Skip to content

security: make cnf.jwk<->report_data binding fatal for SEV-SNP/TDX; fix TDX report_data offset #371

Description

@imran-siddique

Tracked follow-up from the June 2026 org-wide security hardening review. Wave 1/2 fixes are merged and published; this is remaining hardening.

For SEV-SNP/TDX the cnf.jwk<->report_data binding is currently advisory (non-fatal) and the TDX report_data is read from a best-effort/likely-wrong offset. Extract report_data from the parsed raw_evidence at the correct documented offset and require it to equal jwk_thumbprint(cnf.jwk.x); a mismatch must be fatal for all hardware platforms.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions