[WIP] Attestation protocol
Implement most of the attestation protocol with its two calls, according to the SVSM spec.
This is still WIP because it is still missing:
- Call to openssl SHA-512 routine to build the report data
- Actual call to hypervisor to get the attestation report
Once we have these features in linux-svsm I can rebase and plug them into the mocks that I left in src/protocols/attestation.rs (functions todo_sha_512() and get_snp_attestation_report()).
In order to test this I implemented an attestation SVSM call in OVMF during boot.
I had to modify AsmVmgExitSvsm to optionally fill a struct with the response register values. I'll point to these changes soon.
I pushed a v2 of this branch (7 patches) to https://github.com/svsm-vtpm/linux-svsm/tree/attestation-protocol-v2 :
- it is based on @cclaudio's #55.
- it removes the WIP parts: it actually calls openssl's SHA-512 and actually requests the attestation report from the PSP.
I have PoC guest Linux kernel support for getting the attestation report via SVSM; I implemented it as another ioctl in /dev/sev-guest. I'll probably share these patches soon.
I succeeded in starting a guest and fetching a VMPL0 report via SVSM and a VMPL1 report via a "regular" guest message request.
Update: I published the guest kernel RFC patch series for getting the SVSM attestation report: https://lore.kernel.org/linux-coco/[email protected]/
It uses the SVSM_ATTEST_SERVICES call implemented in the attestation-protocol-v2 branch (mentioned in the previous comment).
... and here is a simple guest userspace program to call the new SNP_SVSM_ATTEST_SERVICES ioctl (defined in the kernel RFC patches mentioned above) and save the responses in local files: https://gist.github.com/dubek/0e0a419fecf2ca87dd65d483d5c446d5