Documentation ¶
Index ¶
- Constants
- func GenerateMAAHostData(inputBytes []byte) [HOST_DATA_SIZE]byte
- func GenerateMAAReportData(inputBytes []byte) [REPORT_DATA_SIZE]byte
- func GetVCEKFromCertChain(certChain []byte) (*x509.Certificate, error)
- func IsSNPVM() bool
- func IsSNPVM5() bool
- func IsSNPVM6() bool
- func ParseVCEK(certChain []byte) (uint64, error)
- type AttestationReportFetcher
- type CertFetcher
- type CertState
- type SNPAttestationReport
Constants ¶
const ( ATTESTATION_REPORT_SIZE = 1184 // Size of ATTESTATION_REPORT (Table 21) REPORT_DATA_SIZE = 64 // Size of REPORT_DATA in ATTESTATION_REPORT REPORT_DATA_OFFSET = 80 // Offset of REPORT_DATA in ATTESTATION_REPORT HOST_DATA_SIZE = 32 // Size of HOST_DATA in ATTESTATION_REPORT HOST_DATA_OFFSET = 192 // Offset of HOST_DATA in ATTESTATION_REPORT REPORTED_TCB_OFFSET = 384 REPORTED_TCB_SIZE = 8 CHIP_ID_OFFSET = 416 CHIP_ID_SIZE = 64 REPORT_REQ_SIZE = 96 // Size of MSG_REPORT_REQ (Table 20) REPORT_RSP_SIZE = 1280 // Size of MSG_REPORT_RSP (Table 23) PAYLOAD_SIZE = 40 // Size of sev_snp_guest_request struct from sev-snp driver include/uapi/linux/psp-sev-guest.h )
const ( MSG_REPORT_REQ = 5 MSG_REPORT_RSP = 6 )
Message Type Encodings (Table 100)
const ( /* Size of the following struct in include/uapi/linux/sev-guest.h. It will have the conteints of MSG_REPORT_RSP (Table 23) in the first REPORT_RSP_SIZE bytes. typedef struct { // response data, see SEV-SNP spec for the format uint8_t data[4000]; } snp_report_resp; */ REPORT_RSP_CONTAINER_SIZE_6 = 4000 // Size of snp_guest_request_ioctl PAYLOAD_SIZE_6 = 32 // Value of SNP_GET_REPORT in sev-snp driver include/uapi/linux/sev-guest.h SNP_GET_REPORT_IOCTL_REQ_CODE_6 = 3223343872 )
Linux kernel 6.x specific values
const ( AzureCertCacheRequestURITemplate = "https://%s/%s/certificates/%s/%s?%s" AmdVCEKRequestURITemplate = "https://%s/%s/%s?ucodeSPL=%d&snpSPL=%d&teeSPL=%d&blSPL=%d" AmdCertChainRequestURITemplate = "https://%s/%s/cert_chain" LocalTHIMUriTemplate = "http://%s" // To-Do update once we know what this looks like )
const ( BlSplTcbmByteIndex = 0 TeeSplTcbmByteIndex = 1 TcbSpl_4TcbmByteIndex = 2 TcbSpl_5TcbmByteIndex = 3 TcbSpl_6TcbmByteIndex = 4 TcbSpl_7TcbmByteIndex = 5 SnpSplTcbmByteIndex = 6 UcodeSplTcbmByteIndex = 7 )
const MaxResponseBodySize = 100 * 1024 * 1024 // 100MB
const SNP_DEVICE_PATH_5 = "/dev/sev"
const SNP_DEVICE_PATH_6 = "/dev/sev-guest"
const (
// Value of SEV_SNP_GUEST_MSG_REPORT in sev-snp driver include/uapi/linux/psp-sev-guest.h
SNP_GET_REPORT_IOCTL_REQ_CODE_5 = 3223868161
)
Variables ¶
This section is empty.
Functions ¶
func GenerateMAAHostData ¶
func GenerateMAAHostData(inputBytes []byte) [HOST_DATA_SIZE]byte
Takes bytes and generate host data that UVM creates at launch of SNP VM (SHA256 hash of arbitrary data). It's only useful to create fake attestation report
func GenerateMAAReportData ¶
func GenerateMAAReportData(inputBytes []byte) [REPORT_DATA_SIZE]byte
Takes bytes and generate report data that MAA expects (SHA256 hash of arbitrary data).
func GetVCEKFromCertChain ¶
func GetVCEKFromCertChain(certChain []byte) (*x509.Certificate, error)
parses the cached CertChain and returns the VCEK leaf certificate Subject of the (x509) VCEK certificate (CN=SEV-VCEK)
func IsSNPVM5 ¶
func IsSNPVM5() bool
Check if the code is being run in SNP VM for Linux kernel version 5.x.
Types ¶
type AttestationReportFetcher ¶
type AttestationReportFetcher interface { // Fetches attestation report as []byte. // reportData is guest-provided data defined in SEV-SNP Firmware ABI Specification. FetchAttestationReportByte(reportData [REPORT_DATA_SIZE]byte) ([]byte, error) // Fetches attestation report as hex. // reportData is guest-provided data defined in SEV-SNP Firmware ABI Specification. FetchAttestationReportHex(reportData [REPORT_DATA_SIZE]byte) (string, error) }
func NewAttestationReportFetcher ¶
func NewAttestationReportFetcher() (AttestationReportFetcher, error)
func NewAttestationReportFetcher5 ¶
func NewAttestationReportFetcher5() AttestationReportFetcher
func NewAttestationReportFetcher6 ¶
func NewAttestationReportFetcher6() AttestationReportFetcher
func UnsafeNewFakeAttestationReportFetcher ¶
func UnsafeNewFakeAttestationReportFetcher(hostDataBytes [HOST_DATA_SIZE]byte) AttestationReportFetcher
Not SECURE. It returns fake attestation report. hostDataBytes is data provided by the hypervisor at launch defined in SEV-SNP Firmware ABI Specification. In real SNP VMs, hostDataBytes is provided by the hypervisor.
type CertFetcher ¶
type CertFetcher struct { EndpointType string `json:"endpoint_type"` // AMD, AzCache, LocalTHIM Endpoint string `json:"endpoint"` TEEType string `json:"tee_type,omitempty"` APIVersion string `json:"api_version,omitempty"` }
CertFetcher contains information about the certificate cache service that provides access to the certificate chain required upon attestation
func DefaultAMDMilanCertFetcherNew ¶
func DefaultAMDMilanCertFetcherNew() CertFetcher
Creates default AMD CertFetcher instance for Milan
func DefaultAzureCertFetcherNew ¶
func DefaultAzureCertFetcherNew() CertFetcher
Creates default Azure CertFetcher instance for SEV-SNP
func (CertFetcher) GetCertChain ¶
func (certFetcher CertFetcher) GetCertChain(chipID string, reportedTCB uint64) ([]byte, uint64, error)
Fetches platform certificates of SEV-SNP VM.
The certificates are concatenation of VCEK, ASK, and ARK certificates (PEM format, in that order). https://www.amd.com/en/support/tech-docs/versioned-chip-endorsement-key-vcek-certificate-and-kds-interface-specification
It also returns TCB as uint64 (useful only when "LocalTHIM" is used for EndpointType).
func (CertFetcher) GetThimCerts ¶
func (certFetcher CertFetcher) GetThimCerts(uri string) (*common.THIMCerts, error)
type CertState ¶
type CertState struct { CertFetcher CertFetcher `json:"cert_cache"` Tcbm uint64 `json:"tcbm"` }
CertState contains information about the certificate cache service that provides access to the certificate chain required upon attestation
func (*CertState) Attest ¶
func (certState *CertState) Attest(maa common.MAA, runtimeDataBytes []byte, uvmInformation common.UvmInformation) (string, error)
Attest interacts with maa services to fetch an MAA token MAA expects four attributes: (A) the attestation report signed by the PSP signing key (B) a certificate chain that endorses the signing key of the attestation report (C) reference information that provides evidence that the UVM image is genuine. (D) inittime data: this is the policy blob that has been hashed by the host OS during the utility
VM bringup and has been reported by the PSP in the attestation report as HOST DATA
(E) runtime data: for example it may be a wrapping key blob that has been hashed during the attestation report
retrieval and has been reported by the PSP in the attestation report as REPORT DATA
Note that it uses fake attestation report if it's not running inside SNP VM
func (*CertState) RefreshCertChain ¶
func (certState *CertState) RefreshCertChain(SNPReport SNPAttestationReport) ([]byte, error)
type SNPAttestationReport ¶
type SNPAttestationReport struct { // version no. of this attestation report. Set to 1 for this specification. Version uint32 `json:"version"` // The guest SVN GuestSvn uint32 `json:"guest_svn"` // see table 8 - various settings Policy uint64 `json:"policy"` // as provided at launch hex string of a 16-byte integer FamilyID string `json:"family_id"` // as provided at launch hex string of a 16-byte integer ImageID string `json:"image_id"` // the request VMPL for the attestation report VMPL uint32 `json:"vmpl"` SignatureAlgo uint32 `json:"signature_algo"` // The install version of the firmware PlatformVersion uint64 `json:"platform_version"` // information about the platform see table 22 PlatformInfo uint64 `json:"platform_info"` // 31 bits of reserved, must be zero, bottom bit indicates that the digest of the author key is present in AUTHOR_KEY_DIGEST. Set to the value of GCTX.AuthorKeyEn. AuthorKeyEn uint32 `json:"author_key_en"` // must be zero Reserved1 uint32 `json:"reserved1"` // Guest provided data. 64-byte ReportData string `json:"report_data"` // measurement calculated at launch 48-byte Measurement string `json:"measurement"` // data provided by the hypervisor at launch 32-byte HostData string `json:"host_data"` // SHA-384 digest of the ID public key that signed the ID block provided in SNP_LAUNCH_FINISH 48-byte IDKeyDigest string `json:"id_key_digest"` // SHA-384 digest of the Author public key that certified the ID key, if provided in SNP_LAUNCH_FINISH. Zeros if author_key_en is 1 (sounds backwards to me). 48-byte AuthorKeyDigest string `json:"author_key_digest"` // Report ID of this guest. 32-byte ReportID string `json:"report_id"` // Report ID of this guest's mmigration agent. 32-byte ReportIDMA string `json:"report_id_ma"` // Reported TCB version used to derive the VCEK that signed this report ReportedTCB uint64 `json:"reported_tcb"` // reserved 24-byte Reserved2 string `json:"reserved2"` // Identifier unique to the chip 64-byte ChipID string `json:"chip_id"` // The current commited SVN of the firware (version 2 report feature) CommittedSvn uint64 `json:"committed_svn"` // The current commited version of the firware CommittedVersion uint64 `json:"committed_version"` // The SVN that this guest was launched or migrated at LaunchSvn uint64 `json:"launch_svn"` // reserved 168-byte Reserved3 string `json:"reserved3"` // Signature of this attestation report. See table 23. 512-byte Signature string `json:"signature"` }
func (*SNPAttestationReport) DeserializeReport ¶
func (r *SNPAttestationReport) DeserializeReport(report []uint8) error
func (*SNPAttestationReport) SerializeReport ¶
func (r *SNPAttestationReport) SerializeReport() (report []uint8, err error)