Not sure if this is the right place to ask but I think there might be some AMD people here that could provide some insight.
When fetching the VCEK-certificate, the documentation specifies the following API-endpoint: vcek/v1/{product_name}/{hwID}?{parameters}. It also specifies how to translate the binary return value into a product_name that can be used in the API.
This does not seem like a maintainable way to fetch the certificate. Every code base doing attestation verification needs to have a translation from the version value to the version string (Milan, Genoa, ...), which needs to be updated every time a new generation is released. It seems to me that the API should have an (alternative) endpoint that uses a version number that can be derived directly from the CPUID return value, foregoing the need for this translation logic and making SEV-SNP capable software much easier to maintain.
Does this make sense or am I missing something here?
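
Added example, not part of the original post and not AMD's code: a sketch of the translation layer the post describes, decoding a CPUID Fn0000_0001 EAX value into family and model and mapping it to a product_name for the endpoint path. The family/model ranges in the table, the sample EAX values and the hwID are assumptions made for illustration; a value from a generation that is not in the table fails, which is the maintenance burden in question.

```python
from urllib.parse import urlencode

# Assumed (family, model range) -> product_name table. Only the two names the
# post mentions are listed; check the ranges against AMD's documentation.
PRODUCT_NAMES = [
    (0x19, range(0x00, 0x10), "Milan"),
    (0x19, range(0x10, 0x20), "Genoa"),
]


class UnknownProduct(LookupError):
    """Raised when the CPUID value has no entry in the local table."""


def decode_cpuid_eax(eax):
    """Split CPUID Fn0000_0001 EAX into (family, model, stepping)."""
    stepping = eax & 0xF
    base_model = (eax >> 4) & 0xF
    base_family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF
    if base_family == 0xF:
        # Extended fields only apply when the base family field is saturated.
        return base_family + ext_family, (ext_model << 4) | base_model, stepping
    return base_family, base_model, stepping


def product_name(eax):
    """Return the product_name for a CPUID value, or raise UnknownProduct."""
    family, model, _ = decode_cpuid_eax(eax)
    for fam, models, name in PRODUCT_NAMES:
        if family == fam and model in models:
            return name
    raise UnknownProduct(f"no product_name for family {family:#x} model {model:#x}")


def vcek_path(eax, hwid_hex, params=None):
    """Build vcek/v1/{product_name}/{hwID}?{parameters} from the post's template."""
    path = f"vcek/v1/{product_name(eax)}/{hwid_hex}"
    return f"{path}?{urlencode(params)}" if params else path


if __name__ == "__main__":
    hwid = "00" * 64  # constructed placeholder hwID
    for eax in (0x00A00F11, 0x00A10F11, 0x00B00F21):  # constructed sample values
        try:
            print(hex(eax), vcek_path(eax, hwid))
        except UnknownProduct as exc:
            print(hex(eax), "->", exc)
```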