Set and enforce VMPL in SNP attestation (#6583)
achamayou authored Oct 21, 2024
1 parent 94f65a2 commit d3ba218
Showing 6 changed files with 26 additions and 4 deletions.
2 changes: 1 addition & 1 deletion .snpcc_canary
Expand Up @@ -4,4 +4,4 @@
/-xXx--//-----x=x--/-xXx--/---x---->>>--/
...
/\/\d(-_-)b/\/\
----
----vmpl
8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [6.0.0-dev3]

[6.0.0-dev3]: https://github.com/microsoft/CCF/releases/tag/6.0.0-dev3

### Changed

- Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifiying attestation, since recent [updates allow host-initiated attestations](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/programmer-references/56860.pdf) (#6583).

## [6.0.0-dev2]

[6.0.0-dev2]: https://github.com/microsoft/CCF/releases/tag/6.0.0-dev2
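Review bot: "verifiying" in the new Changed entry is a typo for "verifying" and should be fixed before it lands in the published release notes. The entry otherwise matches the code changes in this commit: VMPL is set to 0 on the request side and range-checked on the verification side.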
14 changes: 14 additions & 0 deletions include/ccf/pal/attestation.h
Expand Up @@ -75,6 +75,20 @@ namespace ccf::pal
fmt::format("SEV-SNP: Mask chip key must not be set"));
}

// Introduced in
// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/programmer-references/56860.pdf
// The guest sets the VMPL field to a value from 0 thru 3 which indicates a
// request from the guest. For a Guest requested attestation report this
// field will contain the value (0-3). A Host requested attestation report
// will have a value of 0xffffffff. CCF current always sets VMPL to 0, and
// rejects non-guest values.
if (quote.vmpl > 3)
{
throw std::logic_error(fmt::format(
"SEV-SNP: VMPL for guest attestations must be in 0-3 range, not {}",
quote.vmpl));
}

report_data = SnpAttestationReportData(quote.report_data);
measurement = SnpAttestationMeasurement(quote.measurement);

2 changes: 1 addition & 1 deletion include/ccf/pal/snp_ioctl5.h
Expand Up @@ -56,7 +56,7 @@ namespace ccf::pal::snp::ioctl5
struct AttestationReq
{
uint8_t report_data[snp_attestation_report_data_size];
uint32_t vmpl;
uint32_t vmpl = 0;
uint8_t reserved[28];
};

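Review bot: `uint32_t vmpl = 0;` only takes effect when an `AttestationReq` is default- or value-initialized, and the adjacent `reserved[28]` still has no initializer, so a caller writing `AttestationReq req;` gets a zeroed `vmpl` but indeterminate reserved bytes handed to the ioctl. Suggest adding `uint8_t reserved[28] = {};` next to the new default, or constructing requests as `AttestationReq req{};` at the call sites so both fields are guaranteed zero.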
2 changes: 1 addition & 1 deletion include/ccf/pal/snp_ioctl6.h
Expand Up @@ -23,7 +23,7 @@ namespace ccf::pal::snp::ioctl6
struct AttestationReq
{
uint8_t report_data[snp_attestation_report_data_size];
uint32_t vmpl;
uint32_t vmpl = 0;
uint8_t reserved[28]; // needs to be zero
}; // aka snp_report_req in (linux) include/uapi/linux/sev-guest.h

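Review bot: the `// needs to be zero` comment on `reserved[28]` now sits beside a field that has a default initializer while `reserved` itself has none; giving it `uint8_t reserved[28] = {};` would make the zero requirement hold regardless of how the caller declares the struct, rather than relying on every caller to value-initialize. A default member initializer does not stop `AttestationReq` from being an aggregate, so existing brace-initialization of the struct continues to compile.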
2 changes: 1 addition & 1 deletion python/pyproject.toml
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "ccf"
version = "6.0.0-dev2"
version = "6.0.0-dev3"
authors = [
{ name="CCF Team", email="CCF-Sec@microsoft.com" },
]
