)?;
+            return Ok(vcek)
+        }
+
+        // VCEK in DER format
+        let vcek_rsp: ReqwestResponse = get(vcek_url.clone())
+            .await
+            .context("Unable to send request for VCEK")?;
+
+        match vcek_rsp.status() {
+            StatusCode::OK => {
+                let vcek_rsp_bytes: Vec<u8> = vcek_rsp
+                    .bytes()
+                    .await
+                    .context("Unable to parse VCEK")?
+                    .to_vec();
+
+                // Add fetched VCEK to cache
+                let vcek_b64 = STANDARD.encode(&vcek_rsp_bytes);
+                self.cache.set(vcek_cache_key, vcek_b64).await?;
+
+                Ok(vcek_rsp_bytes)
+            }
+
+            status => bail!("Unable to fetch VCEK from URL: {status:?}, {vcek_url:?}"),
+        }
+    }
+}
+
 /// Retrieves the octet string value for a given OID from a certificate's extensions.
 /// Supports both raw and DER-encoded formats.
 pub(crate) fn get_oid_octets<const N: usize>(
@@ -421,75 +516,6 @@ pub(crate) fn get_common_name(cert: &x509::X509) -> Result<String> {
     Ok(e.data().as_utf8()?.to_string())
 }
 
-/// Asynchronously fetches the VCEK from the Key Distribution Service (KDS) using the provided attestation report.
-/// Returns the VCEK in DER format as part of a certificate table entry.
-async fn fetch_vcek_from_kds(
-    att_report: AttestationReport,
-    proc_gen: ProcessorGeneration,
-) -> Result<Vec<u8>> {
-    // Use attestation report to get data for URL
-    let hw_id: String = if att_report.chip_id.as_slice() != [0; 64] {
-        match proc_gen {
-            ProcessorGeneration::Turin => {
-                let shorter_bytes: &[u8] = &att_report.chip_id[0..8];
-                hex::encode(shorter_bytes)
-            }
-            _ => hex::encode(att_report.chip_id),
-        }
-    } else {
-        bail!("Hardware ID is 0s on attestation report. Confirm that MASK_CHIP_ID is set to 0 to request from VCEK from KDS.");
-    };
-
-    // Request VCEK from KDS
-    let vcek_url: String = match proc_gen {
-        ProcessorGeneration::Turin => {
-            let fmc = if let Some(fmc) = att_report.reported_tcb.fmc {
-                fmc
-            } else {
-                bail!("A Turin processor must have a fmc value");
-            };
-            format!(
-                "{KDS_CERT_SITE}{KDS_VCEK}/{}/\
-                {hw_id}?fmcSPL={:02}&blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}",
-                proc_gen,
-                fmc,
-                att_report.reported_tcb.bootloader,
-                att_report.reported_tcb.tee,
-                att_report.reported_tcb.snp,
-                att_report.reported_tcb.microcode
-            )
-        }
-        _ => {
-            format!(
-                "{KDS_CERT_SITE}{KDS_VCEK}/{}/\
-                {hw_id}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}",
-                proc_gen,
-                att_report.reported_tcb.bootloader,
-                att_report.reported_tcb.tee,
-                att_report.reported_tcb.snp,
-                att_report.reported_tcb.microcode
-            )
-        }
-    };
-    // VCEK in DER format
-    let vcek_rsp: ReqwestResponse = get(vcek_url.clone())
-        .await
-        .context("Unable to send request for VCEK")?;
-
-    match vcek_rsp.status() {
-        StatusCode::OK => {
-            let vcek_rsp_bytes: Vec<u8> = vcek_rsp
-                .bytes()
-                .await
-                .context("Unable to parse VCEK")?
-                .to_vec();
-            Ok(vcek_rsp_bytes)
-        }
-
-        status => bail!("Unable to fetch VCEK from URL: {status:?}, {vcek_url:?}"),
-    }
-}
-
 /// Determines the processor model based on the family and model IDs from the attestation report.
 fn get_processor_generation(att_report: &AttestationReport) -> Result<ProcessorGeneration> {
     let cpu_fam = att_report
