NOISSUE - Add vTPM AK hash to SEV-SNP report (#543)

danko-miladinovic · web-flow · commit 3b1605da7777 · 2025-11-03T13:01:53.000+01:00
* add vTPM AK to SEV-SNP report

* fix ci errors
diff --git a/pkg/attestation/vtpm/vtpm.go b/pkg/attestation/vtpm/vtpm.go
@@ -213,7 +213,15 @@ func VTPMVerify(quote []byte, teeNonce []byte, vtpmNonce []byte, writer io.Write
 		return errors.Wrap(fmt.Errorf("failed to unmarshal quote"), err)
 	}
 
-	if err := quoteprovider.VerifyAttestationReportTLS(attestation.GetSevSnpAttestation(), teeNonce, policy); err != nil {
+	akPub := attestation.GetAkPub()
+
+	nonce := make([]byte, 0, len(teeNonce)+len(akPub))
+	nonce = append(nonce, teeNonce...)
+	nonce = append(nonce, akPub...)
+
+	attestData := sha3.Sum512(nonce)
+
+	if err := quoteprovider.VerifyAttestationReportTLS(attestation.GetSevSnpAttestation(), attestData[:], policy); err != nil {
 		return fmt.Errorf("failed to verify TEE attestation report: %v", err)
 	}
 
@@ -307,7 +315,15 @@ func FetchQuote(nonce []byte) (*attest.Attestation, error) {
 }
 
 func addTEEAttestation(attestation *attest.Attestation, nonce []byte, vmpl uint) error {
-	rawTeeAttestation, err := quoteprovider.FetchAttestation(nonce, vmpl)
+	akPub := attestation.GetAkPub()
+
+	teeNonce := make([]byte, 0, len(nonce)+len(akPub))
+	teeNonce = append(teeNonce, nonce...)
+	teeNonce = append(teeNonce, akPub...)
+
+	attestData := sha3.Sum512(teeNonce)
+
+	rawTeeAttestation, err := quoteprovider.FetchAttestation(attestData[:], vmpl)
 	if err != nil {
 		return fmt.Errorf("failed to fetch TEE attestation report: %v", err)
 	}
