google
diff --git a/‎abi/abi.go‎
Lines changed: 3 additions & 0 deletions b/‎abi/abi.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎kds/kds.go‎
Lines changed: 25 additions & 1 deletion b/‎kds/kds.go‎
Lines changed: 25 additions & 1 deletion
diff --git a/‎proto/fakekds.proto‎
Lines changed: 1 addition & 0 deletions b/‎proto/fakekds.proto‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎proto/fakekds/fakekds.pb.go‎
Lines changed: 19 additions & 10 deletions b/‎proto/fakekds/fakekds.pb.go‎
Lines changed: 19 additions & 10 deletions
diff --git a/‎testing/client/client.go‎
Lines changed: 29 additions & 0 deletions b/‎testing/client/client.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎testing/fake_certs.go‎
Lines changed: 3 additions & 2 deletions b/‎testing/fake_certs.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎testing/fakekds.go‎
Lines changed: 12 additions & 14 deletions b/‎testing/fakekds.go‎
Lines changed: 12 additions & 14 deletions
@@ -984,6 +984,9 @@ func SevProductFromCpuid1Eax(eax uint32) *pb.SevProduct {
 // MaskedCpuid1EaxFromSevProduct returns the Cpuid1Eax value expected from the given product
 // when masked with CpuidProductMask.
 func MaskedCpuid1EaxFromSevProduct(product *pb.SevProduct) uint32 {
+	if product == nil {
+		return 0
+	}
 	var family, model, stepping byte
 	if product.MachineStepping != nil {
 		stepping = byte(product.MachineStepping.Value & 0xf)
 
@@ -99,9 +99,19 @@ var (
 		"Genoa-B0": {Name: pb.SevProduct_SEV_PRODUCT_GENOA, MachineStepping: uint0},
 		"Genoa-B1": {Name: pb.SevProduct_SEV_PRODUCT_GENOA, MachineStepping: uint1},
 		"Genoa-B2": {Name: pb.SevProduct_SEV_PRODUCT_GENOA, MachineStepping: uint2},
+		"Turin-B0": {Name: pb.SevProduct_SEV_PRODUCT_TURIN, MachineStepping: uint0},
+		"Turin-B1": {Name: pb.SevProduct_SEV_PRODUCT_TURIN, MachineStepping: uint1},
 	}
 	milanSteppingVersions = []string{"B0", "B1"}
 	genoaSteppingVersions = []string{"B0", "B1", "B2"}
+	turinSteppingVersions = []string{"B0", "B1"}
+
+	// ProductLineCpuid associates the CPUID_1_EAX value (Stepping 0) to its AMD product name.
+	ProductLineCpuid = map[uint32]string{
+		0x00a00f10: "Milan",
+		0x00a10f10: "Genoa",
+		0x00b00f20: "Turin",
+	}
 )
 
 // TCBVersion is a 64-bit bitfield of different security patch levels of AMD firmware and microcode.
@@ -731,6 +741,8 @@ func ProductLine(product *pb.SevProduct) string {
 		return "Milan"
 	case pb.SevProduct_SEV_PRODUCT_GENOA:
 		return "Genoa"
+	case pb.SevProduct_SEV_PRODUCT_TURIN:
+		return "Turin"
 	default:
 		return "Unknown"
 	}
@@ -785,12 +797,22 @@ func ProductName(product *pb.SevProduct) string {
 		if int(stepping) >= len(genoaSteppingVersions) {
 			return "unmappedGenoaStepping"
 		}
-		return fmt.Sprintf("Milan-%s", genoaSteppingVersions[stepping])
+		return fmt.Sprintf("Genoa-%s", genoaSteppingVersions[stepping])
+	case pb.SevProduct_SEV_PRODUCT_TURIN:
+		if int(stepping) >= len(turinSteppingVersions) {
+			return "unmappedTurinStepping"
+		}
+		return fmt.Sprintf("Turin-%s", turinSteppingVersions[stepping])
 	default:
 		return "Unknown"
 	}
 }
 
+// ProductLineFromFms returns the product name used in the KDS endpoint to fetch VCEK certificates.
+func ProductLineFromFms(fms uint32) string {
+	return ProductLine(abi.SevProductFromCpuid1Eax(fms))
+}
+
 // ParseProduct returns the SevProductName for a product name without the stepping suffix.
 //
 // Deprecated: Use ParseProductLine
@@ -809,6 +831,8 @@ func ParseProductLine(productLine string) (*pb.SevProduct, error) {
 		return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_MILAN}, nil
 	case "Genoa":
 		return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_GENOA}, nil
+	case "Turin":
+		return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_TURIN}, nil
 	default:
 		return nil, fmt.Errorf("unknown AMD SEV product: %q", productLine)
 	}
 
@@ -26,6 +26,7 @@ message Certificates {
     bytes chip_id = 1;  // Should be 64 bytes
     map<uint64, bytes> tcb_certs = 2;
     string hostname = 3;
+    uint32 fms = 4;
   }
   repeated ChipTCBCerts chip_certs = 1;
 }
@@ -22,6 +22,7 @@ import (
 	"github.com/google/go-sev-guest/client"
 	test "github.com/google/go-sev-guest/testing"
 	"github.com/google/go-sev-guest/verify/trust"
+	"google.golang.org/protobuf/proto"
 )
 
 // SkipUnmockableTestCase returns whether we have to skip a mocked failure test case on real hardware.
@@ -130,6 +131,17 @@ func GetSevQuoteProvider(tcs []test.TestCase, opts *test.DeviceOptions, tb testi
 					},
 				},
 			},
+			"Genoa": {
+				{
+					Product:     "Genoa", // TODO(Issue#114): Remove
+					ProductLine: "Genoa",
+					ProductCerts: &trust.ProductCerts{
+						Ask:  sevQp.Device.Signer.Ask,
+						Ark:  sevQp.Device.Signer.Ark,
+						Asvk: sevQp.Device.Signer.Asvk,
+					},
+				},
+			},
 		}
 		badSnpRoot := map[string][]*trust.AMDRootCerts{
 			"Milan": {
@@ -144,6 +156,18 @@ func GetSevQuoteProvider(tcs []test.TestCase, opts *test.DeviceOptions, tb testi
 					},
 				},
 			},
+			"Genoa": {
+				{
+					Product:     "Genoa", // TODO(Issue#114): Remove
+					ProductLine: "Genoa",
+					ProductCerts: &trust.ProductCerts{
+						// No ASK, oops.
+						Ask:  sevQp.Device.Signer.Ark,
+						Ark:  sevQp.Device.Signer.Ark,
+						Asvk: sevQp.Device.Signer.Ark,
+					},
+				},
+			},
 		}
 		fakekds, err := test.FakeKDSFromSigner(sevQp.Device.Signer)
 		if err != nil {
@@ -152,6 +176,11 @@ func GetSevQuoteProvider(tcs []test.TestCase, opts *test.DeviceOptions, tb testi
 		return sevQp, goodSnpRoot, badSnpRoot, fakekds
 	}
 
+	// If requested to use a different product than on the machine, fail.
+	if opts.Product != nil && !proto.Equal(abi.SevProduct(), opts.Product) {
+		return nil, nil, nil, nil
+	}
+
 	client, err := client.GetQuoteProvider()
 	if err != nil {
 		tb.Fatalf("Failed to open SEV guest device: %v", err)
 
@@ -110,8 +110,9 @@ type AmdSigner struct {
 	Keys   *AmdKeys
 	// This identity does not match AMD's notion of an HWID. It is purely to combine expectations of
 	// report data -> KDS URL construction for the fake KDS implementation.
-	HWID [abi.ChipIDSize]byte
-	TCB  kds.TCBVersion
+	HWID    [abi.ChipIDSize]byte
+	TCB     kds.TCBVersion
+	Product *spb.SevProduct
 }
 
 // AmdKeys encapsulates the key chain of ARK through ASK down to VCEK.
 
@@ -23,6 +23,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-sev-guest/abi"
 	"github.com/google/go-sev-guest/kds"
 	kpb "github.com/google/go-sev-guest/proto/fakekds"
 	"github.com/google/go-sev-guest/verify/trust"
@@ -75,14 +76,14 @@ type RootBundle struct {
 type FakeKDS struct {
 	Certs *kpb.Certificates
 	// Two CERTIFICATE PEMs for ASK, then ARK or ASVK then ARK, per product
-	RootBundles map[string]RootBundle
+	RootBundles map[string]*RootBundle
 }
 
 // FakeKDSFromFile returns a FakeKDS from a path to a serialized fakekds.Certificates message.
 func FakeKDSFromFile(path string) (*FakeKDS, error) {
 	result := &FakeKDS{
 		Certs: &kpb.Certificates{},
-		RootBundles: map[string]RootBundle{
+		RootBundles: map[string]*RootBundle{
 			"Milan": {
 				VcekBundle: string(trust.AskArkMilanVcekBytes),
 				VlekBundle: string(trust.AskArkMilanVlekBytes),
@@ -110,14 +111,17 @@ func FakeKDSFromFile(path string) (*FakeKDS, error) {
 // AMD KDS REST API expectations.
 func FakeKDSFromSigner(signer *AmdSigner) (*FakeKDS, error) {
 	certs := &kpb.Certificates{}
+	rootBundles := map[string]*RootBundle{}
 	certs.ChipCerts = []*kpb.Certificates_ChipTCBCerts{
 		{
 			ChipId: signer.HWID[:],
 			TcbCerts: map[uint64][]byte{
 				uint64(signer.TCB): signer.Vcek.Raw,
 			},
+			Fms: abi.MaskedCpuid1EaxFromSevProduct(signer.Product),
 		},
 	}
+	productLine := kds.ProductLine(signer.Product)
 
 	b := &strings.Builder{}
 	if err := multierr.Combine(
@@ -126,8 +130,7 @@ func FakeKDSFromSigner(signer *AmdSigner) (*FakeKDS, error) {
 	); err != nil {
 		return nil, fmt.Errorf("could not encode VCEK root certificates: %v", err)
 	}
-	vcekBundle := b.String()
-	var vlekBundle string
+	rootBundles[productLine] = &RootBundle{VcekBundle: b.String()}
 	if signer.Asvk != nil {
 		b := &strings.Builder{}
 		if err := multierr.Combine(
@@ -136,15 +139,10 @@ func FakeKDSFromSigner(signer *AmdSigner) (*FakeKDS, error) {
 		); err != nil {
 			return nil, fmt.Errorf("could not encode VLEK root certificates: %v", err)
 		}
-		vlekBundle = b.String()
-	}
-	return &FakeKDS{
-		Certs: certs,
-		RootBundles: map[string]RootBundle{"Milan": {
-			VcekBundle: vcekBundle,
-			VlekBundle: vlekBundle,
-		}},
-	}, nil
+		rootBundles[productLine].VlekBundle = b.String()
+	}
+
+	return &FakeKDS{Certs: certs, RootBundles: rootBundles}, nil
 }
 
 // FindChipTcbCerts returns the TcbCerts associated with the given chipID in the database if they
@@ -200,7 +198,7 @@ func GetKDS(t testing.TB) trust.HTTPSGetter {
 	}
 	fakeKds := &FakeKDS{
 		Certs: &kpb.Certificates{},
-		RootBundles: map[string]RootBundle{"Milan": {
+		RootBundles: map[string]*RootBundle{"Milan": {
 			VcekBundle: string(trust.AskArkMilanVcekBytes),
 			VlekBundle: string(trust.AskArkMilanVlekBytes),
 		},
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ message Certificates {`
`26`	`26`	`bytes chip_id = 1; // Should be 64 bytes`
`27`	`27`	`map<uint64, bytes> tcb_certs = 2;`
`28`	`28`	`string hostname = 3;`
	`29`	`+ uint32 fms = 4;`
`29`	`30`	`}`
`30`	`31`	`repeated ChipTCBCerts chip_certs = 1;`
`31`	`32`	`}`