fix injector based on new version of snpguest

ghe0 2025-07-04 20:13:36 +03:00
parent 156853dc7e
commit f7df59e068
Signed by: ghe0
GPG Key ID: 451028EE56A0FBB4

@ -31,6 +31,17 @@ if [[ -z "${VM_HOSTNAME}" ]]; then
VM_HOSTNAME="detee-vm"
fi
if [[ "$LOG_LEVEL" == "DEBUG" ]]; then
echo Environment variables:
env | grep \
-e SERVER_ADDR \
-e SSH_KEY_FILE \
-e DETEE_INSTALL_URL \
-e DETEE_INSTALL_SHA \
-e MEASUREMENT \
-e VM_HOSTNAME
fi
server="$SERVER_ADDR"
ssh_pubkey_dir="${HOME}/.detee/cli/vms/ssh"
cert_dir="${HOME}/.detee/cli/vms/certs"
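Review bot: The debug dump `env | grep …` lists only exported variables, so the `VM_HOSTNAME="detee-vm"` default assigned just above it (no `export` is visible) will not appear even though VM_HOSTNAME is in the pattern list, and the same applies to any of the other names that are set as plain shell variables rather than in the environment. A loop over the names with indirect expansion reports them regardless of export: `for v in SERVER_ADDR SSH_KEY_FILE DETEE_INSTALL_URL DETEE_INSTALL_SHA MEASUREMENT VM_HOSTNAME; do printf '%s=%s\n' "$v" "${!v-}"; done`. The grep patterns are also unanchored substrings, so unrelated variables whose names merely contain one of them are printed too, and if the script runs with `set -e` and `pipefail` (not visible here) a DEBUG run in which grep matches nothing exits at this point with status 1.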
@ -95,7 +106,7 @@ report_crt_hash=$( snpguest display report "$server_report" \
echo_blue "The hash in the report is $report_crt_hash"
if [[ "$crt_hash" != "$report_crt_hash" ]]; then
if [[ "${crt_hash,,}" != "${report_crt_hash,,}" ]]; then
echo The hash of the certificate does not match the hash from the report. Exiting.
exit 2
fi
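Review bot: The new case-insensitive comparison `[[ "${crt_hash,,}" != "${report_crt_hash,,}" ]]` still passes when both values are empty, e.g. when the `snpguest display report …` pipeline that assigns `report_crt_hash` above this hunk produced no output, so a failed report parse would be accepted as a match; guarding on emptiness first closes that: `if [[ -z "$crt_hash" || -z "$report_crt_hash" || "${crt_hash,,}" != "${report_crt_hash,,}" ]]; then`. The failure message on the following line uses a bare `echo` while the measurement mismatch later in this commit uses `echo_red`; `echo_red "The hash of the certificate does not match the hash from the report. Exiting."` keeps the two consistent. How `crt_hash` is produced is outside the hunk.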
@ -122,19 +133,20 @@ mkdir -p "$amd_certs_dir"
ln -fs "${cert_dir}/ask-milan.pem" "${amd_certs_dir}/ask.pem"
ln -fs "${cert_dir}/ark-milan.pem" "${amd_certs_dir}/ark.pem"
[[ -f "${vcek_path}" ]] || {
snpguest fetch vcek pem milan "$amd_certs_dir" "$server_report" || {
snpguest fetch vcek --processor-model milan pem "$amd_certs_dir" "$server_report" || {
# You are probably wondering what this weird shit is doing here.
# The AMD API for VCEK has throttling, and this scripts needs to run in parallel.
sleep 10
[[ -f "${vcek_path}" ]] || {
snpguest fetch vcek pem milan "$amd_certs_dir" "$server_report"
snpguest fetch vcek --processor-model milan pem "$amd_certs_dir" "$server_report"
}
}
mv "${amd_certs_dir}/vcek.pem" "${vcek_path}"
}
ln -fs "${vcek_path}" "${amd_certs_dir}/vcek.pem"
snpguest verify certs "$amd_certs_dir"
snpguest verify attestation "$amd_certs_dir" "$server_report"
echo snpguest verify attestation "$amd_certs_dir" "$server_report"
snpguest verify attestation --processor-model milan "$amd_certs_dir" "$server_report"
echo_yellow "The attestation got verified based on the CA from AMD for the Milan generation!"
echo_blue "Verifying if measurement is $MEASUREMENT..."
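Review bot: The `echo snpguest verify attestation "$amd_certs_dir" "$server_report"` line prints a command that is not the one executed on the next line, which carries `--processor-model milan`, so anyone reading the output to reproduce the verification gets the old invocation; assuming, as the hunk counts suggest, the echo is an addition, it is also unconditional, unlike the DEBUG-gated dump added earlier in this commit. Either drop it or gate it on `LOG_LEVEL` like that dump and print the real invocation via `echo_blue`. The VCEK retry in the same hunk never checks whether the second `snpguest fetch vcek --processor-model milan pem …` succeeded before `mv "${amd_certs_dir}/vcek.pem" "${vcek_path}"`, so a second throttled response surfaces as an mv error or, if `set -e` is not active (not visible here), as a dangling vcek.pem symlink handed to `snpguest verify certs`; ending the retry group with `|| { echo_red "VCEK fetch failed after retry"; exit 1; }` makes that failure explicit.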
@ -144,7 +156,7 @@ guest_measurement=$( snpguest display report "$server_report" \
echo_blue "The guests's measurement is $guest_measurement"
if [[ "$guest_measurement" != "$MEASUREMENT" ]]; then
if [[ "${guest_measurement,,}" != "${MEASUREMENT,,}" ]]; then
echo_red "The measurement of the server does not match."
echo_yellow "Please use this project to get your measurement: https://github.com/virtee/sev-snp-measure"
echo_yellow "After that, please sepcify the measurement ast the MEASUREMENT environment variable."