svsm: add SVSM VTPM Service Attestation
vTPM service attestation is described in section 8.3 of "Secure VM
Service Module for SEV-SNP Guests, Publication #58019 Revision: 1.00
Issue Date: July 2023". It certifies the Endorsement Key (EK) of the
vTPM by providing the TPMT_PUBLIC structure of the EK. This is crucial
for downstream projects like Keylime, as the SVSM vTPM lacks an EK
certificate found in physical TPMs to anchor trust.

The attestation is part of the SVSM Attestation Protocol and uses the
SVSM_ATTEST_SINGLE_SERVICE call (see section 7 of the specifications).
It is triggered by making an SVSM_ATTEST_SINGLE_SERVICE call with the
GUID set to c476f1eb-0123-45a5-9641-b4e7dde5bfe3. The attestation code
returns the VMPL0 attestation report and the vTPM Service Manifest Data
Structure (TPMT_PUBLIC structure of the EK). The REPORT_DATA in the SNP
attestation request is the SHA-512 digest of the input nonce and the
vTPM Service Manifest Data Structure.

The vTPM initialization function was modified to generate an RSA
2048-bit EK from the TPM's Endorsement Primary Seed (EPS) and cache the
public key as a TPMT_PUBLIC structure. This cached EK public key can be
retrieved later for vTPM service attestation. The EK is created with
the TCG default EK template (see Table 4 of the "TCG EK Credential
Profile For TPM Family 2.0; Level 0 Version 2.5 Revision 2.0"). Since
the EK is derived from the EPS, it can be recreated upstream at any
time. For example, the same EK can be recreated in an OS using the TSS2
command "tpm2_createek -c ek.ctx -G rsa -u ek.pub" and compared against
the one returned by vTPM service attestation.

vTPM service attestation as specified can only return one type of EK, so
the implementation supports RSA 2048-bit EK as defined in Table 4 of
the "TCG EK Credential Profile For TPM Family 2.0; Level 0 Version 2.5
Revision 2.0," which is the most common Trusted Computing Group (TCG) EK
type.

Resolves coconut-svsm#437, resolves coconut-svsm#361

Signed-off-by: Geoffrey Ndu <[email protected]>
Geoffrey Ndu committed Feb 12, 2025
1 parent ea67f20 commit d33d9ce
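The relying-party side of the exchange the commit message describes, as an added example in Python (not code from coconut-svsm or Keylime): it recomputes SHA-512(nonce || manifest), compares it in constant time against REPORT_DATA in the returned report, unmarshals the TPMT_PUBLIC manifest and checks it against the Table 4 RSA 2048 template, and optionally compares it with the file that `tpm2_createek -u ek.pub` writes. Assumptions, all labelled in the code: the REPORT_DATA offset (0x50, 64 bytes) follows the SEV-SNP ABI attestation report layout; the modulus, nonce and report are constructed placeholders, not real data; verifying the report's signature against the AMD VCEK chain is left to the caller.

```python
import hashlib
import hmac
import struct

# TPM 2.0 algorithm identifiers used by the TCG default RSA 2048 EK template.
TPM_ALG_RSA = 0x0001
TPM_ALG_SHA256 = 0x000B
TPM_ALG_AES = 0x0006
TPM_ALG_NULL = 0x0010
TPM_ALG_CFB = 0x0043
# TPMA_OBJECT: fixedTPM|fixedParent|sensitiveDataOrigin|adminWithPolicy|restricted|decrypt
EK_RSA_ATTRS = 0x000300B2
# authPolicy of the template: PolicySecret(TPM_RH_ENDORSEMENT).
EK_RSA_POLICY = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa")

# Assumption: SEV-SNP ABI ATTESTATION_REPORT layout, REPORT_DATA at 0x50 (64 bytes).
SNP_REPORT_LEN = 0x4A0
SNP_REPORT_DATA_OFF = 0x50
SNP_REPORT_DATA_LEN = 64


def expected_report_data(nonce: bytes, manifest: bytes) -> bytes:
    """REPORT_DATA the SVSM puts in the SNP request: SHA-512(nonce || manifest)."""
    return hashlib.sha512(nonce + manifest).digest()


def parse_rsa_tpmt_public(buf: bytes) -> dict:
    """Unmarshal a TPMT_PUBLIC for an RSA key (big-endian TPM wire format)."""
    off = 0
    typ, name_alg, attrs = struct.unpack_from(">HHI", buf, off)
    off += 8
    if typ != TPM_ALG_RSA:
        raise ValueError("manifest is not an RSA TPMT_PUBLIC")
    (plen,) = struct.unpack_from(">H", buf, off)          # authPolicy: TPM2B_DIGEST
    off += 2
    policy = bytes(buf[off:off + plen])
    off += plen
    # TPMS_RSA_PARMS: symmetric (alg, keyBits, mode), scheme, keyBits, exponent.
    sym_alg, sym_bits, sym_mode, scheme = struct.unpack_from(">HHHH", buf, off)
    off += 8
    if scheme != TPM_ALG_NULL:
        raise ValueError("scheme details not supported; EK template uses TPM_ALG_NULL")
    key_bits, exponent = struct.unpack_from(">HI", buf, off)
    off += 6
    (mlen,) = struct.unpack_from(">H", buf, off)          # unique: TPM2B_PUBLIC_KEY_RSA
    off += 2
    modulus = bytes(buf[off:off + mlen])
    off += mlen
    if len(modulus) != mlen or off != len(buf):
        raise ValueError("truncated or trailing bytes in TPMT_PUBLIC")
    return dict(name_alg=name_alg, attrs=attrs, policy=policy,
                sym=(sym_alg, sym_bits, sym_mode), key_bits=key_bits,
                exponent=exponent, modulus=modulus)


def is_tcg_default_rsa_ek(f: dict) -> bool:
    """Check the parsed public area against the TCG EK Credential Profile Table 4 template."""
    return (f["name_alg"] == TPM_ALG_SHA256 and f["attrs"] == EK_RSA_ATTRS
            and f["policy"] == EK_RSA_POLICY and f["sym"] == (TPM_ALG_AES, 128, TPM_ALG_CFB)
            and f["key_bits"] == 2048 and f["exponent"] == 0 and len(f["modulus"]) == 256)


def strip_tpm2b_public(buf: bytes) -> bytes:
    """tpm2_createek -u writes a TPM2B_PUBLIC (2-byte size + TPMT_PUBLIC); drop the prefix."""
    (size,) = struct.unpack_from(">H", buf, 0)
    if size != len(buf) - 2:
        raise ValueError("TPM2B_PUBLIC size prefix does not match payload")
    return bytes(buf[2:])


def verify_vtpm_service_attestation(report: bytes, nonce: bytes, manifest: bytes,
                                    os_ek_tpm2b=None) -> dict:
    """Bind report, nonce and manifest together and vet the EK; returns the parsed EK fields.
    The caller must still verify the report signature (AMD VCEK chain) before trusting it."""
    if len(report) != SNP_REPORT_LEN:
        raise ValueError("unexpected SNP report length")
    got = report[SNP_REPORT_DATA_OFF:SNP_REPORT_DATA_OFF + SNP_REPORT_DATA_LEN]
    if not hmac.compare_digest(got, expected_report_data(nonce, manifest)):
        raise ValueError("REPORT_DATA does not bind this nonce and manifest")
    fields = parse_rsa_tpmt_public(manifest)
    if not is_tcg_default_rsa_ek(fields):
        raise ValueError("EK public area does not match the TCG default RSA 2048 template")
    if os_ek_tpm2b is not None and strip_tpm2b_public(os_ek_tpm2b) != manifest:
        raise ValueError("EK from tpm2_createek differs from the attested EK")
    return fields


def build_rsa_ek_tpmt_public(modulus: bytes) -> bytes:
    """Marshal the TCG default RSA 2048 EK template around a modulus (to build sample data)."""
    return (struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, EK_RSA_ATTRS)
            + struct.pack(">H", len(EK_RSA_POLICY)) + EK_RSA_POLICY
            + struct.pack(">HHHH", TPM_ALG_AES, 128, TPM_ALG_CFB, TPM_ALG_NULL)
            + struct.pack(">HI", 2048, 0)
            + struct.pack(">H", len(modulus)) + modulus)


def build_fake_report(report_data: bytes) -> bytes:
    """Constructed, unsigned stand-in for an SNP report with only REPORT_DATA filled in."""
    tail = SNP_REPORT_LEN - SNP_REPORT_DATA_OFF - SNP_REPORT_DATA_LEN
    return bytes(SNP_REPORT_DATA_OFF) + report_data + bytes(tail)


# Constructed sample input: not a real key, nonce or report.
SAMPLE_MODULUS = hashlib.sha256(b"constructed modulus").digest() * 8   # 256 bytes
SAMPLE_NONCE = bytes(range(64))
SAMPLE_MANIFEST = build_rsa_ek_tpmt_public(SAMPLE_MODULUS)
SAMPLE_REPORT = build_fake_report(expected_report_data(SAMPLE_NONCE, SAMPLE_MANIFEST))
SAMPLE_OS_EK = struct.pack(">H", len(SAMPLE_MANIFEST)) + SAMPLE_MANIFEST  # as tpm2_createek -u writes

if __name__ == "__main__":
    ek = verify_vtpm_service_attestation(SAMPLE_REPORT, SAMPLE_NONCE, SAMPLE_MANIFEST, SAMPLE_OS_EK)
    print("attested EK OK, keyBits:", ek["key_bits"], "exponent:", ek["exponent"] or 65537)
```

Two details matter when comparing against a key recreated in the guest OS: the `-u` output of `tpm2_createek` is a TPM2B_PUBLIC, so its 2-byte size prefix has to be dropped before a byte-for-byte comparison with the manifest, and an exponent field of 0 in TPMT_PUBLIC means the default 65537, not a zero exponent.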
Showing 11 changed files with 639 additions and 5 deletions.
2 changes: 2 additions & 0 deletions Cargo.lock


4 changes: 2 additions & 2 deletions Cargo.toml
Expand Up @@ -57,8 +57,8 @@ intrusive-collections = "0.9.6"
libfuzzer-sys = "0.4"
log = "0.4.17"
p384 = { version = "0.13.0" }
sha2 = "0.10.8"
uuid = "1.6.1"
sha2 = { version = "0.10.8", default-features = false }
uuid = { version = "1.6.1", default-features = false }
# Add the derive feature by default because all crates use it.
zerocopy = { version = "0.8.2", features = ["derive"] }
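Review bot: switching sha2 and uuid to `default-features = false` at the workspace level is not mentioned in the commit message, and it drops the crates' default (std) features for every workspace member at once, not only the kernel; igvmbuilder already has to turn uuid's defaults back on in the next file. Please add a one-line comment next to these two dependencies stating why the workspace default is no_std (the kernel target), and confirm in the commit message that the remaining members were checked for reliance on the old defaults.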

2 changes: 1 addition & 1 deletion igvmbuilder/Cargo.toml
Expand Up @@ -11,7 +11,7 @@ bootlib.workspace = true
clap = { workspace = true, default-features = true, features = ["derive"] }
igvm_defs.workspace = true
igvm.workspace = true
uuid.workspace = true
uuid = { workspace = true, default-features = true }
zerocopy.workspace = true
zerocopy07 = { package = "zerocopy", version = "0.7" }
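Review bot: `uuid = { workspace = true, default-features = true }` is the right call for a host-side tool, but without a comment it reads as an accidental override of the workspace setting and is the kind of line a later cleanup reverts; a short note such as `# host tool, needs uuid's std features` here, in the same spirit as the `force-soft` comment in kernel/Cargo.toml, keeps the intent visible.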

3 changes: 3 additions & 0 deletions kernel/Cargo.toml
Expand Up @@ -36,6 +36,9 @@ packit.workspace = true
libtcgtpm = { workspace = true, optional = true }
zerocopy = { workspace = true, features = ["alloc", "derive"] }
release.workspace = true
# Need "force-soft", see https://github.com/RustCrypto/hashes/issues/446
sha2 = { workspace = true, features = ["force-soft"] }
uuid.workspace = true

builtin = { workspace = true, optional = true }
builtin_macros = { workspace = true }
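Review bot: the comment above `sha2` points at the upstream issue but not at the effect, so the rationale is lost if the link rots. State in one line that `force-soft` pins sha2 to its pure-Rust backend instead of the runtime CPU-feature-detected one, which is what the SVSM kernel environment needs, and that the cost is acceptable because the only SHA-512 input in this change is the nonce plus the EK TPMT_PUBLIC.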
19 changes: 19 additions & 0 deletions kernel/src/error.rs
Expand Up @@ -45,6 +45,17 @@ pub enum ApicError {
Registration,
}

/// Errors related to Attestation handling. These may originate from multiple
/// layers in the system.
#[derive(Clone, Copy, Debug)]
pub enum AttestationError {
/// An error related to attestation report.
Report,

/// An error related to attestation manifest.
Manifest,
}

/// A generic error during SVSM operation.
#[derive(Clone, Copy, Debug)]
pub enum SvsmError {
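Review bot: `Report` and `Manifest` carry no payload and their doc comments only restate the variant names, so a caller that has to map these onto a protocol return code cannot tell a failed guest request apart from, say, a manifest that did not fit the caller's buffer or a REPORT_DATA mismatch. Either document the exact conditions each variant covers (e.g. "the SNP guest request for the VMPL0 report failed" and "the vTPM EK public area could not be produced or copied out"), or add variants for the remaining cases so the error is actionable.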
Expand Down Expand Up @@ -100,6 +111,8 @@ pub enum SvsmError {
NotSupported,
/// Generic errors related to APIC emulation.
Apic(ApicError),
/// Generic errors related to attestation handling.
Attestation(AttestationError),
/// Errors related to Hyper-V.
HyperV(u16),
}
Expand All @@ -116,6 +129,12 @@ impl From<ApicError> for SvsmError {
}
}

impl From<AttestationError> for SvsmError {
fn from(err: AttestationError) -> Self {
Self::Attestation(err)
}
}

impl From<ObjError> for SvsmError {
fn from(err: ObjError) -> Self {
Self::Obj(err)

0 comments on commit d33d9ce
