forked from microsoft/hcsshim
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add guest package for fetching attestation report via syscall (micros…
…oft#1341) Add `internal/guest/linux package`, which contains linux ioctl definitions. Devicemapper code is refactored to use the new package. Introduce new `amdsevsnp` package with Introduce ioctl wrappers and structs required to fetch attestation report. Validate that `LaunchData` provided to HCS during UVM boot and `HostData` returned as part of attestation report match. Add utility binary to fetch SNP report and update Makefile to support `DEV_BUILD` parameter, which includes test utilities inside LCOW image. Fake attestation report can be used when testing integrations. Signed-off-by: Maksim An <[email protected]>
- Loading branch information
Showing
14 changed files
with
651 additions
and
58 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
//go:build linux | ||
// +build linux | ||
|
||
// Package linux contains definitions required for making a linux ioctl. | ||
package linux | ||
|
||
import ( | ||
"os" | ||
"unsafe" | ||
|
||
"golang.org/x/sys/unix" | ||
) | ||
|
||
// 32 bits to describe an ioctl: | ||
// 0-7: NR (command for a given ioctl type) | ||
// 8-15: TYPE (ioctl type) | ||
// 16-29: SIZE (payload size) | ||
// 30-31: DIR (direction of ioctl, can be: none/write/read/write-read) | ||
const ( | ||
IocWrite = 1 | ||
IocRead = 2 | ||
IocNRBits = 8 | ||
IocTypeBits = 8 | ||
IocSizeBits = 14 | ||
IocDirBits = 2 | ||
|
||
IocNRMask = (1 << IocNRBits) - 1 | ||
IocTypeMask = (1 << IocTypeBits) - 1 | ||
IocSizeMask = (1 << IocSizeBits) - 1 | ||
IocDirMask = (1 << IocDirBits) - 1 | ||
IocTypeShift = IocNRBits | ||
IocSizeShift = IocTypeShift + IocTypeBits | ||
IocDirShift = IocSizeShift + IocSizeBits | ||
IocWRBase = (IocRead | IocWrite) << IocDirShift | ||
) | ||
|
||
// Ioctl makes a syscall described by `command` with data `dataPtr` to device | ||
// driver file `f`. | ||
func Ioctl(f *os.File, command int, dataPtr unsafe.Pointer) error { | ||
if _, _, err := unix.Syscall( | ||
unix.SYS_IOCTL, | ||
f.Fd(), | ||
uintptr(command), | ||
uintptr(dataPtr), | ||
); err != 0 { | ||
return err | ||
} | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
//go:build linux | ||
// +build linux | ||
|
||
package hcsv2 | ||
|
||
import ( | ||
"bytes" | ||
"fmt" | ||
"os" | ||
|
||
"github.com/Microsoft/hcsshim/pkg/amdsevsnp" | ||
) | ||
|
||
// validateHostData fetches SNP report (if applicable) and validates `hostData` against | ||
// HostData set at UVM launch. | ||
func validateHostData(hostData []byte) error { | ||
report, err := amdsevsnp.FetchParsedSNPReport(nil) | ||
if err != nil { | ||
// For non-SNP hardware /dev/sev will not exist | ||
if os.IsNotExist(err) { | ||
return nil | ||
} | ||
return err | ||
} | ||
|
||
if bytes.Compare(hostData, report.HostData) != 0 { | ||
return fmt.Errorf( | ||
"security policy digest %q doesn't match HostData provided at launch %q", | ||
hostData, | ||
report.HostData, | ||
) | ||
} | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
//go:build linux | ||
// +build linux | ||
|
||
package fake | ||
|
||
import ( | ||
"encoding/hex" | ||
"fmt" | ||
|
||
"github.com/Microsoft/hcsshim/pkg/amdsevsnp" | ||
) | ||
|
||
const fakeSNPReport = "01000000010000001f00030000000000010000000000000000000000000000000200000000000000000000000000000000000000010000000000000000000028010000000000000000000000000000007ab000a323b3c873f5b81bbe584e7c1a26bcf40dc27e00f8e0d144b1ed2d14f10000000000000000000000000000000000000000000000000000000000000000e29af700e85b39996fa38226d2804b78cad746ffef4477360a61b47874bdecd640f9d32f5ff64a55baad3c545484d9ed28603a3ea835a83bd688b0ec1dcb36b6b8c22412e5b63115b75db8628b989bc598c475ca5f7683e8d351e7e789a1baff19041750567161ad52bf0d152bd76d7c6f313d0a0fd72d0089692c18f521155800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040aea62690b08eb6d680392c9a9b3db56a9b3cc44083b9da31fb88bcfc493407ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000028000000000000000000000000000000000000000000000000e6c86796cd44b0bc6b7c0d4fdab33e2807e14b5fc4538b3750921169d97bcf4447c7d3ab2a7c25f74c1641e2885c1011d025cc536f5c9a2504713136c7877f480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003131c0f3e7be5c6e400f22404596e1874381e99d03de45ef8b97eee0a0fa93a4911550330343f14dddbbd6c0db83744f000000000000000000000000000000000000000000000000db07c83c5e6162c2387f3b76cd547672657f6a5df99df98efee7c15349320d83e086c5003ec43050a9b18d1c39dedc340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | ||
|
||
// FetchRawSNPReport hex decodes fakeSNPReport. | ||
func FetchRawSNPReport() ([]byte, error) { | ||
return hex.DecodeString(fakeSNPReport) | ||
} | ||
|
||
// FetchSNPReport returns amdsev.Report object that corresponds to the decoded | ||
// version of fakeSNPReport. Overrides the resulting report's HostData field | ||
// with provided `hostData`. | ||
func FetchSNPReport(hostData string) (amdsevsnp.Report, error) { | ||
if hostData == "" { | ||
hostData = "28603a3ea835a83bd688b0ec1dcb36b6b8c22412e5b63115b75db8628b989bc5" | ||
} | ||
hdBytes, err := hex.DecodeString(hostData) | ||
if err != nil { | ||
return amdsevsnp.Report{}, fmt.Errorf("failed to decode host data: %w", err) | ||
} | ||
r := amdsevsnp.Report{ | ||
Version: 1, | ||
GuestSVN: 1, | ||
Policy: 0x03001f, | ||
FamilyID: "00000000000000000000000000000001", | ||
ImageID: "00000000000000000000000000000001", | ||
VMPL: 0, | ||
SignatureAlgo: 1, | ||
PlatformVersion: 0x2800000000000000, | ||
PlatformInfo: 1, | ||
AuthorKeyEn: 0, | ||
ReportData: "7ab000a323b3c873f5b81bbe584e7c1a26bcf40dc27e00f8e0d144b1ed2d14f10000000000000000000000000000000000000000000000000000000000000000", | ||
Measurement: "e29af700e85b39996fa38226d2804b78cad746ffef4477360a61b47874bdecd640f9d32f5ff64a55baad3c545484d9ed", | ||
HostData: hdBytes[:], | ||
IDKeyDigest: "98c475ca5f7683e8d351e7e789a1baff19041750567161ad52bf0d152bd76d7c6f313d0a0fd72d0089692c18f5211558", | ||
AuthorKeyDigest: "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", | ||
ReportID: "40aea62690b08eb6d680392c9a9b3db56a9b3cc44083b9da31fb88bcfc493407", | ||
ReportIDMA: "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", | ||
ReportTCB: 0x2800000000000000, | ||
ChipID: "e6c86796cd44b0bc6b7c0d4fdab33e2807e14b5fc4538b3750921169d97bcf4447c7d3ab2a7c25f74c1641e2885c1011d025cc536f5c9a2504713136c7877f48", | ||
CommittedSVN: "0000000000000000", | ||
CommittedVersion: "0000000000000000", | ||
LaunchSVN: "0000000000000000", | ||
Signature: "3131c0f3e7be5c6e400f22404596e1874381e99d03de45ef8b97eee0a0fa93a4911550330343f14dddbbd6c0db83744f000000000000000000000000000000000000000000000000db07c83c5e6162c2387f3b76cd547672657f6a5df99df98efee7c15349320d83e086c5003ec43050a9b18d1c39dedc340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", | ||
} | ||
return r, nil | ||
} |
Oops, something went wrong.