Create types for validation of an SNP attestation

[tylerfanelli]

enarx-archive/sev#75

[fitzthum]

@tylerfanelli

jsyk we are thinking we might want to use this library to help implement this confidential-containers/trustee#191 for the Confidential Containers Attestation Service. This will require SNP support. Is that something you are planning on adding at some point? We might also be able to contribute something here.

@larrydewey @dubek

[larrydewey]

@tylerfanelli like @fitzthum mentioned, I have code I would be more than happy to provide some PRs for to help integrate SNP support.

[tylerfanelli]

Hi @fitzthum and @larrydewey .

I'm actually working on SNP attestation support in libkrun at the moment, much of that work would fit well into this library. Yes, I'd be very interested in receiving some PRs to help with SNP support. Likewise, I have some contributions as well that are upcoming.

[dubek]

Shameless plug: just pointing out that there's a Python package/utility to compute SNP measurements at https://github.com/IBM/sev-snp-measure . It doesn't work as-is for libkrun because memory structures are different (maybe I can add support, PRs welcome ;-), but it should have all the building blocks. Might be helpeful as another reference implementation.

[fitzthum]

Yeah there's a question about scope here. It's one thing to verify the signature of the report, but we will also want to verify the launch digest (what @dubek's Python package does). Is this in scope of this crate? It would require taking in the full fw binary, possibly some hashes for direct boot stuff, and the CPU count, and calculating the running hash of the VMSAs and the fw.

[slp]

Yeah there's a question about scope here. It's one thing to verify the signature of the report, but we will also want to verify the launch digest (what @dubek's Python package does). Is this in scope of this crate? It would require taking in the full fw binary, possibly some hashes for direct boot stuff, and the CPU count, and calculating the running hash of the VMSAs and the fw.

I'd say so. For plain SEV, session::Session is able to verify the measurement. Blobs are added to it using session::Session::update_data(). Given that this crate has recently acquired the ability to generate the VMSA pages from scratch, I think it makes sense to extend session::Session to support SEV-ES attestation (should be fairly trivial), and then introduce a variant (perhaps create a Session trait and then implement SessionSev and SessionSnp`?) to support SNP verification too. I wrote some code in Rust to understand how SNP measurement calculation works, perhaps it could also be used as a reference (https://github.com/slp/snp-digest-rs).

@tylerfanelli @crobinso What do you think?

[tylerfanelli]

I'd say so. For plain SEV, session::Session is able to verify the measurement. Blobs are added to it using session::Session::update_data(). Given that this crate has recently acquired the ability to generate the VMSA pages from scratch, I think it makes sense to extend session::Session to support SEV-ES attestation (should be fairly trivial),

Agreed. This would be helpful as well, I'll look into adding this.

and then introduce a variant (perhaps create a Session trait and then implement SessionSev and SessionSnp`?)

Or perhaps split session into session::sev and session::snp, like what is done in the launch module.

to support SNP verification too. I wrote some code in Rust to understand how SNP measurement calculation works, perhaps it could also be used as a reference (https://github.com/slp/snp-digest-rs).

Session::update_data() should work for this. However, I think a plain "SEV" Session would need to be different from an SNP Session.

[tylerfanelli]

@fitzthum @dubek Just a note as I'm closing this issue: We have extended SNP support and released version 1.0.0. If there is anything missing that you would like to see in the crate, please submit an issue so we can discuss further.