package (version 0.4.4)
Repository: https://github.com/google/go-tpm-tools.git
Documentation: pkg.go.dev

# Functions

ConvertGCEFirmwareVersionToSCRTMVersion creates the corresponding SCRTM version string from a numerical GCE firmware version.
ConvertSCRTMVersionToGCEFirmwareVersion attempts to parse the Firmware Version of a GCE VM from the bytes of the version string of the SCRTM.
CreateEKPublicAreaFromKey creates a public area from a go interface PublicKey.
CreateImportBlob uses the provided public EK to encrypt the sensitive data.
CreateSigningKeyImportBlob uses the provided public EK to encrypt the signing key into import blob format.
EvaluatePolicy succeeds if the provided MachineState complies with the provided policy.
GCEInstanceURL returns a Google API URL to the specified instance.
GetGCEInstanceInfo takes a GCE-issued x509 EK/AK certificate and tries to extract its GCE instance information.
ParseGCENonHostInfo attempts to parse the Confidential VM technology used by a GCE VM from the GCE Non-Host info event.
SevSnpDefaultOptions returns a default validation policy and verification options for SEV-SNP attestation reports on GCE.
SevSnpDefaultValidateOpts returns a default validation policy for SEV-SNP attestation reports on GCE.
SevSnpDefaultValidateOptsForTest is a non-production policy only meant for testing.
TdxDefaultOptions returns a default validation policy and verification options for TDX attestation quote on GCE.
TdxDefaultValidateOpts returns a default validation policy for TDX attestation quote on GCE.
VerifyAttestation performs the following checks on an Attestation:

- the AK used to generate the attestation is trusted (based on VerifyOpts)
- the provided signature is generated by the trusted AK public key
- the signature signs the provided quote data
- the quote data starts with TPM_GENERATED_VALUE
- the quote data is a valid TPMS_QUOTE_INFO
- the quote data was taken over the provided PCRs
- the provided PCR values match the quote data internal digest
- the provided opts.Nonce matches that in the quote data
- the provided eventlog matches the provided PCR values

After this, the eventlog is parsed and the corresponding MachineState is returned.
VerifyGceTechnology checks the GCE-specific GceNonHost event's Trusted Execution Technology (TEE) claim using attestation reports if the technology supports them, and only then validates that a particular technology has proven that it is in use.
VerifySevSnpAttestation checks that the SEV-SNP attestation report matches expectations for the product.
VerifyTdxAttestation checks that the TDX attestation quote is valid.

# Constants

Measured when Boot Manager attempts to execute code from a Boot Option.
Expected TCG Event Log Event Types.
Constant events used with type "EV_EFI_ACTION".
GRUB (https://www.gnu.org/software/grub/).
UnsupportedLoader refers to a second-stage bootloader that is of an unsupported type.

# Variables

go:embed secure-boot/GcePk.crt.
Certificates corresponding to the known CA certs for GCE.
GCENonHostInfoSignature identifies the GCE Non-Host info event, which indicates if memory encryption is enabled.
GceVirtualFirmwarePrefix is the little-endian UCS-2 encoded string "GCE Virtual Firmware v" without a null terminator.
go:embed secure-boot/MicCorKEKCA2011_2011-06-24.crt.
go:embed secure-boot/MicCorUEFCA2011_2011-06-27.crt.
go:embed secure-boot/canonical-boothole.crt.
go:embed secure-boot/cisco-boothole.crt.
go:embed secure-boot/debian-boothole.crt.
go:embed secure-boot/MicWinProPCA2011_2011-10-19.crt.

# Structs

GroupedError collects related errors and exposes them as a single error.
VerifyOpts allows for customizing the functionality of VerifyAttestation.
VerifySnpOpts allows for customizing the functionality of VerifyAttestation's SEV-SNP verification.
VerifyTdxOpts allows for customizing the functionality of VerifyAttestation's TDX verification.

# Type aliases

Bootloader refers to the second-stage bootloader that loads and transfers execution to the OS kernel.