From 29c0553cb242bd2ed22fbadb645e8f7521f65abc Mon Sep 17 00:00:00 2001 From: Larry Dewey Date: Thu, 29 Jun 2023 10:58:27 -0500 Subject: [PATCH] WIP: SEV: Adding missing functionality Adding a command to perform offline Legacy SEV attestation. Signed-off-by: Larry Dewey --- Cargo.lock | 276 ++++++++++++++++++++---------------------------- Cargo.toml | 3 +- src/main.rs | 78 ++++++++++---- src/session.rs | 2 +- src/validate.rs | 38 +++++++ 5 files changed, 213 insertions(+), 184 deletions(-) create mode 100644 src/validate.rs diff --git a/Cargo.lock b/Cargo.lock index 9c72ed6..5f6516b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "aho-corasick" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67fc08ce920c31afb70f013dcce1bfc3a3195de6a228474e45e1f145b36f8d04" +checksum = "43f6cb1bf222025340178f382c426f13757b2960e89779dfcb319c32542a5a41" dependencies = [ "memchr", ] @@ -37,6 +37,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "autocfg" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" + [[package]] name = "base64" version = "0.13.1" @@ -127,22 +133,23 @@ checksum = "e496a50fda8aacccc86d7529e2c1e0892dbd0f898a6b5645b5561b89c3210efa" [[package]] name = "dirs" -version = "4.0.0" +version = "5.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca3aa72a6f96ea37bbc5aa912f6788242832f75369bdfdadcb0e38423f100059" +checksum = "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225" dependencies = [ "dirs-sys", ] [[package]] name = "dirs-sys" -version = "0.3.7" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b1d1d91c932ef41c0f2663aa8b0ca0342d444d842c06914aa0a7e352d0bada6" +checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" dependencies = [ "libc", + "option-ext", "redox_users", - "winapi", + "windows-sys", ] [[package]] @@ -166,7 +173,7 @@ checksum = "4bcfec3a70f97c962c307b2d2c56e358cf1d00b558d74262b5f929ee8cc7e73a" dependencies = [ "errno-dragonfly", "libc", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -214,9 +221,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.9" +version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4" +checksum = "be4136b2a15dd319360be1c07d9933517ccf0be8f16bf62a3bee4f0d618df427" dependencies = [ "cfg-if", "libc", @@ -243,9 +250,15 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.3.1" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "443144c8cdadd93ebf52ddb4056d257f5b52c04d3c804e657d19eb73fc33668b" + +[[package]] +name = "hex" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fed44880c466736ef9a5c5b5facefb5ed0785676d0c02d612db14e54f0d84286" +checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] name = "httparse" @@ -280,13 +293,13 @@ dependencies = [ [[package]] name = "io-lifetimes" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c66c74d2ae7e79a5a8f7ac924adbe38ee42a859c6539ad869eb51f0b52dc220" +checksum = "eae7b9aee968036d54dce06cebaefd919e4472e753296daccd6d344e3e2df0c2" dependencies = [ - "hermit-abi 0.3.1", + "hermit-abi 0.3.2", "libc", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -297,9 +310,9 @@ checksum = "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" [[package]] name = "itoa" -version = "1.0.6" +version = "1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" +checksum = "62b02a5381cc465bd3041d84623d0fa3b66738b52b8e2fc3bab8ad63ab032f4a" [[package]] name = "kvm-bindings" @@ -312,9 +325,9 @@ dependencies = [ [[package]] name = "kvm-ioctls" -version = "0.13.0" +version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8f8dc9c1896e5f144ec5d07169bc29f39a047686d29585a91f30489abfaeb6b" +checksum = "436246b230532c94ec619332e820e31518dac7943cf848b052e618467a7ede8a" dependencies = [ "kvm-bindings", "libc", @@ -329,9 +342,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.144" +version = "0.2.147" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b00cc1c228a6782d0f076e7b232802e0c5689d41bb5df366f2a6b6621cfdfe1" +checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" [[package]] name = "linux-raw-sys" @@ -377,9 +390,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.17.1" +version = "1.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" +checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" @@ -404,7 +417,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.23", ] [[package]] @@ -415,9 +428,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-src" -version = "111.25.3+1.1.1t" +version = "111.26.0+1.1.1u" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "924757a6a226bf60da5f7dd0311a34d2b52283dd82ddeb103208ddc66362f80c" +checksum = "efc62c9f12b22b8f5208c23a7200a442b2e5999f8bdf80233852122b5a4f6f37" dependencies = [ "cc", ] @@ -435,6 +448,12 @@ dependencies = [ "vcpkg", ] +[[package]] +name = "option-ext" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" + [[package]] name = "percent-encoding" version = "2.3.0" @@ -482,9 +501,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.27" +version = "1.0.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f4f29d145265ec1c483c7c654450edde0bfe043d3938d6972630663356d9500" +checksum = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105" dependencies = [ "proc-macro2", ] @@ -520,9 +539,21 @@ dependencies = [ [[package]] name = "regex" -version = "1.8.2" +version = "1.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1a59b5d8e97dee33696bf13c5ba8ab85341c002922fba050069326b9c498974" +checksum = "b2eae68fc220f7cf2532e4494aded17545fce192d59cd996e0fe7887f4ceb575" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e9aaecc05d5c4b5f7da074b9a0d1a0867e71fd36e7fc0482d8bcfe8e8fc56290" dependencies = [ "aho-corasick", "memchr", @@ -531,37 +562,37 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.7.2" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "436b050e76ed2903236f032a59761c1eb99e1b0aead2c257922771dab1fc8c78" +checksum = "2ab07dc67230e4a4718e70fd5c20055a4334b121f1f9db8fe63ef39ce9b8c846" [[package]] name = "rustix" -version = "0.37.19" +version = "0.37.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acf8729d8542766f1b2cf77eb034d52f40d375bb8b615d0b147089946e16613d" +checksum = "4d69718bf81c6127a49dc64e44a742e8bb9213c0ff8869a22c308f84c1d4ab06" dependencies = [ "bitflags", "errno", "io-lifetimes", "libc", "linux-raw-sys", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] name = "ryu" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041" +checksum = "fe232bdf6be8c8de797b22184ee71118d63780ea42ac85b61d1baa6d3b782ae9" [[package]] name = "schannel" -version = "0.1.21" +version = "0.1.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "713cfb06c7059f3588fb8044c0fad1d09e3c01d225e25b9220dbfdcf16dbb1b3" +checksum = "0c3733bf4cf7ea0880754e19cb5a462007c4a8c1914bff372ccc95b464f1df88" dependencies = [ - "windows-sys 0.42.0", + "windows-sys", ] [[package]] @@ -589,47 +620,47 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.163" +version = "1.0.167" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2113ab51b87a539ae008b5c6c02dc020ffa39afd2d83cffcb3f4eb2722cebec2" +checksum = "7daf513456463b42aa1d94cff7e0c24d682b429f020b9afa4f5ba5c40a22b237" dependencies = [ "serde_derive", ] [[package]] name = "serde-big-array" -version = "0.4.1" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3323f09a748af288c3dc2474ea6803ee81f118321775bffa3ac8f7e65c5e90e7" +checksum = "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" dependencies = [ "serde", ] [[package]] name = "serde_bytes" -version = "0.11.9" +version = "0.11.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "416bda436f9aab92e02c8e10d49a15ddd339cea90b6e340fe51ed97abb548294" +checksum = "5a16be4fe5320ade08736447e3198294a5ea9a6d44dde6f35f0a5e06859c427a" dependencies = [ "serde", ] [[package]] name = "serde_derive" -version = "1.0.163" +version = "1.0.167" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c805777e3930c8883389c602315a24224bcc738b63905ef87cd1420353ea93e" +checksum = "b69b106b68bc8054f0e974e70d19984040f8a5cf9215ca82626ea4853f82c4b9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.23", ] [[package]] name = "serde_json" -version = "1.0.96" +version = "1.0.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "057d394a50403bcac12672b2b18fb387ab6d289d957dab67dd201875391e52f1" +checksum = "0f1e14e89be7aa4c4b78bdbdc9eb5bf8517829a600ae8eaa39a6e1d960b5185c" dependencies = [ "itoa", "ryu", @@ -638,15 +669,15 @@ dependencies = [ [[package]] name = "sev" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8c8ec2a5131be61bba9ffad92aead45bd27805c9701d265b7196d4914299b98" +version = "1.2.0" +source = "git+https://github.com/virtee/sev#5958ac577e3dd4d7cb05065fcd562460bdbd0f72" dependencies = [ "bincode", "bitfield 0.13.2", "bitflags", "codicon", "dirs", + "hex", "iocuddle", "kvm-ioctls", "openssl", @@ -659,7 +690,7 @@ dependencies = [ [[package]] name = "sevctl" -version = "0.4.0" +version = "0.4.1" dependencies = [ "anyhow", "base64", @@ -733,9 +764,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.16" +version = "2.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a6f671d4b5ffdb8eadec19c0ae67fe2639df8684bd7bc4b83d986b8db549cf01" +checksum = "59fb7d6d8281a51045d62b8eb3a7d1ce347b76f312af50cd3dc0af39c87c1737" dependencies = [ "proc-macro2", "quote", @@ -744,15 +775,16 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.5.0" +version = "3.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9fbec84f381d5795b08656e4912bec604d162bff9291d6189a78f4c8ab87998" +checksum = "31c0432476357e58790aaa47a8efb0c5138f137343f3b5f23bd36a27e3b0a6d6" dependencies = [ + "autocfg", "cfg-if", "fastrand", "redox_syscall 0.3.5", "rustix", - "windows-sys 0.45.0", + "windows-sys", ] [[package]] @@ -775,22 +807,22 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.40" +version = "1.0.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "978c9a314bd8dc99be594bc3c175faaa9794be04a5a5e153caba6915336cebac" +checksum = "a35fc5b8971143ca348fa6df4f024d4d55264f3468c71ad1c2f365b0a4d58c42" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.40" +version = "1.0.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9456a42c5b0d803c8cd86e73dd7cc9edd429499f37a3550d286d5e86720569f" +checksum = "463fe12d7993d3b327787537ce8dd4dfa058de32fc2b195ef3cde03dc4771e8f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.23", ] [[package]] @@ -816,9 +848,9 @@ checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" [[package]] name = "unicode-ident" -version = "1.0.8" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" +checksum = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73" [[package]] name = "unicode-normalization" @@ -854,9 +886,12 @@ dependencies = [ [[package]] name = "uuid" -version = "1.3.3" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "345444e32442451b267fc254ae85a209c64be56d2890e601a0c37ff0c3c5ecd2" +checksum = "d023da39d1fde5a8a3fe1f3e01ca9632ada0a63e9797de55a879d6e2236277be" +dependencies = [ + "serde", +] [[package]] name = "vcpkg" @@ -923,147 +958,66 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" -[[package]] -name = "windows-sys" -version = "0.42.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7" -dependencies = [ - "windows_aarch64_gnullvm 0.42.2", - "windows_aarch64_msvc 0.42.2", - "windows_i686_gnu 0.42.2", - "windows_i686_msvc 0.42.2", - "windows_x86_64_gnu 0.42.2", - "windows_x86_64_gnullvm 0.42.2", - "windows_x86_64_msvc 0.42.2", -] - -[[package]] -name = "windows-sys" -version = "0.45.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" -dependencies = [ - "windows-targets 0.42.2", -] - [[package]] name = "windows-sys" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" dependencies = [ - "windows-targets 0.48.0", -] - -[[package]] -name = "windows-targets" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" -dependencies = [ - "windows_aarch64_gnullvm 0.42.2", - "windows_aarch64_msvc 0.42.2", - "windows_i686_gnu 0.42.2", - "windows_i686_msvc 0.42.2", - "windows_x86_64_gnu 0.42.2", - "windows_x86_64_gnullvm 0.42.2", - "windows_x86_64_msvc 0.42.2", + "windows-targets", ] [[package]] name = "windows-targets" -version = "0.48.0" +version = "0.48.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5" +checksum = "05d4b17490f70499f20b9e791dcf6a299785ce8af4d709018206dc5b4953e95f" dependencies = [ - "windows_aarch64_gnullvm 0.48.0", - "windows_aarch64_msvc 0.48.0", - "windows_i686_gnu 0.48.0", - "windows_i686_msvc 0.48.0", - "windows_x86_64_gnu 0.48.0", - "windows_x86_64_gnullvm 0.48.0", - "windows_x86_64_msvc 0.48.0", + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", ] -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" - [[package]] name = "windows_aarch64_gnullvm" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" -[[package]] -name = "windows_aarch64_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" - [[package]] name = "windows_aarch64_msvc" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" -[[package]] -name = "windows_i686_gnu" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" - [[package]] name = "windows_i686_gnu" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" -[[package]] -name = "windows_i686_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" - [[package]] name = "windows_i686_msvc" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" -[[package]] -name = "windows_x86_64_gnu" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" - [[package]] name = "windows_x86_64_gnu" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" - [[package]] name = "windows_x86_64_gnullvm" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" -[[package]] -name = "windows_x86_64_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" - [[package]] name = "windows_x86_64_msvc" version = "0.48.0" diff --git a/Cargo.toml b/Cargo.toml index 514b711..9f018a7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -22,7 +22,8 @@ is-it-maintained-issue-resolution = { repository = "virtee/sevctl" } is-it-maintained-open-issues = { repository = "virtee/sevctl" } [dependencies] -sev = { version = "1.1.0", features = ["openssl"] } +sev = { git="https://github.com/virtee/sev", features = ["openssl"] } +#sev = { path="../virtee-sev", features = ["openssl"] } serde = { version = "1.0", features = ["derive"] } # serde_json is just for the example, not required in general serde_json = "1.0" diff --git a/src/main.rs b/src/main.rs index 23dc86d..1a6bc57 100644 --- a/src/main.rs +++ b/src/main.rs @@ -7,6 +7,7 @@ mod measurement; mod ok; mod secret; mod session; +mod validate; mod vmsa; use anyhow::{Context, Result}; @@ -15,12 +16,22 @@ use structopt::StructOpt; use codicon::*; -use ::sev::certs::*; -use ::sev::firmware::host::{ - types::{PlatformStatusFlags, SnpStatus, Status}, - Firmware, +// use ::sev::certs::{*, sev::{sev::{Certificate, Usage}, ca, Chain}}; +// use ::sev::firmware::host::{Firmware, PlatformStatusFlags, SnpPlatformStatus, Status}; +// use ::sev::Generation; + +use ::sev::{ + Generation, + certs::sev::Chain as CertSevChain, + certs::sev::ca::Chain as CertSevCaChain, + certs::sev::{Usage, sev::{Certificate, Chain, Usage as SevUsage}}, + firmware::host::{ + Firmware, + Status, + SnpPlatformStatus, + PlatformStatusFlags + } }; -use ::sev::Generation; use std::fs::File; use std::io; @@ -126,6 +137,25 @@ enum SevctlCmd { ca: Option, }, + #[structopt(about = "Validate subcommands")] + Validate { + #[structopt( + parse(from_os_str), + short = "-p", + long = "--pek", + help = "PEK file path" + )] + pek_path: PathBuf, + + #[structopt( + parse(from_os_str), + short = "-a", + long = "--attestation-report", + help = "Attestation Report file path" + )] + ar_path: PathBuf, + }, + #[structopt(about = "VMSA-related subcommands")] Vmsa(VmsaCmd), @@ -136,13 +166,13 @@ enum SevctlCmd { Secret(secret::SecretCmd), } -fn download(url: &str, usage: Usage) -> Result { +fn download(url: &str, usage: Usage) -> Result { let mut err_stack = vec![]; for attempt in 1..4 { match http::get(url) { Ok(rsp) => { - return sev::Certificate::decode(rsp.into_reader(), ()) + return Certificate::decode(rsp.into_reader(), ()) .context(format!("failed to decode {} certificate", usage)) } Err(http::Error::Status(_, rsp)) => { @@ -174,7 +204,7 @@ fn download(url: &str, usage: Usage) -> Result { .context(format!("final http request failed: {}", e)) })?; - sev::Certificate::decode(rsp.into_reader(), ()) + Certificate::decode(rsp.into_reader(), ()) .context(format!("failed to decode {} certificate", usage)) } @@ -189,14 +219,14 @@ fn platform_status() -> Result { .context("unable to fetch platform status") } -fn snp_platform_status() -> Result { +fn snp_platform_status() -> Result { firmware()? .snp_platform_status() .map_err(|e| anyhow::anyhow!(format!("{:?}", e))) .context("unable to fetch snp platform status") } -fn chain() -> Result { +fn chain() -> Result { const CEK_SVC: &str = "https://kdsintf.amd.com/cek/id"; let mut chain = firmware()? @@ -215,7 +245,7 @@ fn chain() -> Result { Ok(chain) } -fn ca_chain_builtin(chain: &sev::Chain) -> Result { +fn ca_chain_builtin(chain: &Chain) -> Result { use std::convert::TryFrom; Generation::try_from(chain) @@ -244,6 +274,7 @@ fn main() -> Result<()> { SevctlCmd::Session { name, pdh, policy } => session::cmd(name, pdh, policy), SevctlCmd::Show { cmd } => show::cmd(cmd), SevctlCmd::Verify { sev, oca, ca } => verify::cmd(sevctl.quiet, sev, oca, ca), + SevctlCmd::Validate { pek_path, ar_path } => validate::cmd(pek_path, ar_path), SevctlCmd::Vmsa(option) => match option { VmsaCmd::Build(args) => vmsa::build::cmd(args), VmsaCmd::Show(args) => vmsa::show::cmd(args), @@ -317,7 +348,7 @@ mod show { .context("error fetching identifier")?; let snp_status = snp_platform_status()?; println!("https://kdsintf.amd.com/vcek/v1/Milan/{}?blSPL={:02}&teeSPL={:02}&snpSPL={:02}&ucodeSPL={:02}", - id, snp_status.tcb.platform_version.bootloader, snp_status.tcb.platform_version.tee, snp_status.tcb.platform_version.snp, snp_status.tcb.platform_version.microcode); + id, snp_status.reported_tcb_version.bootloader, snp_status.reported_tcb_version.tee, snp_status.reported_tcb_version.snp, snp_status.reported_tcb_version.microcode); } Show::Flags => { for f in [ @@ -352,7 +383,7 @@ mod export { let mut out = std::io::Cursor::new(Vec::new()); if full { - let full_chain = Chain { + let full_chain = CertSevChain { ca: ca_chain_builtin(&chain)?, sev: chain, }; @@ -378,6 +409,7 @@ mod export { mod verify { use super::*; use colorful::*; + use ::sev::certs::sev::Verifiable; use std::convert::TryInto; use std::fmt::Display; @@ -397,7 +429,7 @@ mod verify { if let Some(filename) = oca { let mut file = File::open(filename).context("unable to open OCA certificate file")?; - schain.oca = sev::Certificate::decode(&mut file, ()).context("unable to decode OCA")?; + schain.oca = Certificate::decode(&mut file, ()).context("unable to decode OCA")?; } if !quiet { @@ -458,29 +490,30 @@ mod verify { } } - fn sev_chain(filename: Option) -> Result { + fn sev_chain(filename: Option) -> Result { Ok(match filename { None => chain()?, Some(f) => { let mut file = File::open(f).context("unable to open SEV certificate chain file")?; - sev::Chain::decode(&mut file, ()).context("unable to decode chain")? + Chain::decode(&mut file, ()).context("unable to decode chain")? } }) } - fn ca_chain(filename: PathBuf) -> Result { + fn ca_chain(filename: PathBuf) -> Result { let mut file = File::open(filename).context("unable to open CA certificate chain file")?; - ca::Chain::decode(&mut file, ()).context("unable to decode chain") + CertSevCaChain::decode(&mut file, ()).context("unable to decode chain") } } mod generate { use super::*; + use ::sev::certs::sev::Signer; pub fn cmd(oca_path: PathBuf, key_path: PathBuf) -> Result<()> { - let (mut oca, prv) = sev::Certificate::generate(sev::Usage::OCA) + let (mut oca, prv) = Certificate::generate(SevUsage::OCA) .context("unable to generate OCA key pair")?; prv.sign(&mut oca).context("key signing failed")?; @@ -512,6 +545,9 @@ mod rotate { } mod provision { + use ::sev::certs::sev::PrivateKey; + use ::sev::certs::sev::Signer; + use super::*; pub fn cmd(oca_path: PathBuf, prv_key_path: PathBuf) -> Result<()> { @@ -519,13 +555,13 @@ mod provision { let cert = File::open(oca_path.clone()) .context(format!("failed to open {}", oca_path.display())) .and_then(|mut f| { - sev::Certificate::decode(&mut f, ()).context("failed to decode OCA") + Certificate::decode(&mut f, ()).context("failed to decode OCA") })?; let prv_key = File::open(prv_key_path.clone()) .context(format!("failed to open {}", prv_key_path.display())) .and_then(|mut f| { - PrivateKey::::decode(&mut f, &cert) + PrivateKey::::decode(&mut f, &cert) .context("failed to decode OCA private key") })?; diff --git a/src/session.rs b/src/session.rs index 753f8ad..09722d7 100644 --- a/src/session.rs +++ b/src/session.rs @@ -8,7 +8,7 @@ use std::mem::size_of; use std::path::PathBuf; use std::slice::from_raw_parts; -use ::sev::certs::sev::Certificate; +use ::sev::certs::sev::sev::Certificate; use ::sev::{launch::sev, session}; use codicon::{Decoder, Encoder}; diff --git a/src/validate.rs b/src/validate.rs new file mode 100644 index 0000000..e86a035 --- /dev/null +++ b/src/validate.rs @@ -0,0 +1,38 @@ +// SPDX-License-Identifier: Apache-2.0 +use sev::certs::sev::{sev::Certificate, Verifiable}; +use sev::firmware::guest::LegacyAttestationReport; + +use std::{fs, path::PathBuf}; + +static PEK_NAME: &str = "pek.cert"; +static AR_NAME: &str = "attestation_report.bin"; + +/// Validates the provided Platform Endorsement Key signed the specified Attestation Report. +/// This assumes the PEK name to be `pek.cert` and the report name to be `attestation_report.bin`. +pub fn cmd(mut pek: PathBuf, mut report: PathBuf) -> Result<(), anyhow::Error> { + if pek.exists() && pek.is_dir() { + pek = pek.join(PEK_NAME); + } + + if report.exists() && report.is_dir() { + report = report.join(AR_NAME); + } + + // Verify the binary being provided is of the correct size. + if fs::metadata(report.clone())?.len() as usize != std::mem::size_of::() { + return Err(anyhow::anyhow!("Unexpected report size encountered.")); + } + + let mut buf: Vec = fs::read(report)?; + let legacy_report: LegacyAttestationReport = bincode::deserialize(&buf)?; + + buf.clear(); + + buf = fs::read(pek)?; + let pek_cert: Certificate = bincode::deserialize(&buf)?; + + drop(buf); + + // Verify using the implementation + Ok((&pek_cert, &legacy_report).verify()?) +}