@super-protocol/addons-tee 2.0.0 → 2.0.1

package/dist/sgx-native-module/pki.service.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PkiService = exports.ECPCurve = exports.CertificateFormat = exports.CertificateKeyType = void 0;
+const { CryptoPrimitives } = require("../../bindings/sgx-native/build/Release/sgx_native.node");
+var CertificateKeyType;
+(function (CertificateKeyType) {
+    CertificateKeyType["RSA"] = "RSA";
+    CertificateKeyType["ECP"] = "ECP";
+})(CertificateKeyType || (exports.CertificateKeyType = CertificateKeyType = {}));
+var CertificateFormat;
+(function (CertificateFormat) {
+    CertificateFormat["PEM"] = "PEM";
+    CertificateFormat["DER"] = "DER";
+})(CertificateFormat || (exports.CertificateFormat = CertificateFormat = {}));
+var ECPCurve;
+(function (ECPCurve) {
+    ECPCurve["SECP192R1"] = "SECP192R1"; /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
+    ECPCurve["SECP224R1"] = "SECP224R1"; /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
+    ECPCurve["SECP256R1"] = "SECP256R1"; /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
+    ECPCurve["SECP384R1"] = "SECP384R1"; /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
+    ECPCurve["SECP521R1"] = "SECP521R1"; /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
+    ECPCurve["BP256R1"] = "BP256R1"; /*!< Domain parameters for 256-bit Brainpool curve. */
+    ECPCurve["BP384R1"] = "BP384R1"; /*!< Domain parameters for 384-bit Brainpool curve. */
+    ECPCurve["BP512R1"] = "BP512R1"; /*!< Domain parameters for 512-bit Brainpool curve. */
+    // @TODO: MBEDTLS NOT SUPPORT EXRPORT CURVE25519 = "CURVE25519", /*!< Domain parameters for Curve25519. */
+    ECPCurve["SECP192K1"] = "SECP192K1"; /*!< Domain parameters for 192-bit "Koblitz" curve. */
+    ECPCurve["SECP224K1"] = "SECP224K1"; /*!< Domain parameters for 224-bit "Koblitz" curve. */
+    ECPCurve["SECP256K1"] = "SECP256K1"; /*!< Domain parameters for 256-bit "Koblitz" curve. */
+    // @TODO: MBEDTLS NOT SUPPORT EXRPORT    CURVE448 = "CURVE448",     /*!< Domain parameters for Curve448. */
+})(ECPCurve || (exports.ECPCurve = ECPCurve = {}));
+class PkiService {
+    constructor() {
+        this.cryptoPrimitives = new CryptoPrimitives();
+    }
+    async generateTlsCertificate(params = {}) {
+        const subject = {
+            commonName: params.subject?.commonName ?? "localhost",
+            countryName: params.subject?.countryName ?? "US",
+            state: params.subject?.state ?? "New York",
+            localityName: params.subject?.localityName ?? "New York",
+            organizationName: params.subject?.organizationName ?? "SuperProtocol",
+            organizationUnit: params.subject?.organizationUnit ?? "TEE",
+        };
+        const format = params.format ?? CertificateFormat.PEM;
+        const keyType = params.keyType ?? CertificateKeyType.RSA;
+        let rsaKeyBits;
+        let ecpCurve;
+        if (keyType === CertificateKeyType.RSA) {
+            rsaKeyBits = params.rsaKeyBits ?? 3072;
+        }
+        else if (keyType === CertificateKeyType.ECP) {
+            ecpCurve = params.ecpCurve ?? ECPCurve.SECP384R1;
+        }
+        const withQuote = params.withQuote ?? false;
+        const serialNumber = params.serialNumber ?? "01";
+        const days = params.days ?? 365;
+        const dnsNames = params.dnsNames ?? [];
+        const ips = params.ips ?? [];
+        return this.cryptoPrimitives.GenerateTlsCertificate({
+            format,
+            subject,
+            keyType,
+            withQuote,
+            rsaKeyBits,
+            ecpCurve,
+            serialNumber,
+            days,
+            dnsNames,
+            ips,
+        });
+    }
+}
+exports.PkiService = PkiService;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicGtpLnNlcnZpY2UuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvc2d4LW5hdGl2ZS1tb2R1bGUvcGtpLnNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsTUFBTSxFQUFFLGdCQUFnQixFQUFFLEdBQUcsT0FBTyxDQUFDLHlEQUF5RCxDQUFDLENBQUM7QUFPaEcsSUFBWSxrQkFHWDtBQUhELFdBQVksa0JBQWtCO0lBQzFCLGlDQUFXLENBQUE7SUFDWCxpQ0FBVyxDQUFBO0FBQ2YsQ0FBQyxFQUhXLGtCQUFrQixrQ0FBbEIsa0JBQWtCLFFBRzdCO0FBRUQsSUFBWSxpQkFHWDtBQUhELFdBQVksaUJBQWlCO0lBQ3pCLGdDQUFXLENBQUE7SUFDWCxnQ0FBVyxDQUFBO0FBQ2YsQ0FBQyxFQUhXLGlCQUFpQixpQ0FBakIsaUJBQWlCLFFBRzVCO0FBRUQsSUFBWSxRQWNYO0FBZEQsV0FBWSxRQUFRO0lBQ2hCLG1DQUF1QixDQUFBLENBQUMsK0VBQStFO0lBQ3ZHLG1DQUF1QixDQUFBLENBQUMsK0VBQStFO0lBQ3ZHLG1DQUF1QixDQUFBLENBQUMsK0VBQStFO0lBQ3ZHLG1DQUF1QixDQUFBLENBQUMsK0VBQStFO0lBQ3ZHLG1DQUF1QixDQUFBLENBQUMsK0VBQStFO0lBQ3ZHLCtCQUFtQixDQUFBLENBQUMsc0RBQXNEO0lBQzFFLCtCQUFtQixDQUFBLENBQUMsc0RBQXNEO0lBQzFFLCtCQUFtQixDQUFBLENBQUMsc0RBQXNEO0lBQzFFLDBHQUEwRztJQUMxRyxtQ0FBdUIsQ0FBQSxDQUFDLHNEQUFzRDtJQUM5RSxtQ0FBdUIsQ0FBQSxDQUFDLHNEQUFzRDtJQUM5RSxtQ0FBdUIsQ0FBQSxDQUFDLHNEQUFzRDtJQUM5RSwyR0FBMkc7QUFDL0csQ0FBQyxFQWRXLFFBQVEsd0JBQVIsUUFBUSxRQWNuQjtBQTBCRCxNQUFhLFVBQVU7SUFHbkI7UUFDSSxJQUFJLENBQUMsZ0JBQWdCLEdBQUcsSUFBSSxnQkFBZ0IsRUFBRSxDQUFDO0lBQ25ELENBQUM7SUFFRCxLQUFLLENBQUMsc0JBQXNCLENBQUMsU0FBd0IsRUFBRTtRQUNuRCxNQUFNLE9BQU8sR0FBRztZQUNaLFVBQVUsRUFBRSxNQUFNLENBQUMsT0FBTyxFQUFFLFVBQVUsSUFBSSxXQUFXO1lBQ3JELFdBQVcsRUFBRSxNQUFNLENBQUMsT0FBTyxFQUFFLFdBQVcsSUFBSSxJQUFJO1lBQ2hELEtBQUssRUFBRSxNQUFNLENBQUMsT0FBTyxFQUFFLEtBQUssSUFBSSxVQUFVO1lBQzFDLFlBQVksRUFBRSxNQUFNLENBQUMsT0FBTyxFQUFFLFlBQVksSUFBSSxVQUFVO1lBQ3hELGdCQUFnQixFQUFFLE1BQU0sQ0FBQyxPQUFPLEVBQUUsZ0JBQWdCLElBQUksZUFBZTtZQUNyRSxnQkFBZ0IsRUFBRSxNQUFNLENBQUMsT0FBTyxFQUFFLGdCQUFnQixJQUFJLEtBQUs7U0FDOUQsQ0FBQztRQUVGLE1BQU0sTUFBTSxHQUFHLE1BQU0sQ0FBQyxNQUFNLElBQUksaUJBQWlCLENBQUMsR0FBRyxDQUFDO1FBQ3RELE1BQU0sT0FBTyxHQUFHLE1BQU0sQ0FBQyxPQUFPLElBQUksa0JBQWtCLENBQUMsR0FBRyxDQUFDO1FBRXpELElBQUksVUFBOEIsQ0FBQztRQUNuQyxJQUFJLFFBQThCLENBQUM7UUFFbkMsSUFBSSxPQUFPLEtBQUssa0JBQWtCLENBQUMsR0FBRyxFQUFFLENBQUM7WUFDckMsVUFBVSxHQUFHLE1BQU0sQ0FBQyxVQUFVLElBQUksSUFBSSxDQUFDO1FBQzNDLENBQUM7YUFBTSxJQUFJLE9BQU8sS0FBSyxrQkFBa0IsQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUM1QyxRQUFRLEdBQUcsTUFBTSxDQUFDLFFBQVEsSUFBSSxRQUFRLENBQUMsU0FBUyxDQUFDO1FBQ3JELENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxNQUFNLENBQUMsU0FBUyxJQUFJLEtBQUssQ0FBQztRQUM1QyxNQUFNLFlBQVksR0FBRyxNQUFNLENBQUMsWUFBWSxJQUFJLElBQUksQ0FBQztRQUNqRCxNQUFNLElBQUksR0FBRyxNQUFNLENBQUMsSUFBSSxJQUFJLEdBQUcsQ0FBQztRQUNoQyxNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsUUFBUSxJQUFJLEVBQUUsQ0FBQztRQUN2QyxNQUFNLEdBQUcsR0FBRyxNQUFNLENBQUMsR0FBRyxJQUFJLEVBQUUsQ0FBQztRQUU3QixPQUFPLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxzQkFBc0IsQ0FBQztZQUNoRCxNQUFNO1lBQ04sT0FBTztZQUNQLE9BQU87WUFDUCxTQUFTO1lBQ1QsVUFBVTtZQUNWLFFBQVE7WUFDUixZQUFZO1lBQ1osSUFBSTtZQUNKLFFBQVE7WUFDUixHQUFHO1NBQ04sQ0FBQyxDQUFDO0lBQ1AsQ0FBQztDQUNKO0FBaERELGdDQWdEQyJ9

package/dist/sgx-native-module/sev-snp-mrenclave.d.ts

@@ -0,0 +1,59 @@
+/// <reference types="node" />
+/// <reference types="node" />
+import { StorageAccess } from "@super-protocol/sdk-js";
+import { Transform } from "stream";
+import { SNPReport } from "../proto/AmdSevSnp";
+interface VMCommon {
+    kernelHash: Buffer;
+    initrdHash: Buffer | undefined;
+    ovmfHash: Buffer;
+}
+interface VMConfig extends VMCommon {
+    ovmfBucket: string;
+    ovmfPrefix: string;
+    ovmfFilename: string;
+}
+interface VMMeasure extends VMCommon {
+    ovmfFilePath: string;
+}
+export interface SNPMrEnclaveCalculatorArgs {
+    cacheFolder?: string;
+    rmPrevCache?: boolean;
+    vmRepoOwner?: string;
+    vmRepo?: string;
+    releaseAsset?: string;
+    downloadAssetRetryInterval?: number;
+    downloadAssetRetryMax?: number;
+    storageAccess?: StorageAccess;
+    cacheRecordsTTL?: number;
+}
+export declare class SNPMrEnclaveCalculator {
+    private readonly cacheFolder;
+    private readonly vmRepoOwner;
+    private readonly vmRepo;
+    private readonly releaseAsset;
+    private readonly axiosInstance;
+    private readonly retryInterval;
+    private readonly retryMax;
+    private readonly storageAccess;
+    private readonly vmInfoCache;
+    private readonly defaultCredentials;
+    constructor(config: SNPMrEnclaveCalculatorArgs);
+    /**
+     * The method allows to obtain expected mrenclave if the virtual machine for which the report is
+     * submitted was running on one core and a Milan processor
+     * @param report - @see CalcSnpMrEnclaveParams
+     */
+    getSingleCoreMrEnclave(report: SNPReport): Promise<Buffer>;
+    protected downloadAsset(assetUrl: string): Promise<Buffer>;
+    protected extractVMData(data: Buffer): VMConfig;
+    protected static calcHashStream(alg?: string): {
+        process: Transform;
+        get: () => Buffer;
+    };
+    protected static fileExist(filePath: string): Promise<boolean>;
+    protected getAssetUrl(build: string): Promise<string>;
+    protected downloadVM(build: string): Promise<VMMeasure>;
+    protected downloadOvmf(vmFiles: VMConfig, ovmfPath: string): Promise<void>;
+}
+export {};

package/dist/sgx-native-module/sev-snp-mrenclave.js

@@ -0,0 +1,322 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SNPMrEnclaveCalculator = void 0;
+const typebox_1 = require("@sinclair/typebox");
+const value_1 = require("@sinclair/typebox/value");
+const fs = __importStar(require("fs"));
+const fsAsync = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const sev_snp_1 = require("./sev-snp");
+const axios_1 = __importDefault(require("axios"));
+const sdk_js_1 = require("@super-protocol/sdk-js");
+const dto_js_1 = require("@super-protocol/dto-js");
+const crypto_1 = require("crypto");
+const stream_1 = require("stream");
+const helpers_1 = require("./helpers");
+const amd_sev_snp_napi_rs_1 = require("../../bindings/amd-sev-snp-napi-rs/");
+const VMJsonSchema = typebox_1.Type.Object({
+    kernel: typebox_1.Type.Object({ sha256: typebox_1.Type.String() }),
+    initrd: typebox_1.Type.Optional(typebox_1.Type.Object({ sha256: typebox_1.Type.String() })),
+    bios_amd: typebox_1.Type.Optional(typebox_1.Type.Object({
+        sha256: typebox_1.Type.String(),
+        bucket: typebox_1.Type.String(),
+        prefix: typebox_1.Type.String(),
+        filename: typebox_1.Type.String(),
+    })),
+    bios: typebox_1.Type.Optional(typebox_1.Type.Object({
+        sha256: typebox_1.Type.String(),
+        bucket: typebox_1.Type.String(),
+        prefix: typebox_1.Type.String(),
+        filename: typebox_1.Type.String(),
+    })),
+});
+class VMConfigCache {
+    constructor(ttl = 5 * 60 * 1000) {
+        this.cache = {};
+        this.ttl = ttl;
+    }
+    set(key, value) {
+        const timestamp = Date.now();
+        this.cache[key] = {
+            value,
+            timestamp,
+        };
+    }
+    get(key, force = false) {
+        const record = this.cache[key];
+        if (record) {
+            if (force === false) {
+                const now = Date.now();
+                if (now - record.timestamp > this.ttl) {
+                    return null;
+                }
+            }
+            return record.value;
+        }
+        return null;
+    }
+    clear() {
+        this.cache = {};
+    }
+}
+class SNPMrEnclaveCalculator {
+    constructor(config) {
+        this.axiosInstance = axios_1.default.create();
+        this.defaultCredentials = {
+            storageType: dto_js_1.StorageType.S3,
+            credentials: {
+                endpoint: "https://gateway.storjshare.io",
+                accessKeyId: "jxekrow2wxmjps6pr2jv22hamtha",
+                secretKey: "jztnpl532njcljtdolnpbszq66lgqmwmgkbh747342hwc72grkohi",
+                // prefix and bucket can be any, as it will be filled later
+                bucket: "",
+                prefix: "",
+            },
+        };
+        this.cacheFolder = config.cacheFolder || fs.mkdtempSync(path.join(os.tmpdir(), "snp-mrenclave-cache-"));
+        const rmPrevCache = config.rmPrevCache ?? false;
+        this.vmRepoOwner = config.vmRepoOwner || "Super-Protocol";
+        this.vmRepo = config.vmRepo || "sp-vm";
+        this.releaseAsset = config.releaseAsset || "vm.json";
+        this.retryInterval = config.downloadAssetRetryInterval ?? 1000;
+        this.retryMax = config.downloadAssetRetryMax ?? 3;
+        this.storageAccess = config.storageAccess ?? this.defaultCredentials;
+        const cacheRecordsTTL = config.cacheRecordsTTL ?? 5 * 60 * 1000;
+        if (rmPrevCache) {
+            (0, helpers_1.gramineCompatibleRmDir)(this.cacheFolder);
+        }
+        if (!fs.existsSync(this.cacheFolder)) {
+            fs.mkdirSync(this.cacheFolder, { recursive: true });
+        }
+        this.vmInfoCache = new VMConfigCache(cacheRecordsTTL);
+    }
+    /**
+     * The method allows to obtain expected mrenclave if the virtual machine for which the report is
+     * submitted was running on one core and a Milan processor
+     * @param report - @see CalcSnpMrEnclaveParams
+     */
+    async getSingleCoreMrEnclave(report) {
+        const mrEnclave = await sev_snp_1.SevSNP.getMrEnclave(Buffer.from(report.rawReport));
+        const vmMeasure = await this.downloadVM(report.build);
+        const expectedMrEnclave = await sev_snp_1.SevSNP.calcSnpMrEnclave({
+            ovmfPath: vmMeasure.ovmfFilePath,
+            kernelHash: vmMeasure.kernelHash,
+            initrdHash: vmMeasure.initrdHash,
+            cmdLineHash: Buffer.from(report.cmdLineHash),
+            vcpuSig: report.cpuSig,
+            vcpuCount: report.cores,
+            vmpl: await (0, amd_sev_snp_napi_rs_1.getReportVmpl)(Buffer.from(report.rawReport)),
+            policy: await (0, amd_sev_snp_napi_rs_1.getReportPolicy)(Buffer.from(report.rawReport)),
+        });
+        if (!mrEnclave.equals(expectedMrEnclave))
+            throw new Error(`Expected mrEnclave does not match the calculated one.\n` +
+                `mrEnclave: ${mrEnclave.toString("hex")}\n` +
+                `expectedMrEnclave: ${expectedMrEnclave.toString("hex")}\n` +
+                `report.build: ${report.build}\n` +
+                `vmMeasure: ${JSON.stringify(vmMeasure)}`);
+        const singleCoreMrEnclave = await sev_snp_1.SevSNP.calcSnpMrEnclave({
+            ovmfPath: vmMeasure.ovmfFilePath,
+            kernelHash: vmMeasure.kernelHash,
+            initrdHash: vmMeasure.initrdHash,
+            cmdLineHash: Buffer.from(report.cmdLineHash),
+            vcpuSig: sev_snp_1.SevSNP.getCpuSig(sev_snp_1.AMD_EPYC_MILAN_CPUINFO),
+            vcpuCount: 1,
+        });
+        return singleCoreMrEnclave;
+    }
+    async downloadAsset(assetUrl) {
+        const { retryInterval, retryMax } = this;
+        const response = await sdk_js_1.helpers.tryWithInterval({
+            checkResult(response) {
+                return { isResultOk: response.status === 200 };
+            },
+            handler: async () => {
+                return this.axiosInstance.get(assetUrl, {
+                    responseType: "arraybuffer",
+                });
+            },
+            checkError(err) {
+                if (axios_1.default.isAxiosError(err) && err.response) {
+                    const status = err.response.status;
+                    return { retryable: status < 400 || status >= 500 || status === 429 };
+                }
+                return { retryable: axios_1.default.isAxiosError(err) };
+            },
+            retryInterval,
+            retryMax,
+        });
+        return response.data;
+    }
+    extractVMData(data) {
+        const vmRaw = data.toString("utf-8");
+        const parsed = JSON.parse(vmRaw);
+        const { isValid } = (0, sdk_js_1.validateBySchema)(parsed, VMJsonSchema);
+        if (!isValid) {
+            const validationErrors = Array.from(value_1.Value.Errors(VMJsonSchema, parsed));
+            const details = validationErrors.map((e) => e.message).join(", ");
+            throw new Error(`Failed to validate VM JSON:${details ? `: ${details}` : ""}`);
+        }
+        const vm = parsed;
+        const kernelHash = vm.kernel.sha256;
+        const initrdHash = vm.initrd?.sha256;
+        const OVMF = vm.bios_amd || vm.bios;
+        if (!OVMF) {
+            throw new Error("Neither bios_amd nor bios is available");
+        }
+        const { sha256, bucket, prefix, filename } = OVMF;
+        if (!sha256 || !bucket || !prefix || !filename) {
+            throw new Error("Missing one or more required fields in OVMF");
+        }
+        return {
+            kernelHash: Buffer.from(kernelHash, "hex"),
+            initrdHash: initrdHash ? Buffer.from(initrdHash, "hex") : undefined,
+            ovmfHash: Buffer.from(sha256, "hex"),
+            ovmfBucket: bucket,
+            ovmfPrefix: prefix,
+            ovmfFilename: filename,
+        };
+    }
+    static calcHashStream(alg = "sha256") {
+        const hash = (0, crypto_1.createHash)(alg);
+        return {
+            process: new stream_1.Transform({
+                transform: (data, encoding, done) => {
+                    hash.update(data);
+                    done(null, data);
+                },
+            }),
+            get: () => hash.digest(),
+        };
+    }
+    static async fileExist(filePath) {
+        try {
+            await fsAsync.access(filePath, fs.constants.F_OK);
+            return true;
+        }
+        catch (err) {
+            return false;
+        }
+    }
+    async getAssetUrl(build) {
+        const { retryInterval, retryMax } = this;
+        const response = await sdk_js_1.helpers.tryWithInterval({
+            checkResult(response) {
+                return { isResultOk: response.status === 200 };
+            },
+            handler: async () => {
+                return this.axiosInstance.get(`https://api.github.com/repos/${this.vmRepoOwner}/${this.vmRepo}/releases/tags/${build}`);
+            },
+            checkError(err) {
+                if (axios_1.default.isAxiosError(err) && err.response) {
+                    const status = err.response.status;
+                    return { retryable: status < 400 || status >= 500 || status === 429 };
+                }
+                return { retryable: axios_1.default.isAxiosError(err) };
+            },
+            retryInterval,
+            retryMax,
+        });
+        const { data } = response;
+        const asset = data.assets.find((asset) => asset.name === this.releaseAsset);
+        if (!asset) {
+            throw new Error(`Failed to find asset named ${this.releaseAsset} for build ${build}.`);
+        }
+        return asset.browser_download_url;
+    }
+    async downloadVM(build) {
+        let fromCache = false;
+        let vmFiles;
+        const vmInfo = this.vmInfoCache.get(build);
+        if (vmInfo) {
+            fromCache = true;
+            vmFiles = vmInfo;
+        }
+        else {
+            try {
+                const assetUrl = await this.getAssetUrl(build);
+                const vm = await this.downloadAsset(assetUrl);
+                vmFiles = this.extractVMData(vm);
+            }
+            catch (error) {
+                const vmInfo = this.vmInfoCache.get(build, true);
+                if (vmInfo) {
+                    fromCache = true;
+                    vmFiles = vmInfo;
+                }
+                else {
+                    throw error;
+                }
+            }
+        }
+        const ovmfPath = path.join(this.cacheFolder, `${vmFiles.ovmfHash.toString("hex")}_OVMF.fd`);
+        let fileExistAndCorrect = false;
+        if (await SNPMrEnclaveCalculator.fileExist(ovmfPath)) {
+            const fileStream = fs.createReadStream(ovmfPath);
+            const hash = await sdk_js_1.Crypto.createHash(fileStream, {
+                algo: dto_js_1.HashAlgorithm.SHA256,
+                encoding: dto_js_1.Encoding.hex,
+            });
+            if (vmFiles.ovmfHash.toString("hex") === hash.hash) {
+                fileExistAndCorrect = true;
+            }
+        }
+        if (fileExistAndCorrect !== true) {
+            await this.downloadOvmf(vmFiles, ovmfPath);
+        }
+        if (fromCache !== true) {
+            this.vmInfoCache.set(build, vmFiles);
+        }
+        return {
+            initrdHash: vmFiles.initrdHash,
+            kernelHash: vmFiles.kernelHash,
+            ovmfFilePath: ovmfPath,
+            ovmfHash: vmFiles.ovmfHash,
+        };
+    }
+    async downloadOvmf(vmFiles, ovmfPath) {
+        const access = {
+            ...this.storageAccess,
+            credentials: {
+                ...this.storageAccess.credentials,
+                bucket: vmFiles.ovmfBucket,
+                prefix: vmFiles.ovmfPrefix.endsWith("/") ? vmFiles.ovmfPrefix : `${vmFiles.ovmfPrefix}/`,
+            },
+        };
+        const storageProvider = (0, sdk_js_1.getStorageProvider)(access);
+        const downloaderStream = await storageProvider.downloadFile(vmFiles.ovmfFilename, {});
+        const { process: hashStream, get: getStreamHash } = SNPMrEnclaveCalculator.calcHashStream("sha256");
+        await stream_1.promises.pipeline(downloaderStream, hashStream, fs.createWriteStream(ovmfPath));
+        if (!vmFiles.ovmfHash.equals(getStreamHash())) {
+            throw new Error("The downloaded OVMF-file does not match the expected checksum");
+        }
+    }
+}
+exports.SNPMrEnclaveCalculator = SNPMrEnclaveCalculator;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2V2LXNucC1tcmVuY2xhdmUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvc2d4LW5hdGl2ZS1tb2R1bGUvc2V2LXNucC1tcmVuY2xhdmUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSwrQ0FBaUQ7QUFDakQsbURBQWdEO0FBQ2hELHVDQUF5QjtBQUN6QixxREFBdUM7QUFDdkMsMkNBQTZCO0FBQzdCLHVDQUF5QjtBQUN6Qix1Q0FBMkQ7QUFDM0Qsa0RBQTZDO0FBQzdDLG1EQU1nQztBQUNoQyxtREFBOEU7QUFDOUUsbUNBQW9DO0FBQ3BDLG1DQUE2QztBQUM3Qyx1Q0FBbUQ7QUFFbkQsNkVBQXFGO0FBa0JyRixNQUFNLFlBQVksR0FBRyxjQUFJLENBQUMsTUFBTSxDQUFDO0lBQzdCLE1BQU0sRUFBRSxjQUFJLENBQUMsTUFBTSxDQUFDLEVBQUUsTUFBTSxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDO0lBQzlDLE1BQU0sRUFBRSxjQUFJLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxNQUFNLENBQUMsRUFBRSxNQUFNLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQztJQUM3RCxRQUFRLEVBQUUsY0FBSSxDQUFDLFFBQVEsQ0FDbkIsY0FBSSxDQUFDLE1BQU0sQ0FBQztRQUNSLE1BQU0sRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO1FBQ3JCLE1BQU0sRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO1FBQ3JCLE1BQU0sRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO1FBQ3JCLFFBQVEsRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO0tBQzFCLENBQUMsQ0FDTDtJQUNELElBQUksRUFBRSxjQUFJLENBQUMsUUFBUSxDQUNmLGNBQUksQ0FBQyxNQUFNLENBQUM7UUFDUixNQUFNLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtRQUNyQixNQUFNLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtRQUNyQixNQUFNLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtRQUNyQixRQUFRLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtLQUMxQixDQUFDLENBQ0w7Q0FDSixDQUFDLENBQUM7QUFHSCxNQUFNLGFBQWE7SUFJZixZQUFZLE1BQWMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxJQUFJO1FBSC9CLFVBQUssR0FBOEQsRUFBRSxDQUFDO1FBSTFFLElBQUksQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDO0lBQ25CLENBQUM7SUFFRCxHQUFHLENBQUMsR0FBVyxFQUFFLEtBQWU7UUFDNUIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQzdCLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLEdBQUc7WUFDZCxLQUFLO1lBQ0wsU0FBUztTQUNaLENBQUM7SUFDTixDQUFDO0lBRUQsR0FBRyxDQUFDLEdBQVcsRUFBRSxRQUFpQixLQUFLO1FBQ25DLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFFL0IsSUFBSSxNQUFNLEVBQUUsQ0FBQztZQUNULElBQUksS0FBSyxLQUFLLEtBQUssRUFBRSxDQUFDO2dCQUNsQixNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7Z0JBQ3ZCLElBQUksR0FBRyxHQUFHLE1BQU0sQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO29CQUNwQyxPQUFPLElBQUksQ0FBQztnQkFDaEIsQ0FBQztZQUNMLENBQUM7WUFFRCxPQUFPLE1BQU0sQ0FBQyxLQUFLLENBQUM7UUFDeEIsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDO0lBQ2hCLENBQUM7SUFFRCxLQUFLO1FBQ0QsSUFBSSxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7SUFDcEIsQ0FBQztDQUNKO0FBY0QsTUFBYSxzQkFBc0I7SUFzQi9CLFlBQVksTUFBa0M7UUFqQjdCLGtCQUFhLEdBQUcsZUFBSyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBSy9CLHVCQUFrQixHQUFrQjtZQUNqRCxXQUFXLEVBQUUsb0JBQVcsQ0FBQyxFQUFFO1lBQzNCLFdBQVcsRUFBRTtnQkFDVCxRQUFRLEVBQUUsK0JBQStCO2dCQUN6QyxXQUFXLEVBQUUsOEJBQThCO2dCQUMzQyxTQUFTLEVBQUUsdURBQXVEO2dCQUNsRSwyREFBMkQ7Z0JBQzNELE1BQU0sRUFBRSxFQUFFO2dCQUNWLE1BQU0sRUFBRSxFQUFFO2FBQ2I7U0FDSixDQUFDO1FBR0UsSUFBSSxDQUFDLFdBQVcsR0FBRyxNQUFNLENBQUMsV0FBVyxJQUFJLEVBQUUsQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsTUFBTSxFQUFFLEVBQUUsc0JBQXNCLENBQUMsQ0FBQyxDQUFDO1FBQ3hHLE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQyxXQUFXLElBQUksS0FBSyxDQUFDO1FBQ2hELElBQUksQ0FBQyxXQUFXLEdBQUcsTUFBTSxDQUFDLFdBQVcsSUFBSSxnQkFBZ0IsQ0FBQztRQUMxRCxJQUFJLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQyxNQUFNLElBQUksT0FBTyxDQUFDO1FBQ3ZDLElBQUksQ0FBQyxZQUFZLEdBQUcsTUFBTSxDQUFDLFlBQVksSUFBSSxTQUFTLENBQUM7UUFDckQsSUFBSSxDQUFDLGFBQWEsR0FBRyxNQUFNLENBQUMsMEJBQTBCLElBQUksSUFBSSxDQUFDO1FBQy9ELElBQUksQ0FBQyxRQUFRLEdBQUcsTUFBTSxDQUFDLHFCQUFxQixJQUFJLENBQUMsQ0FBQztRQUVsRCxJQUFJLENBQUMsYUFBYSxHQUFHLE1BQU0sQ0FBQyxhQUFhLElBQUksSUFBSSxDQUFDLGtCQUFrQixDQUFDO1FBRXJFLE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyxlQUFlLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7UUFFaEUsSUFBSSxXQUFXLEVBQUUsQ0FBQztZQUNkLElBQUEsZ0NBQXNCLEVBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzdDLENBQUM7UUFFRCxJQUFJLENBQUMsRUFBRSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztZQUNuQyxFQUFFLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUN4RCxDQUFDO1FBRUQsSUFBSSxDQUFDLFdBQVcsR0FBRyxJQUFJLGFBQWEsQ0FBQyxlQUFlLENBQUMsQ0FBQztJQUMxRCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQyxNQUFpQjtRQUNqRCxNQUFNLFNBQVMsR0FBRyxNQUFNLGdCQUFNLENBQUMsWUFBWSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUM7UUFDM0UsTUFBTSxTQUFTLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUN0RCxNQUFNLGlCQUFpQixHQUFHLE1BQU0sZ0JBQU0sQ0FBQyxnQkFBZ0IsQ0FBQztZQUNwRCxRQUFRLEVBQUUsU0FBUyxDQUFDLFlBQVk7WUFDaEMsVUFBVSxFQUFFLFNBQVMsQ0FBQyxVQUFVO1lBQ2hDLFVBQVUsRUFBRSxTQUFTLENBQUMsVUFBVTtZQUNoQyxXQUFXLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDO1lBQzVDLE9BQU8sRUFBRSxNQUFNLENBQUMsTUFBTTtZQUN0QixTQUFTLEVBQUUsTUFBTSxDQUFDLEtBQUs7WUFDdkIsSUFBSSxFQUFFLE1BQU0sSUFBQSxtQ0FBYSxFQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1lBQ3hELE1BQU0sRUFBRSxNQUFNLElBQUEscUNBQWUsRUFBQyxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQztTQUMvRCxDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQztZQUNwQyxNQUFNLElBQUksS0FBSyxDQUNYLHlEQUF5RDtnQkFDckQsY0FBYyxTQUFTLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxJQUFJO2dCQUMzQyxzQkFBc0IsaUJBQWlCLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxJQUFJO2dCQUMzRCxpQkFBaUIsTUFBTSxDQUFDLEtBQUssSUFBSTtnQkFDakMsY0FBYyxJQUFJLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQ2hELENBQUM7UUFFTixNQUFNLG1CQUFtQixHQUFHLE1BQU0sZ0JBQU0sQ0FBQyxnQkFBZ0IsQ0FBQztZQUN0RCxRQUFRLEVBQUUsU0FBUyxDQUFDLFlBQVk7WUFDaEMsVUFBVSxFQUFFLFNBQVMsQ0FBQyxVQUFVO1lBQ2hDLFVBQVUsRUFBRSxTQUFTLENBQUMsVUFBVTtZQUNoQyxXQUFXLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDO1lBQzVDLE9BQU8sRUFBRSxnQkFBTSxDQUFDLFNBQVMsQ0FBQyxnQ0FBc0IsQ0FBQztZQUNqRCxTQUFTLEVBQUUsQ0FBQztTQUNmLENBQUMsQ0FBQztRQUVILE9BQU8sbUJBQW1CLENBQUM7SUFDL0IsQ0FBQztJQUVTLEtBQUssQ0FBQyxhQUFhLENBQUMsUUFBZ0I7UUFDMUMsTUFBTSxFQUFFLGFBQWEsRUFBRSxRQUFRLEVBQUUsR0FBRyxJQUFJLENBQUM7UUFDekMsTUFBTSxRQUFRLEdBQUcsTUFBTSxnQkFBVSxDQUFDLGVBQWUsQ0FBZ0I7WUFDN0QsV0FBVyxDQUFDLFFBQVE7Z0JBQ2hCLE9BQU8sRUFBRSxVQUFVLEVBQUUsUUFBUSxDQUFDLE1BQU0sS0FBSyxHQUFHLEVBQUUsQ0FBQztZQUNuRCxDQUFDO1lBQ0QsT0FBTyxFQUFFLEtBQUssSUFBSSxFQUFFO2dCQUNoQixPQUFPLElBQUksQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRTtvQkFDcEMsWUFBWSxFQUFFLGFBQWE7aUJBQzlCLENBQUMsQ0FBQztZQUNQLENBQUM7WUFDRCxVQUFVLENBQUMsR0FBRztnQkFDVixJQUFJLGVBQUssQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLElBQUksR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO29CQUMxQyxNQUFNLE1BQU0sR0FBRyxHQUFHLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQztvQkFFbkMsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLEdBQUcsR0FBRyxJQUFJLE1BQU0sSUFBSSxHQUFHLElBQUksTUFBTSxLQUFLLEdBQUcsRUFBRSxDQUFDO2dCQUMxRSxDQUFDO2dCQUVELE9BQU8sRUFBRSxTQUFTLEVBQUUsZUFBSyxDQUFDLFlBQVksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ2xELENBQUM7WUFDRCxhQUFhO1lBQ2IsUUFBUTtTQUNYLENBQUMsQ0FBQztRQUVILE9BQU8sUUFBUSxDQUFDLElBQUksQ0FBQztJQUN6QixDQUFDO0lBRVMsYUFBYSxDQUFDLElBQVk7UUFDaEMsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUVyQyxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ2pDLE1BQU0sRUFBRSxPQUFPLEVBQUUsR0FBRyxJQUFBLHlCQUFnQixFQUFDLE1BQU0sRUFBRSxZQUFZLENBQUMsQ0FBQztRQUMzRCxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDWCxNQUFNLGdCQUFnQixHQUFHLEtBQUssQ0FBQyxJQUFJLENBQUMsYUFBSyxDQUFDLE1BQU0sQ0FBQyxZQUFZLEVBQUUsTUFBTSxDQUFDLENBQUMsQ0FBQztZQUN4RSxNQUFNLE9BQU8sR0FBRyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDbEUsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsT0FBTyxDQUFDLENBQUMsQ0FBQyxLQUFLLE9BQU8sRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBQ25GLENBQUM7UUFFRCxNQUFNLEVBQUUsR0FBRyxNQUFnQixDQUFDO1FBRTVCLE1BQU0sVUFBVSxHQUFHLEVBQUUsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDO1FBQ3BDLE1BQU0sVUFBVSxHQUFHLEVBQUUsQ0FBQyxNQUFNLEVBQUUsTUFBTSxDQUFDO1FBRXJDLE1BQU0sSUFBSSxHQUFHLEVBQUUsQ0FBQyxRQUFRLElBQUksRUFBRSxDQUFDLElBQUksQ0FBQztRQUNwQyxJQUFJLENBQUMsSUFBSSxFQUFFLENBQUM7WUFDUixNQUFNLElBQUksS0FBSyxDQUFDLHdDQUF3QyxDQUFDLENBQUM7UUFDOUQsQ0FBQztRQUVELE1BQU0sRUFBRSxNQUFNLEVBQUUsTUFBTSxFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsR0FBRyxJQUFJLENBQUM7UUFFbEQsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQzdDLE1BQU0sSUFBSSxLQUFLLENBQUMsNkNBQTZDLENBQUMsQ0FBQztRQUNuRSxDQUFDO1FBRUQsT0FBTztZQUNILFVBQVUsRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxLQUFLLENBQUM7WUFDMUMsVUFBVSxFQUFFLFVBQVUsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVM7WUFDbkUsUUFBUSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxFQUFFLEtBQUssQ0FBQztZQUNwQyxVQUFVLEVBQUUsTUFBTTtZQUNsQixVQUFVLEVBQUUsTUFBTTtZQUNsQixZQUFZLEVBQUUsUUFBUTtTQUN6QixDQUFDO0lBQ04sQ0FBQztJQUVTLE1BQU0sQ0FBQyxjQUFjLENBQUMsR0FBRyxHQUFHLFFBQVE7UUFDMUMsTUFBTSxJQUFJLEdBQUcsSUFBQSxtQkFBVSxFQUFDLEdBQUcsQ0FBQyxDQUFDO1FBRTdCLE9BQU87WUFDSCxPQUFPLEVBQUUsSUFBSSxrQkFBUyxDQUFDO2dCQUNuQixTQUFTLEVBQUUsQ0FBQyxJQUFJLEVBQUUsUUFBUSxFQUFFLElBQUksRUFBUSxFQUFFO29CQUN0QyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDO29CQUNsQixJQUFJLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxDQUFDO2dCQUNyQixDQUFDO2FBQ0osQ0FBQztZQUNGLEdBQUcsRUFBRSxHQUFHLEVBQUUsQ0FBQyxJQUFJLENBQUMsTUFBTSxFQUFFO1NBQzNCLENBQUM7SUFDTixDQUFDO0lBRVMsTUFBTSxDQUFDLEtBQUssQ0FBQyxTQUFTLENBQUMsUUFBZ0I7UUFDN0MsSUFBSSxDQUFDO1lBQ0QsTUFBTSxPQUFPLENBQUMsTUFBTSxDQUFDLFFBQVEsRUFBRSxFQUFFLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxDQUFDO1lBRWxELE9BQU8sSUFBSSxDQUFDO1FBQ2hCLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ1gsT0FBTyxLQUFLLENBQUM7UUFDakIsQ0FBQztJQUNMLENBQUM7SUFFUyxLQUFLLENBQUMsV0FBVyxDQUFDLEtBQWE7UUFDckMsTUFBTSxFQUFFLGFBQWEsRUFBRSxRQUFRLEVBQUUsR0FBRyxJQUFJLENBQUM7UUFDekMsTUFBTSxRQUFRLEdBQUcsTUFBTSxnQkFBVSxDQUFDLGVBQWUsQ0FBZ0I7WUFDN0QsV0FBVyxDQUFDLFFBQVE7Z0JBQ2hCLE9BQU8sRUFBRSxVQUFVLEVBQUUsUUFBUSxDQUFDLE1BQU0sS0FBSyxHQUFHLEVBQUUsQ0FBQztZQUNuRCxDQUFDO1lBQ0QsT0FBTyxFQUFFLEtBQUssSUFBSSxFQUFFO2dCQUNoQixPQUFPLElBQUksQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUN6QixnQ0FBZ0MsSUFBSSxDQUFDLFdBQVcsSUFBSSxJQUFJLENBQUMsTUFBTSxrQkFBa0IsS0FBSyxFQUFFLENBQzNGLENBQUM7WUFDTixDQUFDO1lBQ0QsVUFBVSxDQUFDLEdBQUc7Z0JBQ1YsSUFBSSxlQUFLLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztvQkFDMUMsTUFBTSxNQUFNLEdBQUcsR0FBRyxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUM7b0JBRW5DLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxHQUFHLEdBQUcsSUFBSSxNQUFNLElBQUksR0FBRyxJQUFJLE1BQU0sS0FBSyxHQUFHLEVBQUUsQ0FBQztnQkFDMUUsQ0FBQztnQkFFRCxPQUFPLEVBQUUsU0FBUyxFQUFFLGVBQUssQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUNsRCxDQUFDO1lBQ0QsYUFBYTtZQUNiLFFBQVE7U0FDWCxDQUFDLENBQUM7UUFDSCxNQUFNLEVBQUUsSUFBSSxFQUFFLEdBQUcsUUFBUSxDQUFDO1FBQzFCLE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUMsS0FBdUIsRUFBRSxFQUFFLENBQUMsS0FBSyxDQUFDLElBQUksS0FBSyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFOUYsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO1lBQ1QsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsSUFBSSxDQUFDLFlBQVksY0FBYyxLQUFLLEdBQUcsQ0FBQyxDQUFDO1FBQzNGLENBQUM7UUFFRCxPQUFPLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQztJQUN0QyxDQUFDO0lBRVMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxLQUFhO1FBQ3BDLElBQUksU0FBUyxHQUFHLEtBQUssQ0FBQztRQUN0QixJQUFJLE9BQWlCLENBQUM7UUFFdEIsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDM0MsSUFBSSxNQUFNLEVBQUUsQ0FBQztZQUNULFNBQVMsR0FBRyxJQUFJLENBQUM7WUFDakIsT0FBTyxHQUFHLE1BQU0sQ0FBQztRQUNyQixDQUFDO2FBQU0sQ0FBQztZQUNKLElBQUksQ0FBQztnQkFDRCxNQUFNLFFBQVEsR0FBRyxNQUFNLElBQUksQ0FBQyxXQUFXLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQy9DLE1BQU0sRUFBRSxHQUFHLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsQ0FBQztnQkFDOUMsT0FBTyxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUMsRUFBRSxDQUFDLENBQUM7WUFDckMsQ0FBQztZQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7Z0JBQ2IsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxDQUFDO2dCQUNqRCxJQUFJLE1BQU0sRUFBRSxDQUFDO29CQUNULFNBQVMsR0FBRyxJQUFJLENBQUM7b0JBQ2pCLE9BQU8sR0FBRyxNQUFNLENBQUM7Z0JBQ3JCLENBQUM7cUJBQU0sQ0FBQztvQkFDSixNQUFNLEtBQUssQ0FBQztnQkFDaEIsQ0FBQztZQUNMLENBQUM7UUFDTCxDQUFDO1FBRUQsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLEdBQUcsT0FBTyxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBRTVGLElBQUksbUJBQW1CLEdBQUcsS0FBSyxDQUFDO1FBQ2hDLElBQUksTUFBTSxzQkFBc0IsQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztZQUNuRCxNQUFNLFVBQVUsR0FBRyxFQUFFLENBQUMsZ0JBQWdCLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDakQsTUFBTSxJQUFJLEdBQUcsTUFBTSxlQUFNLENBQUMsVUFBVSxDQUFDLFVBQVUsRUFBRTtnQkFDN0MsSUFBSSxFQUFFLHNCQUFhLENBQUMsTUFBTTtnQkFDMUIsUUFBUSxFQUFFLGlCQUFRLENBQUMsR0FBRzthQUN6QixDQUFDLENBQUM7WUFFSCxJQUFJLE9BQU8sQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxLQUFLLElBQUksQ0FBQyxJQUFJLEVBQUUsQ0FBQztnQkFDakQsbUJBQW1CLEdBQUcsSUFBSSxDQUFDO1lBQy9CLENBQUM7UUFDTCxDQUFDO1FBRUQsSUFBSSxtQkFBbUIsS0FBSyxJQUFJLEVBQUUsQ0FBQztZQUMvQixNQUFNLElBQUksQ0FBQyxZQUFZLENBQUMsT0FBTyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1FBQy9DLENBQUM7UUFFRCxJQUFJLFNBQVMsS0FBSyxJQUFJLEVBQUUsQ0FBQztZQUNyQixJQUFJLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFDekMsQ0FBQztRQUVELE9BQU87WUFDSCxVQUFVLEVBQUUsT0FBTyxDQUFDLFVBQVU7WUFDOUIsVUFBVSxFQUFFLE9BQU8sQ0FBQyxVQUFVO1lBQzlCLFlBQVksRUFBRSxRQUFRO1lBQ3RCLFFBQVEsRUFBRSxPQUFPLENBQUMsUUFBUTtTQUM3QixDQUFDO0lBQ04sQ0FBQztJQUVTLEtBQUssQ0FBQyxZQUFZLENBQUMsT0FBaUIsRUFBRSxRQUFnQjtRQUM1RCxNQUFNLE1BQU0sR0FBa0I7WUFDMUIsR0FBRyxJQUFJLENBQUMsYUFBYTtZQUNyQixXQUFXLEVBQUU7Z0JBQ1QsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFDLFdBQVc7Z0JBQ2pDLE1BQU0sRUFBRSxPQUFPLENBQUMsVUFBVTtnQkFDMUIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxHQUFHLE9BQU8sQ0FBQyxVQUFVLEdBQUc7YUFDM0Y7U0FDSixDQUFDO1FBRUYsTUFBTSxlQUFlLEdBQUcsSUFBQSwyQkFBa0IsRUFBQyxNQUFNLENBQUMsQ0FBQztRQUNuRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sZUFBZSxDQUFDLFlBQVksQ0FBQyxPQUFPLENBQUMsWUFBWSxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBQ3RGLE1BQU0sRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLEdBQUcsRUFBRSxhQUFhLEVBQUUsR0FBRyxzQkFBc0IsQ0FBQyxjQUFjLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDcEcsTUFBTSxpQkFBUSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsRUFBRSxVQUFVLEVBQUUsRUFBRSxDQUFDLGlCQUFpQixDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUM7UUFFdEYsSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLGFBQWEsRUFBRSxDQUFDLEVBQUUsQ0FBQztZQUM1QyxNQUFNLElBQUksS0FBSyxDQUFDLCtEQUErRCxDQUFDLENBQUM7UUFDckYsQ0FBQztJQUNMLENBQUM7Q0FDSjtBQXpSRCx3REF5UkMifQ==

package/dist/sgx-native-module/sev-snp-schema.d.ts

@@ -0,0 +1,22 @@
+import { Static, TLiteral } from "@sinclair/typebox";
+import { ImportantSecurityFields } from "../../bindings/amd-sev-snp-napi-rs";
+export declare const CommonPolicyKeyName = "Common";
+export declare const importantFieldNames: (keyof ImportantSecurityFields)[];
+export declare enum RuleOperator {
+    Le = "le",
+    Eq = "eq",
+    Ge = "ge"
+}
+declare const PolicyRuleSchema: import("@sinclair/typebox").TObject<{
+    name: import("@sinclair/typebox").TUnion<[TLiteral<string>, ...TLiteral<string>[]]>;
+    operator: import("@sinclair/typebox").TUnion<TLiteral<RuleOperator>[]>;
+    value: import("@sinclair/typebox").TUnion<[import("@sinclair/typebox").TNumber, import("@sinclair/typebox").TBoolean]>;
+}>;
+export declare const PolicySetSchema: import("@sinclair/typebox").TObject<{
+    [x: string]: any;
+}>;
+export type PolicySet = Static<typeof PolicySetSchema>;
+export type PolicyRule = Static<typeof PolicyRuleSchema> & {
+    name: keyof ImportantSecurityFields;
+};
+export {};

package/dist/sgx-native-module/sev-snp-schema.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicySetSchema = exports.RuleOperator = exports.importantFieldNames = exports.CommonPolicyKeyName = void 0;
+const typebox_1 = require("@sinclair/typebox");
+const amd_sev_snp_napi_rs_1 = require("../../bindings/amd-sev-snp-napi-rs");
+exports.CommonPolicyKeyName = "Common";
+exports.importantFieldNames = Object.keys(amd_sev_snp_napi_rs_1.IMPORTANT_SECURITY_FIELDS_DUMMY);
+const importantFieldLiterals = exports.importantFieldNames.map((k) => typebox_1.Type.Literal(k));
+var RuleOperator;
+(function (RuleOperator) {
+    RuleOperator["Le"] = "le";
+    RuleOperator["Eq"] = "eq";
+    RuleOperator["Ge"] = "ge";
+})(RuleOperator || (exports.RuleOperator = RuleOperator = {}));
+const PolicyRuleSchema = typebox_1.Type.Object({
+    name: typebox_1.Type.Union(importantFieldLiterals),
+    operator: typebox_1.Type.Union(Object.values(RuleOperator).map((op) => typebox_1.Type.Literal(op))),
+    value: typebox_1.Type.Union([typebox_1.Type.Number(), typebox_1.Type.Boolean()]),
+});
+exports.PolicySetSchema = typebox_1.Type.Partial(typebox_1.Type.Object(Object.fromEntries([
+    ...Object.values(amd_sev_snp_napi_rs_1.WellKnownSnpCodeNames).map((key) => [key, typebox_1.Type.Array(PolicyRuleSchema)]),
+    [exports.CommonPolicyKeyName, typebox_1.Type.Array(PolicyRuleSchema)],
+])), { additionalProperties: false });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2V2LXNucC1zY2hlbWEuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvc2d4LW5hdGl2ZS1tb2R1bGUvc2V2LXNucC1zY2hlbWEudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsK0NBQTJEO0FBQzNELDRFQUk0QztBQUUvQixRQUFBLG1CQUFtQixHQUFHLFFBQVEsQ0FBQztBQUUvQixRQUFBLG1CQUFtQixHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMscURBQStCLENBQXNDLENBQUM7QUFFckgsTUFBTSxzQkFBc0IsR0FBRywyQkFBbUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLGNBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBRzVFLENBQUM7QUFFRixJQUFZLFlBSVg7QUFKRCxXQUFZLFlBQVk7SUFDcEIseUJBQVMsQ0FBQTtJQUNULHlCQUFTLENBQUE7SUFDVCx5QkFBUyxDQUFBO0FBQ2IsQ0FBQyxFQUpXLFlBQVksNEJBQVosWUFBWSxRQUl2QjtBQUVELE1BQU0sZ0JBQWdCLEdBQUcsY0FBSSxDQUFDLE1BQU0sQ0FBQztJQUNqQyxJQUFJLEVBQUUsY0FBSSxDQUFDLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQztJQUN4QyxRQUFRLEVBQUUsY0FBSSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsRUFBRSxFQUFFLENBQUMsY0FBSSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQy9FLEtBQUssRUFBRSxjQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsY0FBSSxDQUFDLE1BQU0sRUFBRSxFQUFFLGNBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO0NBQ3JELENBQUMsQ0FBQztBQUVVLFFBQUEsZUFBZSxHQUFHLGNBQUksQ0FBQyxPQUFPLENBQ3ZDLGNBQUksQ0FBQyxNQUFNLENBQ1AsTUFBTSxDQUFDLFdBQVcsQ0FBQztJQUNmLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQywyQ0FBcUIsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQyxHQUFHLEVBQUUsY0FBSSxDQUFDLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDLENBQUM7SUFDekYsQ0FBQywyQkFBbUIsRUFBRSxjQUFJLENBQUMsS0FBSyxDQUFDLGdCQUFnQixDQUFDLENBQUM7Q0FDdEQsQ0FBQyxDQUNMLEVBQ0QsRUFBRSxvQkFBb0IsRUFBRSxLQUFLLEVBQUUsQ0FDbEMsQ0FBQyJ9

package/dist/sgx-native-module/sev-snp.d.ts

@@ -0,0 +1,127 @@
+/// <reference types="node" />
+import { CpuInfo, ImportantSecurityFields, WellKnownSnpCodeNames } from "../../bindings/amd-sev-snp-napi-rs/";
+import { SnpCert, SevSnpCertificateFormat, SNPReport, SNPReportWithChain } from "../proto/AmdSevSnp";
+import { PolicySet } from "./sev-snp-schema";
+export interface CalcSnpMrEnclaveParams {
+    ovmfPath: string;
+    kernelHash: Buffer;
+    initrdHash?: Buffer;
+    cmdLineHash: Buffer;
+    vcpuSig: number;
+    vcpuCount: number;
+    vmpl?: number;
+    policy?: bigint;
+}
+export declare const AMD_EPYC_MILAN_CPUINFO: CpuInfo;
+export declare const EMPTY_INITRD_SHA256_HASH: Buffer;
+export type ArkHashes = {
+    [key: string]: Buffer;
+};
+export declare function getDefaultArkHashes(): ArkHashes;
+export declare class SevSNP {
+    static serializeSNPReport(report: SNPReportWithChain): Buffer;
+    static deserializeSNPReport(serialized: Buffer): SNPReportWithChain;
+    protected static convertCertToPem(cert: Buffer): string;
+    protected static convertPemToDer(cert: string): Buffer;
+    protected static splitCerts(certsPem: string): string[];
+    protected static readCmdLine(): Promise<string>;
+    /**
+     * Method for generation AMD SEV-SNP Report
+     * @param userData - The data that will be included in the report and will be signed
+     * @param vmpl - Optional VMPL value to pass to the firmware when requesting a report (default: 0)
+     */
+    static generateSNPReport(userData: Buffer, vmpl?: number): Promise<SNPReport>;
+    /**
+     * Method for fetch certificates from AMD KDS
+     * @param report - report generated by the `generateSNPReport` method
+     * @param options - options for working with HTTP, allows you to configure repetitions and the interval between them,
+     *                  as well as the format of the returned certificates
+     */
+    static getReportChain(report: SNPReport, options?: {
+        retryMax?: number;
+        retryInterval?: number;
+        certFormat?: SevSnpCertificateFormat;
+        httpTimeoutMs?: number;
+    }): Promise<SnpCert[]>;
+    /**
+     * Method for generation AMD SEV-SNP Report and fetching certificates
+     * @param userData - @see generateSNPReport
+     * @param options - @see getReportChain
+     */
+    static generateSNPReportWithChain(userData: Buffer, options?: {
+        retryMax?: number;
+        retryInterval?: number;
+        certFormat?: SevSnpCertificateFormat;
+    }): Promise<SNPReportWithChain>;
+    protected static runSubProcess(binaryPath: string, args?: string[], options?: {
+        cwd?: string;
+        timeoutMs?: number;
+    }): Promise<{
+        exitCode: number;
+        stdout: string;
+        stderr: string;
+    }>;
+    static getCertHash(cert: SnpCert): Buffer;
+    protected static isValidArk(ARK: SnpCert, trustedHashes: ArkHashes): boolean;
+    /**
+     * AMD SEV-SNP verification method
+     * @param report - report with full certificate chain
+     * @param options - trustedHashes - map of trusted AMD ARK Certificates (CommonName as Key, Sha256 Hash of Der Certificate as Value) - optional
+     *                  timeoutMs - timeout of the utility snpnost in ms
+     *                  snpGuestBinaryPath - path for snpguest util
+     */
+    static verifyReport(report: SNPReportWithChain, options?: {
+        trustedHashes?: ArkHashes;
+        timeoutMs?: number;
+        snpGuestBinaryPath?: string;
+        tmpDirTemplate?: string;
+    }): Promise<void>;
+    protected static calcMrEnclave(measure: Buffer, vmpl: number, policy: bigint): Buffer;
+    /**
+     * Method for obtaining mrEnclave from report. MrEnclave includes report measure, report vmpl and report policy
+     * @param report - report without certificates
+     */
+    static getMrEnclave(report: Buffer): Buffer;
+    /**
+     * Method for obtaining reportData. This data was passed when generating the report
+     * @param report - report without certificates
+     */
+    static getReportData(report: Buffer): Promise<Buffer>;
+    /**
+     * Method for obtaining measure. Please do not confuse with mrenclave. Report measure is part of mrEnclave.
+     * @param report - report without certificates
+     */
+    static getReportMeasure(report: Buffer): Promise<Buffer>;
+    protected static calculateFileSha256(filePath: string): Promise<Buffer>;
+    protected static calculateCmdlineHash(cmdLine: string): Buffer;
+    /**
+     * The method allows to get the expected mrEnclave without generating a report
+     * @param params - @see CalcSnpMrEnclaveParams
+     */
+    static calcSnpMrEnclave(params: CalcSnpMrEnclaveParams): Promise<Buffer>;
+    protected static extractBuildFromCmdline(cmdLine: string, paramName?: string): string;
+    /**
+     * Compute the 32-bit CPUID signature from family, model, and stepping.
+     * This computation is described in AMD's CPUID Specification, publication #25481
+     * https://www.amd.com/system/files/TechDocs/25481.pdf
+     * See section: CPUID Fn0000_0001_EAX Family, Model, Stepping Identifiers
+     * @param cpuInfo - Structure containing family, model and stepping @see CpuInfo
+     */
+    static getCpuSig(cpuInfo: CpuInfo): number;
+    static getReportImportantSecurityFields(report: Buffer): Promise<ImportantSecurityFields>;
+    static getReportCpuInfo(report: Buffer): Promise<CpuInfo>;
+    static getCpuGeneration(cpuInfo: CpuInfo): Promise<WellKnownSnpCodeNames>;
+    /**
+     * Parse and validate policy
+     * @param input - Raw policy as json-text or object
+     */
+    static parsePolicySet(input: string | Record<string, unknown>): PolicySet;
+    private static checkRule;
+    /**
+     * Verify SNP report against a PolicySet.
+     * Throws an error if any rule fails.
+     * @param report - SNPReport
+     * @param policySet - PolicySet containing rules
+     */
+    static verifyPolicy(report: Buffer, policySet: PolicySet): Promise<void>;
+}