From 2664cdadcdcdeba1233d18b02554b9f7862c86c1 Mon Sep 17 00:00:00 2001
From: Ian Chin Wang
Date: Fri, 19 Dec 2025 13:50:44 -0500
Subject: [PATCH] Get auxblob for SEV-SNP only in TSM attester

Intel TDX does not use auxblob currently. Query the TSM report twice, for SEV-SNP, one to get the provider and outblob, and the other to fetch the auxblob.

Signed-off-by: Ian Chin Wang
---
 attesters/tsm/tsm.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/attesters/tsm/tsm.go b/attesters/tsm/tsm.go
index 65f6d1e..826e256 100644
--- a/attesters/tsm/tsm.go
+++ b/attesters/tsm/tsm.go
@@ -95,7 +95,7 @@ func (t *TSMPlugin) GetEvidence(in *compositor.EvidenceIn) *compositor.EvidenceO
 if in.ContentType == format.ContentType {
 req := &report.Request{
 InBlob: in.Nonce,
- GetAuxBlob: true,
+ GetAuxBlob: false,
 }

 options := make(map[string]string)
@@ -135,6 +135,17 @@ func (t *TSMPlugin) GetEvidence(in *compositor.EvidenceIn) *compositor.EvidenceO
 AuxBlob: resp.AuxBlob,
 }

+ // SEV-SNP stores cert table in auxblob. Get the report one more time to fetch the auxblob
+ if resp.Provider == "sev_guest" {
+ req.GetAuxBlob = true
+ resp, err := report.Get(client, req)
+ if err != nil {
+ errMsg := fmt.Errorf("failed to get TSM report: %v", err)
+ return getEvidenceError(errMsg)
+ }
+ out.AuxBlob = resp.AuxBlob
+ }
+
 var encodeOp func() ([]byte, error)
 encodeAs := "JSON"
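Review bot: The outblob and auxblob that end up in `out` come from two different TSM reports: the outer `resp` (presumably from a first `report.Get` above the hunk) fills the report and provider, while the second `report.Get` inside the `if resp.Provider == "sev_guest"` block is used only for `out.AuxBlob`, so the verifier receives a cert table taken from a report generation other than the one it is asked to verify. Whether the SEV-SNP cert table can differ between two back-to-back requests is not visible here, but taking both blobs from the same response removes the question; the simplest form is to also overwrite the outblob field of `out` from the inner `resp` right next to `out.AuxBlob = resp.AuxBlob`. The inner `resp, err :=` shadows the outer `resp`, which the vet shadow analyzer will flag and which makes the mixing easy to miss; `auxResp, err := report.Get(client, req)` would make the two reports visibly distinct. The error text duplicates the first call's wording, so a failure cannot be attributed to the auxblob request; `fmt.Errorf("failed to get TSM auxblob report: %w", err)` would tell them apart and keep the cause unwrappable. GetEvidence starts and ends outside the hunk.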