attest

package
v0.0.0-...-3739264 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 1, 2024 License: MIT Imports: 20 Imported by: 1

README

This package implements the Attest operation to fetch an attestation token from MAA. It interacts with the following Azure services:

  • Microsoft Azure Attestation (maa): for issuing an attestation token given an attestation report signed by a key that is rooted to the cert chain, and additional evidence including the blobs that have been hashed to the report's HOST_DATA and REPORT_DATA fields during virtual machine bringup and retrieval of the attestation report, respectively;

The attestation report is fetched from the platform security processor by executing the /tools/get-snp-report tool which is compiled and copied into the container's root filesystem under /bin.

Documentation

Index

Constants

View Source 
const (
	ATTESTATION_REPORT_SIZE = 1184 // Size of ATTESTATION_REPORT (Table 21)
	REPORT_DATA_SIZE        = 64   // Size of REPORT_DATA in ATTESTATION_REPORT
	REPORT_DATA_OFFSET      = 80   // Offset of REPORT_DATA in ATTESTATION_REPORT
	HOST_DATA_SIZE          = 32   // Size of HOST_DATA in ATTESTATION_REPORT
	HOST_DATA_OFFSET        = 192  // Offset of HOST_DATA in ATTESTATION_REPORT
	REPORTED_TCB_OFFSET     = 384
	REPORTED_TCB_SIZE       = 8
	CHIP_ID_OFFSET          = 416
	CHIP_ID_SIZE            = 64
	REPORT_REQ_SIZE         = 96   // Size of MSG_REPORT_REQ (Table 20)
	REPORT_RSP_SIZE         = 1280 // Size of MSG_REPORT_RSP (Table 23)
	PAYLOAD_SIZE            = 40   // Size of sev_snp_guest_request struct from sev-snp driver include/uapi/linux/psp-sev-guest.h
)
View Source 
const (
	MSG_REPORT_REQ = 5
	MSG_REPORT_RSP = 6
)

Message Type Encodings (Table 100)

View Source 
const (
	/*
		Size of the following struct in include/uapi/linux/sev-guest.h.
		It will have the conteints of MSG_REPORT_RSP (Table 23) in the first REPORT_RSP_SIZE bytes.
			typedef struct {
				// response data, see SEV-SNP spec for the format
				uint8_t  data[4000];
			} snp_report_resp;
	*/
	REPORT_RSP_CONTAINER_SIZE_6 = 4000

	// Size of snp_guest_request_ioctl
	PAYLOAD_SIZE_6 = 32
	// Value of SNP_GET_REPORT in sev-snp driver include/uapi/linux/sev-guest.h
	SNP_GET_REPORT_IOCTL_REQ_CODE_6 = 3223343872
)

Linux kernel 6.x specific values

View Source 
const (
	AzureCertCacheRequestURITemplate = "https://%s/%s/certificates/%s/%s?%s"
	AmdVCEKRequestURITemplate        = "https://%s/%s/%s?ucodeSPL=%d&snpSPL=%d&teeSPL=%d&blSPL=%d"
	AmdCertChainRequestURITemplate   = "https://%s/%s/cert_chain"
	LocalTHIMUriTemplate             = "http://%s" // To-Do update once we know what this looks like

)
View Source 
const (
	BlSplTcbmByteIndex    = 0
	TeeSplTcbmByteIndex   = 1
	TcbSpl_4TcbmByteIndex = 2
	TcbSpl_5TcbmByteIndex = 3
	TcbSpl_6TcbmByteIndex = 4
	TcbSpl_7TcbmByteIndex = 5
	SnpSplTcbmByteIndex   = 6
	UcodeSplTcbmByteIndex = 7
)
View Source 
const MaxResponseBodySize = 100 * 1024 * 1024 // 100MB
View Source 
const SNP_DEVICE_PATH_5 = "/dev/sev"
View Source 
const SNP_DEVICE_PATH_6 = "/dev/sev-guest"
View Source 
const (
	// Value of SEV_SNP_GUEST_MSG_REPORT in sev-snp driver include/uapi/linux/psp-sev-guest.h
	SNP_GET_REPORT_IOCTL_REQ_CODE_5 = 3223868161
)

Variables

This section is empty.

Functions

func GenerateMAAHostData 

func GenerateMAAHostData(inputBytes []byte) [HOST_DATA_SIZE]byte

Takes bytes and generate host data that UVM creates at launch of SNP VM (SHA256 hash of arbitrary data). It's only useful to create fake attestation report

func GenerateMAAReportData 

func GenerateMAAReportData(inputBytes []byte) [REPORT_DATA_SIZE]byte

Takes bytes and generate report data that MAA expects (SHA256 hash of arbitrary data).

func GetVCEKFromCertChain 

func GetVCEKFromCertChain(certChain []byte) (*x509.Certificate, error)

parses the cached CertChain and returns the VCEK leaf certificate Subject of the (x509) VCEK certificate (CN=SEV-VCEK)

func IsSNPVM 

func IsSNPVM() bool

func IsSNPVM5 

func IsSNPVM5() bool

Check if the code is being run in SNP VM for Linux kernel version 5.x.

func IsSNPVM6 

func IsSNPVM6() bool

Check if the code is being run in SNP VM for Linux kernel version 6.x.

func ParseVCEK 

func ParseVCEK(certChain []byte) (uint64, error)

parses the VCEK certificate to return the TCB version fields reprocessed back into a uint64 to compare against the `ReportedTCB` in the fetched attestation report

Types

type AttestationReportFetcher 

type AttestationReportFetcher interface {
	// Fetches attestation report as []byte.
	// reportData is guest-provided data defined in SEV-SNP Firmware ABI Specification.
	FetchAttestationReportByte(reportData [REPORT_DATA_SIZE]byte) ([]byte, error)
	// Fetches attestation report as hex.
	// reportData is guest-provided data defined in SEV-SNP Firmware ABI Specification.
	FetchAttestationReportHex(reportData [REPORT_DATA_SIZE]byte) (string, error)
}

func NewAttestationReportFetcher 

func NewAttestationReportFetcher() (AttestationReportFetcher, error)

func NewAttestationReportFetcher5 

func NewAttestationReportFetcher5() AttestationReportFetcher

func NewAttestationReportFetcher6 

func NewAttestationReportFetcher6() AttestationReportFetcher

func UnsafeNewFakeAttestationReportFetcher 

func UnsafeNewFakeAttestationReportFetcher(hostDataBytes [HOST_DATA_SIZE]byte) AttestationReportFetcher

Not SECURE. It returns fake attestation report. hostDataBytes is data provided by the hypervisor at launch defined in SEV-SNP Firmware ABI Specification. In real SNP VMs, hostDataBytes is provided by the hypervisor.

type CertFetcher 

type CertFetcher struct {
	EndpointType string `json:"endpoint_type"` // AMD, AzCache, LocalTHIM
	Endpoint     string `json:"endpoint"`
	TEEType      string `json:"tee_type,omitempty"`
	APIVersion   string `json:"api_version,omitempty"`
}

CertFetcher contains information about the certificate cache service that provides access to the certificate chain required upon attestation

func DefaultAMDMilanCertFetcherNew 

func DefaultAMDMilanCertFetcherNew() CertFetcher

Creates default AMD CertFetcher instance for Milan

func DefaultAzureCertFetcherNew 

func DefaultAzureCertFetcherNew() CertFetcher

Creates default Azure CertFetcher instance for SEV-SNP

func (CertFetcher) GetCertChain 

func (certFetcher CertFetcher) GetCertChain(chipID string, reportedTCB uint64) ([]byte, uint64, error)

Fetches platform certificates of SEV-SNP VM.

The certificates are concatenation of VCEK, ASK, and ARK certificates (PEM format, in that order). https://www.amd.com/en/support/tech-docs/versioned-chip-endorsement-key-vcek-certificate-and-kds-interface-specification

It also returns TCB as uint64 (useful only when "LocalTHIM" is used for EndpointType).

func (CertFetcher) GetThimCerts 

func (certFetcher CertFetcher) GetThimCerts(uri string) (*common.THIMCerts, error)

type CertState 

type CertState struct {
	CertFetcher CertFetcher `json:"cert_cache"`
	Tcbm        uint64      `json:"tcbm"`
}

CertState contains information about the certificate cache service that provides access to the certificate chain required upon attestation

func (*CertState) Attest 

func (certState *CertState) Attest(maa common.MAA, runtimeDataBytes []byte, uvmInformation common.UvmInformation) (string, error)

Attest interacts with maa services to fetch an MAA token MAA expects four attributes: (A) the attestation report signed by the PSP signing key (B) a certificate chain that endorses the signing key of the attestation report (C) reference information that provides evidence that the UVM image is genuine. (D) inittime data: this is the policy blob that has been hashed by the host OS during the utility 

VM bringup and has been reported by the PSP in the attestation report as HOST DATA

(E) runtime data: for example it may be a wrapping key blob that has been hashed during the attestation report 

retrieval and has been reported by the PSP in the attestation report as REPORT DATA

Note that it uses fake attestation report if it's not running inside SNP VM

func (*CertState) RefreshCertChain 

func (certState *CertState) RefreshCertChain(SNPReport SNPAttestationReport) ([]byte, error)

type SNPAttestationReport 

type SNPAttestationReport struct {
	// version no. of this attestation report. Set to 1 for this specification.
	Version uint32 `json:"version"`
	// The guest SVN
	GuestSvn uint32 `json:"guest_svn"`
	// see table 8 - various settings
	Policy uint64 `json:"policy"`
	// as provided at launch    hex string of a 16-byte integer
	FamilyID string `json:"family_id"`
	// as provided at launch 	hex string of a 16-byte integer
	ImageID string `json:"image_id"`
	// the request VMPL for the attestation report
	VMPL          uint32 `json:"vmpl"`
	SignatureAlgo uint32 `json:"signature_algo"`
	// The install version of the firmware
	PlatformVersion uint64 `json:"platform_version"`
	// information about the platform see table 22
	PlatformInfo uint64 `json:"platform_info"`
	// 31 bits of reserved, must be zero, bottom bit indicates that the digest of the author key is present in AUTHOR_KEY_DIGEST. Set to the value of GCTX.AuthorKeyEn.
	AuthorKeyEn uint32 `json:"author_key_en"`
	// must be zero
	Reserved1 uint32 `json:"reserved1"`
	// Guest provided data.	64-byte
	ReportData string `json:"report_data"`
	// measurement calculated at launch 48-byte
	Measurement string `json:"measurement"`
	// data provided by the hypervisor at launch 32-byte
	HostData string `json:"host_data"`
	// SHA-384 digest of the ID public key that signed the ID block provided in SNP_LAUNCH_FINISH 48-byte
	IDKeyDigest string `json:"id_key_digest"`
	// SHA-384 digest of the Author public key that certified the ID key, if provided in SNP_LAUNCH_FINISH. Zeros if author_key_en is 1 (sounds backwards to me). 48-byte
	AuthorKeyDigest string `json:"author_key_digest"`
	// Report ID of this guest. 32-byte
	ReportID string `json:"report_id"`
	// Report ID of this guest's mmigration agent. 32-byte
	ReportIDMA string `json:"report_id_ma"`
	// Reported TCB version used to derive the VCEK that signed this report
	ReportedTCB uint64 `json:"reported_tcb"`
	// reserved 24-byte
	Reserved2 string `json:"reserved2"`
	// Identifier unique to the chip 64-byte
	ChipID string `json:"chip_id"`
	// The current commited SVN of the firware (version 2 report feature)
	CommittedSvn uint64 `json:"committed_svn"`
	// The current commited version of the firware
	CommittedVersion uint64 `json:"committed_version"`
	// The SVN that this guest was launched or migrated at
	LaunchSvn uint64 `json:"launch_svn"`
	// reserved 168-byte
	Reserved3 string `json:"reserved3"`
	// Signature of this attestation report. See table 23. 512-byte
	Signature string `json:"signature"`
}

func (*SNPAttestationReport) DeserializeReport 

func (r *SNPAttestationReport) DeserializeReport(report []uint8) error

func (*SNPAttestationReport) SerializeReport 

func (r *SNPAttestationReport) SerializeReport() (report []uint8, err error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.