fix injector based on new version of snpguest

ghe0 2025-07-04 20:13:36 +03:00
parent 156853dc7e
commit f7df59e068
Signed by: ghe0
GPG Key ID: 451028EE56A0FBB4

@ -31,6 +31,17 @@ if [[ -z "${VM_HOSTNAME}" ]]; then
VM_HOSTNAME="detee-vm" VM_HOSTNAME="detee-vm"
fi fi
if [[ "$LOG_LEVEL" == "DEBUG" ]]; then
echo Environment variables:
env | grep \
-e SERVER_ADDR \
-e SSH_KEY_FILE \
-e DETEE_INSTALL_URL \
-e DETEE_INSTALL_SHA \
-e MEASUREMENT \
-e VM_HOSTNAME
fi
server="$SERVER_ADDR" server="$SERVER_ADDR"
ssh_pubkey_dir="${HOME}/.detee/cli/vms/ssh" ssh_pubkey_dir="${HOME}/.detee/cli/vms/ssh"
cert_dir="${HOME}/.detee/cli/vms/certs" cert_dir="${HOME}/.detee/cli/vms/certs"
@ -95,7 +106,7 @@ report_crt_hash=$( snpguest display report "$server_report" \
echo_blue "The hash in the report is $report_crt_hash" echo_blue "The hash in the report is $report_crt_hash"
if [[ "$crt_hash" != "$report_crt_hash" ]]; then if [[ "${crt_hash,,}" != "${report_crt_hash,,}" ]]; then
echo The hash of the certificate does not match the hash from the report. Exiting. echo The hash of the certificate does not match the hash from the report. Exiting.
exit 2 exit 2
fi fi
@ -122,19 +133,20 @@ mkdir -p "$amd_certs_dir"
ln -fs "${cert_dir}/ask-milan.pem" "${amd_certs_dir}/ask.pem" ln -fs "${cert_dir}/ask-milan.pem" "${amd_certs_dir}/ask.pem"
ln -fs "${cert_dir}/ark-milan.pem" "${amd_certs_dir}/ark.pem" ln -fs "${cert_dir}/ark-milan.pem" "${amd_certs_dir}/ark.pem"
[[ -f "${vcek_path}" ]] || { [[ -f "${vcek_path}" ]] || {
snpguest fetch vcek pem milan "$amd_certs_dir" "$server_report" || { snpguest fetch vcek --processor-model milan pem "$amd_certs_dir" "$server_report" || {
# You are probably wondering what this weird shit is doing here. # You are probably wondering what this weird shit is doing here.
# The AMD API for VCEK has throttling, and this scripts needs to run in parallel. # The AMD API for VCEK has throttling, and this scripts needs to run in parallel.
sleep 10 sleep 10
[[ -f "${vcek_path}" ]] || { [[ -f "${vcek_path}" ]] || {
snpguest fetch vcek pem milan "$amd_certs_dir" "$server_report" snpguest fetch vcek --processor-model milan pem "$amd_certs_dir" "$server_report"
} }
} }
mv "${amd_certs_dir}/vcek.pem" "${vcek_path}" mv "${amd_certs_dir}/vcek.pem" "${vcek_path}"
} }
ln -fs "${vcek_path}" "${amd_certs_dir}/vcek.pem" ln -fs "${vcek_path}" "${amd_certs_dir}/vcek.pem"
snpguest verify certs "$amd_certs_dir" snpguest verify certs "$amd_certs_dir"
snpguest verify attestation "$amd_certs_dir" "$server_report" echo snpguest verify attestation "$amd_certs_dir" "$server_report"
snpguest verify attestation --processor-model milan "$amd_certs_dir" "$server_report"
echo_yellow "The attestation got verified based on the CA from AMD for the Milan generation!" echo_yellow "The attestation got verified based on the CA from AMD for the Milan generation!"
echo_blue "Verifying if measurement is $MEASUREMENT..." echo_blue "Verifying if measurement is $MEASUREMENT..."
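Review bot: The new `snpguest verify attestation --processor-model milan ...` line, like `snpguest verify certs` two lines above it, has no exit-status check, so unless `set -e` is enabled above this hunk a failed signature check falls straight through to the "The attestation got verified" message and on to the measurement comparison; the script's own convention elsewhere (the `exit 2` on hash mismatch) is an explicit abort, so these should match it: `snpguest verify certs "$amd_certs_dir" || { echo_red "AMD certificate chain verification failed. Exiting."; exit 3; }` and `snpguest verify attestation --processor-model milan "$amd_certs_dir" "$server_report" || { echo_red "Attestation report signature verification failed. Exiting."; exit 3; }`. The preceding `echo snpguest verify attestation ...` line looks like leftover debugging that prints the old command without running it and should be dropped, or moved under the `LOG_LEVEL == DEBUG` guard the commit adds earlier. Note also that if both VCEK fetch attempts fail, the `mv` of `vcek.pem` fails and the symlink on the next line dangles, so `verify certs` is then the only thing standing between a throttled AMD API and a spurious success message.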
@ -144,7 +156,7 @@ guest_measurement=$( snpguest display report "$server_report" \
echo_blue "The guests's measurement is $guest_measurement" echo_blue "The guests's measurement is $guest_measurement"
if [[ "$guest_measurement" != "$MEASUREMENT" ]]; then if [[ "${guest_measurement,,}" != "${MEASUREMENT,,}" ]]; then
echo_red "The measurement of the server does not match." echo_red "The measurement of the server does not match."
echo_yellow "Please use this project to get your measurement: https://github.com/virtee/sev-snp-measure" echo_yellow "Please use this project to get your measurement: https://github.com/virtee/sev-snp-measure"
echo_yellow "After that, please sepcify the measurement ast the MEASUREMENT environment variable." echo_yellow "After that, please sepcify the measurement ast the MEASUREMENT environment variable."