@super-protocol/addons-tee 0.8.17-beta.1 → 0.8.17-beta.2

package/bindings/sp-sev/tests/naples/pdh.rs

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+
+#[test]
+fn decode() {
+    sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let pdh = sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    pdh.encode(&mut output, ()).unwrap();
+    assert_eq!(PDH.len(), output.len());
+    assert_eq!(PDH.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let pek = sev::Certificate::decode(PEK, ()).unwrap();
+    let pdh = sev::Certificate::decode(PDH, ()).unwrap();
+
+    (&pek, &pdh).verify().unwrap();
+    assert!((&pdh, &pek).verify().is_err());
+}

package/bindings/sp-sev/tests/naples/pek.rs

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+
+#[test]
+fn decode() {
+    sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let pek = sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    pek.encode(&mut output, ()).unwrap();
+    assert_eq!(PEK.len(), output.len());
+    assert_eq!(PEK.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let cek = sev::Certificate::decode(CEK, ()).unwrap();
+    let oca = sev::Certificate::decode(OCA, ()).unwrap();
+    let pek = sev::Certificate::decode(PEK, ()).unwrap();
+
+    (&cek, &pek).verify().unwrap();
+    assert!((&pek, &cek).verify().is_err());
+
+    (&oca, &pek).verify().unwrap();
+    assert!((&pek, &oca).verify().is_err());
+}

package/bindings/sp-sev/tests/rome/ark.rs

@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+use ::sev::certs::sev::builtin::rome::*;
+
+#[test]
+fn decode() {
+    ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let ark = ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    ark.encode(&mut output, ()).unwrap();
+    assert_eq!(ARK.len(), output.len());
+    assert_eq!(ARK.to_vec(), output);
+
+    let ark = ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    ark.encode(&mut output, ()).unwrap();
+    assert_eq!(ARK.len(), output.len());
+    assert_eq!(ARK.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let ark = ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
+    (&ark, &ark).verify().unwrap();
+}

package/bindings/sp-sev/tests/rome/ask.rs

@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+use ::sev::certs::sev::builtin::rome::*;
+
+#[test]
+fn decode() {
+    ca::Certificate::decode(&mut &ASK[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let ask = ca::Certificate::decode(&mut &ASK[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    ask.encode(&mut output, ()).unwrap();
+    assert_eq!(ASK.len(), output.len());
+    assert_eq!(ASK.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let ark = ca::Certificate::decode(ARK, ()).unwrap();
+    let ask = ca::Certificate::decode(ASK, ()).unwrap();
+
+    (&ark, &ask).verify().unwrap();
+    assert!((&ask, &ark).verify().is_err());
+}

package/bindings/sp-sev/tests/rome/cek.rs

@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+
+#[test]
+fn decode() {
+    sev::Certificate::decode(&mut &CEK[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let cek = sev::Certificate::decode(&mut &CEK[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    cek.encode(&mut output, ()).unwrap();
+    assert_eq!(CEK.len(), output.len());
+    assert_eq!(CEK.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    use ::sev::certs::sev::builtin::rome::ASK;
+
+    let ask = ca::Certificate::decode(ASK, ()).unwrap();
+    let cek = sev::Certificate::decode(CEK, ()).unwrap();
+
+    (&ask, &cek).verify().unwrap();
+}

package/bindings/sp-sev/tests/rome/mod.rs

@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+
+mod ark;
+mod ask;
+mod cek;
+mod oca;
+mod pdh;
+mod pek;
+
+const OCA: &[u8] = include_bytes!("oca.cert");
+const CEK: &[u8] = include_bytes!("cek.cert");
+const PEK: &[u8] = include_bytes!("pek.cert");
+const PDH: &[u8] = include_bytes!("pdh.cert");
+
+use ::sev::certs::sev::*;
+use codicon::{Decoder, Encoder};

package/bindings/sp-sev/tests/rome/oca.rs

@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+
+#[test]
+fn decode() {
+    sev::Certificate::decode(&mut &OCA[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let oca = sev::Certificate::decode(&mut &OCA[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    oca.encode(&mut output, ()).unwrap();
+    assert_eq!(OCA.len(), output.len());
+    assert_eq!(OCA.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let oca = sev::Certificate::decode(OCA, ()).unwrap();
+    (&oca, &oca).verify().unwrap();
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn create() {
+    let mut pdh = sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
+    let (mut oca, key) = sev::Certificate::generate(sev::Usage::OCA).unwrap();
+
+    assert!((&pdh, &pdh).verify().is_err());
+    assert!((&oca, &pdh).verify().is_err());
+    assert!((&oca, &oca).verify().is_err());
+
+    key.sign(&mut oca).unwrap();
+
+    assert!((&pdh, &pdh).verify().is_err());
+    assert!((&oca, &pdh).verify().is_err());
+    (&oca, &oca).verify().unwrap();
+
+    key.sign(&mut pdh).unwrap();
+    (&oca, &pdh).verify().unwrap();
+}

package/bindings/sp-sev/tests/rome/pdh.rs

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+
+#[test]
+fn decode() {
+    sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let pdh = sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    pdh.encode(&mut output, ()).unwrap();
+    assert_eq!(PDH.len(), output.len());
+    assert_eq!(PDH.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let pek = sev::Certificate::decode(PEK, ()).unwrap();
+    let pdh = sev::Certificate::decode(PDH, ()).unwrap();
+
+    (&pek, &pdh).verify().unwrap();
+    assert!((&pdh, &pek).verify().is_err());
+}

package/bindings/sp-sev/tests/rome/pek.rs

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: Apache-2.0
+
+use super::*;
+
+#[test]
+fn decode() {
+    sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
+}
+
+#[test]
+fn encode() {
+    let pek = sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
+
+    let mut output = Vec::new();
+    pek.encode(&mut output, ()).unwrap();
+    assert_eq!(PEK.len(), output.len());
+    assert_eq!(PEK.to_vec(), output);
+}
+
+#[cfg(feature = "openssl")]
+#[test]
+fn verify() {
+    let cek = sev::Certificate::decode(CEK, ()).unwrap();
+    let oca = sev::Certificate::decode(OCA, ()).unwrap();
+    let pek = sev::Certificate::decode(PEK, ()).unwrap();
+
+    (&cek, &pek).verify().unwrap();
+    assert!((&pek, &cek).verify().is_err());
+
+    (&oca, &pek).verify().unwrap();
+    assert!((&pek, &oca).verify().is_err());
+}

package/bindings/sp-sev/tests/session.rs

@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#![cfg(feature = "openssl")]
+
+#[cfg(all(target_os = "linux", feature = "sev"))]
+mod initialized {
+    use ::sev::{certs::sev::builtin::naples::*, certs::sev::*, launch, session::Session};
+    use codicon::Decoder;
+    use std::convert::*;
+
+    #[test]
+    fn create() {
+        Session::try_from(launch::sev::Policy::default()).unwrap();
+    }
+
+    #[test]
+    fn start() {
+        const CEK: &[u8] = include_bytes!("naples/cek.cert");
+        const OCA: &[u8] = include_bytes!("naples/oca.cert");
+        const PEK: &[u8] = include_bytes!("naples/pek.cert");
+        const PDH: &[u8] = include_bytes!("naples/pdh.cert");
+
+        let session = Session::try_from(launch::sev::Policy::default()).unwrap();
+        session
+            .start(Chain {
+                ca: ca::Chain {
+                    ark: ca::Certificate::decode(&mut &ARK[..], ()).unwrap(),
+                    ask: ca::Certificate::decode(&mut &ASK[..], ()).unwrap(),
+                },
+                sev: sev::Chain {
+                    cek: sev::Certificate::decode(&mut &CEK[..], ()).unwrap(),
+                    oca: sev::Certificate::decode(&mut &OCA[..], ()).unwrap(),
+                    pek: sev::Certificate::decode(&mut &PEK[..], ()).unwrap(),
+                    pdh: sev::Certificate::decode(&mut &PDH[..], ()).unwrap(),
+                },
+            })
+            .unwrap();
+    }
+}

package/bindings/sp-sev/tests/sev_launch.rs

@@ -0,0 +1,120 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#![cfg(all(
+    feature = "openssl",
+    target_os = "linux",
+    feature = "sev",
+    feature = "dangerous_hw_tests"
+))]
+
+use kvm_bindings::kvm_userspace_memory_region;
+use kvm_ioctls::{Kvm, VcpuExit};
+use serial_test::serial;
+use sev::certs::sev::sev::Usage;
+use sev::certs::sev::{sev::Certificate, Signer};
+use sev::{cached_chain, firmware::host::Firmware, launch::sev::*, session::Session};
+use std::slice::from_raw_parts;
+use std::{convert::TryFrom, os::unix::io::AsRawFd};
+
+// Has to be a multiple of 16
+const CODE: &[u8; 16] = &[
+    0xf4; 16 // hlt
+];
+
+#[cfg_attr(not(host), ignore)]
+#[test]
+#[serial]
+fn sev_launch_test() {
+    // KVM SEV type
+    const KVM_X86_SEV_VM: u64 = 2;
+
+    let mut sev = Firmware::open().unwrap();
+    let build = sev.platform_status().unwrap().build;
+
+    // Generating OCA cert and private key
+    let (mut oca, prv) = Certificate::generate(Usage::OCA).expect("Generating OCA key pair");
+    prv.sign(&mut oca).expect("OCA key signing");
+
+    // Provisioning the PEK with the generated OCA key pair
+    let mut pek = sev.pek_csr().expect("Cross signing request");
+    prv.sign(&mut pek).expect("Sign PEK with OCA private key");
+    sev.pek_cert_import(&pek, &oca)
+        .expect("Import the newly-signed PEK");
+
+    // Export the full chain to launch SEV guest
+    let chain = cached_chain::get_chain();
+
+    let policy = Policy::default();
+    let session = Session::try_from(policy).unwrap();
+    let start = session.start(chain).unwrap();
+
+    let kvm = Kvm::new().unwrap();
+
+    // Create VMft with SEV type
+    let vm = kvm.create_vm_with_type(KVM_X86_SEV_VM).unwrap();
+
+    // Allocate a 1kB page of memory for the address space of the VM.
+    const MEM_SIZE: usize = 0x1000;
+    let address_space = unsafe { libc::mmap(0 as _, MEM_SIZE, 3, 34, -1, 0) };
+
+    if address_space == libc::MAP_FAILED {
+        panic!("mmap() failed");
+    }
+
+    let address_space: &[u8] = unsafe { from_raw_parts(address_space as *mut u8, MEM_SIZE) };
+
+    let mem_region = kvm_userspace_memory_region {
+        slot: 0,
+        guest_phys_addr: 0,
+        memory_size: MEM_SIZE as _,
+        userspace_addr: address_space.as_ptr() as _,
+        flags: 0,
+    };
+
+    unsafe {
+        vm.set_user_memory_region(mem_region).unwrap();
+    }
+
+    let mut session = session.measure().unwrap();
+    session.update_data(address_space.as_ref()).unwrap();
+
+    let (mut launcher, measurement) = {
+        let launcher = Launcher::new(vm.as_raw_fd(), sev.as_raw_fd()).unwrap();
+        let mut launcher = launcher.start(start).unwrap();
+        launcher.update_data(address_space.as_ref()).unwrap();
+        let launcher = launcher.measure().unwrap();
+        let measurement = launcher.measurement();
+        (launcher, measurement)
+    };
+
+    let session = session.verify(build, measurement).unwrap();
+    let secret = session.secret(HeaderFlags::default(), CODE).unwrap();
+
+    launcher
+        .inject(&secret, address_space.as_ptr() as usize)
+        .unwrap();
+
+    let _handle = launcher.finish().unwrap();
+
+    let mut vcpu = vm.create_vcpu(0).unwrap();
+    let mut sregs = vcpu.get_sregs().unwrap();
+    sregs.cs.base = 0;
+    sregs.cs.selector = 0;
+    vcpu.set_sregs(&sregs).unwrap();
+
+    let mut regs = vcpu.get_regs().unwrap();
+    regs.rip = std::ptr::null::<u64>() as u64;
+    regs.rflags = 2;
+    vcpu.set_regs(&regs).unwrap();
+
+    match vcpu.run().unwrap() {
+        VcpuExit::Hlt => (),
+        exit_reason => panic!("unexpected exit reason: {:?}", exit_reason),
+    }
+
+    drop(vcpu);
+    drop(vm);
+
+    sev.platform_reset().unwrap();
+    cached_chain::rm_cached_chain();
+}

package/bindings/sp-sev/tests/snp_launch.rs

@@ -0,0 +1,108 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#![cfg(all(feature = "snp", target_os = "linux"))]
+
+use kvm_bindings::{kvm_create_guest_memfd, kvm_userspace_memory_region2, KVM_MEM_GUEST_MEMFD};
+use kvm_ioctls::{Kvm, VcpuExit};
+use sev::firmware::{guest::GuestPolicy, host::Firmware};
+use sev::launch::snp::*;
+use std::os::fd::RawFd;
+use std::slice::from_raw_parts_mut;
+
+// one page of `hlt
+const CODE: &[u8; 4096] = &[
+    0xf4; 4096 // hlt
+];
+
+const KVM_X86_SNP_VM: u64 = 4;
+
+#[cfg_attr(not(host), ignore)]
+#[test]
+fn snp_launch_test() {
+    let kvm_fd = Kvm::new().unwrap();
+
+    // Create VM-fd with SEV-SNP type
+    let vm_fd = kvm_fd.create_vm_with_type(KVM_X86_SNP_VM).unwrap();
+
+    const MEM_ADDR: u64 = 0x1000;
+
+    // Allocate a 1kB page of memory for the address space of the VM.
+    let address_space = unsafe { libc::mmap(0 as _, CODE.len(), 3, 34, -1, 0) };
+
+    if address_space == libc::MAP_FAILED {
+        panic!("mmap() failed");
+    }
+
+    let address_space: &mut [u8] =
+        unsafe { from_raw_parts_mut(address_space as *mut u8, CODE.len()) };
+
+    address_space[..CODE.len()].copy_from_slice(&CODE[..]);
+
+    let userspace_addr = address_space as *const [u8] as *const u8 as u64;
+
+    // Create KVM guest_memfd struct
+    let gmem = kvm_create_guest_memfd {
+        size: 0x1000,
+        flags: 0,
+        reserved: [0; 6],
+    };
+
+    // Create KVM guest_memfd
+    let fd: RawFd = vm_fd.create_guest_memfd(gmem).unwrap();
+
+    // Create memory region
+    let mem_region = kvm_userspace_memory_region2 {
+        slot: 0,
+        flags: KVM_MEM_GUEST_MEMFD,
+        guest_phys_addr: 0x1000_u64,
+        memory_size: 0x1000_u64,
+        userspace_addr,
+        guest_memfd_offset: 0,
+        guest_memfd: fd as u32,
+        pad1: 0,
+        pad2: [0; 14],
+    };
+
+    unsafe {
+        vm_fd.set_user_memory_region2(mem_region).unwrap();
+    };
+
+    let sev = Firmware::open().unwrap();
+    let launcher = Launcher::new(vm_fd, sev).unwrap();
+
+    let mut policy = GuestPolicy(0);
+    policy.set_smt_allowed(1);
+    let start = Start::new(policy, [0; 16]);
+
+    let mut launcher = launcher.start(start).unwrap();
+
+    let update = Update::new(
+        mem_region.guest_phys_addr >> 12,
+        address_space,
+        PageType::Normal,
+    );
+
+    launcher
+        .update_data(update, mem_region.guest_phys_addr, mem_region.memory_size)
+        .unwrap();
+
+    let finish = Finish::new(None, None, [0u8; 32]);
+
+    let mut vcpu_fd = launcher.as_mut().create_vcpu(0).unwrap();
+
+    let mut regs = vcpu_fd.get_regs().unwrap();
+    regs.rip = MEM_ADDR;
+    regs.rflags = 2;
+    vcpu_fd.set_regs(&regs).unwrap();
+
+    let mut sregs = vcpu_fd.get_sregs().unwrap();
+    sregs.cs.base = 0;
+    sregs.cs.selector = 0;
+    vcpu_fd.set_sregs(&sregs).unwrap();
+
+    let (_vm_fd, _sev) = launcher.finish(finish).unwrap();
+
+    let ret = vcpu_fd.run();
+
+    assert!(matches!(ret, Ok(VcpuExit::Hlt)));
+}

package/dist/sgx-native-module/sev-snp.d.ts

@@ -97,6 +97,7 @@ export declare class SevSNP {
         trustedHashes?: ArkHashes;
         timeoutMs?: number;
         snpGuestBinaryPath?: string;
+        tmpDir?: string;
     }): Promise<void>;
     protected static calcMrEnclave(measure: Buffer, vmpl: number, policy: bigint): Buffer;
     /**