| Message ID | 20220110060445.549800-1-shirong@linux.alibaba.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Allow guest to query AMD SEV(-ES) runtime attestation evidence | expand |
Hi Shirong, On 1/10/22 12:04 AM, Shirong Hao wrote: > This patch series is provided to allow the guest application to query > AMD SEV(-ES) runtime attestation evidence by communicating with the host > service (Attestation Evidence Broker). > > The following is the design document. > >> Background > > Compared with SEV-SNP and Intel TDX, the runtime attestation of > SEV(-ES) does NOT support guest-provided data included in the > attestation report [1,2]. In addition, SEV(-ES) also does NOT support > the dynamic measurement. During runtime, it can only generate static > attestation report with the constant launch digest reflecting the > initial measurement. > > Although SEV(-ES) has above limitations, its runtime attestation is > still useful. When the SEV(-ES) guest is running, it can report the > attestation report with fixed launch digest as a heartbeat for trusted > healthy check. > > SEV(-ES) runtime attestation includes two participants: > attester and verifier. > > - The attester running in a SEV(-ES) guest is responsible for > collecting attestation evidence. > - The verifier running in a trusted environment is responsible for > verifying the attestation evidence provided by the attester. Note > that the verifier can run on any platform even non-TEE. > >> SEV(-ES) Attestation Evidence > > Verifier uses the following SEV(-ES) certificate chains to verify the > signature of the attestation report generated by the `ATTESTATION` > command [2]: > > 1. certificate chain for device identity: > ARK -> ASK -> CEK -> PEK -> report > 2. certificate chain for platform owner identity: > OCA -> PEK -> report > > - `foo -> bar` indicates using the public key of `foo` to verify the > signature of `bar`. > - ARK is the root of trust of AMD and OCA is the root of trust for > platform owners. OCA has two ways: > 1. Self-owned: The OCA Key Pair and self-signed OCA certificate > are automatically generated by the SEV(-ES) firmware. > 2. Externally-owned: External users use OCA Key Pair to generate > self-signed OCA certificates in a trusted environment. > > Verifier needs to verify the attestation report with the certificate chain. > ARK and ASK can be obtained directly from the AMD KDS server. CEK, PEK, > OCA, and attestation report are related to the specific SEV(-ES) platform, > therefore SEV(-ES) Attestation Evidence collected by attester should > include attestation report (with the constant launch digest), PEK, CEK, > and OCA certificate. > > | Contents of SEV(-ES) Attestation Evidence | SEV(-ES) firmware command | > | :-: | :-: | > | attestation report | ATTESTATION | > | CEK | GET_ID | > | OCA,PEK | PDH_CERT_EXPORT | > >> Query SEV(-ES) Attestation Evidence > > According to the official feedback[3], SEV(-ES) firmware APIs don't support > query attestation report in SEV(-ES) guest and there is no plan to support > it in the future. Instead, this capability will be available in SEV-SNP. > > In some scenarios, the guest application needs to query the attestation > report to establish an attested channel with the remote peer. There are > two approaches for a guest application to query an attestation evidence: > > - Hypercall approach > - VSOCK approach > > Considering time and cost, we only need to implement one of them. > > - Hypercall approach > > SEV(-ES) guest exits to VMM using `hypercall` and then interacts with SEV > firmware to query the components composing an attestation evidence, > including attestation report, PEK, CEK, OCA certificate. To build an > attestation evidence, the steps include: > > 1. The guest application requests a shared memory page, initiates a > hypercall, and switches from the guest mode to the host mode. > 2. In the host mode, KVM sends the `GET_ID, PDH_CERT_EXPORT, ATTESTATION` > command requests to SEV firmware. > 3. The shared memory page is filled with the data returned by the > SEV firmware. > 4. The guest application can obtain attestation evidence by reading the > data in the shared memory. > > Although this method can meet our requirements, it requires a lot of > modifications to the guest kernel and KVM. > > - VSOCK approach > > In the current implementation, QEMU provides the QMP interface > "query-sev-attestation-report" to query the attestation report in the host. > However, QEMU is not the only VMM. In order to support various VMM in > different scenarios, it is necessary to design a general host service, such > as attestation evidence Broker (AEB) to query attestation evidence from the > host. > > The workflow of AEB is as followed: > > 1. The user-level application in the guest sends a request > (including guest firmware handle) to AEB through VSOCK. > 2. AEB requests to query attestation report, PEK, CEK, OCA certificate by > calling multiple SEV firmware APIs (refer to the table above for > specific API commands) and assembles these information into the > attestation evidence. > 3. AEB returns the attestation evidence to the application in the guest. > > To query the attestation report in host with AEB, we provides three patches > to achieve the following two goals. > > 1. It is necessary to add a `SEV_GET_REPORT` interface in ccp driver so > that AEB can execute `ioctl` on the `/dev/sev` device and then call > the `SEV_GET_REPORT` interface to send the `ATTESTATION` command to > the SEV firmware to query attestation report. > > 2. In order to obtain the guest handle required by the `ATTESTATION` > command to the SEV firmware, a new hypercall needs to be added to the > KVM. The application in the guest obtains the guest handle through this > newly added hypercal, and then sends it to the AEB service through > VSOCK. The AEB service uses the guest handle as the input parameter > of the `ATTESTATION` command to interact with the SEV firmware. SEV (-ES) is not designed to support the runtime attestation. Still, your approach here somehow gives the impression to the guest application that it's getting the runtime attestation report from the hardware. I am not sure if it's a good idea. In your above example, what stops KVM from providing a wrong handle on step #2. How does the guest owner (=customer) know that it is getting the report from their VM? Maybe one way to create an association is for the guest owner to inject a nonce during the launch flow, and the guest application uses this nonce to request the report once. Alternatively, you can implement a virtual device that can be used by guest applications to request the attestation report from the VMM. In this approach, the VMM can emulate virtual device, and on read, it can call down to PSP to get the attestation report. Now it all starts sounding like a vTPM ;) thanks > > Note that hypercall is not the only way to obtain the guest handle. > Actually the qmp interface `query-sev` can query the guest handle as well. > However, as mentioned previously, qemu is not the only VMM. > >> Communication protocol > > Below is the communication protocol between the guest application and AEB. > > ```protobuf > syntax = "proto3"; > ... > message RetrieveAttestationEvidenceSizeRequest{ > uint32 guest_handle = 1; > } > message RetrieveAttestationEvidenceRequest{ > uint32 guest_handle = 1; > uint32 evidence_size = 2; > } > message RetrieveAttestationEvidenceSizeResponse{ > uint32 error_code = 1; > uint32 evidence_size = 2; > } > message RetrieveAttestationEvidenceResponse{ > uint32 error_code = 1; > uint32 evidence_size = 2; > bytes evidence = 3; > } > service AEBService { > rpc RetrieveAttestationEvidenceSize > (RetrieveAttestationEvidenceSizeRequest) > returns (RetrieveAttestationEvidenceSizeResponse); > rpc RetrieveAttestationEvidence(RetrieveAttestationEvidenceRequest) > returns (RetrieveAttestationEvidenceResponse); > } > ``` > >> Reference > > [1] https://www.amd.com/system/files/TechDocs/ > 55766_SEV-KM_API_Specification.pdf > [2] https://www.amd.com/system/files/TechDocs/56860.pdf > [3] https://github.com/AMDESE/AMDSEV/issues/71#issuecomment-926118314 > > Shirong Hao (3): > KVM: X86: Introduce KVM_HC_VM_HANDLE hypercall > KVM/SVM: move the implementation of sev_get_attestation_report to ccp > driver > crypto: ccp: Implement SEV_GET_REPORT ioctl command > > arch/x86/include/asm/kvm_host.h | 1 + > arch/x86/kvm/svm/sev.c | 49 +++------------------- > arch/x86/kvm/svm/svm.c | 11 +++++ > arch/x86/kvm/x86.c | 7 +++- > drivers/crypto/ccp/sev-dev.c | 74 +++++++++++++++++++++++++++++++++ > include/linux/psp-sev.h | 7 ++++ > include/uapi/linux/kvm_para.h | 1 + > include/uapi/linux/psp-sev.h | 17 ++++++++ > 8 files changed, 123 insertions(+), 44 deletions(-) >