google · deeglaze · Oct 26, 2023 · Oct 26, 2023
diff --git a/testing/mocks.go b/testing/mocks.go
@@ -25,7 +25,6 @@ import (
 	spb "github.com/google/go-sev-guest/proto/sevsnp"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
-	"google.golang.org/protobuf/types/known/wrapperspb"
 )
 
 // GetReportResponse represents a mocked response to a command request.
@@ -144,10 +143,7 @@ func (d *Device) Ioctl(command uintptr, req any) (uintptr, error) {
 // Product returns the mocked product info or the default.
 func (d *Device) Product() *spb.SevProduct {
 	if d.SevProduct == nil {
-		return &spb.SevProduct{
-			Name:            spb.SevProduct_SEV_PRODUCT_MILAN,
-			MachineStepping: &wrapperspb.UInt32Value{Value: 0},
-		}
+		return abi.DefaultSevProduct()
 	}
 	return d.SevProduct
 }

diff --git a/testing/test_cases.go b/testing/test_cases.go
@@ -23,6 +23,7 @@ import (
 	"github.com/google/go-sev-guest/abi"
 	labi "github.com/google/go-sev-guest/client/linuxabi"
 	"github.com/google/go-sev-guest/kds"
+	spb "github.com/google/go-sev-guest/proto/sevsnp"
 )
 
 // userZeros defines a ReportData example that is all zeros
@@ -151,15 +152,22 @@ func CreateRawReport(opts *TestReportOptions) [labi.SnpReportRespReportSize]byte
 
 // DeviceOptions specifies customizations for a fake sev-guest device.
 type DeviceOptions struct {
-	Keys   map[string][]byte
-	Now    time.Time
-	Signer *AmdSigner
+	Keys    map[string][]byte
+	Now     time.Time
+	Signer  *AmdSigner
+	Product *spb.SevProduct
 }
 
 func makeTestCerts(opts *DeviceOptions) ([]byte, *AmdSigner, error) {
 	signer := opts.Signer
+	var productString string
+	if opts.Product != nil {
+		productString = kds.ProductString(opts.Product)
+	} else {
+		productString = kds.DefaultProductString()
+	}
 	if signer == nil {
-		s, err := DefaultTestOnlyCertChain(kds.DefaultProductString(), opts.Now)
+		s, err := DefaultTestOnlyCertChain(productString, opts.Now)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -250,5 +258,6 @@ func TcDevice(tcs []TestCase, opts *DeviceOptions) (*Device, error) {
 		Certs:         certs,
 		Signer:        signer,
 		Keys:          opts.Keys,
+		SevProduct:    opts.Product,
 	}, nil
 }
diff --git a/verify/verify.go b/verify/verify.go
@@ -687,17 +687,18 @@ func SnpAttestation(attestation *spb.Attestation, options *Options) error {
 // certificate chain.
 func fillInAttestation(attestation *spb.Attestation, options *Options) error {
 	var productOverridden bool
-	if options.Product != nil {
-		attestation.Product = options.Product
-		productOverridden = true
-	} else if attestation.Product == nil {
-		attestation.Product = abi.DefaultSevProduct()
+	if attestation.Product == nil {
+		if options.Product != nil {
+			attestation.Product = options.Product
+		} else {
+			attestation.Product = abi.DefaultSevProduct()
+		}
 		productOverridden = true
 	}
 	if options.DisableCertFetching {
 		return nil
 	}
-	product := kds.ProductString(options.Product)
+	product := kds.ProductString(attestation.Product)
 	getter := options.Getter
 	if getter == nil {
 		getter = trust.DefaultHTTPSGetter()
@@ -736,6 +737,8 @@ func fillInAttestation(attestation *spb.Attestation, options *Options) error {
 				}
 			}
 			chain.VcekCert = vcek
+			// An attempt was made with defaults or the option's product, so now use
+			// the VCEK cert to determine the real product info.
 			if productOverridden {
 				cert, err := x509.ParseCertificate(vcek)
 				if err != nil {
@@ -758,7 +761,10 @@ func fillInAttestation(attestation *spb.Attestation, options *Options) error {
 			return ErrMissingVlek
 		}
 	}
-	return nil
+
+	// Pass along the expected product information for VcekDER. fillInAttestation will ensure
+	// that this is a noop if options.Product began as non-nil.
+	return updateProductExpectation(&options.Product, attestation.Product)
 }
 
 // GetAttestationFromReport uses AMD's Key Distribution Service (KDS) to download the certificate