@super-protocol/addons-tee 1.0.0 → 2.0.1

package/bindings/sp-sev/tests/naples/pdh.rs

@@ -1,28 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-
-#[test]
-fn decode() {
-    sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let pdh = sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    pdh.encode(&mut output, ()).unwrap();
-    assert_eq!(PDH.len(), output.len());
-    assert_eq!(PDH.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let pek = sev::Certificate::decode(PEK, ()).unwrap();
-    let pdh = sev::Certificate::decode(PDH, ()).unwrap();
-
-    (&pek, &pdh).verify().unwrap();
-    assert!((&pdh, &pek).verify().is_err());
-}

package/bindings/sp-sev/tests/naples/pek.rs

@@ -1,32 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-
-#[test]
-fn decode() {
-    sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let pek = sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    pek.encode(&mut output, ()).unwrap();
-    assert_eq!(PEK.len(), output.len());
-    assert_eq!(PEK.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let cek = sev::Certificate::decode(CEK, ()).unwrap();
-    let oca = sev::Certificate::decode(OCA, ()).unwrap();
-    let pek = sev::Certificate::decode(PEK, ()).unwrap();
-
-    (&cek, &pek).verify().unwrap();
-    assert!((&pek, &cek).verify().is_err());
-
-    (&oca, &pek).verify().unwrap();
-    assert!((&pek, &oca).verify().is_err());
-}

package/bindings/sp-sev/tests/rome/ark.rs

@@ -1,33 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-use ::sev::certs::sev::builtin::rome::*;
-
-#[test]
-fn decode() {
-    ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let ark = ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    ark.encode(&mut output, ()).unwrap();
-    assert_eq!(ARK.len(), output.len());
-    assert_eq!(ARK.to_vec(), output);
-
-    let ark = ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    ark.encode(&mut output, ()).unwrap();
-    assert_eq!(ARK.len(), output.len());
-    assert_eq!(ARK.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let ark = ca::Certificate::decode(&mut &ARK[..], ()).unwrap();
-    (&ark, &ark).verify().unwrap();
-}

package/bindings/sp-sev/tests/rome/ask.rs

@@ -1,29 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-use ::sev::certs::sev::builtin::rome::*;
-
-#[test]
-fn decode() {
-    ca::Certificate::decode(&mut &ASK[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let ask = ca::Certificate::decode(&mut &ASK[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    ask.encode(&mut output, ()).unwrap();
-    assert_eq!(ASK.len(), output.len());
-    assert_eq!(ASK.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let ark = ca::Certificate::decode(ARK, ()).unwrap();
-    let ask = ca::Certificate::decode(ASK, ()).unwrap();
-
-    (&ark, &ask).verify().unwrap();
-    assert!((&ask, &ark).verify().is_err());
-}

package/bindings/sp-sev/tests/rome/cek.rs

@@ -1,29 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-
-#[test]
-fn decode() {
-    sev::Certificate::decode(&mut &CEK[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let cek = sev::Certificate::decode(&mut &CEK[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    cek.encode(&mut output, ()).unwrap();
-    assert_eq!(CEK.len(), output.len());
-    assert_eq!(CEK.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    use ::sev::certs::sev::builtin::rome::ASK;
-
-    let ask = ca::Certificate::decode(ASK, ()).unwrap();
-    let cek = sev::Certificate::decode(CEK, ()).unwrap();
-
-    (&ask, &cek).verify().unwrap();
-}

package/bindings/sp-sev/tests/rome/mod.rs

@@ -1,16 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-mod ark;
-mod ask;
-mod cek;
-mod oca;
-mod pdh;
-mod pek;
-
-const OCA: &[u8] = include_bytes!("oca.cert");
-const CEK: &[u8] = include_bytes!("cek.cert");
-const PEK: &[u8] = include_bytes!("pek.cert");
-const PDH: &[u8] = include_bytes!("pdh.cert");
-
-use ::sev::certs::sev::*;
-use codicon::{Decoder, Encoder};

package/bindings/sp-sev/tests/rome/oca.rs

@@ -1,45 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-
-#[test]
-fn decode() {
-    sev::Certificate::decode(&mut &OCA[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let oca = sev::Certificate::decode(&mut &OCA[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    oca.encode(&mut output, ()).unwrap();
-    assert_eq!(OCA.len(), output.len());
-    assert_eq!(OCA.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let oca = sev::Certificate::decode(OCA, ()).unwrap();
-    (&oca, &oca).verify().unwrap();
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn create() {
-    let mut pdh = sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
-    let (mut oca, key) = sev::Certificate::generate(sev::Usage::OCA).unwrap();
-
-    assert!((&pdh, &pdh).verify().is_err());
-    assert!((&oca, &pdh).verify().is_err());
-    assert!((&oca, &oca).verify().is_err());
-
-    key.sign(&mut oca).unwrap();
-
-    assert!((&pdh, &pdh).verify().is_err());
-    assert!((&oca, &pdh).verify().is_err());
-    (&oca, &oca).verify().unwrap();
-
-    key.sign(&mut pdh).unwrap();
-    (&oca, &pdh).verify().unwrap();
-}

package/bindings/sp-sev/tests/rome/pdh.rs

@@ -1,28 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-
-#[test]
-fn decode() {
-    sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let pdh = sev::Certificate::decode(&mut &PDH[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    pdh.encode(&mut output, ()).unwrap();
-    assert_eq!(PDH.len(), output.len());
-    assert_eq!(PDH.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let pek = sev::Certificate::decode(PEK, ()).unwrap();
-    let pdh = sev::Certificate::decode(PDH, ()).unwrap();
-
-    (&pek, &pdh).verify().unwrap();
-    assert!((&pdh, &pek).verify().is_err());
-}

package/bindings/sp-sev/tests/rome/pek.rs

@@ -1,32 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-use super::*;
-
-#[test]
-fn decode() {
-    sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
-}
-
-#[test]
-fn encode() {
-    let pek = sev::Certificate::decode(&mut &PEK[..], ()).unwrap();
-
-    let mut output = Vec::new();
-    pek.encode(&mut output, ()).unwrap();
-    assert_eq!(PEK.len(), output.len());
-    assert_eq!(PEK.to_vec(), output);
-}
-
-#[cfg(feature = "openssl")]
-#[test]
-fn verify() {
-    let cek = sev::Certificate::decode(CEK, ()).unwrap();
-    let oca = sev::Certificate::decode(OCA, ()).unwrap();
-    let pek = sev::Certificate::decode(PEK, ()).unwrap();
-
-    (&cek, &pek).verify().unwrap();
-    assert!((&pek, &cek).verify().is_err());
-
-    (&oca, &pek).verify().unwrap();
-    assert!((&pek, &oca).verify().is_err());
-}

package/bindings/sp-sev/tests/session.rs

@@ -1,39 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-#![cfg(feature = "openssl")]
-
-#[cfg(all(target_os = "linux", feature = "sev"))]
-mod initialized {
-    use ::sev::{certs::sev::builtin::naples::*, certs::sev::*, launch, session::Session};
-    use codicon::Decoder;
-    use std::convert::*;
-
-    #[test]
-    fn create() {
-        Session::try_from(launch::sev::Policy::default()).unwrap();
-    }
-
-    #[test]
-    fn start() {
-        const CEK: &[u8] = include_bytes!("naples/cek.cert");
-        const OCA: &[u8] = include_bytes!("naples/oca.cert");
-        const PEK: &[u8] = include_bytes!("naples/pek.cert");
-        const PDH: &[u8] = include_bytes!("naples/pdh.cert");
-
-        let session = Session::try_from(launch::sev::Policy::default()).unwrap();
-        session
-            .start(Chain {
-                ca: ca::Chain {
-                    ark: ca::Certificate::decode(&mut &ARK[..], ()).unwrap(),
-                    ask: ca::Certificate::decode(&mut &ASK[..], ()).unwrap(),
-                },
-                sev: sev::Chain {
-                    cek: sev::Certificate::decode(&mut &CEK[..], ()).unwrap(),
-                    oca: sev::Certificate::decode(&mut &OCA[..], ()).unwrap(),
-                    pek: sev::Certificate::decode(&mut &PEK[..], ()).unwrap(),
-                    pdh: sev::Certificate::decode(&mut &PDH[..], ()).unwrap(),
-                },
-            })
-            .unwrap();
-    }
-}

package/bindings/sp-sev/tests/sev_launch.rs

@@ -1,120 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-#![cfg(all(
-    feature = "openssl",
-    target_os = "linux",
-    feature = "sev",
-    feature = "dangerous_hw_tests"
-))]
-
-use kvm_bindings::kvm_userspace_memory_region;
-use kvm_ioctls::{Kvm, VcpuExit};
-use serial_test::serial;
-use sev::certs::sev::sev::Usage;
-use sev::certs::sev::{sev::Certificate, Signer};
-use sev::{cached_chain, firmware::host::Firmware, launch::sev::*, session::Session};
-use std::slice::from_raw_parts;
-use std::{convert::TryFrom, os::unix::io::AsRawFd};
-
-// Has to be a multiple of 16
-const CODE: &[u8; 16] = &[
-    0xf4; 16 // hlt
-];
-
-#[cfg_attr(not(host), ignore)]
-#[test]
-#[serial]
-fn sev_launch_test() {
-    // KVM SEV type
-    const KVM_X86_SEV_VM: u64 = 2;
-
-    let mut sev = Firmware::open().unwrap();
-    let build = sev.platform_status().unwrap().build;
-
-    // Generating OCA cert and private key
-    let (mut oca, prv) = Certificate::generate(Usage::OCA).expect("Generating OCA key pair");
-    prv.sign(&mut oca).expect("OCA key signing");
-
-    // Provisioning the PEK with the generated OCA key pair
-    let mut pek = sev.pek_csr().expect("Cross signing request");
-    prv.sign(&mut pek).expect("Sign PEK with OCA private key");
-    sev.pek_cert_import(&pek, &oca)
-        .expect("Import the newly-signed PEK");
-
-    // Export the full chain to launch SEV guest
-    let chain = cached_chain::get_chain();
-
-    let policy = Policy::default();
-    let session = Session::try_from(policy).unwrap();
-    let start = session.start(chain).unwrap();
-
-    let kvm = Kvm::new().unwrap();
-
-    // Create VMft with SEV type
-    let vm = kvm.create_vm_with_type(KVM_X86_SEV_VM).unwrap();
-
-    // Allocate a 1kB page of memory for the address space of the VM.
-    const MEM_SIZE: usize = 0x1000;
-    let address_space = unsafe { libc::mmap(0 as _, MEM_SIZE, 3, 34, -1, 0) };
-
-    if address_space == libc::MAP_FAILED {
-        panic!("mmap() failed");
-    }
-
-    let address_space: &[u8] = unsafe { from_raw_parts(address_space as *mut u8, MEM_SIZE) };
-
-    let mem_region = kvm_userspace_memory_region {
-        slot: 0,
-        guest_phys_addr: 0,
-        memory_size: MEM_SIZE as _,
-        userspace_addr: address_space.as_ptr() as _,
-        flags: 0,
-    };
-
-    unsafe {
-        vm.set_user_memory_region(mem_region).unwrap();
-    }
-
-    let mut session = session.measure().unwrap();
-    session.update_data(address_space.as_ref()).unwrap();
-
-    let (mut launcher, measurement) = {
-        let launcher = Launcher::new(vm.as_raw_fd(), sev.as_raw_fd()).unwrap();
-        let mut launcher = launcher.start(start).unwrap();
-        launcher.update_data(address_space.as_ref()).unwrap();
-        let launcher = launcher.measure().unwrap();
-        let measurement = launcher.measurement();
-        (launcher, measurement)
-    };
-
-    let session = session.verify(build, measurement).unwrap();
-    let secret = session.secret(HeaderFlags::default(), CODE).unwrap();
-
-    launcher
-        .inject(&secret, address_space.as_ptr() as usize)
-        .unwrap();
-
-    let _handle = launcher.finish().unwrap();
-
-    let mut vcpu = vm.create_vcpu(0).unwrap();
-    let mut sregs = vcpu.get_sregs().unwrap();
-    sregs.cs.base = 0;
-    sregs.cs.selector = 0;
-    vcpu.set_sregs(&sregs).unwrap();
-
-    let mut regs = vcpu.get_regs().unwrap();
-    regs.rip = std::ptr::null::<u64>() as u64;
-    regs.rflags = 2;
-    vcpu.set_regs(&regs).unwrap();
-
-    match vcpu.run().unwrap() {
-        VcpuExit::Hlt => (),
-        exit_reason => panic!("unexpected exit reason: {:?}", exit_reason),
-    }
-
-    drop(vcpu);
-    drop(vm);
-
-    sev.platform_reset().unwrap();
-    cached_chain::rm_cached_chain();
-}

package/bindings/sp-sev/tests/snp_launch.rs

@@ -1,108 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-
-#![cfg(all(feature = "snp", target_os = "linux"))]
-
-use kvm_bindings::{kvm_create_guest_memfd, kvm_userspace_memory_region2, KVM_MEM_GUEST_MEMFD};
-use kvm_ioctls::{Kvm, VcpuExit};
-use sev::firmware::{guest::GuestPolicy, host::Firmware};
-use sev::launch::snp::*;
-use std::os::fd::RawFd;
-use std::slice::from_raw_parts_mut;
-
-// one page of `hlt
-const CODE: &[u8; 4096] = &[
-    0xf4; 4096 // hlt
-];
-
-const KVM_X86_SNP_VM: u64 = 4;
-
-#[cfg_attr(not(host), ignore)]
-#[test]
-fn snp_launch_test() {
-    let kvm_fd = Kvm::new().unwrap();
-
-    // Create VM-fd with SEV-SNP type
-    let vm_fd = kvm_fd.create_vm_with_type(KVM_X86_SNP_VM).unwrap();
-
-    const MEM_ADDR: u64 = 0x1000;
-
-    // Allocate a 1kB page of memory for the address space of the VM.
-    let address_space = unsafe { libc::mmap(0 as _, CODE.len(), 3, 34, -1, 0) };
-
-    if address_space == libc::MAP_FAILED {
-        panic!("mmap() failed");
-    }
-
-    let address_space: &mut [u8] =
-        unsafe { from_raw_parts_mut(address_space as *mut u8, CODE.len()) };
-
-    address_space[..CODE.len()].copy_from_slice(&CODE[..]);
-
-    let userspace_addr = address_space as *const [u8] as *const u8 as u64;
-
-    // Create KVM guest_memfd struct
-    let gmem = kvm_create_guest_memfd {
-        size: 0x1000,
-        flags: 0,
-        reserved: [0; 6],
-    };
-
-    // Create KVM guest_memfd
-    let fd: RawFd = vm_fd.create_guest_memfd(gmem).unwrap();
-
-    // Create memory region
-    let mem_region = kvm_userspace_memory_region2 {
-        slot: 0,
-        flags: KVM_MEM_GUEST_MEMFD,
-        guest_phys_addr: 0x1000_u64,
-        memory_size: 0x1000_u64,
-        userspace_addr,
-        guest_memfd_offset: 0,
-        guest_memfd: fd as u32,
-        pad1: 0,
-        pad2: [0; 14],
-    };
-
-    unsafe {
-        vm_fd.set_user_memory_region2(mem_region).unwrap();
-    };
-
-    let sev = Firmware::open().unwrap();
-    let launcher = Launcher::new(vm_fd, sev).unwrap();
-
-    let mut policy = GuestPolicy(0);
-    policy.set_smt_allowed(true);
-    let start = Start::new(policy, [0; 16]);
-
-    let mut launcher = launcher.start(start).unwrap();
-
-    let update = Update::new(
-        mem_region.guest_phys_addr >> 12,
-        address_space,
-        PageType::Normal,
-    );
-
-    launcher
-        .update_data(update, mem_region.guest_phys_addr, mem_region.memory_size)
-        .unwrap();
-
-    let finish = Finish::new(None, None, [0u8; 32]);
-
-    let mut vcpu_fd = launcher.as_mut().create_vcpu(0).unwrap();
-
-    let mut regs = vcpu_fd.get_regs().unwrap();
-    regs.rip = MEM_ADDR;
-    regs.rflags = 2;
-    vcpu_fd.set_regs(&regs).unwrap();
-
-    let mut sregs = vcpu_fd.get_sregs().unwrap();
-    sregs.cs.base = 0;
-    sregs.cs.selector = 0;
-    vcpu_fd.set_sregs(&sregs).unwrap();
-
-    let (_vm_fd, _sev) = launcher.finish(finish).unwrap();
-
-    let ret = vcpu_fd.run();
-
-    assert!(matches!(ret, Ok(VcpuExit::Hlt)));
-}

package/dto/src/AmdSevSnp.proto

@@ -1,31 +0,0 @@
-syntax = "proto3";
-
-enum SevSNPCertType {
-  ARK = 0;
-  ASK = 1;
-  VCEK = 2;
-}
-
-enum SevSnpCertificateFormat {
-  PEM = 0;
-  DER = 1;
-}
-
-message SnpCert {
-  SevSNPCertType type = 1;
-  bytes cert = 2;
-  SevSnpCertificateFormat format = 3;
-}
-
-message SNPReport {
-  bytes rawReport = 1;
-  uint32 cpuSig = 2;
-  uint32 cores = 3;
-  bytes cmdLineHash = 4;
-  string build = 5;
-}
-
-message SNPReportWithChain {
-  SNPReport snpReport = 1;
-  repeated SnpCert certs = 2;
-}

package/dto/src/Compression.proto

@@ -1,11 +0,0 @@
-syntax = "proto3";
-
-message Compression {
-    enum TYPE {
-        Uncompressed = 0;
-        GZIP = 1;
-    }
-
-    TYPE type = 1;
-    bytes data = 2;
-}

package/dto/src/Hash.proto

@@ -1,6 +0,0 @@
-syntax = "proto3";
-
-message Hash {
-    string algo = 1;
-    bytes hash = 2;
-}

package/dto/src/OrderReport.proto

@@ -1,21 +0,0 @@
-syntax = "proto3";
-
-import "Hash.proto";
-
-message OrderReportProto {
-    repeated bytes certificates = 1;
-    WorkloadInfo workloadInfo = 2;
-}
-
-message WorkloadInfo {
-    repeated RuntimeInfo runtimeInfo = 1;
-    int64 created = 2;
-}
-
-message RuntimeInfo {
-    string type = 1;
-    int64 size = 2;
-    Hash hash = 3;
-    optional Hash signatureKeyHash = 4;
-    optional Hash argsHash = 5;
-}

package/dto/src/TRI.proto

@@ -1,22 +0,0 @@
-syntax = "proto3";
-
-import "Hash.proto";
-
-message Encryption {
-    string algo = 1;
-    optional bytes key = 2;
-    optional string cipher = 3;
-    optional bytes ciphertext = 4;
-    optional bytes iv = 6;
-    optional bytes mac = 7;
-    string encoding = 8;
-}
-
-message TRI {
-    repeated Hash solutionHashes = 1;
-    bytes mrenclave = 2;
-    string args = 3;
-    Encryption encryption = 4;
-    bytes mrsigner = 5;
-    repeated Hash imageHashes = 6;
-}