pr feedback: internal/guest/linux package, Makefile, refactor

Add new internal/guest/linux package, which for now includes linux specific
ioctl definitions and Ioctl call.

Refactor devicemapper to use the new package.

Update makefile to conditionally include snp-report binary in initrd

Signed-off-by: Maksim An <[email protected]>

Makefile

@@ -1,4 +1,5 @@
 BASE:=base.tar.gz
+INCLUDE_UTILITIES:=0
 
 GO:=go
 GO_FLAGS:=-ldflags "-s -w" # strip Go binaries
@@ -49,7 +50,9 @@ out/delta.tar.gz: bin/init bin/vsockexec bin/cmd/gcs bin/cmd/gcstools bin/cmd/ho
 	cp bin/cmd/gcs rootfs/bin/
 	cp bin/cmd/gcstools rootfs/bin/
 	cp bin/cmd/hooks/wait-paths rootfs/bin/
-	cp bin/internal/tools/snp-report rootfs/bin/
+	if [ $(INCLUDE_UTILITIES) -eq 1 ]; then \
+		cp bin/internal/tools/snp-report rootfs/bin/; \
+	fi
 	for tool in $(GCS_TOOLS); do ln -s gcstools rootfs/bin/$$tool; done
 	git -C $(SRCROOT) rev-parse HEAD > rootfs/gcs.commit && \
 	git -C $(SRCROOT) rev-parse --abbrev-ref HEAD > rootfs/gcs.branch

internal/guest/snp/fake_report.go → internal/guest/amdsev/fake_report.go

@@ -1,7 +1,7 @@
 //go:build linux
 // +build linux
 
-package snp
+package amdsev
 
 import (
 	"bytes"

internal/guest/snp/report.go → internal/guest/amdsev/report.go

@@ -1,9 +1,9 @@
 //go:build linux
 // +build linux
 
-// package snp contains minimal functionality required to fetch
+// Package amdsev contains minimal functionality required to fetch
 // attestation reports inside an enlightened guest.
-package snp
+package amdsev
 
 import (
 	"bytes"
@@ -13,7 +13,7 @@ import (
 	"os"
 	"unsafe"
 
-	"golang.org/x/sys/unix"
+	"github.com/Microsoft/hcsshim/internal/guest/linux"
 )
 
 const (
@@ -46,42 +46,18 @@ type SevSNPGuestRequest struct {
 	Error           uint32
 }
 
-// Below is ported from Linux kernel code:
-// https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/include/uapi/asm-generic/ioctl.h
+// AMD SEV ioctl definitions
 const (
-	iocNone     = 0
-	iocWrite    = 1
-	iocRead     = 2
-	iocNRBits   = 8
-	iocTypeBits = 8
-	iocSizeBits = 14
-	iocDirBits  = 2
-
-	// bit shifts
-	iocNRShift   = 0
-	iocTypeShift = iocNRBits
-	iocSizeShift = iocTypeShift + iocTypeBits
-	iocDirShift  = iocSizeShift + iocSizeBits
-
 	// SEV-SNP IOCTL type
 	sevGuestType = 'S'
 	// SEV-SNP IOCTL size, same as unsafe.Sizeof(SevSNPGuestRequest{})
-	sevGuestSize = 40
+	sevGuestSize    = 40
+	SevSnpIoctlBase = linux.IocWRBase | sevGuestType<<linux.IocTypeShift | sevGuestSize<<linux.IocSizeShift
 
 	// SEV-SNP requests
 	sevSNPReportCode = 0x1
 )
 
-// _IOC macros equivalent
-func ioc(dir, t, nr, size int) int {
-	return dir<<iocDirShift | t<<iocTypeShift | nr<<iocNRShift | size<<iocSizeShift
-}
-
-// _IOCWR macros equivalent
-func iocWR(t, nr, size int) int {
-	return ioc(iocRead|iocWrite, t, nr, size)
-}
-
 // msgReportRequest used to issue SEV-SNP request
 // https://www.amd.com/system/files/TechDocs/56860.pdf
 // MSG_REPORT_REQ Table 20.
@@ -166,15 +142,6 @@ type msgReportResponse struct {
 	reserved2  [64]byte // padding to the size of SEV_SNP_REPORT_RSP_BUF_SZ (i.e., 1280 bytes)
 }
 
-func snpIoctl(f *os.File, code int, payload *SevSNPGuestRequest) error {
-	sevSNPIOCBase := iocWR(sevGuestType, 0x0, sevGuestSize)
-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, f.Fd(), uintptr(code|sevSNPIOCBase), uintptr(unsafe.Pointer(payload)))
-	if errno != 0 {
-		return fmt.Errorf("failed to make snp IOCTL: %s", errno)
-	}
-	return nil
-}
-
 // FetchRawSNPReport returns attestation report bytes.
 func FetchRawSNPReport(reportData string) ([]byte, error) {
 	f, err := os.OpenFile("/dev/sev", os.O_RDWR, 0)
@@ -199,7 +166,7 @@ func FetchRawSNPReport(reportData string) ([]byte, error) {
 		copy(msgReportIn.ReportData[:], rd[:])
 	}
 
-	payload := SevSNPGuestRequest{
+	payload := &SevSNPGuestRequest{
 		RequestMsgType:  MsgReportRequest,
 		ResponseMsgType: MsgReportResponse,
 		MsgVersion:      1,
@@ -210,7 +177,7 @@ func FetchRawSNPReport(reportData string) ([]byte, error) {
 		Error:           0,
 	}
 
-	if err := snpIoctl(f, sevSNPReportCode, &payload); err != nil {
+	if err := linux.Ioctl(f, sevSNPReportCode|SevSnpIoctlBase, uintptr(unsafe.Pointer(payload))); err != nil {
 		return nil, err
 	}
 	return msgReportOut.Report[:], nil
@@ -297,25 +264,3 @@ func FetchParsedSNPReport(reportData string) (Report, error) {
 	}
 	return report.report(), nil
 }
-
-// ValidateHostData fetches SNP report (if applicable) and validates `hostData` against
-// HostData set at UVM launch.
-func ValidateHostData(hostData, reportData string) error {
-	report, err := FetchParsedSNPReport(reportData)
-	if err != nil {
-		// For non-SNP hardware /dev/sev will not exist
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-
-	if report.HostData != hostData {
-		return fmt.Errorf(
-			"security policy digest %q doesn't match HostData provided at launch %q",
-			hostData,
-			report.HostData,
-		)
-	}
-	return nil
-}

internal/guest/linux/ioctl.go

@@ -0,0 +1,36 @@
+//go:build linux
+// +build linux
+
+package linux
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	IocWrite    = 1
+	IocRead     = 2
+	IocNRBits   = 8
+	IocTypeBits = 8
+	IocSizeBits = 14
+	IocDirBits  = 2
+
+	IocNRMask    = (1 << IocNRBits) - 1
+	IocTypeMask  = (1 << IocTypeBits) - 1
+	IocSizeMask  = (1 << IocSizeBits) - 1
+	IocDirMask   = (1 << IocDirBits) - 1
+	IocTypeShift = IocNRBits
+	IocSizeShift = IocTypeShift + IocTypeBits
+	IocDirShift  = IocSizeShift + IocSizeBits
+	IocWRBase    = (IocRead | IocWrite) << IocDirShift
+)
+
+func Ioctl(f *os.File, code int, payloadPtr uintptr) error {
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, f.Fd(), uintptr(code), payloadPtr)
+	if errno != 0 {
+		return errno
+	}
+	return nil
+}

internal/guest/runtime/hcsv2/hostdata.go

@@ -0,0 +1,33 @@
+//go:build linux
+// +build linux
+
+package hcsv2
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/Microsoft/hcsshim/internal/guest/amdsev"
+)
+
+// ValidateHostData fetches SNP report (if applicable) and validates `hostData` against
+// HostData set at UVM launch.
+func ValidateHostData(hostData, reportData string) error {
+	report, err := amdsev.FetchParsedSNPReport(reportData)
+	if err != nil {
+		// For non-SNP hardware /dev/sev will not exist
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	if report.HostData != hostData {
+		return fmt.Errorf(
+			"security policy digest %q doesn't match HostData provided at launch %q",
+			hostData,
+			report.HostData,
+		)
+	}
+	return nil
+}

internal/guest/runtime/hcsv2/uvm.go

@@ -16,7 +16,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/Microsoft/hcsshim/internal/guest/snp"
 	"github.com/mattn/go-shellwords"
 	"github.com/pkg/errors"
 
@@ -101,7 +100,7 @@ func (h *Host) SetSecurityPolicy(base64Policy string) error {
 		return err
 	}
 
-	if err := snp.ValidateHostData(hostData, ""); err != nil {
+	if err := ValidateHostData(hostData, ""); err != nil {
 		return err
 	}
 

internal/guest/storage/devicemapper/devicemapper.go

@@ -11,6 +11,7 @@ import (
 	"time"
 	"unsafe"
 
+	"github.com/Microsoft/hcsshim/internal/guest/linux"
 	"golang.org/x/sys/unix"
 )
 
@@ -28,24 +29,9 @@ var (
 )
 
 const (
-	_IOC_WRITE    = 1
-	_IOC_READ     = 2
-	_IOC_NRBITS   = 8
-	_IOC_TYPEBITS = 8
-	_IOC_SIZEBITS = 14
-	_IOC_DIRBITS  = 2
-
-	_IOC_NRMASK    = ((1 << _IOC_NRBITS) - 1)
-	_IOC_TYPEMASK  = ((1 << _IOC_TYPEBITS) - 1)
-	_IOC_SIZEMASK  = ((1 << _IOC_SIZEBITS) - 1)
-	_IOC_DIRMASK   = ((1 << _IOC_DIRBITS) - 1)
-	_IOC_TYPESHIFT = (_IOC_NRBITS)
-	_IOC_SIZESHIFT = (_IOC_TYPESHIFT + _IOC_TYPEBITS)
-	_IOC_DIRSHIFT  = (_IOC_SIZESHIFT + _IOC_SIZEBITS)
-
 	_DM_IOCTL      = 0xfd
 	_DM_IOCTL_SIZE = 312
-	_DM_IOCTL_BASE = (_IOC_READ|_IOC_WRITE)<<_IOC_DIRSHIFT | _DM_IOCTL<<_IOC_TYPESHIFT | _DM_IOCTL_SIZE<<_IOC_SIZESHIFT
+	_DM_IOCTL_BASE = linux.IocWRBase | _DM_IOCTL<<linux.IocTypeShift | _DM_IOCTL_SIZE<<linux.IocSizeShift
 
 	_DM_READONLY_FLAG       = 1 << 0
 	_DM_SUSPEND_FLAG        = 1 << 1
@@ -134,9 +120,8 @@ func (err *dmError) Error() string {
 
 // ioctl issues the specified device-mapper ioctl
 func ioctl(f *os.File, code int, data *dmIoctl) error {
-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, f.Fd(), uintptr(code|_DM_IOCTL_BASE), uintptr(unsafe.Pointer(data)))
-	if errno != 0 {
-		return &dmError{Op: code, Err: errno}
+	if err := linux.Ioctl(f, code|_DM_IOCTL_BASE, uintptr(unsafe.Pointer(data))); err != nil {
+		return &dmError{Op: code, Err: err}
 	}
 	return nil
 }

internal/tools/snp-report/main.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/Microsoft/hcsshim/internal/guest/snp"
+	"github.com/Microsoft/hcsshim/internal/guest/amdsev"
 )
 
 func main() {
@@ -41,7 +41,7 @@ func main() {
 	flag.Parse()
 
 	if *binaryFmtFlag {
-		binaryReport, err := snp.FetchRawSNPReport(*reportDataFlag)
+		binaryReport, err := amdsev.FetchRawSNPReport(*reportDataFlag)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -50,12 +50,12 @@ func main() {
 		os.Exit(0)
 	}
 
-	var report snp.Report
+	var report amdsev.Report
 	var err error
 	if *fakeReportFlag {
-		report, err = snp.FetchFakeSNPReport(*hostDataFlag)
+		report, err = amdsev.FetchFakeSNPReport(*hostDataFlag)
 	} else {
-		report, err = snp.FetchParsedSNPReport(*reportDataFlag)
+		report, err = amdsev.FetchParsedSNPReport(*reportDataFlag)
 	}
 	if err != nil {
 		fmt.Printf("failed to fetch SNP report: %s", err)

pkg/securitypolicy/securitypolicy.go

@@ -88,8 +88,9 @@ func NewOpenDoorPolicy() *SecurityPolicy {
 	}
 }
 
-// NewSecurityPolicyDigest converts base64policy string into JSON and computes
-// sha256-digest on the JSON string.
+// NewSecurityPolicyDigest decodes base64 encoded policy string, computes
+// sha256 digest on the resulting byte slice and returns it as a base64 encoded
+// string.
 func NewSecurityPolicyDigest(base64policy string) (string, error) {
 	jsonPolicy, err := base64.StdEncoding.DecodeString(base64policy)
 	if err != nil {