This patch series is provided to allow the guest application to query AMD SEV(-ES) runtime attestation evidence by communicating with the host service (Attestation Evidence Broker). The following is the design document. > Background Compared with SEV-SNP and Intel TDX, the runtime attestation of SEV(-ES) does NOT support guest-provided data included in the attestation report [1,2]. In addition, SEV(-ES) also does NOT support the dynamic measurement. During runtime, it can only generate static attestation report with the constant launch digest reflecting the initial measurement. Although SEV(-ES) has above limitations, its runtime attestation is still useful. When the SEV(-ES) guest is running, it can report the attestation report with fixed launch digest as a heartbeat for trusted healthy check. SEV(-ES) runtime attestation includes two participants: attester and verifier. - The attester running in a SEV(-ES) guest is responsible for collecting attestation evidence. - The verifier running in a trusted environment is responsible for verifying the attestation evidence provided by the attester. Note that the verifier can run on any platform even non-TEE. > SEV(-ES) Attestation Evidence Verifier uses the following SEV(-ES) certificate chains to verify the signature of the attestation report generated by the `ATTESTATION` command [2]: 1. certificate chain for device identity: ARK -> ASK -> CEK -> PEK -> report 2. certificate chain for platform owner identity: OCA -> PEK -> report - `foo -> bar` indicates using the public key of `foo` to verify the signature of `bar`. - ARK is the root of trust of AMD and OCA is the root of trust for platform owners. OCA has two ways: 1. Self-owned: The OCA Key Pair and self-signed OCA certificate are automatically generated by the SEV(-ES) firmware. 2. Externally-owned: External users use OCA Key Pair to generate self-signed OCA certificates in a trusted environment. Verifier needs to verify the attestation report with the certificate chain. ARK and ASK can be obtained directly from the AMD KDS server. CEK, PEK, OCA, and attestation report are related to the specific SEV(-ES) platform, therefore SEV(-ES) Attestation Evidence collected by attester should include attestation report (with the constant launch digest), PEK, CEK, and OCA certificate. | Contents of SEV(-ES) Attestation Evidence | SEV(-ES) firmware command | | :-: | :-: | | attestation report | ATTESTATION | | CEK | GET_ID | | OCA,PEK | PDH_CERT_EXPORT | > Query SEV(-ES) Attestation Evidence According to the official feedback[3], SEV(-ES) firmware APIs don't support query attestation report in SEV(-ES) guest and there is no plan to support it in the future. Instead, this capability will be available in SEV-SNP. In some scenarios, the guest application needs to query the attestation report to establish an attested channel with the remote peer. There are two approaches for a guest application to query an attestation evidence: - Hypercall approach - VSOCK approach Considering time and cost, we only need to implement one of them. - Hypercall approach SEV(-ES) guest exits to VMM using `hypercall` and then interacts with SEV firmware to query the components composing an attestation evidence, including attestation report, PEK, CEK, OCA certificate. To build an attestation evidence, the steps include: 1. The guest application requests a shared memory page, initiates a hypercall, and switches from the guest mode to the host mode. 2. In the host mode, KVM sends the `GET_ID, PDH_CERT_EXPORT, ATTESTATION` command requests to SEV firmware. 3. The shared memory page is filled with the data returned by the SEV firmware. 4. The guest application can obtain attestation evidence by reading the data in the shared memory. Although this method can meet our requirements, it requires a lot of modifications to the guest kernel and KVM. - VSOCK approach In the current implementation, QEMU provides the QMP interface "query-sev-attestation-report" to query the attestation report in the host. However, QEMU is not the only VMM. In order to support various VMM in different scenarios, it is necessary to design a general host service, such as attestation evidence Broker (AEB) to query attestation evidence from the host. The workflow of AEB is as followed: 1. The user-level application in the guest sends a request (including guest firmware handle) to AEB through VSOCK. 2. AEB requests to query attestation report, PEK, CEK, OCA certificate by calling multiple SEV firmware APIs (refer to the table above for specific API commands) and assembles these information into the attestation evidence. 3. AEB returns the attestation evidence to the application in the guest. To query the attestation report in host with AEB, we provides three patches to achieve the following two goals. 1. It is necessary to add a `SEV_GET_REPORT` interface in ccp driver so that AEB can execute `ioctl` on the `/dev/sev` device and then call the `SEV_GET_REPORT` interface to send the `ATTESTATION` command to the SEV firmware to query attestation report. 2. In order to obtain the guest handle required by the `ATTESTATION` command to the SEV firmware, a new hypercall needs to be added to the KVM. The application in the guest obtains the guest handle through this newly added hypercal, and then sends it to the AEB service through VSOCK. The AEB service uses the guest handle as the input parameter of the `ATTESTATION` command to interact with the SEV firmware. Note that hypercall is not the only way to obtain the guest handle. Actually the qmp interface `query-sev` can query the guest handle as well. However, as mentioned previously, qemu is not the only VMM. > Communication protocol Below is the communication protocol between the guest application and AEB. ```protobuf syntax = "proto3"; ... message RetrieveAttestationEvidenceSizeRequest{ uint32 guest_handle = 1; } message RetrieveAttestationEvidenceRequest{ uint32 guest_handle = 1; uint32 evidence_size = 2; } message RetrieveAttestationEvidenceSizeResponse{ uint32 error_code = 1; uint32 evidence_size = 2; } message RetrieveAttestationEvidenceResponse{ uint32 error_code = 1; uint32 evidence_size = 2; bytes evidence = 3; } service AEBService { rpc RetrieveAttestationEvidenceSize (RetrieveAttestationEvidenceSizeRequest) returns (RetrieveAttestationEvidenceSizeResponse); rpc RetrieveAttestationEvidence(RetrieveAttestationEvidenceRequest) returns (RetrieveAttestationEvidenceResponse); } ``` > Reference [1] https://www.amd.com/system/files/TechDocs/ 55766_SEV-KM_API_Specification.pdf [2] https://www.amd.com/system/files/TechDocs/56860.pdf [3] https://github.com/AMDESE/AMDSEV/issues/71#issuecomment-926118314 Shirong Hao (3): KVM: X86: Introduce KVM_HC_VM_HANDLE hypercall KVM/SVM: move the implementation of sev_get_attestation_report to ccp driver crypto: ccp: Implement SEV_GET_REPORT ioctl command arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/sev.c | 49 +++------------------- arch/x86/kvm/svm/svm.c | 11 +++++ arch/x86/kvm/x86.c | 7 +++- drivers/crypto/ccp/sev-dev.c | 74 +++++++++++++++++++++++++++++++++ include/linux/psp-sev.h | 7 ++++ include/uapi/linux/kvm_para.h | 1 + include/uapi/linux/psp-sev.h | 17 ++++++++ 8 files changed, 123 insertions(+), 44 deletions(-) -- 2.27.0