Set and enforced VMPL in SNP attestation
achamayou committed Oct 21, 2024
1 parent 65fe3d8 commit 90d2581
Showing 5 changed files with 21 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .snpcc_canary
@@ -4,4 +4,4 @@
/-xXx--//-----x=x--/-xXx--/---x---->>>--/
...
/\/\d(-_-)b/\/\
----
----vmpl
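Review bot: the change from `----` to `----vmpl` in `.snpcc_canary` is not self-explanatory from the diff; a one-line comment in the file, or a sentence in the commit message, saying what touching this file is meant to trigger would help anyone reading the history later.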
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [6.0.0-dev3]

[6.0.0-dev3]: https://github.com/microsoft/CCF/releases/tag/6.0.0-dev3

### Changed

- Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifiying attestation, since recent [updates allow host-initiated attestations](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/programmer-references/56860.pdf).

## [6.0.0-dev2]

[6.0.0-dev2]: https://github.com/microsoft/CCF/releases/tag/6.0.0-dev2
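Review bot: typo in the new changelog entry: `verifiying` should be `verifying`. It would also help to spell out the accepted range in the entry itself (VMPL 0 to 3 for guest-requested reports; a host-requested report carries 0xffffffff and is now rejected), since that is the user-visible behaviour change and the linked AMD PDF is long.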
10 changes: 10 additions & 0 deletions include/ccf/pal/attestation.h
@@ -75,6 +75,16 @@ namespace ccf::pal
fmt::format("SEV-SNP: Mask chip key must not be set"));
}

// Introduced in https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/programmer-references/56860.pdf
// The guest sets the VMPL field to a value from 0 thru 3 which indicates a request from the guest.
// For a Guest requested attestation report this field will contain the value (0-3). A Host requested attestation report will have a value of 0xffffffff.
// CCF current always sets VMPL to 0, and rejects non-guest values.
if (quote.vmpl > 3)
{
throw std::logic_error(
fmt::format("SEV-SNP: VMPL for guest attestations must be in 0-3 range, not {}", quote.vmpl));
}

report_data = SnpAttestationReportData(quote.report_data);
measurement = SnpAttestationMeasurement(quote.measurement);

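Review bot: the new check rejects `quote.vmpl > 3`, but the comment just above it says CCF always sets VMPL to 0; either tighten the verifier to `quote.vmpl != 0` or state in the comment why reports at VMPL 1 to 3 are deliberately accepted. The comment also reads `CCF current always sets` and should be `currently`. Since this check is what turns a host-requested report (VMPL 0xffffffff) into a rejection, a unit test that feeds a report with `vmpl = 0xffffffff`, plus the boundary values 3 and 4, through this path would be worth adding; none of the five changed files in this commit is a test.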
2 changes: 1 addition & 1 deletion include/ccf/pal/snp_ioctl5.h
@@ -56,7 +56,7 @@ namespace ccf::pal::snp::ioctl5
struct AttestationReq
{
uint8_t report_data[snp_attestation_report_data_size];
uint32_t vmpl;
uint32_t vmpl = 0;
uint8_t reserved[28];
};

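Review bot: the default member initializer `vmpl = 0` only zeroes that one field; a call site that declares `AttestationReq req;` without braces still leaves `reserved[28]` indeterminate, while `AttestationReq req{};` zeroes everything. Consider giving `reserved` a default too (`uint8_t reserved[28] = {};`) so the request is fully zeroed however it is declared; since C++14 a struct with default member initializers is still an aggregate, so existing brace-initialization keeps working.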
2 changes: 1 addition & 1 deletion include/ccf/pal/snp_ioctl6.h
@@ -23,7 +23,7 @@ namespace ccf::pal::snp::ioctl6
struct AttestationReq
{
uint8_t report_data[snp_attestation_report_data_size];
uint32_t vmpl;
uint32_t vmpl = 0;
uint8_t reserved[28]; // needs to be zero
}; // aka snp_report_req in (linux) include/uapi/linux/sev-guest.h

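Review bot: the `// needs to be zero` comment on `reserved` makes the partial initialization here worth a second look: with `vmpl = 0` as the only default initializer, `reserved` is zero only when the caller value-initializes the struct (`AttestationReq req{};` or a memset). Either add `= {}` to `reserved` as well or confirm every call site value-initializes, otherwise a request whose reserved bytes carry stack garbage may be rejected by the driver.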