Documentation
Overview
Package client provides an interface to the AMD SEV-SNP guest device commands.
Index
- func GetDerivedKeyAcknowledgingItsLimitations(d Device, request *SnpDerivedKeyReq) (*labi.SnpDerivedKeyRespABI, error)
- func GetExtendedReport(d Device, reportData [64]byte) (*pb.Attestation, error)
- func GetExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Attestation, error)
- func GetRawExtendedReport(d Device, reportData [64]byte) ([]byte, []byte, error)
- func GetRawExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, []byte, error)
- func GetRawReport(d Device, reportData [64]byte) ([]byte, error)
- func GetRawReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, error)
- func GetReport(d Device, reportData [64]byte) (*pb.Report, error)
- func GetReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Report, error)
- func UseDefaultSevGuest() bool
- type Device
- type GuestFieldSelect
- type LinuxDevice
- type SnpDerivedKeyReq
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetDerivedKeyAcknowledgingItsLimitations added in v0.2.3
func GetDerivedKeyAcknowledgingItsLimitations(d Device, request *SnpDerivedKeyReq) (*labi.SnpDerivedKeyRespABI, error)
GetDerivedKeyAcknowledgingItsLimitations returns 32 bytes of key material that the AMD security processor derives from the given request parameters. The security limitations of this command are described in the project README.
func GetExtendedReport
func GetExtendedReport(d Device, reportData [64]byte) (*pb.Attestation, error)
GetExtendedReport gets an extended attestation report at VMPL0 into a structured type.
func GetExtendedReportAtVmpl
func GetExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Attestation, error)
GetExtendedReportAtVmpl gets an extended attestation report at the given VMPL into a structured type.
func GetRawExtendedReport
func GetRawExtendedReport(d Device, reportData [64]byte) ([]byte, []byte, error)
GetRawExtendedReport requests an attestation report that incorporates the given user data, together with the additional key certificate information; the raw report bytes and the certificate data are returned as separate byte slices.
func GetRawExtendedReportAtVmpl
func GetRawExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, []byte, error)
GetRawExtendedReportAtVmpl requests an attestation report at the given VMPL that incorporates the given user data, together with the additional key certificate information; the raw report bytes and the certificate data are returned as separate byte slices.
func GetRawReport
func GetRawReport(d Device, reportData [64]byte) ([]byte, error)
GetRawReport requests an attestation report at VMPL0 that incorporates the given user data and returns its raw bytes.
func GetRawReportAtVmpl
func GetRawReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, error)
GetRawReportAtVmpl requests an attestation report at the given VMPL that incorporates the given user data and returns its raw bytes.
func GetReportAtVmpl
func GetReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Report, error)
GetReportAtVmpl gets an attestation report at the given VMPL into its protobuf representation.
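Every report function above takes a 64-byte reportData value that the firmware copies verbatim into the report's REPORT_DATA field, which is what lets a remote verifier tie a report to a specific challenge. The following is an added example, not code from the go-sev-guest package: it shows how a guest derives reportData from a verifier-issued nonce and how the verifier checks that binding in the raw bytes that GetRawReport or GetRawReportAtVmpl return. It uses only the standard library, assumes the ATTESTATION_REPORT field offsets from the AMD SEV-SNP ABI specification (VMPL at 0x30, REPORT_DATA at 0x50, MEASUREMENT at 0x90, total size 0x4A0), and fabricates a report so that it runs without a SEV-SNP device. The names ReportDataForNonce, ParseRawReportFields, CheckReportBinding and ConstructedReport are this example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets inside the raw SEV-SNP ATTESTATION_REPORT structure, taken from the AMD
// SEV-SNP ABI specification (assumed here); only the fields this example reads are listed.
const (
	reportSize        = 0x4A0 // size of the whole report in bytes
	vmplOffset        = 0x30  // VMPL: uint32, little-endian
	reportDataOffset  = 0x50  // REPORT_DATA: 64 bytes chosen by the guest
	measurementOffset = 0x90  // MEASUREMENT: 48-byte launch digest
)

// ReportDataForNonce builds the 64-byte value passed as reportData to GetRawReport
// or GetReport. Hashing a verifier-chosen nonce with a context label binds the
// report to this exchange, so an old report cannot be replayed to the verifier.
func ReportDataForNonce(nonce []byte, context string) [64]byte {
	h := sha512.New()
	h.Write([]byte(context))
	h.Write([]byte{0}) // separator so context and nonce cannot run together
	h.Write(nonce)
	var out [64]byte
	copy(out[:], h.Sum(nil))
	return out
}

// RawReportFields is the subset of the report this example inspects.
type RawReportFields struct {
	Vmpl        uint32
	ReportData  [64]byte
	Measurement [48]byte
}

// ParseRawReportFields reads VMPL, REPORT_DATA and MEASUREMENT from the bytes
// returned by GetRawReport or GetRawReportAtVmpl.
func ParseRawReportFields(raw []byte) (*RawReportFields, error) {
	if len(raw) < reportSize {
		return nil, fmt.Errorf("report too short: %d bytes, want %d", len(raw), reportSize)
	}
	f := &RawReportFields{Vmpl: binary.LittleEndian.Uint32(raw[vmplOffset:])}
	copy(f.ReportData[:], raw[reportDataOffset:]) // copy stops at the 64-byte array length
	copy(f.Measurement[:], raw[measurementOffset:])
	return f, nil
}

// CheckReportBinding is the verifier-side check: REPORT_DATA must equal the value
// derived from the nonce the verifier issued, and the report must come from the
// expected VMPL. It complements, and does not replace, verifying the report
// signature against the VCEK certificate chain.
func CheckReportBinding(raw, nonce []byte, context string, wantVmpl uint32) error {
	f, err := ParseRawReportFields(raw)
	if err != nil {
		return err
	}
	want := ReportDataForNonce(nonce, context)
	if !bytes.Equal(f.ReportData[:], want[:]) {
		return errors.New("REPORT_DATA does not match the issued nonce")
	}
	if f.Vmpl != wantVmpl {
		return fmt.Errorf("report VMPL is %d, want %d", f.Vmpl, wantVmpl)
	}
	return nil
}

// ConstructedReport fabricates a raw report for offline testing (constructed data,
// not firmware output): reportData and a dummy measurement are placed at the ABI
// offsets so the parser and check above run without a SEV-SNP device.
func ConstructedReport(reportData [64]byte, vmpl uint32) []byte {
	raw := make([]byte, reportSize)
	binary.LittleEndian.PutUint32(raw[vmplOffset:], vmpl)
	copy(raw[reportDataOffset:], reportData[:])
	for i := 0; i < 48; i++ {
		raw[measurementOffset+i] = byte(i)
	}
	return raw
}

func main() {
	nonce := make([]byte, 32) // in practice the verifier draws this and sends it to the guest
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rd := ReportDataForNonce(nonce, "example-challenge-v1")
	raw := ConstructedReport(rd, 0) // a real guest would call client.GetRawReport(device, rd) here
	fmt.Println("binding check:", CheckReportBinding(raw, nonce, "example-challenge-v1", 0))
}
```

With the structured path (GetReport, GetExtendedReport) the same 64 bytes are available as the report's ReportData field, so the comparison is identical; only the parsing differs. The nonce check stops replay of an older report, but a verifier must still validate the report signature with the certificate data that the extended report variants return, and compare MEASUREMENT against the expected launch digest, before trusting anything the report says.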
func UseDefaultSevGuest added in v0.4.0
func UseDefaultSevGuest() bool
UseDefaultSevGuest returns true iff the -sev_guest_device_path flag is set to default.
Types
type Device
type Device interface {
	Open(path string) error
	Close() error
	Ioctl(command uintptr, argument any) (uintptr, error)
}
Device encapsulates the possible commands to the AMD SEV guest device.
type GuestFieldSelect added in v0.2.3
type GuestFieldSelect struct {
	TCBVersion  bool
	GuestSVN    bool
	Measurement bool
	FamilyID    bool
	ImageID     bool
	GuestPolicy bool
}
GuestFieldSelect represents which guest-provided information will be mixed into a derived key.
func (GuestFieldSelect) ABI added in v0.2.3
func (g GuestFieldSelect) ABI() uint64
ABI returns the SNP ABI-specified uint64 bitmask of guest field selection.
type LinuxDevice
type LinuxDevice struct {
// contains filtered or unexported fields
}
LinuxDevice implements the Device interface with Linux ioctls.
func OpenDevice
func OpenDevice() (*LinuxDevice, error)
OpenDevice opens the SEV-SNP guest device.
func (*LinuxDevice) Close
func (d *LinuxDevice) Close() error
Close closes the SEV-SNP guest device.
func (*LinuxDevice) Ioctl
func (d *LinuxDevice) Ioctl(command uintptr, req any) (uintptr, error)
Ioctl sends a command with its wrapped request and response values to the Linux device.
func (*LinuxDevice) Open
func (d *LinuxDevice) Open(path string) error
Open opens the SEV-SNP guest device from a given path.
type SnpDerivedKeyReq added in v0.2.3
type SnpDerivedKeyReq struct {
	// UseVCEK determines if the derived key will be based on VCEK or VMRK. This is opposite from the
	// ABI's ROOT_KEY_SELECT to avoid accidentally making an unsafe choice in a multitenant
	// environment.
	UseVCEK          bool
	GuestFieldSelect GuestFieldSelect
	// Vmpl to mix into the key. Must be greater than or equal to current Vmpl.
	Vmpl uint32
	// GuestSVN to mix into the key. Must be less than or equal to GuestSVN at launch.
	GuestSVN uint32
	// TCBVersion to mix into the key. Must be less than or equal to the CommittedTcb.
	TCBVersion uint64
}
SnpDerivedKeyReq represents a request to the SEV guest device to derive a key from specified information.
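The field comments above state three constraints the firmware enforces (Vmpl, GuestSVN, TCBVersion) and note that UseVCEK is deliberately inverted relative to ROOT_KEY_SELECT so that the zero value selects the VMRK. The following added example, not code from the go-sev-guest package, serves both the GuestFieldSelect.ABI description and this type: it mirrors both types locally, packs the selection bits and the 32-byte MSG_KEY_REQ body, and validates a request against the documented constraints before any ioctl would be issued. The bit positions for GUEST_FIELD_SELECT, the MSG_KEY_REQ layout, the per-byte TCB_VERSION comparison and the GuestState type are assumptions drawn from the AMD SEV-SNP ABI specification rather than from this page, and the rule that a VCEK-rooted key must mix in Measurement is an example deployment policy motivated by the multitenant remark in the field comment, not a library rule.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// GuestFieldSelect mirrors the page's type. The bit positions below are those of
// GUEST_FIELD_SELECT in the SEV-SNP ABI's MSG_KEY_REQ (assumed; check against the spec).
type GuestFieldSelect struct {
	TCBVersion  bool
	GuestSVN    bool
	Measurement bool
	FamilyID    bool
	ImageID     bool
	GuestPolicy bool
}

// ABI packs the selection into the uint64 bitmask; index in the slice == bit number.
func (g GuestFieldSelect) ABI() uint64 {
	var v uint64
	for bit, set := range []bool{g.GuestPolicy, g.ImageID, g.FamilyID, g.Measurement, g.GuestSVN, g.TCBVersion} {
		if set {
			v |= 1 << uint(bit)
		}
	}
	return v
}

// SnpDerivedKeyReq mirrors the page's request type.
type SnpDerivedKeyReq struct {
	UseVCEK          bool
	GuestFieldSelect GuestFieldSelect
	Vmpl             uint32
	GuestSVN         uint32
	TCBVersion       uint64
}

// GuestState (this example's own type) holds the values the firmware compares a request against.
type GuestState struct {
	CurrentVmpl  uint32
	LaunchSVN    uint32
	CommittedTcb uint64
}

// tcbLE compares two packed TCB_VERSION values byte by byte, since each byte is an
// independent SVN (bootloader, TEE, SNP, microcode) rather than one integer.
func tcbLE(a, b uint64) bool {
	for i := 0; i < 8; i++ {
		if byte(a>>(8*i)) > byte(b>>(8*i)) {
			return false
		}
	}
	return true
}

// Validate enforces the constraints from the field comments before an ioctl is issued,
// plus one example policy: a VCEK-rooted key must mix in Measurement. The VCEK is the
// same for every guest on the chip at a given TCB, so the selected guest fields are
// what make the derived key specific to this workload rather than to the host.
func (r SnpDerivedKeyReq) Validate(s GuestState) error {
	if r.Vmpl > 3 || r.Vmpl < s.CurrentVmpl {
		return fmt.Errorf("Vmpl %d must be in %d..3", r.Vmpl, s.CurrentVmpl)
	}
	if r.GuestSVN > s.LaunchSVN {
		return fmt.Errorf("GuestSVN %d exceeds launch SVN %d", r.GuestSVN, s.LaunchSVN)
	}
	if !tcbLE(r.TCBVersion, s.CommittedTcb) {
		return fmt.Errorf("TCBVersion %#x exceeds committed TCB %#x", r.TCBVersion, s.CommittedTcb)
	}
	if r.UseVCEK && !r.GuestFieldSelect.Measurement {
		return errors.New("VCEK-rooted key without Measurement is not workload-specific on a shared host")
	}
	return nil
}

// ABI lays the request out as the 32-byte MSG_KEY_REQ body (assumed layout): ROOT_KEY_SELECT
// (bit 0: 0 = VCEK, 1 = VMRK), reserved, GUEST_FIELD_SELECT, VMPL, GUEST_SVN, TCB_VERSION.
func (r SnpDerivedKeyReq) ABI() [32]byte {
	var out [32]byte
	if !r.UseVCEK {
		out[0] = 1 // inverted relative to the Go field: the zero value selects VMRK
	}
	binary.LittleEndian.PutUint64(out[8:], r.GuestFieldSelect.ABI())
	binary.LittleEndian.PutUint32(out[16:], r.Vmpl)
	binary.LittleEndian.PutUint32(out[20:], r.GuestSVN)
	binary.LittleEndian.PutUint64(out[24:], r.TCBVersion)
	return out
}

func main() {
	req := SnpDerivedKeyReq{UseVCEK: true, GuestFieldSelect: GuestFieldSelect{Measurement: true, GuestPolicy: true}, GuestSVN: 1, TCBVersion: 0x0300000000000002}
	state := GuestState{CurrentVmpl: 0, LaunchSVN: 1, CommittedTcb: 0x0300000000000002} // constructed values
	fmt.Println("validate:", req.Validate(state))
	fmt.Printf("MSG_KEY_REQ body: %x\n", req.ABI())
}
```

The inversion in ABI is the detail worth remembering: a caller who forgets to set UseVCEK gets a VMRK-rooted key, which is the conservative outcome the field comment is designed to produce, whereas a caller who sets it must decide, through GuestFieldSelect, what makes the key unique to the workload.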