Add SEVSNP plugin for Veraison server #333
base: upstream/installation+rpm
193c7ed to f0bc831
RATSd needs golang version 1.23.0 or newer as it depends on CMW (https://github.com/veraison/cmw), which needs 1.23.0 or newer. The services repo needs RATSd. Therefore, set the minimum golang version to 1.23.0 Signed-off-by: Jagannathan Raman <[email protected]>
define SEV-SNP scheme for Veraison. Switch to CoRIM version v1.1.3-0.20250307044607-0bbdd6c78526 Signed-off-by: Jagannathan Raman <[email protected]> fix(sensnp+rpm): add SEV-SNP plugin to package
store the trust anchors and reference values in the CoMID's "Attest Key Triple" and "Reference Value Triple" formats. Signed-off-by: Jagannathan Raman <[email protected]>
accept CoRIM endorsements, reference values & trust anchors, and save them in the database. Signed-off-by: Jagannathan Raman <[email protected]>
implement parts of the store handler that synthesize keys from trust anchors and reference values. Signed-off-by: Jagannathan Raman <[email protected]>
Implement an evidence handler to extract claims from the evidence token and store them in an internal representation format (CoRIM for SEV-SNP). Additionally, implement the GetLevel interface for HCLogger, which was introduced with v1.5.0. Signed-off-by: Jagannathan Raman <[email protected]>
Update the store handler to get Trust Anchor and Reference Value keys from evidence. Add helper routines to parse the TSM report's auxblob to extract AMD keys. Signed-off-by: Jagannathan Raman <[email protected]>
Implement the ValidateEvidenceIntegrity routine of the EvidenceHandler interface. Ensure the root key in auxblob matches the ARK in provisioned trust anchors. Confirm the integrity of the certificate chain in the auxblob and the validity of the signature in the evidence. Signed-off-by: Jagannathan Raman <[email protected]>
Implement the AppraiseEvidence routine in the EvidenceHandler interface to confirm the claims match with the evidence. Signed-off-by: Jagannathan Raman <[email protected]>
Add unit tests for endorsement, evidence and storage handlers Signed-off-by: Jagannathan Raman <[email protected]>
Add README document for SEVSNP scheme Signed-off-by: Jagannathan Raman <[email protected]>
Update the CMW module to enable CMW collection support Signed-off-by: Jagannathan Raman <[email protected]>
Update go-sev-guest to get fix for Genoa VCEK handling Signed-off-by: Jagannathan Raman <[email protected]>
Allow SEVSNP scheme to accept evidence in CMW collection format Signed-off-by: Jagannathan Raman <[email protected]>
REPORTED_TCB is a bitfield of versions. Extract individual versions for comparison. REPORTED_TCB in evidence should be greater than or equal to the reference value. Signed-off-by: Jagannathan Raman <[email protected]>
Some claims in the SEV-SNP profile aren't relevant for verification, so skipping them Signed-off-by: Jagannathan Raman <[email protected]>
f0bc831 to 80ddda3
|
|
||
| block, _ := pem.Decode(cert) | ||
| if block == nil || block.Type != "CERTIFICATE" { | ||
| return nil, fmt.Errorf("failed to read certificate") |
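Review bot: In the `block == nil || block.Type != "CERTIFICATE"` check, input that is not PEM at all and a PEM block of the wrong type produce the same "failed to read certificate" message, and the second return value of `pem.Decode(cert)` is discarded, so any bytes after the first block are silently ignored. Consider reporting the unexpected block type in the error and rejecting (or explicitly handling) non-empty trailing data, so that a bundle passed where a single certificate is expected does not go unnoticed.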
| return nil, fmt.Errorf("failed to read certificate") | |
| return nil, errors.New("failed to read certificate") |
| tcbParts kds.TCBParts | ||
| ) | ||
|
|
||
| // ToDo: following is a circuitous way to obtain the 64-bit TCB integer value |
If this is a genuine TO DO, preferably create an issue and tag the issue here, please!
| return nil, err | ||
| } | ||
|
|
||
| refValCorim := corim.UnsignedCorim{} |
just check, if we need to initialise other mandatory part of CoRIM here as well...
yogeshbdeshpande
left a comment
in middle of review, just started today
Co-authored-by: Yogesh Deshpande <[email protected]>
Co-authored-by: Yogesh Deshpande <[email protected]>
Co-authored-by: Yogesh Deshpande <[email protected]>
Co-authored-by: Yogesh Deshpande <[email protected]>
Co-authored-by: Yogesh Deshpande <[email protected]>
|
As we are adding new
Also remember to check the suitable places in |
yogeshbdeshpande
left a comment
Left some further comments.
| return block.Bytes, nil | ||
| } | ||
|
|
||
| func parseAttestationToken(token *proto.AttestationToken) (*tokens.TSMReport, error) { |
Just a question, perhaps need a better place to ask, is there a place, where, we say, the supported Media Types for Evidence are 1. TSM in CBOR, 2. TSM in JSON 3. RATSD in JSON ..?
Hi @yogeshbdeshpande, are you asking where they are documented?
tsm-report's CDDL is here: https://github.com/veraison/ratsd/blob/main/docs/tsm-report.cddl
- TSM in CBOR is recorded here: https://www.iana.org/assignments/media-types/application/vnd.veraison.tsm-report+cbor
I couldn't find the IANA doc for the other two. I'll check with @thomas-fossati on how to get them.
Besides we have this godoc: https://pkg.go.dev/github.com/veraison/ratsd/attesters/tsm
> I couldn't find the IANA doc for the other two. I'll check with @thomas-fossati on how to get them.
TSM in JSON is recorded here: https://www.iana.org/assignments/media-types/application/vnd.veraison.tsm-report+json
RATSd evidence top-level formats are explored here: veraison/ratsd#27
Thank you, @thomas-fossati.
| result := handler.CreateAttestationResult(SchemeName) | ||
|
|
||
| appraisal := result.Submods[SchemeName] | ||
|
|
Just a question: Is this init to default values or more than this..?
Can you please specify, perhaps a short comment might help as well!
| // - POLICY ToDo: Do we need to test individual policy features? | ||
| // - CURRENT_TCB is informational only. It's best handled by policy | ||
| // - PLATFORM_INFO ToDO: Do we need to test individual platform features? | ||
| // - REPORT_DATA is a nonce supplied by user for freshness, not applicable for verification |
| // - REPORT_DATA is a nonce supplied by user for freshness, not applicable for verification | |
| // - REPORT_DATA is a nonce supplied by user for freshness, this is verified prior at a suitable point- functon-name() |
| // - REPORT_DATA is a nonce supplied by user for freshness, not applicable for verification | ||
| // - REPORT_ID is ephemeral, so we can't use it for verification. | ||
| // - REPORT_ID_MA is also ephemeral, used for migration | ||
| // - CHIP_ID is unique to an specific attester, but reference values could be used more generally |
Just a question:
Does the CHIP_ID map to a specific instance of the platform? If yes, shall we not populate the InstanceID claims?
| // ToDo: It is a good idea to test it anyway, but the Version type only tests for | ||
| // equality, and this would trigger spurious failures | ||
| // - COMMITTED_TCB is informational, used by the host to advance REPORTED_TCB | ||
| if k == mKeyPolicy || |
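Review bot: POLICY is on the skip list here (`if k == mKeyPolicy ||`) with only a ToDo in the comment block above it, so nothing in this loop compares the guest policy in the evidence against the reference value. The SNP guest policy includes the bit that permits debugging of the guest, which is a property a relying party usually wants appraised; either compare the policy bits that matter for trust in this loop, or state in the comment that the check is delegated to policy, as is already done for CURRENT_TCB.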
I have a question here. Should we not expect a definite set of MKeys and check for their presence here or somewhere earlier to report a fail, if a mandatory MKey is missing from Evidence?
Does this happen intrinsically inside the Evidence Decoding, then it is fine, but just checking...
| break claimsLoop | ||
| } | ||
| if !compareTcb(*reportedTcb, *em) { | ||
| // ToDo: Is this a failure condition? |
Note: Each of these failures should be represented in the corresponding flag inside the TrustVector for Platform ? If not please check and raise a bug on AR4SI if something fundamental missing in the spec..
| 0x1f, 0x1e, 0x1d, 0x1c, 0x1b, 0x1a, 0x19, 0x18, | ||
| } | ||
|
|
||
| func Test_ExtractClaims_ok(t *testing.T) { |
Just checking, I did not see the Full Evidence JSON Claims set in the test cases..?
is there any reason for this..?
| require.NoError(t, err) | ||
| } | ||
|
|
||
| func Test_ValidateEvidenceIntegrity_ok(t *testing.T) { |
Also, I saw three types of Evidence Format in the code, but I see ONLY tests with RATSD Token only,
Can you please add the test cases for TSM Report in JSON and CBOR as well ?
|
thomas-fossati
left a comment
Thanks, this is great.
I have left a few comments inline.
|
|
||
| It doesn't need any specific install instructions, it gets deployed along with other schemes. | ||
| ``` | ||
| make really-clean; make native-deploy |
Just a couple of non-blocking notes:
- You can supply more than one target when invoking `make`:
  `make really-clean native-deploy`
- The `;` will not stop updating `native-deploy` if `really-clean` fails, which is not what you want. Instead:
  `make really-clean && make native-deploy`
| Since ratsd is under construction, please use the following instance of evcli to submit evidence. | ||
| https://github.com/jraman567/evcli |
More fancy linking:
| Since ratsd is under construction, please use the following instance of evcli to submit evidence. | |
| https://github.com/jraman567/evcli | |
| Since ratsd is under construction, please use the following [fork of evcli](https://github.com/jraman567/evcli) to submit Evidence. |
|
|
||
| ## Usage example | ||
|
|
||
| Following is an example of how to interface with this scheme/plugin. The workflow involves using cocli to submit reference values and ratsd to submit the evidence. |
| Following is an example of how to interface with this scheme/plugin. The workflow involves using cocli to submit reference values and ratsd to submit the evidence. | |
| Following is an example of how to interface with this scheme/plugin. The workflow involves using cocli to submit Reference Values and [ratsd](https://github.com/veraison/ratsd) to submit Evidence. |
| Generating reference values and evidence is beyond this project's scope. Please see go-gen-ref for creating reference values for SEV-SNP; RATSd generates evidence. | ||
| go-gen-ref: https://github.com/jraman567/go-gen-ref | ||
| ratsd: https://github.com/veraison/ratsd |
| Generating reference values and evidence is beyond this project's scope. Please see go-gen-ref for creating reference values for SEV-SNP; RATSd generates evidence. | |
| go-gen-ref: https://github.com/jraman567/go-gen-ref | |
| ratsd: https://github.com/veraison/ratsd | |
| Generating Reference Values and Evidence is beyond this project's scope. Please see [go-gen-ref](https://github.com/jraman567/go-gen-ref) for creating Reference Values for SEV-SNP; ratsd generates Evidence. |
| ``` | ||
|
|
||
| ## Attestation Result | ||
| The result is in JWT format. Decoding it using an online tool like https://jwt.io/ reveals formatted results. The trustworthiness vector, as shown below, summarizes the result of verification. |
Can’t we use arc to verify and print the TV?
| } | ||
|
|
||
| if evM.Val.SVN == nil { | ||
| log.Errorf("evidence doesn't have SVN") |
ditto
| switch k { | ||
| case mKeyReportedTcb: | ||
| if !compareTcb(m, *em) { | ||
| err = fmt.Errorf("reported TCB in evidence doesn't match reference") |
please, use errors.New()
| } | ||
|
|
||
| if len(extractedComid.Triples.ReferenceValues.Values) > 1 { | ||
| return nil, fmt.Errorf("unable to process multiple claims in evidence") |
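Review bot: The guard `len(extractedComid.Triples.ReferenceValues.Values) > 1` rejects more than one entry but lets an empty list through. If the code that follows reads the first element, evidence that yields no reference-value triple would end in an index-out-of-range panic instead of this error path; checking for `!= 1`, with a message that covers both cases, closes that gap.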
please, use errors.New()
|
|
||
| keyBlock, _ := pem.Decode([]byte(ark.String())) | ||
| if keyBlock == nil || keyBlock.Type != "CERTIFICATE" { | ||
| return nil, fmt.Errorf("failed to decode ARK") |
usual errors.New() comment :-)
| } | ||
|
|
||
| if m == nil { | ||
| return "", fmt.Errorf("measurement not found") |
| return "", fmt.Errorf("measurement not found") | |
| return "", errors.New("measurement not found") |
This PR implements the SEVSNP scheme for Veraison.
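The REPORTED_TCB commit in this PR notes that the value is a bitfield of versions and that the evidence must be greater than or equal to the reference value. The Go example below is added here and is not code from this PR; it shows why that comparison has to be made per component rather than on the packed 64-bit integer. It assumes the Milan/Genoa TCB_VERSION layout (boot loader in bits 7:0, TEE in 15:8, SNP in 55:48, microcode in 63:56), and the type and function names are hypothetical.

```go
package main

import "fmt"

// TCB holds the security version numbers packed into a 64-bit SEV-SNP
// TCB_VERSION (assumed Milan/Genoa layout; bits 47:16 are reserved).
type TCB struct {
	BootLoader, TEE, SNP, Microcode uint8
}

// DecomposeTCB splits the packed value into its components.
func DecomposeTCB(v uint64) TCB {
	return TCB{
		BootLoader: uint8(v),
		TEE:        uint8(v >> 8),
		SNP:        uint8(v >> 48),
		Microcode:  uint8(v >> 56),
	}
}

// MeetsReference reports whether every component in the evidence is at
// least the reference component, and lists the ones that fall short.
func MeetsReference(evidence, reference uint64) (bool, []string) {
	ev, ref := DecomposeTCB(evidence), DecomposeTCB(reference)
	var low []string
	check := func(name string, e, r uint8) {
		if e < r {
			low = append(low, fmt.Sprintf("%s %d < %d", name, e, r))
		}
	}
	check("bootloader", ev.BootLoader, ref.BootLoader)
	check("tee", ev.TEE, ref.TEE)
	check("snp", ev.SNP, ref.SNP)
	check("microcode", ev.Microcode, ref.Microcode)
	return len(low) == 0, low
}

func main() {
	// Constructed sample values, not taken from a real platform.
	reference := uint64(0xD315000000000004) // ucode 0xD3, snp 0x15, tee 0, bl 4
	evidence := uint64(0xD515000000000003)  // newer ucode, older boot loader
	ok, low := MeetsReference(evidence, reference)
	fmt.Println("integer compare passes:", evidence >= reference)
	fmt.Println("component compare passes:", ok, low)
}
```

With the constructed values, the packed integer of the evidence is larger than the reference because the microcode byte is the most significant one, yet the boot loader version is older, so only the per-component check rejects it.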