Documentation
¶
Overview ¶
Package client provides an interface to the AMD SEV-SNP guest device commands.
Index ¶
- func GetDerivedKeyAcknowledgingItsLimitations(d Device, request *SnpDerivedKeyReq) (*labi.SnpDerivedKeyRespABI, error)
- func GetExtendedReport(d Device, reportData [64]byte) (*pb.Attestation, error)deprecated
- func GetExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Attestation, error)deprecated
- func GetQuoteProto(qp QuoteProvider, reportData [64]byte) (*pb.Attestation, error)
- func GetQuoteProtoAtLevel(qp LeveledQuoteProvider, reportData [64]byte, vmpl uint) (*pb.Attestation, error)
- func GetRawExtendedReport(d Device, reportData [64]byte) ([]byte, []byte, error)deprecated
- func GetRawExtendedReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, []byte, error)deprecated
- func GetRawReport(d Device, reportData [64]byte) ([]byte, error)deprecated
- func GetRawReportAtVmpl(d Device, reportData [64]byte, vmpl int) ([]byte, error)deprecated
- func GetReport(d Device, reportData [64]byte) (*pb.Report, error)deprecated
- func GetReportAtVmpl(d Device, reportData [64]byte, vmpl int) (*pb.Report, error)deprecated
- func UseDefaultSevGuest() bool
- type Device
- type GuestFieldSelect
- type LeveledQuoteProvider
- type LinuxConfigFsQuoteProvider
- func (p *LinuxConfigFsQuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)
- func (p *LinuxConfigFsQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, level uint) ([]uint8, error)
- func (p *LinuxConfigFsQuoteProvider) IsSupported() bool
- func (*LinuxConfigFsQuoteProvider) Product() *spb.SevProductdeprecated
- type LinuxDevice
- type LinuxIoctlQuoteProvider
- func (p *LinuxIoctlQuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)
- func (p *LinuxIoctlQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, level uint) ([]uint8, error)
- func (p *LinuxIoctlQuoteProvider) IsSupported() bool
- func (*LinuxIoctlQuoteProvider) Product() *spb.SevProductdeprecated
- type QuoteProvider
- type SnpDerivedKeyReq
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetDerivedKeyAcknowledgingItsLimitations ¶ added in v0.2.3
func GetDerivedKeyAcknowledgingItsLimitations(d Device, request *SnpDerivedKeyReq) (*labi.SnpDerivedKeyRespABI, error)
GetDerivedKeyAcknowledgingItsLimitations returns 32 bytes of key material that the AMD security processor derives from the given parameters. Security limitations of this command are described more in the project README.
func GetExtendedReport
deprecated
func GetExtendedReport(d Device, reportData [64]byte) (*pb.Attestation, error)
GetExtendedReport gets an extended attestation report at VMPL0 into a structured type.
Deprecated: Use GetQuoteProto.
func GetExtendedReportAtVmpl
deprecated
func GetQuoteProto ¶ added in v0.10.1
func GetQuoteProto(qp QuoteProvider, reportData [64]byte) (*pb.Attestation, error)
GetQuoteProto uses the given QuoteProvider to return the protobuf representation of an attestation report with cached certificate chain.
func GetQuoteProtoAtLevel ¶ added in v0.10.1
func GetQuoteProtoAtLevel(qp LeveledQuoteProvider, reportData [64]byte, vmpl uint) (*pb.Attestation, error)
GetQuoteProtoAtLevel uses the given LeveledQuoteProvider to return the protobuf representation of an attestation report at a given VMPL with cached certificate chain.
func GetRawExtendedReportAtVmpl
deprecated
func GetRawReport
deprecated
func UseDefaultSevGuest ¶ added in v0.4.0
func UseDefaultSevGuest() bool
UseDefaultSevGuest returns true iff -sev_guest_device_path=default.
Types ¶
type Device ¶
type Device interface {
// Open prepares the Device from the given path.
Open(path string) error
// Close releases the device resource.
Close() error
// Ioctl performs the given command with the given argument.
Ioctl(command uintptr, argument any) (uintptr, error)
// Product returns AMD SEV-related CPU information of the calling CPU.
Product() *pb.SevProduct
}
Device encapsulates the possible commands to the AMD SEV guest device.
type GuestFieldSelect ¶ added in v0.2.3
type GuestFieldSelect struct {
TCBVersion bool
GuestSVN bool
Measurement bool
FamilyID bool
ImageID bool
GuestPolicy bool
}
GuestFieldSelect represents which guest-provided information will be mixed into a derived key.
func (GuestFieldSelect) ABI ¶ added in v0.2.3
func (g GuestFieldSelect) ABI() uint64
ABI returns the SNP ABI-specified uint64 bitmask of guest field selection.
type LeveledQuoteProvider ¶ added in v0.10.0
type LeveledQuoteProvider interface {
// IsSupported returns whether the kernel supports this implementation.
IsSupported() bool
// GetRawQuote returns a raw report with the given privilege level.
GetRawQuoteAtLevel(reportData [64]byte, vmpl uint) ([]uint8, error)
// Product returns AMD SEV-related CPU information of the calling CPU.
//
// Deprecated: Use abi.ExtraPlatformInfoGUID in raw quote certificate table.
Product() *pb.SevProduct
}
LeveledQuoteProvider encapsulates calls to collect an extended attestation report at a given privilege level.
func GetLeveledQuoteProvider ¶ added in v0.10.0
func GetLeveledQuoteProvider() (LeveledQuoteProvider, error)
GetLeveledQuoteProvider returns a supported SEV-SNP LeveledQuoteProvider.
type LinuxConfigFsQuoteProvider ¶ added in v0.10.0
type LinuxConfigFsQuoteProvider struct{}
LinuxConfigFsQuoteProvider implements the QuoteProvider interface to fetch attestation quote via ConfigFS.
func (*LinuxConfigFsQuoteProvider) GetRawQuote ¶ added in v0.10.0
func (p *LinuxConfigFsQuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)
GetRawQuote returns byte format attestation plus certificate table via ConfigFS.
func (*LinuxConfigFsQuoteProvider) GetRawQuoteAtLevel ¶ added in v0.10.0
func (p *LinuxConfigFsQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, level uint) ([]uint8, error)
GetRawQuoteAtLevel returns byte format attestation plus certificate table via ConfigFS.
func (*LinuxConfigFsQuoteProvider) IsSupported ¶ added in v0.10.0
func (p *LinuxConfigFsQuoteProvider) IsSupported() bool
IsSupported checks if TSM client can be created to use ConfigFS system.
func (*LinuxConfigFsQuoteProvider) Product
deprecated
added in
v0.10.1
func (*LinuxConfigFsQuoteProvider) Product() *spb.SevProduct
Product returns the current CPU's associated AMD SEV product information.
Deprecated: Use ExtraPlatformInfoGUID from the cert table.
type LinuxDevice ¶
type LinuxDevice struct {
// contains filtered or unexported fields
}
LinuxDevice implements the Device interface with Linux ioctls.
func OpenDevice ¶
func OpenDevice() (*LinuxDevice, error)
OpenDevice opens the SEV-SNP guest device.
func (*LinuxDevice) Close ¶
func (d *LinuxDevice) Close() error
Close closes the SEV-SNP guest device.
func (*LinuxDevice) Ioctl ¶
func (d *LinuxDevice) Ioctl(command uintptr, req any) (uintptr, error)
Ioctl sends a command with its wrapped request and response values to the Linux device.
func (*LinuxDevice) Open ¶
func (d *LinuxDevice) Open(path string) error
Open opens the SEV-SNP guest device from a given path
func (*LinuxDevice) Product ¶ added in v0.7.1
func (d *LinuxDevice) Product() *spb.SevProduct
Product returns the current CPU's associated AMD SEV product information.
type LinuxIoctlQuoteProvider ¶ added in v0.10.0
type LinuxIoctlQuoteProvider struct{}
LinuxIoctlQuoteProvider implements the QuoteProvider interface to fetch attestation quote via the deprecated /dev/sev-guest ioctl.
func (*LinuxIoctlQuoteProvider) GetRawQuote ¶ added in v0.10.0
func (p *LinuxIoctlQuoteProvider) GetRawQuote(reportData [64]byte) ([]uint8, error)
GetRawQuote returns byte format attestation plus certificate table via /dev/sev-guest ioctl.
func (*LinuxIoctlQuoteProvider) GetRawQuoteAtLevel ¶ added in v0.10.0
func (p *LinuxIoctlQuoteProvider) GetRawQuoteAtLevel(reportData [64]byte, level uint) ([]uint8, error)
GetRawQuoteAtLevel returns byte format attestation plus certificate table via /dev/sev-guest ioctl.
func (*LinuxIoctlQuoteProvider) IsSupported ¶ added in v0.10.0
func (p *LinuxIoctlQuoteProvider) IsSupported() bool
IsSupported checks if TSM client can be created to use /dev/sev-guest ioctl.
func (*LinuxIoctlQuoteProvider) Product
deprecated
added in
v0.10.1
func (*LinuxIoctlQuoteProvider) Product() *spb.SevProduct
Product returns the current CPU's associated AMD SEV product information.
Deprecated: Use ExtraPlatformInfoGUID from the cert table.
type QuoteProvider ¶ added in v0.10.0
type QuoteProvider interface {
// IsSupported returns whether the kernel supports this implementation.
IsSupported() bool
// GetRawQuote returns a raw report with the default privilege level.
GetRawQuote(reportData [64]byte) ([]uint8, error)
// Product returns AMD SEV-related CPU information of the calling CPU.
//
// Deprecated: Use abi.ExtraPlatformInfoGUID in the raw quote certificate table.
Product() *pb.SevProduct
}
QuoteProvider encapsulates calls to collect an extended attestation report.
func GetQuoteProvider ¶ added in v0.10.0
func GetQuoteProvider() (QuoteProvider, error)
GetQuoteProvider returns a supported SEV-SNP QuoteProvider.
type SnpDerivedKeyReq ¶ added in v0.2.3
type SnpDerivedKeyReq struct {
// UseVCEK determines if the derived key will be based on VCEK or VMRK. This is opposite from the
// ABI's ROOT_KEY_SELECT to avoid accidentally making an unsafe choice in a multitenant
// environment.
UseVCEK bool
GuestFieldSelect GuestFieldSelect
// Vmpl to mix into the key. Must be greater than or equal to current Vmpl.
Vmpl uint32
// GuestSVN to mix into the key. Must be less than or equal to GuestSVN at launch.
GuestSVN uint32
// TCBVersion to mix into the key. Must be less than or equal to the CommittedTcb.
TCBVersion uint64
}
SnpDerivedKeyReq represents a request to the SEV guest device to derive a key from specified information.
Source Files
Directories