@super-protocol/addons-tee 0.8.17-beta.1 → 0.8.17-beta.2

package/bindings/sp-sev/docs/attestation/process.msc

@@ -0,0 +1,60 @@
+# Commits which modify this file MUST generate the new .png!
+msc {
+  tenant     [textbgcolor="green"],
+  host       [textbgcolor="red"],
+  bios       [textbgcolor="orange"],
+  bootloader [textbgcolor="orange"],
+  kernel     [textbgcolor="orange"],
+  psp        [textbgcolor="yellow"];
+
+  tenant=>host [label="cert chain request"];
+  host=>psp [label="cert chain request"];
+  psp=>host [label="cert chain reply\n(w/ firmware version)"];
+  host=>tenant [label="cert chain reply\n(w/ firmware version)"];
+
+  ...;
+
+  tenant box tenant [label="validate cert chain"];
+  tenant box tenant [label="validate fw version"];
+  tenant box tenant [label="craft exec policy"];
+  tenant box tenant [label="random cdh keypair"];
+  tenant box tenant [label="random tek/tik"];
+
+
+  tenant box tenant [label="DH(cdh, pdh) => z"];
+  tenant box tenant [label="KDF(z) => master"];
+  tenant box tenant [label="KDF(master) => kek"];
+  tenant box tenant [label="KDF(master) => kik"];
+
+  tenant => host [label="CDH, MAC(tik, policy),\nMAC(kik, ENC(kek, tek||tik))"];
+  host => psp [label="CDH, MAC(tik, policy),\nMAC(kik, ENC(kek, tek||tik))"];
+
+  psp box psp [label="DH(cdh, pdh) => z"];
+  psp box psp [label="KDF(z) => master"];
+  psp box psp [label="KDF(master) => kek"];
+  psp box psp [label="KDF(master) => kik"];
+
+  psp box psp [label="check MAC(kik, ...)"];
+  psp box psp [label="DEC(kek, tek||tik)"];
+
+  host => psp [label="guest pages"];
+  psp box psp [label="measure guest pages"];
+
+  psp => host [label="MAC(tik, measurement)"];
+  host => tenant [label="MAC(tik, measurement)"];
+
+  tenant box tenant [label="validate measure"];
+  tenant box tenant [label="prepare metadata"];
+  tenant => host [label="enc = ENC(tek, metadata)\nMAC(tik, enc)"];
+  host => psp [label="enc = ENC(tek, metadata)\nMAC(tik, enc)"];
+
+  psp => bios [label="decrypt metadata into guest memory"];
+
+  --- [label="VM START"];
+
+  bios => bootloader [label="metadata"];
+  bootloader => kernel [label="metadata"];
+  kernel box kernel [label="unlock volume"];
+
+  --- [label="BOOT COMPLETE"];
+}

package/bindings/sp-sev/docs/attestation/protections.md

@@ -0,0 +1,53 @@
+# Protections
+
+An SEV-enabled guest will be protected from a number of potential threats.
+
+These threats are broadly categorized like so:
+
+**Confidentiality**: Anything that could disclose and/or read the contents of the virtual machine without
+its explicit permission is a threat to the virtual machine's confidentiality.
+
+**Integrity**: The virtual machine must always see the data that it last wrote. If this invariant is broken,
+then the integrity of the virtual machine is compromised.
+
+**Physical Access Attacks**: An attacker with a substantial level of access to the physical hardware may use
+this access to conduct attacks on the system and virtual machines running on it.
+
+**Miscellaneous**: An attack which doesn't fit in as nicely to any of the other above categories.
+
+Table legend:
+
+* :heavy\_check\_mark:: indicates that this attack is thwarted by an SEV feature.
+
+* :star2:: indicates that this mitigation may be optionally enabled.
+
+* : an empty cell indicates that the attack is *not* mitigated by that technology.
+
+| **Confidentiality** | **SEV** | **SEV-ES** | **SEV-SNP** |
+| ------------------: | :-----: | :--------: | :---------: |
+| VM Memory (*ex: Hypervisor reads private VM memory*) | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: |
+| VM Register State (*ex: Hypervisor attempts to read VM register context*) | | :heavy\_check\_mark: | :heavy\_check\_mark: |
+| DMA Protection (*ex: Device attempts to read VM memory*) | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: |
+| **Integrity** | **SEV** | **SEV-ES** | **SEV-SNP** |
+| Replay Protection (*ex: VM memory is replaced with an old copy*) | | | :heavy\_check\_mark: |
+| Data Corruption (*ex: VM memory is replaced with junk data*) | | | :heavy\_check\_mark: |
+| Memory Aliasing (*ex: Hypervisor maps two guest pages to same DRAM page*) | | | :heavy\_check\_mark: |
+| Memory Re-mapping (*ex: Hypervisor switches DRAM page mapped to a guest page*) | | | :heavy\_check\_mark: |
+| **Availability** | **SEV** | **SEV-ES** | **SEV-SNP** |
+| Guest to Host Denial of Service (*ex: Guest refuses to yield/exit*) | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: |
+| Host to Guest Denial of Service (*ex: Host refuses to run guest*) | | | |
+| **Physical Access Attacks** | **SEV** | **SEV-ES** | **SEV-SNP** |
+| Offline DRAM analysis (*ex: Cold boot*) | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: |
+| Active DRAM corruption (*ex: Manipulate DDR bus while VM is running*) | | | |
+| **Miscellaneous Attacks** | **SEV** | **SEV-ES** | **SEV-SNP** |
+| TCB Rollback (*ex: AMD-SP firmware is reverted to older version*) | | | :heavy\_check\_mark: |
+| Malicious Interrupt/Exception Injection (*ex: interrupt injected while RFLAGS.IF=0*) | | | :star2: |
+| Indirect Branch Predictor Poisoning (*ex: Poison BTB from hypervisor*) | | | :star2: |
+| Secure Hardware Debug Registers (*ex: Breakpoints changed during debugging*) | | | :star2: |
+| Trusted CPUID Information (*ex: Hypervisor lies about platform capabilities*) | | | :star2: |
+| Architectural Side Channels (*ex: PRIME+PROBE to track VM accesses*) | | | |
+| Page-level Side Channels (*ex: Track VM access patterns through page tables*) | | | |
+| Performance Counter Tracking (*ex: Fingerprint VM workloads by performance data*) | | | |
+
+*The table above was taken directly from the [AMD SEV-SNP Whitepaper (Table 1: Threat Model)](
+https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf).*

package/bindings/sp-sev/package-version.py

@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: Apache-2.0
+
+#!/usr/bin/env python3
+import json
+import subprocess
+
+try:
+    out = subprocess.check_output(["cargo", "read-manifest"])
+    print(json.loads(out)["version"])
+except FileNotFoundError:
+    print("unknown")

package/bindings/sp-sev/tests/api.rs

@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#[cfg(all(feature = "sev", target_os = "linux"))]
+
+mod sev {
+    #[cfg(feature = "dangerous_hw_tests")]
+    use serial_test::serial;
+    #[cfg(feature = "dangerous_hw_tests")]
+    use sev::cached_chain;
+    use sev::{certs::sev::sev::Usage, firmware::host::Firmware, Build, Version};
+
+    #[cfg(feature = "dangerous_hw_tests")]
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    #[serial]
+    fn platform_reset() {
+        let mut fw = Firmware::open().unwrap();
+        fw.platform_reset().unwrap();
+        cached_chain::rm_cached_chain();
+    }
+
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    fn platform_status() {
+        let mut fw = Firmware::open().unwrap();
+        let status = fw.platform_status().unwrap();
+        assert!(
+            status.build
+                > Build {
+                    version: Version {
+                        major: 0,
+                        minor: 14
+                    },
+                    ..Default::default()
+                }
+        );
+    }
+
+    #[cfg(feature = "dangerous_hw_tests")]
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    #[serial]
+    fn pek_generate() {
+        let mut fw = Firmware::open().unwrap();
+        fw.pek_generate().unwrap();
+        cached_chain::rm_cached_chain();
+    }
+
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    fn pek_csr() {
+        let mut fw = Firmware::open().unwrap();
+        let pek = fw.pek_csr().unwrap();
+        assert_eq!(pek, Usage::PEK);
+    }
+
+    #[cfg(feature = "dangerous_hw_tests")]
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    #[serial]
+    fn pdh_generate() {
+        let mut fw = Firmware::open().unwrap();
+        fw.pdh_generate().unwrap();
+        cached_chain::rm_cached_chain();
+    }
+
+    #[cfg(feature = "openssl")]
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    fn pdh_cert_export() {
+        use sev::certs::sev::Verifiable;
+
+        let mut fw = Firmware::open().unwrap();
+        let chain = fw.pdh_cert_export().unwrap();
+
+        assert_eq!(chain.pdh, Usage::PDH);
+        assert_eq!(chain.pek, Usage::PEK);
+        assert_eq!(chain.oca, Usage::OCA);
+        assert_eq!(chain.cek, Usage::CEK);
+
+        chain.verify().unwrap();
+    }
+
+    #[cfg(all(feature = "openssl", feature = "dangerous_hw_tests"))]
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    #[serial]
+    fn pek_cert_import() {
+        use sev::certs::sev::{sev::Certificate, Signer, Verifiable};
+
+        let mut fw = Firmware::open().unwrap();
+
+        let (mut oca, key) = Certificate::generate(Usage::OCA).unwrap();
+        key.sign(&mut oca).unwrap();
+
+        let mut pek = fw.pek_csr().unwrap();
+        key.sign(&mut pek).unwrap();
+
+        fw.pek_cert_import(&pek, &oca).unwrap();
+
+        let chain = fw.pdh_cert_export().unwrap();
+        assert_eq!(oca, chain.oca);
+        chain.verify().unwrap();
+
+        fw.platform_reset().unwrap();
+    }
+
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    fn get_identifier() {
+        let mut fw = Firmware::open().unwrap();
+        let id = fw.get_identifier().unwrap();
+        assert_ne!(Vec::from(id), vec![0u8; 64]);
+    }
+}
+
+#[cfg(all(feature = "snp", target_os = "linux"))]
+mod snp {
+    use serial_test::serial;
+    use sev::firmware::host::{Config, Firmware, MaskId, SnpPlatformStatus, TcbVersion};
+
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    fn get_identifier() {
+        let mut fw = Firmware::open().unwrap();
+        let id = fw.get_identifier().unwrap();
+        assert_ne!(Vec::from(id), vec![0u8; 64]);
+    }
+
+    #[cfg_attr(not(host), ignore)]
+    #[test]
+    fn platform_status() {
+        let mut fw: Firmware = Firmware::open().unwrap();
+        let status: SnpPlatformStatus = fw.snp_platform_status().unwrap();
+
+        println!(
+            "Platform status ioctl results:
+              version (major, minor): {}.{}
+              build id: {}
+              guests: {}
+              platform tcb microcode version: {}
+              platform tcb snp version: {}
+              platform tcb tee version: {}
+              platform tcb bootloader version: {}
+              reported tcb microcode version: {}
+              reported tcb snp version: {}
+              reported tcb tee version: {}
+              reported tcb bootloader version: {}
+              state: {}",
+            status.version.major,
+            status.version.minor,
+            status.build_id,
+            status.guest_count,
+            status.platform_tcb_version.microcode,
+            status.platform_tcb_version.snp,
+            status.platform_tcb_version.tee,
+            status.platform_tcb_version.bootloader,
+            status.reported_tcb_version.microcode,
+            status.reported_tcb_version.snp,
+            status.reported_tcb_version.tee,
+            status.reported_tcb_version.bootloader,
+            status.state
+        );
+    }
+
+    #[cfg_attr(not(all(host, feature = "dangerous_hw_tests")), ignore)]
+    #[test]
+    #[serial]
+    fn commit_snp() {
+        let mut fw: Firmware = Firmware::open().unwrap();
+        fw.snp_commit().unwrap();
+    }
+
+    #[cfg_attr(not(all(host, feature = "dangerous_hw_tests")), ignore)]
+    #[test]
+    #[serial]
+    fn set_config() {
+        let mut fw: Firmware = Firmware::open().unwrap();
+        fw.snp_set_config(Config::default()).unwrap();
+    }
+
+    #[cfg_attr(not(all(host, feature = "dangerous_hw_tests")), ignore)]
+    #[test]
+    #[serial]
+    fn test_host_fw_error() {
+        let mut fw: Firmware = Firmware::open().unwrap();
+        let invalid_config = Config::new(TcbVersion::new(100, 100, 100, 100), MaskId(31));
+        let fw_error = fw.snp_set_config(invalid_config).unwrap_err().to_string();
+        assert_eq!(fw_error, "Firmware Error Encountered: Known SEV FW Error: Status Code: 0x16: Given parameter is invalid.")
+    }
+}

package/bindings/sp-sev/tests/certs.rs

@@ -0,0 +1,143 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#[cfg(feature = "sev")]
+mod naples;
+
+#[cfg(feature = "sev")]
+mod rome;
+
+#[cfg(all(feature = "openssl", feature = "sev"))]
+mod sev {
+    use super::*;
+
+    #[test]
+    fn test_for_verify_false_positive() {
+        use ::sev::certs::sev::*;
+        use codicon::Decoder;
+
+        // https://github.com/enarx/enarx/issues/520
+        let naples_cek = sev::Certificate::decode(&mut &naples::CEK[..], ()).unwrap();
+        let rome_ask = ca::Certificate::decode(&mut &builtin::rome::ASK[..], ()).unwrap();
+        assert!((&rome_ask, &naples_cek).verify().is_err());
+    }
+}
+
+#[cfg(all(feature = "snp", any(feature = "openssl", feature = "crypto_nossl")))]
+mod snp {
+    use sev::certs::snp::{builtin::milan, ca, Certificate, Chain, Verifiable};
+
+    const TEST_MILAN_VCEK_DER: &[u8] = include_bytes!("certs_data/vcek_milan.der");
+
+    #[cfg(feature = "openssl")]
+    const TEST_TURIN_VCEK_DER: &[u8] = include_bytes!("certs_data/vcek_turin.der");
+
+    const TEST_MILAN_ATTESTATION_REPORT: &[u8] = include_bytes!("certs_data/report_milan.hex");
+
+    #[cfg(feature = "openssl")]
+    const TEST_MILAN_CA: &[u8] = include_bytes!("certs_data/cert_chain_milan");
+
+    #[cfg(feature = "openssl")]
+    const TEST_TURIN_CA: &[u8] = include_bytes!("certs_data/cert_chain_turin");
+
+    #[test]
+    fn milan_chain() {
+        let ark = milan::ark().unwrap();
+        let ask = milan::ask().unwrap();
+        let vcek = Certificate::from_der(TEST_MILAN_VCEK_DER).unwrap();
+
+        let ca = ca::Chain { ark, ask };
+
+        let chain = Chain {
+            ca,
+            vek: vcek.clone(),
+        };
+
+        assert_eq!(chain.verify().ok(), Some(&vcek));
+    }
+
+    #[test]
+    fn milan_chain_invalid() {
+        let ark = milan::ark().unwrap();
+        let ask = milan::ask().unwrap();
+        let vcek = {
+            let mut buf = TEST_MILAN_VCEK_DER.to_vec();
+            buf[40] ^= 0xff;
+            Certificate::from_der(&buf).unwrap()
+        };
+
+        let ca = ca::Chain { ark, ask };
+
+        let chain = Chain { ca, vek: vcek };
+
+        assert_eq!(chain.verify().ok(), None);
+    }
+
+    #[test]
+    fn milan_report() {
+        use sev::firmware::guest::AttestationReport;
+
+        let ark = milan::ark().unwrap();
+        let ask = milan::ask().unwrap();
+        let vcek = Certificate::from_der(TEST_MILAN_VCEK_DER).unwrap();
+
+        let ca = ca::Chain { ark, ask };
+
+        let chain = Chain { ca, vek: vcek };
+
+        let report_bytes = hex::decode(TEST_MILAN_ATTESTATION_REPORT).unwrap();
+        let report: AttestationReport =
+            unsafe { std::ptr::read(report_bytes.as_ptr() as *const _) };
+
+        assert_eq!((&chain, &report).verify().ok(), Some(()));
+    }
+
+    #[test]
+    fn milan_report_invalid() {
+        use sev::firmware::guest::AttestationReport;
+
+        let ark = milan::ark().unwrap();
+        let ask = milan::ask().unwrap();
+        let vcek = Certificate::from_der(TEST_MILAN_VCEK_DER).unwrap();
+
+        let ca = ca::Chain { ark, ask };
+
+        let chain = Chain { ca, vek: vcek };
+
+        let mut report_bytes = hex::decode(TEST_MILAN_ATTESTATION_REPORT).unwrap();
+        report_bytes[0] ^= 0x80;
+        let report: AttestationReport =
+            unsafe { std::ptr::read(report_bytes.as_ptr() as *const _) };
+
+        assert_eq!((&chain, &report).verify().ok(), None);
+    }
+
+    #[cfg(feature = "openssl")]
+    #[test]
+    fn milan_ca_stack() {
+        let vcek = Certificate::from_der(TEST_MILAN_VCEK_DER).unwrap();
+
+        let ca = ca::Chain::from_pem_bytes(TEST_MILAN_CA).unwrap();
+
+        let chain = Chain {
+            ca,
+            vek: vcek.clone(),
+        };
+
+        assert_eq!(chain.verify().ok(), Some(&vcek));
+    }
+
+    #[cfg(feature = "openssl")]
+    #[test]
+    fn turin_ca_stack() {
+        let vcek = Certificate::from_der(TEST_TURIN_VCEK_DER).unwrap();
+
+        let ca = ca::Chain::from_pem_bytes(TEST_TURIN_CA).unwrap();
+
+        let chain = Chain {
+            ca,
+            vek: vcek.clone(),
+        };
+
+        assert_eq!(chain.verify().ok(), Some(&vcek));
+    }
+}

package/bindings/sp-sev/tests/certs_data/cert_chain_milan

@@ -0,0 +1,74 @@
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBDigAwIBAgIDAQABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTgyNDIwWhcNNDUxMDIy
+MTgyNDIwWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAnU2drrNTfbhNQIllf+W2y+ROCbSzId1aKZft
+2T9zjZQOzjGccl17i1mIKWl7NTcB0VYXt3JxZSzOZjsjLNVAEN2MGj9TiedL+Qew
+KZX0JmQEuYjm+WKksLtxgdLp9E7EZNwNDqV1r0qRP5tB8OWkyQbIdLeu4aCz7j/S
+l1FkBytev9sbFGzt7cwnjzi9m7noqsk+uRVBp3+In35QPdcj8YflEmnHBNvuUDJh
+LCJMW8KOjP6++Phbs3iCitJcANEtW4qTNFoKW3CHlbcSCjTM8KsNbUx3A8ek5EVL
+jZWH1pt9E3TfpR6XyfQKnY6kl5aEIPwdW3eFYaqCFPrIo9pQT6WuDSP4JCYJbZne
+KKIbZjzXkJt3NQG32EukYImBb9SCkm9+fS5LZFg9ojzubMX3+NkBoSXI7OPvnHMx
+jup9mw5se6QUV7GqpCA2TNypolmuQ+cAaxV7JqHE8dl9pWf+Y3arb+9iiFCwFt4l
+AlJw5D0CTRTC1Y5YWFDBCrA/vGnmTnqG8C+jjUAS7cjjR8q4OPhyDmJRPnaC/ZG5
+uP0K0z6GoO/3uen9wqshCuHegLTpOeHEJRKrQFr4PVIwVOB0+ebO5FgoyOw43nyF
+D5UKBDxEB4BKo/0uAiKHLRvvgLbORbU8KARIs1EoqEjmF8UtrmQWV2hUjwzqwvHF
+ei8rPxMCAwEAAaOBozCBoDAdBgNVHQ4EFgQUO8ZuGCrD/T1iZEib47dHLLT8v/gw
+HwYDVR0jBBgwFoAUhawa0UP3yKxV1MUdQUir1XhK1FMwEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r
+ZHNpbnRmLmFtZC5jb20vdmNlay92MS9NaWxhbi9jcmwwRgYJKoZIhvcNAQEKMDmg
+DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID
+AgEwowMCAQEDggIBAIgeUQScAf3lDYqgWU1VtlDbmIN8S2dC5kmQzsZ/HtAjQnLE
+PI1jh3gJbLxL6gf3K8jxctzOWnkYcbdfMOOr28KT35IaAR20rekKRFptTHhe+DFr
+3AFzZLDD7cWK29/GpPitPJDKCvI7A4Ug06rk7J0zBe1fz/qe4i2/F12rvfwCGYhc
+RxPy7QF3q8fR6GCJdB1UQ5SlwCjFxD4uezURztIlIAjMkt7DFvKRh+2zK+5plVGG
+FsjDJtMz2ud9y0pvOE4j3dH5IW9jGxaSGStqNrabnnpF236ETr1/a43b8FFKL5QN
+mt8Vr9xnXRpznqCRvqjr+kVrb6dlfuTlliXeQTMlBoRWFJORL8AcBJxGZ4K2mXft
+l1jU5TLeh5KXL9NW7a/qAOIUs2FiOhqrtzAhJRg9Ij8QkQ9Pk+cKGzw6El3T3kFr
+Eg6zkxmvMuabZOsdKfRkWfhH2ZKcTlDfmH1H0zq0Q2bG3uvaVdiCtFY1LlWyB38J
+S2fNsR/Py6t5brEJCFNvzaDky6KeC4ion/cVgUai7zzS3bGQWzKDKU35SqNU2WkP
+I8xCZ00WtIiKKFnXWUQxvlKmmgZBIYPe01zD0N8atFxmWiSnfJl690B9rJpNR/fI
+ajxCW3Seiws6r1Zm+tCuVbMiNtpS9ThjNX4uve5thyfE2DgoxRFvY1CsoF5M
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy
+MTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg
+W41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta
+1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2
+SzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0
+60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05
+gmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg
+bKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs
++gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi
+Qi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ
+eTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18
+fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j
+WhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI
+rFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
+KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG
+SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
+AWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel
+ETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw
+STjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK
+dHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq
+zT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp
+KGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e
+pmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq
+HnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh
+3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn
+JZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH
+CViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4
+AFZEAwoKCQ==
+-----END CERTIFICATE-----

package/bindings/sp-sev/tests/certs_data/cert_chain_turin

@@ -0,0 +1,74 @@
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBDigAwIBAgIDAwABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstVHVyaW4wHhcNMjMwNTE1MjAyNTIxWhcNNDgwNTE1
+MjAyNTIxWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLVR1cmluMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAnvg5Grv2Emd9lAhKdO64RXU3UESb6JTm0Hhz
+evx1PyxinxYqJL329qTJM0XmdozLYb7rsHxgM5I2pU18M8gect2pN/YB2LQ1/bIq
+37TPDbg7ym0MN6KkZ6aERxAX0voYtdDyNxjDAUjpRpCe1FccAev/Es2n/Fz1G1Tm
+C2XepTQqaKpmt6mnDWSCHCVsQoY0gSibeaG6doM6OiNUCbKXaC7KHH5b/96BD1DJ
+84M+JHqPClFhHqUJwzKF5Qxj4wgWAZzK8UPhiNGjrF6+TBdlFGdSzEqw1jOrCTHd
+uYyLK+5OQ3OIw4S+vZeOVoxJajTIWdsqYP2DLc0HkL0qWOumEOrrc2/4DeETShB0
+MyIpH05kSalyQN2eN5P6ptOB84hddCdbJPEepnD+FqQap1ukw3K8uBcgeBSAF23r
+6UtT8Uc5h7MsWX3MoZiEHcSkDQQ8IedTk7CLjsK6S7b/lfKqfYiRhKgGkRvsEd/M
+DNcumHZKIgzasJwgagzSggiUo9jXp3EWm84fqyxNXzSutPB7qD5P/ULAB+q9Qgvr
+zC8XneaLP0MNrHhM80UejmsBTIktMvFoWVIelYDLdcoi0eMD5DRccfsgrYaY6h/+
+/qf9tgg+mX09UJpuSPRF38oyqnNNFMl5v/tWLgUsChPU6NCQC17Qaqr8mu2ynyyu
+HEs5JVUCAwEAAaOBozCBoDAdBgNVHQ4EFgQUbYJXt6v2sMgUALjxD0WvG9aq628w
+HwYDVR0jBBgwFoAUZKBfceMMCmTYO3XlAVmeK+4GA0QwEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r
+ZHNpbnRmLmFtZC5jb20vdmNlay92MS9UdXJpbi9jcmwwRgYJKoZIhvcNAQEKMDmg
+DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID
+AgEwowMCAQEDggIBAAXWJ3DPahralt5kXLPMm9oKlFRqeU3HcS7kA+VBlBA1lQRU
+hXkbXnTvW1GZcgdZvNCB/VlET61KbCzoFIhPIESVjjb/xWX2kg3X0HHmh1EtCDbH
+aUFM5rq6l+S1h7qOauRZebvrwApDzAANvW0LTHRumfGm/kqh9NDtVCIWPUZ1VQIg
+Gx1T3dwmgOK8ncT1J3W5xIyS0Xu3KC6w7oBlq8G2pPgTcCBJ4JBCTXCEXiAAGaTR
+/TJIaSzoZFLhxYhCMjP8WQGToPGDK2i/lZhkcGHnJOQ+lgrXfpLGqBtLlS3QODyV
+P0MomczG4dqw3THP3Y8Aq9c2KE7SylAKsS/bBKCqkj4OrABkDSkMQEz3BBoFD63a
+D5ZG/Qiz+tmhnptyPVcweC9uJlSWYm25KiV4lT52uBjxatDZKQcrpdgcU8+ozzKU
+8ICnZPOwfWeyuNMq/juyd/rzg5IePyyvt+13aJ5MlZBXZxJKoxCYIMKUwZigf0Xs
+BteT8gw10/xk5smIFIB2ERtTQPMuTENgrPTUjOeiqmBg663c2dLVol+MDiT4ltqf
+Em4Kl/cc4f+H6bEwhj1QKAN2ipRf+mP0NfzJb+6ZHNsOvyq/WByYpLXV9JJoiDW/
+8RZwPU/Mn7IuQBauCy78G7FS0ta3q1et74faYBBgeJ6awEasa25CvmsmlU0R
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGYzCCBBKgAwIBAgIDAwAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstVHVyaW4wHhcNMjMwNTE1MjAwMzEyWhcNNDgwNTE1
+MjAwMzEyWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLVR1cmluMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAwaAriB7EIuVc4ZB1wD3YfDxL+9eyS7+izm0J
+j3W772NINCWl8Bj3w/JD2ZjmbRxWdIq/4d9iarCKorXloJUB1jRdgxqccTx1aOoi
+g4+2w1XhVVJT7K457wT5ZLNJgQaxqa9Etkwjd6+9sOhlCDE9l43kQ0R2BikVJa/u
+yyVOSwEk5w5tXKOuG9jvq6QtAMJasW38wlqRDaKEGtZ9VUgGon27ZuL4sTJuC/az
+z9/iQBw8kEilzOl95AiTkeY5jSEBDWbAqnZk5qlM7kISKG20kgQm14mhNKDI2p2o
+ua+zuAG7i52epoRF2GfU0TYk/yf+vCNB2tnechFQuP2e8bLk95ZdqPi9/UWw4JXj
+tdEA4u2JYplSSUPQVAXKt6LVqujtJcM59JKr2u0XQ75KwxcMp15gSXhBfInvPAwu
+AY4dEwwGqT8oIg4esPHwEsmChhYeDIxPG9R4fx9O0q6p8Gb+HXlTiS47P9YNeOpi
+dOUKzDl/S1OvyhDtSL8LJc24QATFydo/iD/KUdvFTRlD0crkAMkZLoWQ8hLDGc6B
+ZJXsdd7Zf2e4UW3tI/1oh/2t23Ot3zyhTcv5gDbABu0LjVe98uRnS15SMwK//lJt
+9e5BqKvgABkSoABf+B4VFtPVEX0ygrYaFaI9i5ABrxnVBmzXpRb21iI1NlNCfOGU
+PIhVpWECAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRkoF9x4wwK
+ZNg7deUBWZ4r7gYDRDAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
+KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvVHVyaW4vY3JsMEYGCSqG
+SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
+AWUDBAICBQCiAwIBMKMDAgEBA4ICAQA/i6Mz4IETMK8YU/HxP7Bfej5i4aXhenJo
+TuiDX0nqx5CDJm9ELhskxAkJ/oLA1O92UoLybfFk4gEpKFtyfiUYex9LogZj5ix0
+sb2qfSSy9CRnOktGqfpel4e3KAhLgF5n2qZrqyq/8EPPldtSjEXn78sZMlIlUcQK
+SnnNCQZVFpktDfDiEiGNuitux3ghHUrcVuxSbZcrXDbsbMF7NDdfLUUS9TijrL33
+lrCXJs7m8kggGyCusiRQKHli1AEswiA4xU+8xsZrByYTopiGYtbJK8s0UCCXylyO
+uKSubvdAnMDJ5GDD0+DX46LSfv7fgGNSG+LOBWdif7KoQf9cIhKJtxGxZCn/tvHm
+wMzu4Jnx8N2vRnT+8DpBqhxtNvdXmrZUelSeQakx4djMKvmTR8Gd25EnC4RppCkj
+bmPxY3zPd1X7raalTn34EOF9DeLsC9JfzkDuojxpHWMm30wKnDo20mlDQk/zKCDa
+2Zc+YjtsTZCrTbvdgCukTKNZOUUVlWRu+sO/OwrmS2p16seHTIqHEbE1LntPv3gk
+CcHGDSUAKx9c0Aol+Dj9xpb2nmGqoDeJ59Ja6REkHCdw5TduXyqqMqfD1AX0/QDN
+devCMKlWBRCQ7DFlog3H1a+r/kuMUZ/Ij9yyKlSgYZMJ4VgNKDgTQdcsAL0MCEMr
+zpacMwFusA==
+-----END CERTIFICATE-----

package/bindings/sp-sev/tests/certs_data/report_milan.hex

@@ -0,0 +1 @@
+0200000000000000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000030000000000087301000000000000000000000000000000D447B55D197491BFE15CF298F9DE9986B7A7C4BE2468B4F6E2D53B71D7C645810B0F2CDFCA0040433BE063FC1A8293F0F3F8DAE7B79FECB3D1CD82BD6A93EBFD7A1E5C266C0108DBC9BB94FA926951320940915D0AAFB42464BD88B579EA158D3E1A0DC39B2C60BD95B9C480CD81841F000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000092B3B47D59F0A2A10A74C5678868A80238CF593C01A82F3CFFB878E904C28D5BFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0300000000000873000000000000000000000000000000000000000000000000D49554EC717F4E5B0FE6B143BCF0405BD7AE304727EDF46603F2A76AEF6A3ABC15D7AF38DB757039029F0EFACFD08E244324884738C72B082E2F87A44D541EB603000000000008730434010004340100030000000000087300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000061AB4F11AA661997625F233DF42A4AD54440EEB7A96EA63DE170CBC29C37C005CB54054881EC7D2BEE569B02D07F8272000000000000000000000000000000000000000000000000209D7EB9BE919A1D0BAF1D57FE6EBFEABBC53B778C6E977E40B15CA931BB6D44C5AB9E30CFDC7346CB41AC083B90BF490000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

package/bindings/sp-sev/tests/guest.rs

@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#![cfg(all(feature = "snp", target_os = "linux"))]
+
+use sev::firmware::guest::*;
+
+#[cfg_attr(not(guest), ignore)]
+#[test]
+fn get_report() {
+    let unique_data = [0u8; 64];
+
+    let mut fw = Firmware::open().unwrap();
+
+    fw.get_report(None, Some(unique_data), None).unwrap();
+}
+
+#[cfg_attr(not(guest), ignore)]
+#[test]
+fn get_ext_report() {
+    let unique_data = [0u8; 64];
+
+    let mut fw = Firmware::open().unwrap();
+
+    fw.get_ext_report(None, Some(unique_data), None).unwrap();
+}
+
+#[cfg_attr(not(guest), ignore)]
+#[test]
+fn get_derived_key() {
+    let derived_key = DerivedKey::new(false, GuestFieldSelect(1), 0, 0, 0);
+
+    let mut fw = Firmware::open().unwrap();
+
+    fw.get_derived_key(None, derived_key).unwrap();
+}
+
+#[cfg_attr(not(guest), ignore)]
+#[test]
+fn guest_fw_error() {
+    let derived_key = DerivedKey::new(
+        false,
+        GuestFieldSelect(48),
+        0xFFFFFFFF,
+        0xFFFFFFFF,
+        0xFFFFFFFFFFFFFFFF,
+    );
+
+    let mut fw = Firmware::open().unwrap();
+
+    let fw_err = fw
+        .get_derived_key(None, derived_key)
+        .unwrap_err()
+        .to_string();
+
+    assert_eq!(fw_err, "Firmware Error Encountered: Known SEV FW Error: Status Code: 0x16: Given parameter is invalid.")
+}