Implement the attestation report feature #69
Commits on Oct 29, 2023
$ make V=1
or
$ make V=2

These can be used to easily build targets in verbose mode. That can be helpful for debugging. Currently we support V=1 or V=2 (the biggest is the most verbose).

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit 877befc
sev/ghcb: Add guest_request() and guest_ext_request()
Both functions are used to send SNP_GUEST_REQUEST messages to the PSP, but the guest_ext_request() includes an extended request to the hypervisor. More information can be found in the AMD GHCB specification.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit 5c9706e
sev/secrets_page: Export the VMPCK size
Export the VMPCK size to be used in other crates.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit d658c55
crypto: Add SVSM kernel crypto API
Add a generic interface for AES-256 GCM encryption and decryption. They are both required for requesting an attestation report.

With this interface we should be able to keep the crypto code isolated in crates and also easily choose which crypto implementation should be compiled-in.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit 2bdb8ce
Commits on Nov 6, 2023
crypto: Add RustCrypto-based implementation
Add a RustCrypto-based implementation for the SVSM Aes256GCM trait.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit 4a25564
Commits on Nov 8, 2023
greq: Add SnpGuestRequestMsg and SnpGuestRequestExtData
These structures are used in the SNP_GUEST_REQUEST communication between the guest and the PSP; their implementation follows the AMD SEV-SNP specification, chapter 7.

The SnpGuestRequestMsg is used to carry a SNP_GUEST_REQUEST command or response in the payload, which is encrypted using AES-256 GCM. This message can't be tampered with by the hypervisor because only the PSP and the guest have access to the key to decrypt the payload.

An extended SNP_GUEST_REQUEST command also requests data from the hypervisor; in this case, the SnpGuestRequestExtData is also provided. The hypervisor will use it to store the requested data.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit 9211b4f
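The message described in the commit above has a clear-text header in front of the AES-256 GCM payload. The following added example, which is not code from this pull request, parses that header and applies the checks a guest makes on a response before decrypting it. The offsets are those of the SNP_GUEST_REQUEST message header in the SEV-SNP ABI specification, every Rust name is hypothetical, and the sample pages are constructed.

```rust
// Added illustration, not the PR's code; offsets per the SEV-SNP ABI spec, names hypothetical.
const HDR_SIZE: usize = 0x60; // clear-text header; the encrypted payload follows it
const MAX_PAYLOAD: usize = 4000; // payload area of the 4 KiB message page
#[derive(Debug, PartialEq)]
pub enum HdrError { Short, Algo, Version, HdrSize, PayloadSize, Vmpck, Seqno, MsgType }
#[derive(Debug, PartialEq)]
pub struct Hdr { pub seqno: u64, pub msg_type: u8, pub msg_version: u8, pub msg_size: u16, pub vmpck: u8 }

/// Parse and sanity-check a header: 0x00..0x20 is the GCM tag, 0x30..0x60 the AAD.
pub fn parse_hdr(page: &[u8]) -> Result<Hdr, HdrError> {
    if page.len() < HDR_SIZE { return Err(HdrError::Short); }
    let u16_at = |o: usize| u16::from_le_bytes([page[o], page[o + 1]]);
    if page[0x30] != 1 { return Err(HdrError::Algo); } // 1 = AES-256-GCM
    if page[0x31] != 1 { return Err(HdrError::Version); } // header version
    if u16_at(0x32) as usize != HDR_SIZE { return Err(HdrError::HdrSize); }
    let (msg_size, vmpck) = (u16_at(0x36), page[0x3c]);
    if msg_size as usize > MAX_PAYLOAD.min(page.len() - HDR_SIZE) { return Err(HdrError::PayloadSize); }
    if vmpck > 3 { return Err(HdrError::Vmpck); } // VMPCK0..VMPCK3
    let seqno = page[0x20..0x28].iter().rev().fold(0u64, |v, &b| (v << 8) | b as u64); // little-endian
    Ok(Hdr { seqno, msg_type: page[0x34], msg_version: page[0x35], msg_size, vmpck })
}

/// 96-bit GCM IV: the 64-bit message sequence number, zero-padded.
pub fn gcm_iv(h: &Hdr) -> [u8; 12] {
    let s = h.seqno.to_le_bytes();
    [s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7], 0, 0, 0, 0]
}

/// A response must carry the request's sequence number + 1, message type + 1, same version.
pub fn check_response(req: &Hdr, rsp: &Hdr) -> Result<(), HdrError> {
    if Some(rsp.seqno) != req.seqno.checked_add(1) { return Err(HdrError::Seqno); }
    if Some(rsp.msg_type) != req.msg_type.checked_add(1) { return Err(HdrError::MsgType); }
    if rsp.msg_version != req.msg_version { return Err(HdrError::Version); }
    Ok(())
}

/// Constructed sample page: valid header fields, zeroed tag and payload.
pub fn sample_page(seqno: u64, msg_type: u8, msg_size: u16) -> Vec<u8> {
    let mut p = vec![0u8; 4096];
    p[0x20..0x28].copy_from_slice(&seqno.to_le_bytes());
    p[0x30..0x36].copy_from_slice(&[1, 1, HDR_SIZE as u8, 0, msg_type, 1]); // algo, ver, hdr_sz, type, msg ver
    p[0x36..0x38].copy_from_slice(&msg_size.to_le_bytes());
    p
}

fn main() {
    // Constructed exchange: message type 5 = report request, 6 = report response.
    let (req, rsp) = (parse_hdr(&sample_page(1, 5, 96)).unwrap(), parse_hdr(&sample_page(2, 6, 1216)).unwrap());
    println!("{:?} iv={:?}", check_response(&req, &rsp), gcm_iv(&req));
}
```

These checks only reject malformed or replayed headers early; integrity still rests on the GCM tag verifying under the VMPCK.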
greq: Add SnpGuestRequestDriver
Add a driver to send SNP_GUEST_REQUEST commands to the PSP. The command can be any of the request or response command types defined in the SEV-SNP spec, regardless if it's a regular or an extended command.

The send_regular_guest_request() and send_extended_guest_request() functions can be used to send regular and extended commands, respectively. guest_request_driver_init() is used to initialize the static driver instance.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit c491656
svsm: Call disable_vmpck0() in the panic handler
The panic handler is called when the SVSM state is not reliable any more. Disable the VMPCK0 key to prevent it from being exploited.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit 228e9f6
greq: Add attestation report support
Add get_regular_report() and get_extended_report(). They both call the SNP_GUEST_REQUEST driver to request a VMPL0 attestation report; the difference is that get_extended_report() also requests the SEV-SNP certificates needed to verify the attestation report.

The get_extended_report() function will return an empty buffer if the SEV-SNP certificates were not imported yet, but they can be imported from the host using the GitHub virtee/snphost project:

$ snphost import <PEM-files-directory>

For testing purposes, if you import PEM files that contain some random data, you should be able to see the same random data when you call get_extended_report() from the SVSM.

Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Commit fffd826