Merge branch 'dimstav23/diff_attest_reports' into dev

Author: Sabanic-P

kernel/src/attestation/monitor.rs

@@ -111,6 +111,14 @@ impl SnpReportResponse {
 
         Ok(())
     }
+
+    pub fn get_report(&self) -> &AttestationReport {
+          &self.report
+    }
+
+    pub fn get_report_size(&self) -> u32 {
+          self.report_size
+    }
 }
 
 /// The `TCB_VERSION` contains the security version numbers of each

kernel/src/greq/pld_report.rs

@@ -3,6 +3,7 @@ use crate::mm::PAGE_SIZE;
 use crate::address::{Address, VirtAddr};
 use crate::process_manager::process_paging::ProcessPageTableRef;
 use crate::process_manager::process_paging::ProcessPageFlags;
+use super::process_memory::{ALLOCATION_RANGE_VIRT_START, PGD};
 use crate::cpu::control_regs::read_cr3;
 use crate::sev::{rmp_adjust, RMPFlags};
 use crate::types::PageSize;
@@ -19,6 +20,9 @@ pub struct AllocationRange(pub u64, pub u64);
 impl AllocationRange {
 
     pub fn allocate(&mut self, pages: u64){
+        // Allocates a new memory range for the Monitor
+        // Currently the start virtual address is fixed to ALLOCATION_RANGE_VIRT_START
+        // Reuses the Process page managment to add new memory to the Monitor
         let mut page_table_ref = ProcessPageTableRef::default();
         page_table_ref.set_external_table(read_cr3().bits() as u64);
         self.allocate_(&mut page_table_ref, pages, ALLOCATION_VADDR_START, true, false);
@@ -54,9 +58,9 @@ impl AllocationRange {
             self.0 = pgd[DEFAULT_ALLOCATION_RANGE_MOUNT];
             self.1 = pages;
         } else {
-            let offset = start_addr >> PGD_SHIFT;
+            let offset: usize = start_address.to_pgtbl_idx::<PGD>();
             let (_mapping, pgd) = paddr_as_slice!(page_table_ref.process_page_table);
-            self.0 = pgd[offset as usize];
+            self.0 = pgd[offset];
             self.1 = pages;
         }
     }

kernel/src/process_manager/allocation.rs

@@ -4,8 +4,9 @@ use crate::attestation;
 use crate::process_manager::process::TrustedProcessType;
 
 const MONITOR_INIT: u32 = 0;
-const ATTEST_MONITOR: u32 = 1;
-//const LOAD_POLICY: u32 = 2;
+// const MONITOR: u32 = 1;
+const DIFF_ATTEST: u32 = 2;
+//const LOAD_POLICY: u32 = 3;
 const CREATE_ZYGOTE: u32 = 4;
 const DELETE_ZYGOTE: u32 = 5;
 const CREATE_TRUSTLET: u32 = 6;
@@ -14,16 +15,22 @@ const INVOKE_TRUSTLET: u32 = 8;
 
 const GET_PUBLIC_KEY: u32 = 30;
 const SEND_POLICY: u32 = 31;
-pub fn attest_monitor(params: &mut RequestParams) -> Result<(), SvsmReqError>{
-    attestation::monitor::attest_monitor(params)
+
+pub fn diff_attestation(params: &mut RequestParams) -> Result<(), SvsmReqError>{
+    attestation::monitor::diff_attestation(params)
 }
 
-fn monitor_init(_params: &mut RequestParams) -> Result<(), SvsmReqError>{
+fn monitor_init(params: &mut RequestParams) -> Result<(), SvsmReqError>{
 
     log::info!("Initilization Monitor");
+
+    /* Request a monitor measurement upon initialization */
+    params.rdx = attestation::monitor::MONITOR_ATTESTATION;
+    params.rcx = 0;
+    let _ = attestation::monitor::diff_attestation(params);
     //add_monitor_memory();
     //super::process::PROCESS_STORE.init(10);
-//    crate::sp_pagetable::set_ecryption_mask_address_size();
+    //crate::sp_pagetable::set_ecryption_mask_address_size();
     log::info!("Initilization Done");
     Ok(())
 }
@@ -60,7 +67,7 @@ pub fn monitor_call_handler(request: u32, params: &mut RequestParams) -> Result<
     log::info!("request: {}",request);
     match request {
         MONITOR_INIT => monitor_init(params),
-        ATTEST_MONITOR => attest_monitor(params),
+        DIFF_ATTEST => diff_attestation(params),
         CREATE_ZYGOTE => create_zygote(params),
         DELETE_ZYGOTE => delete_zygote(params),
         CREATE_TRUSTLET => create_trustlet(params),

kernel/src/process_manager/call_handler.rs

@@ -1,6 +1,6 @@
 use memory_helper::set_ecryption_mask_address_size;
-use process::PROCESS_STORE;
 use process_memory::additional_monitor_memory_init;
+pub use process::PROCESS_STORE;
 
 use crate::utils::immut_after_init::ImmutAfterInitCell;
 

kernel/src/process_manager/mod.rs

@@ -28,6 +28,7 @@ use cpuarch::vmsa::VMSA;
 use core::mem::replace;
 
 use super::memory_channels::MemoryChannel;
+use crate::attestation::monitor::{ProcessMeasurements, measure};
 
 trait FromVAddr {
     fn from_virt_addr(v: VirtAddr) -> &'static mut VMSA;
@@ -114,7 +115,9 @@ pub struct ProcessID(pub usize);
 pub struct TrustedProcess {
     pub process_type: TrustedProcessType,
     pub id: u64,
+    pub parent_id: u64,
     pub base: ProcessBaseContext,
+    pub measurements: ProcessMeasurements,
     #[allow(dead_code)]
     pub context: ProcessContext,
     //pub channel: MemoryChannel,
@@ -138,36 +141,47 @@ impl TrustedProcess {
         let libos_size= zygote_data_struct[5];
 
 
-        // The allocation is always starting at the same virtual address which is why only one allocaiton is valid
+        // The allocation (AllocationRange) is always starting at the same virtual address which is why only one allocaiton is valid
         // at the same time. TODO: Allow for different start addresses
-        let (pal_data, pal_range) = ProcessPageTableRef::copy_data_from_guest(pal, pal_size, pgt);
         let mut base = ProcessBaseContext::default();
+        let mut measurements = ProcessMeasurements::default();
+
+        let (pal_data, pal_range) = ProcessPageTableRef::copy_data_from_guest(pal, pal_size, pgt);
         base.init_with_data(pal_data, pal_size, pal_range);
+        measurements.init_measurement = measure(pal_data.into(), pal_size);
+
         let (manifest_data, manifest_range) = ProcessPageTableRef::copy_data_from_guest(manifest, manifest_size, pgt);
         base.add_manifest(manifest_data, manifest_size, manifest_range);
+        measurements.manifest_measurement = measure(manifest_data.into(), manifest_size);
+
         let(libos_data, libos_range) = ProcessPageTableRef::copy_data_from_guest(libos, libos_size, pgt);
         base.add_libos(libos_data, libos_size, libos_range);
-
+        measurements.libos_measurement = measure(libos_data.into(), libos_size);
 
         // TODO: Free zygote data
         Self {
             process_type: TrustedProcessType::Zygote,
             id: 0,
+            parent_id: 0,
             base,
+            measurements,
             context: ProcessContext::default(),
         }
     }
 
     fn dublicate(pid: ProcessID) -> TrustedProcess {
         let process = PROCESS_STORE.get(pid);
         let base: ProcessBaseContext = process.base;
+        let measurements: ProcessMeasurements = process.measurements;
         let mut context = ProcessContext::default();
-        context.init(base);
+        context.init(base, measurements);
 
         TrustedProcess {
             process_type: TrustedProcessType::Trustlet,
             id: 0,
+            parent_id: pid.0 as u64, // set the id of the parent zygote
             base,
+            measurements,
             context,
         }
 
@@ -189,7 +203,9 @@ impl TrustedProcess {
         Self {
             process_type: TrustedProcessType::Undefined,
             id: 0,
+            parent_id: 0,
             base: ProcessBaseContext::default(),
+            measurements: ProcessMeasurements::default(),
             context: ProcessContext::default(),
         }
     }
@@ -337,9 +353,9 @@ impl ProcessBaseContext {
         self.alloc_range_manifest = data;
     }
 
-    pub fn add_libos(&mut self, manifest: VirtAddr, size: u64, data: AllocationRange){
+    pub fn add_libos(&mut self, libos: VirtAddr, size: u64, data: AllocationRange){
         let size = (4096 - (size & 0xFFF)) + size;
-        self.page_table_ref.add_libos(manifest,size);
+        self.page_table_ref.add_libos(libos,size);
         self.alloc_range_libos = data;
     }
 
@@ -356,6 +372,7 @@ pub struct ProcessContext {
     pub vmsa: PhysAddr,
     pub channel: MemoryChannel,
     pub sev_features: u64,
+    pub measurements: ProcessMeasurements,
 }
 
 impl Default for ProcessContext {
@@ -365,14 +382,15 @@ impl Default for ProcessContext {
             vmsa: PhysAddr::null(),
             channel: MemoryChannel::default(),
             sev_features: 0,
+            measurements: ProcessMeasurements::default(),
         }
     }
 }
 
 
 impl ProcessContext {
 
-    pub fn init(&mut self, base: ProcessBaseContext) {
+    pub fn init(&mut self, base: ProcessBaseContext, measurements: ProcessMeasurements) {
 
         //Creating new VMSA for the Process
         let new_vmsa_page = allocate_page();
@@ -424,7 +442,7 @@ impl ProcessContext {
         self.vmsa = new_vmsa_page;
         self.sev_features = vmsa.sev_features;
         self.base = base;
-
+        self.measurements = measurements;
     }
 
     pub fn add_function(&mut self, function: VirtAddr, size: u64) {

kernel/src/process_manager/process.rs

@@ -40,7 +40,7 @@ pub struct ProcessMemConfig {
     free_page_list_table_entry: u64,
 }
 
-pub const ALLOCATION_RANGE_VIRT_START: u64 = 0x30000000000u64;
+pub const ALLOCATION_RANGE_VIRT_START: u64 = 0x300_0000_0000u64;
 
 static PROCESS_MEM_CONFIG: SpinLock<ProcessMemConfig> = SpinLock::new(ProcessMemConfig::new());
 pub static CPU_COUNT: ImmutAfterInitCell<u64> = ImmutAfterInitCell::new(0);
@@ -52,7 +52,7 @@ const MiB: usize = KiB * 1024;
 #[allow(non_upper_case_globals)]
 const GiB: usize = MiB * 1024;
 
-const ADDRESS_START_FREE_PAGE_LIST: usize = 0x8000000000;
+const ADDRESS_START_FREE_PAGE_LIST: usize = 0x80_0000_0000;
 
 const CONDITION_MIN_MEM_SIZE: usize = 1 * GiB;
 
@@ -74,7 +74,7 @@ impl ProcessMemConfig{
             initilized: false,
             total_size: 0,
             free: 0,
-            free_page_list: 0x8000000000u64,
+            free_page_list: ADDRESS_START_FREE_PAGE_LIST as u64,
             free_page_list_used_len: 0,
             page_top: PhysAddr::null(),
             page_base: PhysAddr::null(),

kernel/src/process_manager/process_memory.rs

@@ -15,6 +15,11 @@ use crate::process_manager::allocation::AllocationRange;
 use core::ffi::CStr;
 use super::memory_helper::{ZERO_PAGE};
 
+// TP: Trusted Process
+const TP_STACK_START_VADDR: u64 = 0x80_0000_0000;
+const TP_MANIFEST_START_VADDR: u64 = 0x100_0000_0000;
+const TP_LIBOS_START_VADDR: u64 = 0x180_0000_0000;
+
 // Flags for the Page Table
 // In general all Trusted Processes need to
 // have user accessable set
@@ -269,21 +274,21 @@ impl ProcessPageTableRef {
             self.add_region(program_header, elf_file );
         }
         //Add stack
-        self.add_stack(VirtAddr::from(0x8000000000usize), 8);
+        self.add_stack(VirtAddr::from(TP_STACK_START_VADDR), 8);
         self.print_table();
         VirtAddr::from(elf.elf_hdr.e_entry)
     }
 
     pub fn add_manifest(&self, data: VirtAddr, size: u64) {
         let data: *mut u8 = data.as_mut_ptr::<u8>();
         let data = unsafe { slice::from_raw_parts(data, size as usize) };
-        self.add_region_vaddr(VirtAddr::from(0x10000000000u64), data);
+        self.add_region_vaddr(VirtAddr::from(TP_MANIFEST_START_VADDR), data);
     }
 
     pub fn add_libos(&self, data: VirtAddr, size: u64) {
         let data: *mut u8 = data.as_mut_ptr::<u8>();
         let data = unsafe { slice::from_raw_parts(data, size as usize) };
-        self.add_region_vaddr(VirtAddr::from(0x18000000000u64), data);
+        self.add_region_vaddr(VirtAddr::from(TP_LIBOS_START_VADDR), data);
     }
 
     pub fn add_function(&self, data:VirtAddr, size: u64) {