Differential Attestation reports generation #3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit performs the following: - Introduce ProcessMasurements structure in the ProcessContext. It currently includes the init (pal) measurement, the manifest measurement and the libos measurement that are calculated when a Zygote is loaded and inherited by the derived Trustlets. - Add and set the parent_id field in the Trusted Process so that we know from which Zygote each Trustlet is derived. - Enhance the call_handler of the monitor with the DIFF_ATTEST operation - Implement the functions for getting the measurements. - The measure function takes a starting address and a size and returns the digest of this memory region - The monitor_report is WIP (has to generate, store and return the SNP report) - The zygote_report retrieves the Zygote measurements based on the zygote_id. TODO: return the SNP report + the zygote measurement fields in a guest provided buffer - The trustlet_report retrieves the Trustlet measurements based on the trustlet_id. TODO: return the SNP report + the trustlet measurement fields in a guest provided buffer - The function_report deserializes the struct with the trustlet id, function input and output provided from the guest, retrieves the trustlet measurements and measures the input and output. TODO: return the SNP report + the trustlet measurement fields + the function data measurements in a guest provided buffer - The diff_attestation determines which function to be called for each attestation type. It is mostly there for convenience as the user should call only the function attestation eventually. Signed-off-by: dimstav23 <[email protected]>
…rieval and append the measurements to that when a report is requested Signed-off-by: dimstav23 <[email protected]>
This commit performs the following: - Better handling of the report response storing its actual size and removing the response-related metadata fields from the stored report - Add two getters for the report address and size in the SnpReportResponse struct - Minor changes to satisfy the compiler checker Signed-off-by: dimstav23 <[email protected]>
Signed-off-by: dimstav23 <[email protected]>
Signed-off-by: dimstav23 <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR performs the following:
ProcessMasurementsstructure in theProcessContext. It currently includes the init (pal) measurement, the manifest measurement and the libos measurement that are calculated when aZygoteis loaded and inherited by the derivedTrustlets.parent_idfield in the Trusted Process so that we know from whichZygoteeachTrustletis derived.measurefunction takes a starting address and a size and returns the digest of this memory regionmonitor_reportgenerates, stores and returns the SNP reportzygote_reportretrieves theZygotemeasurements based on thezygote_idand returns the SNP report and the zygote measurement fields in a guest provided buffertrustlet_reportretrieves theTrustletmeasurements based on thetrustlet_idand returns the SNP report and the trustlet measurement fields in a guest provided bufferfunction_reportdeserializes the struct with thetrustlet id, functioninputandoutputprovided from the guest, retrieves theTrustletmeasurements and measures theinputandoutput. Then, it returns the SNP report and the trustlet measurement fields as well as the function data measurements in a guest provided bufferdiff_attestationdetermines which function to be called for each attestation type. It is mostly there for convenience as the user should call only the function attestation eventually.SnpReportResponsestructmonitor_init()stepTest
To test it, you need to use the update
t.ctest provided in theWallet-VMPLrepo.Versions:
Wallet-VMPL: Branch:dimstav23/update_test_with_attestation, commit:78f073bf832eea9939362e7595da9665fbcb156dgramine-svsm: Branch:devcommit:66b537682590c96d1e0f923e6dfadadd6197ac2dSteps:
cd module && make vmpl.ko && make reload && make t./test 10This will do the following:
initthe monitor and retrieve its reportZygoteand get its reportTrustletand get its reportfunctionwithinputandoutputdata and get its reportmoduledirectory with descriptive names and structure for better readabilityNote: