testing

Documentation

Overview

Package testing defines fakes and mocks for the sev-guest device and AMD-SP.

Index

• func DefaultArk() (*rsa.PrivateKey, error)
• func DefaultAsk() (*rsa.PrivateKey, error)
• func DefaultVcek() (*ecdsa.PrivateKey, error)
• func TestRawReport(userData [64]byte) [labi.SnpReportRespReportSize]byte
• type AmdKeys
  • func DefaultAmdKeys() (*AmdKeys, error)
• type AmdSigner
  • func DefaultCertChain(productName string, creationTime time.Time) (*AmdSigner, error)
  • func (s *AmdSigner) CertTableBytes() ([]byte, error)
  • func (s *AmdSigner) Sign(toSign []byte) (*big.Int, *big.Int, error)
• type AmdSignerBuilder
  • func (b *AmdSignerBuilder) CertChain() (*AmdSigner, error)
• type CertOverride
• type Device
  • func TcDevice(tcs []TestCase, now time.Time) (*Device, error)
  • func (d *Device) Close() error
  • func (d *Device) Ioctl(command uintptr, req interface{}) (uintptr, error)
  • func (d *Device) Open(path string) error
• type GetReportResponse
• type Getter
  • func (g *Getter) Get(url string) ([]byte, error)
• type TestCase
  • func TestCases() []TestCase

Functions

func DefaultArk

func DefaultArk() (*rsa.PrivateKey, error)

DefaultArk returns a new RSA key with the expected size for an ARK.

func DefaultAsk

func DefaultAsk() (*rsa.PrivateKey, error)

DefaultAsk returns a new RSA key with the expected size for an ASK.

func DefaultVcek

func DefaultVcek() (*ecdsa.PrivateKey, error)

DefaultVcek returns a new ECDSA key on the expected curve for a VCEK.

func TestRawReport

func TestRawReport(userData [64]byte) [labi.SnpReportRespReportSize]byte

We can't sign the report with AMD keys, and verification isn't the client's responsibility, so we keep the signature zeros. Similarly, we leave the randomly-generated fields zero.

Types

type AmdKeys

type AmdKeys struct {
	Ark  *rsa.PrivateKey
	Ask  *rsa.PrivateKey
	Vcek *ecdsa.PrivateKey
}

AmdKeys encapsulates the key chain of ARK through ASK down to VCEK.

func DefaultAmdKeys

func DefaultAmdKeys() (*AmdKeys, error)

DefaultAmdKeys returns a key set for ARK, ASK, and VCEK with the expected key type and size.

type AmdSigner

type AmdSigner struct {
	Ark  *x509.Certificate
	Ask  *x509.Certificate
	Vcek *x509.Certificate
	Keys *AmdKeys
}

AmdSigner encapsulates a key and certificate chain following the format of AMD-SP's VCEK for signing attestation reports.

func DefaultCertChain

func DefaultCertChain(productName string, creationTime time.Time) (*AmdSigner, error)

DefaultCertChain creates a test-only certificate chain for a fake attestation signer.

func (*AmdSigner) CertTableBytes

func (s *AmdSigner) CertTableBytes() ([]byte, error)

CertTableBytes outputs the certificates in AMD's ABI format.

func (*AmdSigner) Sign

func (s *AmdSigner) Sign(toSign []byte) (*big.Int, *big.Int, error)

Sign takes a chunk of bytes, signs it with VcekPriv, and returns the R, S pair for the signature in little endian format.

type AmdSignerBuilder

type AmdSignerBuilder struct {
	// Keys contains the private keys that will get a certificate chain structure.
	Keys             *AmdKeys
	Product          string
	ArkCreationTime  time.Time
	AskCreationTime  time.Time
	VcekCreationTime time.Time
	ArkCustom        CertOverride
	AskCustom        CertOverride
	VcekCustom       CertOverride
	// Intermediate built certificates
	Ark  *x509.Certificate
	Ask  *x509.Certificate
	Vcek *x509.Certificate
}

AmdSignerBuilder represents toggleable configurations of the VCEK certificate chain.

func (*AmdSignerBuilder) CertChain

func (b *AmdSignerBuilder) CertChain() (*AmdSigner, error)

CertChain creates a test-only certificate chain from the keys and configurables in b.

type CertOverride

type CertOverride struct {
	// If 0, interpreted as Version, otherwise the ARK cert version number.
	Version            int
	SerialNumber       *big.Int
	Issuer             *pkix.Name
	Subject            *pkix.Name
	SignatureAlgorithm x509.SignatureAlgorithm
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
	KeyUsage           x509.KeyUsage
	// If nil, interpreted as default, otherwise the CRLDistributionPoints for the cert.
	CRLDistributionPoints []string
	// If nil, interpreted as default list.
	Extensions []pkix.Extension
}

CertOverride encapsulates certificate aspects that can be overriden when creating a certificate chain.

type Device

type Device struct {
	UserDataRsp map[string]interface{}
	Certs       []byte
	Signer      *AmdSigner
	// contains filtered or unexported fields
}

Device represents a sev-guest driver implementation with pre-programmed responses to commands.

func TcDevice

func TcDevice(tcs []TestCase, now time.Time) (*Device, error)

TcDevice returns a mock device populated from test cases' inputs and expected outputs.

func (*Device) Close

func (d *Device) Close() error

Close changes the mock device's state to closed.

func (*Device) Ioctl

func (d *Device) Ioctl(command uintptr, req interface{}) (uintptr, error)

Ioctl mocks commands with pre-specified responses for a finite number of requests.

func (*Device) Open

func (d *Device) Open(path string) error

Open changes the mock device's state to open.

type GetReportResponse

type GetReportResponse struct {
	Resp     labi.SnpReportRespABI
	EsResult labi.EsResult
	FwErr    abi.SevFirmwareStatus
}

GetReportResponse represents a mocked response to a command request.

type Getter

type Getter struct {
	Responses map[string][]byte
}

Getter represents a static server for request/respond url -> body contents.

func (*Getter) Get

func (g *Getter) Get(url string) ([]byte, error)

Get returns a registered response for a given URL.

type TestCase

type TestCase struct {
	Name        string
	Input       [64]byte
	Output      [labi.SnpReportRespReportSize]byte
	OutputProto string
	FwErr       abi.SevFirmwareStatus
	EsResult    labi.EsResult
	WantErr     error
}

TestCase represents a get_report input/output test case.

func TestCases

func TestCases() []TestCase

TestCases returns common test cases for get_report.