Sign the function attestation

This commit does the following: - uses Hacl's Ed25519 signing to get the signature of the cumulative function execution report - appends the signature in the end of the differential attestation report - for now, it uses a dummy key which has to be replaced with the function provider private key Signed-off-by: dimstav23 <[email protected]>
TUM-DSE · Dec 18, 2024 · 7498d4d · 7498d4d
1 parent f940263
commit 7498d4d
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 3 deletions.
diff --git a/kernel/src/attestation/monitor.rs b/kernel/src/attestation/monitor.rs
@@ -9,6 +9,7 @@ use alloc::vec::Vec;
 use crate::vaddr_as_u64_slice;
 
 use crate::my_crypto_wrapper::my_SHA512;
+use crate::my_crypto_wrapper::my_Hacl_Ed25519_sign;
 use crate::my_crypto_wrapper::get_keys;
 use crate::my_crypto_wrapper::decrypt;
 use crate::my_crypto_wrapper::key_pair;
@@ -40,6 +41,7 @@ fn get_snp_report() -> Option<(&'static [u8], usize)> {
   }
 }
 
+const SIGNATURE_SIZE: usize = 64;
 const HASH_SIZE: usize = 64;
 const KEY_SIZE: usize = 32;
 const NONCE_SIZE: usize = 24;
@@ -91,6 +93,29 @@ pub fn measure(start_address: u64, size: u64) -> [u8; HASH_SIZE] {
     hash
 }
 
+fn sign_report(report: &[u8]) -> [u8; SIGNATURE_SIZE] {
+    let report_addr = report.as_ptr() as u64; // Convert the pointer to u64
+    let report_size = report.len() as u64;   // Get the size of the report
+
+    // Use a dummy private key for development
+    // TODO: Use the function provider private key used for communication with the client
+    let dummy_private_key: [u8; KEY_SIZE] = [0x69; KEY_SIZE];
+
+    // Sign the report
+    let mut signature: [u8; SIGNATURE_SIZE] = [0; SIGNATURE_SIZE];
+    unsafe {
+        my_Hacl_Ed25519_sign(
+            report_addr as *const u8,
+            report_size.try_into().unwrap(),
+            dummy_private_key.as_ptr(),
+            signature.as_mut_ptr(),
+        );
+    }
+
+    // Return the signature
+    signature
+}
+
 fn copy_back_report(report_buffer: u64, report_data: &[u8], report_size: usize) {
   // Ensure the size is within limits to avoid out-of-bounds access
   assert!(report_size <= PAGE_SIZE, "Report size exceeds the allowed page size.");
@@ -295,9 +320,13 @@ fn function_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
     // Now new_report holds the existing report data + measurements
     let new_report_size = new_report.len();
 
+    // Sign the new report with a dummy private key
+    let signature = sign_report(&new_report);
+    new_report.extend_from_slice(&signature);
+
     // Perform the copy_back_report with the new cumulative report
     if params.rcx != 0 {
-        copy_back_report(params.rcx, &new_report, new_report_size);
+        copy_back_report(params.rcx, &new_report, new_report_size + signature.len());
     }
 
     return Ok(());

diff --git a/kernel/src/my_crypto/build.sh b/kernel/src/my_crypto/build.sh
@@ -13,7 +13,14 @@ gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -I
 	-c hacl/Hacl_Salsa20.c
 gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -Ihacl/karamel/krmllib/dist/minimal -Ihacl/karamel/include/ -Ihacl/include -fPIC \
 	-c hacl/Hacl_MAC_Poly1305.c
-ar rcs libmy_crypto.a Hacl_Curve25519_51.o Hacl_NaCl.o Hacl_Hash_SHA3.o Hacl_Salsa20.o Hacl_MAC_Poly1305.o my_crypto.o 
+
+# for report signing
+gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -Ihacl/karamel/krmllib/dist/minimal -Ihacl/karamel/include/ -Ihacl/include -fPIC \
+	-c hacl/Hacl_Ed25519.c
+gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -Ihacl/karamel/krmllib/dist/minimal -Ihacl/karamel/include/ -Ihacl/include -fPIC \
+	-c hacl/Hacl_Hash_SHA2.c # required by Hacl_Ed25519.c
+
+ar rcs libmy_crypto.a Hacl_Curve25519_51.o Hacl_NaCl.o Hacl_Hash_SHA3.o Hacl_Salsa20.o Hacl_MAC_Poly1305.o Hacl_Ed25519.o Hacl_Hash_SHA2.o my_crypto.o
 mkdir -p ../../../libmy_crypto/
 cp libmy_crypto.a ../../../libmy_crypto/libmy_crypto.a 
 cp my_crypto.h ../../../../module/include/

diff --git a/kernel/src/my_crypto/libmy_crypto.a b/kernel/src/my_crypto/libmy_crypto.a
diff --git a/kernel/src/my_crypto/my_crypto.c b/kernel/src/my_crypto/my_crypto.c
@@ -1,5 +1,6 @@
 #include "my_crypto.h"
 #include "hacl/include/Hacl_Curve25519_51.h" 
+#include "hacl/include/Hacl_Ed25519.h"
 #include "hacl/include/Hacl_NaCl.h"
 #include "hacl/include/Hacl_Hash_SHA3.h"
 #include <stdint.h>
@@ -30,7 +31,7 @@ key_pair* gen_keys()
 	return &monitor_keys;
 }
 
- unsigned int get_key_size()
+unsigned int get_key_size()
 {
 	return 32;
 }
@@ -64,3 +65,8 @@ void my_SHA512(uint8_t* buff, const unsigned int buff_len, uint8_t* hash)
 {
 	Hacl_Hash_SHA3_sha3_512(hash, buff, buff_len);
 }
+
+void my_Hacl_Ed25519_sign(uint8_t *msg, uint32_t msg_len, uint8_t *private_key, uint8_t *signature)
+{
+  Hacl_Ed25519_sign(signature, private_key, msg_len, msg);
+}
diff --git a/kernel/src/my_crypto/my_crypto.h b/kernel/src/my_crypto/my_crypto.h
@@ -56,4 +56,5 @@ uint32_t decrypt(
 );
 
 void my_SHA512(uint8_t* buff, const unsigned int buff_len, uint8_t* hash);
+void my_Hacl_Ed25519_sign(uint8_t *msg, uint32_t msg_len, uint8_t *private_key, uint8_t *signature);
 #endif
diff --git a/kernel/src/my_crypto_wrapper/mod.rs b/kernel/src/my_crypto_wrapper/mod.rs
@@ -40,6 +40,7 @@ extern "C" {
         ) -> u32;
 
     pub fn my_SHA512(buff: *mut u8, buff_len: u32, hash: *mut u8) -> i32;
+    pub fn my_Hacl_Ed25519_sign(msg: *const u8, msg_len: u32, private_key: *const u8, signature: *mut u8) -> i32;
     pub fn get_cycles() -> u64;
 
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -56,4 +56,5 @@ uint32_t decrypt( @@
     );
     void my_SHA512(uint8_t* buff, const unsigned int buff_len, uint8_t* hash);
+    void my_Hacl_Ed25519_sign(uint8_t *msg, uint32_t msg_len, uint8_t *private_key, uint8_t *signature);
     #endif