client

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 10, 2024 License: Apache-2.0 Imports: 11 Imported by: 8

Documentation

Overview

Package client provides an interface to the AMD SEV-SNP guest device commands.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetDerivedKeyAcknowledgingItsLimitations added in v0.2.3 

func GetDerivedKeyAcknowledgingItsLimitations(d Device, request *SnpDerivedKeyReq) (*labi.SnpDerivedKeyRespABI, error)

GetDerivedKeyAcknowledgingItsLimitations returns 32 bytes of key material that the AMD security processor derives from the given parameters. Security limitations of this command are described more in the project README.

func GetExtendedReport deprecated 

func GetExtendedReport(d Device, reportData [64]byte) (*pb.Attestation, error)

GetExtendedReport gets an extended attestation report at VMPL0 into a structured type.

Deprecated: Use GetQuoteProto.

func GetExtendedReportAtVmpl deprecated 

func GetExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Attestation, error)

GetExtendedReportAtVmpl gets an extended attestation report at the given VMPL into a structured type.

Deprecated: Use GetQuoteProtoAtLevel

func GetQuoteProto added in v0.10.1 

func GetQuoteProto(qp QuoteProvider, reportData [64]byte) (*pb.Attestation, error)

GetQuoteProto uses the given QuoteProvider to return the protobuf representation of an attestation report with cached certificate chain.

func GetQuoteProtoAtLevel added in v0.10.1 

func GetQuoteProtoAtLevel(qp LeveledQuoteProvider, reportData [64]byte, vmpl uint) (*pb.Attestation, error)

GetQuoteProtoAtLevel uses the given LeveledQuoteProvider to return the protobuf representation of an attestation report at a given VMPL with cached certificate chain.

func GetRawExtendedReport deprecated 

func GetRawExtendedReport(d Device, reportData [64]byte) ([]byte, []byte, error)

GetRawExtendedReport requests for an attestation report that incorporates the given user data, and additional key certificate information.

Deprecated: Use QuoteProvider.

func GetRawExtendedReportAtVmpl deprecated 

func GetRawExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, []byte, error)

GetRawExtendedReportAtVmpl requests for an attestation report that incorporates the given user data at the given VMPL, and additional key certificate information.

Deprecated: Use LeveledQuoteProvider.

func GetRawReport deprecated 

func GetRawReport(d Device, reportData [64]byte) ([]byte, error)

GetRawReport requests for an attestation report at VMPL0 that incorporates the given user data.

Deprecated: Use QuoteProvider.

func GetRawReportAtVmpl deprecated 

func GetRawReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, error)

GetRawReportAtVmpl requests for an attestation report at the given VMPL that incorporates the given user data.

Deprecated: Use LeveledQuoteProvider.

func GetReport deprecated 

func GetReport(d Device, reportData [64]byte) (*pb.Report, error)

GetReport gets an attestation report at VMPL0 into its protobuf representation.

Deprecated: Use GetQuoteProto.

func GetReportAtVmpl deprecated 

func GetReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Report, error)

GetReportAtVmpl gets an attestation report at the given VMPL into its protobuf representation.

Deprecated: Use GetQuoteProtoAtLevel.

func UseDefaultSevGuest added in v0.4.0 

func UseDefaultSevGuest() bool

UseDefaultSevGuest returns true iff -sev_guest_device_path=default.

Types

type Device 

type Device interface {
	// Open prepares the Device from the given path.
	Open(path string) error
	// Close releases the device resource.
	Close() error
	// Ioctl performs the given command with the given argument.
	Ioctl(command uintptr, argument any) (uintptr, error)
	// Product returns AMD SEV-related CPU information of the calling CPU.
	Product() *pb.SevProduct
}

Device encapsulates the possible commands to the AMD SEV guest device.

type GuestFieldSelect added in v0.2.3 

type GuestFieldSelect struct {
	TCBVersion  bool
	GuestSVN    bool
	Measurement bool
	FamilyID    bool
	ImageID     bool
	GuestPolicy bool
}

GuestFieldSelect represents which guest-provided information will be mixed into a derived key.

func (GuestFieldSelect) ABI added in v0.2.3 

func (g GuestFieldSelect) ABI() uint64

ABI returns the SNP ABI-specified uint64 bitmask of guest field selection.

type LeveledQuoteProvider added in v0.10.0 

type LeveledQuoteProvider interface {
	// IsSupported returns whether the kernel supports this implementation.
	IsSupported() bool
	// GetRawQuote returns a raw report with the given privilege level.
	GetRawQuoteAtLevel(reportData [64]byte, vmpl uint) ([]uint8, error)
	// Product returns AMD SEV-related CPU information of the calling CPU.
	//
	// Deprecated: Use abi.ExtraPlatformInfoGUID in raw quote certificate table.
	Product() *pb.SevProduct
}

LeveledQuoteProvider encapsulates calls to collect an extended attestation report at a given privilege level.

func GetLeveledQuoteProvider added in v0.10.0 

func GetLeveledQuoteProvider() (LeveledQuoteProvider, error)

GetLeveledQuoteProvider returns a supported SEV-SNP LeveledQuoteProvider.

type LinuxConfigFsQuoteProvider added in v0.10.0 

type LinuxConfigFsQuoteProvider struct{}

LinuxConfigFsQuoteProvider implements the QuoteProvider interface to fetch attestation quote via ConfigFS.

func (*LinuxConfigFsQuoteProvider) GetRawQuote added in v0.10.0 

func (p *LinuxConfigFsQuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)

GetRawQuote returns byte format attestation plus certificate table via ConfigFS.

func (*LinuxConfigFsQuoteProvider) GetRawQuoteAtLevel added in v0.10.0 

func (p *LinuxConfigFsQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, level uint) ([]uint8, error)

GetRawQuoteAtLevel returns byte format attestation plus certificate table via ConfigFS.

func (*LinuxConfigFsQuoteProvider) IsSupported added in v0.10.0 

func (p *LinuxConfigFsQuoteProvider) IsSupported() bool

IsSupported checks if TSM client can be created to use ConfigFS system.

func (*LinuxConfigFsQuoteProvider) Product deprecated added in v0.10.1 

func (*LinuxConfigFsQuoteProvider) Product() *spb.SevProduct

Product returns the current CPU's associated AMD SEV product information.

Deprecated: Use ExtraPlatformInfoGUID from the cert table.

type LinuxDevice 

type LinuxDevice struct {
	// contains filtered or unexported fields
}

LinuxDevice implements the Device interface with Linux ioctls.

func OpenDevice 

func OpenDevice() (*LinuxDevice, error)

OpenDevice opens the SEV-SNP guest device.

func (*LinuxDevice) Close 

func (d *LinuxDevice) Close() error

Close closes the SEV-SNP guest device.

func (*LinuxDevice) Ioctl 

func (d *LinuxDevice) Ioctl(command uintptr, req any) (uintptr, error)

Ioctl sends a command with its wrapped request and response values to the Linux device.

func (*LinuxDevice) Open 

func (d *LinuxDevice) Open(path string) error

Open opens the SEV-SNP guest device from a given path

func (*LinuxDevice) Product added in v0.7.1 

func (d *LinuxDevice) Product() *spb.SevProduct

Product returns the current CPU's associated AMD SEV product information.

type LinuxIoctlQuoteProvider added in v0.10.0 

type LinuxIoctlQuoteProvider struct{}

LinuxIoctlQuoteProvider implements the QuoteProvider interface to fetch attestation quote via the deprecated /dev/sev-guest ioctl.

func (*LinuxIoctlQuoteProvider) GetRawQuote added in v0.10.0 

func (p *LinuxIoctlQuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)

GetRawQuote returns byte format attestation plus certificate table via /dev/sev-guest ioctl.

func (*LinuxIoctlQuoteProvider) GetRawQuoteAtLevel added in v0.10.0 

func (p *LinuxIoctlQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, level uint) ([]uint8, error)

GetRawQuoteAtLevel returns byte format attestation plus certificate table via /dev/sev-guest ioctl.

func (*LinuxIoctlQuoteProvider) IsSupported added in v0.10.0 

func (p *LinuxIoctlQuoteProvider) IsSupported() bool

IsSupported checks if TSM client can be created to use /dev/sev-guest ioctl.

func (*LinuxIoctlQuoteProvider) Product deprecated added in v0.10.1 

func (*LinuxIoctlQuoteProvider) Product() *spb.SevProduct

Product returns the current CPU's associated AMD SEV product information.

Deprecated: Use ExtraPlatformInfoGUID from the cert table.

type QuoteProvider added in v0.10.0 

type QuoteProvider interface {
	// IsSupported returns whether the kernel supports this implementation.
	IsSupported() bool
	// GetRawQuote returns a raw report with the default privilege level.
	GetRawQuote(reportData [64]byte) ([]uint8, error)
	// Product returns AMD SEV-related CPU information of the calling CPU.
	//
	// Deprecated: Use abi.ExtraPlatformInfoGUID in the raw quote certificate table.
	Product() *pb.SevProduct
}

QuoteProvider encapsulates calls to collect an extended attestation report.

func GetQuoteProvider added in v0.10.0 

func GetQuoteProvider() (QuoteProvider, error)

GetQuoteProvider returns a supported SEV-SNP QuoteProvider.

type SnpDerivedKeyReq added in v0.2.3 

type SnpDerivedKeyReq struct {
	// UseVCEK determines if the derived key will be based on VCEK or VMRK. This is opposite from the
	// ABI's ROOT_KEY_SELECT to avoid accidentally making an unsafe choice in a multitenant
	// environment.
	UseVCEK          bool
	GuestFieldSelect GuestFieldSelect
	// Vmpl to mix into the key. Must be greater than or equal to current Vmpl.
	Vmpl uint32
	// GuestSVN to mix into the key. Must be less than or equal to GuestSVN at launch.
	GuestSVN uint32
	// TCBVersion to mix into the key. Must be less than or equal to the CommittedTcb.
	TCBVersion uint64
}

SnpDerivedKeyReq represents a request to the SEV guest device to derive a key from specified information.

Source Files

View all Source files

Directories

Path Synopsis
Package linuxabi describes the /dev/sev-guest ioctl command ABI.
 Package linuxabi describes the /dev/sev-guest ioctl command ABI.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.