diff --git a/kernel/src/attestation/monitor.rs b/kernel/src/attestation/monitor.rs index 2d9f5fe95..997edd832 100644 --- a/kernel/src/attestation/monitor.rs +++ b/kernel/src/attestation/monitor.rs @@ -9,6 +9,7 @@ use alloc::vec::Vec; use crate::vaddr_as_u64_slice; use crate::my_crypto_wrapper::my_SHA512; +use crate::my_crypto_wrapper::my_Hacl_Ed25519_sign; use crate::my_crypto_wrapper::get_keys; use crate::my_crypto_wrapper::decrypt; use crate::my_crypto_wrapper::key_pair; @@ -40,6 +41,7 @@ fn get_snp_report() -> Option<(&'static [u8], usize)> { } } +const SIGNATURE_SIZE: usize = 64; const HASH_SIZE: usize = 64; const KEY_SIZE: usize = 32; const NONCE_SIZE: usize = 24; @@ -91,6 +93,29 @@ pub fn measure(start_address: u64, size: u64) -> [u8; HASH_SIZE] { hash } +fn sign_report(report: &[u8]) -> [u8; SIGNATURE_SIZE] { + let report_addr = report.as_ptr() as u64; // Convert the pointer to u64 + let report_size = report.len() as u64; // Get the size of the report + + // Use a dummy private key for development + // TODO: Use the function provider private key used for communication with the client + let dummy_private_key: [u8; KEY_SIZE] = [0x69; KEY_SIZE]; + + // Sign the report + let mut signature: [u8; SIGNATURE_SIZE] = [0; SIGNATURE_SIZE]; + unsafe { + my_Hacl_Ed25519_sign( + report_addr as *const u8, + report_size.try_into().unwrap(), + dummy_private_key.as_ptr(), + signature.as_mut_ptr(), + ); + } + + // Return the signature + signature +} + fn copy_back_report(report_buffer: u64, report_data: &[u8], report_size: usize) { // Ensure the size is within limits to avoid out-of-bounds access assert!(report_size <= PAGE_SIZE, "Report size exceeds the allowed page size."); @@ -295,9 +320,13 @@ fn function_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{ // Now new_report holds the existing report data + measurements let new_report_size = new_report.len(); + // Sign the new report with a dummy private key + let signature = sign_report(&new_report); + new_report.extend_from_slice(&signature); + // Perform the copy_back_report with the new cumulative report if params.rcx != 0 { - copy_back_report(params.rcx, &new_report, new_report_size); + copy_back_report(params.rcx, &new_report, new_report_size + signature.len()); } return Ok(()); diff --git a/kernel/src/my_crypto/build.sh b/kernel/src/my_crypto/build.sh index abc808f75..a44e68589 100755 --- a/kernel/src/my_crypto/build.sh +++ b/kernel/src/my_crypto/build.sh @@ -13,7 +13,14 @@ gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -I -c hacl/Hacl_Salsa20.c gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -Ihacl/karamel/krmllib/dist/minimal -Ihacl/karamel/include/ -Ihacl/include -fPIC \ -c hacl/Hacl_MAC_Poly1305.c -ar rcs libmy_crypto.a Hacl_Curve25519_51.o Hacl_NaCl.o Hacl_Hash_SHA3.o Hacl_Salsa20.o Hacl_MAC_Poly1305.o my_crypto.o + +# for report signing +gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -Ihacl/karamel/krmllib/dist/minimal -Ihacl/karamel/include/ -Ihacl/include -fPIC \ + -c hacl/Hacl_Ed25519.c +gcc -mno-sse -mno-sse2 -mno-avx -fno-tree-vectorize -nostdlib -Ihacl/karamel/ -Ihacl/karamel/krmllib/dist/minimal -Ihacl/karamel/include/ -Ihacl/include -fPIC \ + -c hacl/Hacl_Hash_SHA2.c # required by Hacl_Ed25519.c + +ar rcs libmy_crypto.a Hacl_Curve25519_51.o Hacl_NaCl.o Hacl_Hash_SHA3.o Hacl_Salsa20.o Hacl_MAC_Poly1305.o Hacl_Ed25519.o Hacl_Hash_SHA2.o my_crypto.o mkdir -p ../../../libmy_crypto/ cp libmy_crypto.a ../../../libmy_crypto/libmy_crypto.a cp my_crypto.h ../../../../module/include/ diff --git a/kernel/src/my_crypto/libmy_crypto.a b/kernel/src/my_crypto/libmy_crypto.a index c603aaca4..0b9345f0a 100644 Binary files a/kernel/src/my_crypto/libmy_crypto.a and b/kernel/src/my_crypto/libmy_crypto.a differ diff --git a/kernel/src/my_crypto/my_crypto.c b/kernel/src/my_crypto/my_crypto.c index 8e38902b3..88b22302f 100644 --- a/kernel/src/my_crypto/my_crypto.c +++ b/kernel/src/my_crypto/my_crypto.c @@ -1,5 +1,6 @@ #include "my_crypto.h" #include "hacl/include/Hacl_Curve25519_51.h" +#include "hacl/include/Hacl_Ed25519.h" #include "hacl/include/Hacl_NaCl.h" #include "hacl/include/Hacl_Hash_SHA3.h" #include @@ -30,7 +31,7 @@ key_pair* gen_keys() return &monitor_keys; } - unsigned int get_key_size() +unsigned int get_key_size() { return 32; } @@ -64,3 +65,8 @@ void my_SHA512(uint8_t* buff, const unsigned int buff_len, uint8_t* hash) { Hacl_Hash_SHA3_sha3_512(hash, buff, buff_len); } + +void my_Hacl_Ed25519_sign(uint8_t *msg, uint32_t msg_len, uint8_t *private_key, uint8_t *signature) +{ + Hacl_Ed25519_sign(signature, private_key, msg_len, msg); +} \ No newline at end of file diff --git a/kernel/src/my_crypto/my_crypto.h b/kernel/src/my_crypto/my_crypto.h index fb687185a..508031007 100644 --- a/kernel/src/my_crypto/my_crypto.h +++ b/kernel/src/my_crypto/my_crypto.h @@ -56,4 +56,5 @@ uint32_t decrypt( ); void my_SHA512(uint8_t* buff, const unsigned int buff_len, uint8_t* hash); +void my_Hacl_Ed25519_sign(uint8_t *msg, uint32_t msg_len, uint8_t *private_key, uint8_t *signature); #endif diff --git a/kernel/src/my_crypto_wrapper/mod.rs b/kernel/src/my_crypto_wrapper/mod.rs index 68cdfbe11..4cebf549e 100644 --- a/kernel/src/my_crypto_wrapper/mod.rs +++ b/kernel/src/my_crypto_wrapper/mod.rs @@ -40,6 +40,7 @@ extern "C" { ) -> u32; pub fn my_SHA512(buff: *mut u8, buff_len: u32, hash: *mut u8) -> i32; + pub fn my_Hacl_Ed25519_sign(msg: *const u8, msg_len: u32, private_key: *const u8, signature: *mut u8) -> i32; pub fn get_cycles() -> u64; }