On Wed, 23 Mar 2022 09:39:27 +0100 Janosch Frank <frankja@xxxxxxxxxxxxx> wrote: > On 2/22/22 15:54, Steffen Eiden wrote: > > Adds several tests to verify correct error paths of attestation. > > > > Signed-off-by: Steffen Eiden <seiden@xxxxxxxxxxxxx> > > I think this test deserves its own file: pv-attest.c sounds like a good idea > > But I'd leave the priv check in uv-guest.c. > @Claudio: Any opinion about having all priv checks here and doing the > actual execution tests in pv-*.c files? fine for me maybe put a comment in pv-attest.c to explain that the priv check is covered somewhere else already > > > --- > > lib/s390x/asm/uv.h | 5 +- > > s390x/uv-guest.c | 193 ++++++++++++++++++++++++++++++++++++++++++++- > > 2 files changed, 196 insertions(+), 2 deletions(-) > > > > diff --git a/lib/s390x/asm/uv.h b/lib/s390x/asm/uv.h > > index c330c0f8..e5f7aa72 100644 > > --- a/lib/s390x/asm/uv.h > > +++ b/lib/s390x/asm/uv.h > > @@ -108,7 +108,10 @@ struct uv_cb_qui { > > u8 reserved88[158 - 136]; /* 0x0088 */ > > uint16_t max_guest_cpus; /* 0x009e */ > > u64 uv_feature_indications; /* 0x00a0 */ > > - u8 reserveda8[200 - 168]; /* 0x00a8 */ > > + uint8_t reserveda8[224 - 168]; /* 0x00a8 */ > > + uint64_t supp_att_hdr_ver; /* 0x00e0 */ > > + uint64_t supp_paf; /* 0x00e8 */ > > + uint8_t reservedf0[256 - 240]; /* 0x00f0 */ > > } __attribute__((packed)) __attribute__((aligned(8))); > > > > struct uv_cb_cgc { > > diff --git a/s390x/uv-guest.c b/s390x/uv-guest.c > > index 77057bd2..77edbba2 100644 > > --- a/s390x/uv-guest.c > > +++ b/s390x/uv-guest.c > > @@ -2,10 +2,11 @@ > > /* > > * Guest Ultravisor Call tests > > * > > - * Copyright (c) 2020 IBM Corp > > + * Copyright IBM Corp. 2020, 2022 > > * > > * Authors: > > * Janosch Frank <frankja@xxxxxxxxxxxxx> > > + * Steffen Eiden <seiden@xxxxxxxxxxxxx> > > */ > > > > #include <libcflat.h> > > @@ -53,6 +54,15 @@ static void test_priv(void) > > check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION); > > report_prefix_pop(); > > > > + report_prefix_push("attest"); > > + uvcb.cmd = UVC_CMD_ATTESTATION; > > + uvcb.len = sizeof(struct uv_cb_attest); > > + expect_pgm_int(); > > + enter_pstate(); > > + uv_call_once(0, (uint64_t)&uvcb); > > + check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION); > > + report_prefix_pop(); > > + > > report_prefix_pop(); > > } > > > > @@ -111,7 +121,187 @@ static void test_sharing(void) > > cc = uv_call(0, (u64)&uvcb); > > report(cc == 0 && uvcb.header.rc == UVC_RC_EXECUTED, "unshare"); > > report_prefix_pop(); > > +} > > + > > +#define ARCB_VERSION_NONE 0 > > +#define ARCB_VERSION_1 0x0100 > > +#define ARCB_MEAS_NONE 0 > > +#define ARCB_MEAS_HMAC_SHA512 1 > > +#define MEASUREMENT_SIZE_HMAC_SHA512 64 > > +#define PAF_PHKH_ATT (1ULL << 61) > > +#define ADDITIONAL_SIZE_PAF_PHKH_ATT 32 > > +/* arcb with one key slot and no nonce */ > > +struct uv_arcb_v1 { > > + uint64_t reserved0; /* 0x0000 */ > > + uint32_t req_ver; /* 0x0008 */ > > + uint32_t req_len; /* 0x000c */ > > + uint8_t iv[12]; /* 0x0010 */ > > + uint32_t reserved1c; /* 0x001c */ > > + uint8_t reserved20[7]; /* 0x0020 */ > > + uint8_t nks; /* 0x0027 */ > > + uint32_t reserved28; /* 0x0028 */ > > + uint32_t sea; /* 0x002c */ > > + uint64_t plaint_att_flags; /* 0x0030 */ > > + uint32_t meas_alg_id; /* 0x0038 */ > > + uint32_t reserved3c; /* 0x003c */ > > + uint8_t cpk[160]; /* 0x0040 */ > > + uint8_t key_slot[80]; /* 0x00e0 */ > > + uint8_t meas_key[64]; /* 0x0130 */ > > + uint8_t tag[16]; /* 0x0170 */ > > +} __attribute__((packed)); > > + > > +struct attest_request_v1 { > > + struct uv_arcb_v1 arcb; > > + uint8_t measurement[MEASUREMENT_SIZE_HMAC_SHA512]; > > + uint8_t additional[ADDITIONAL_SIZE_PAF_PHKH_ATT]; > > +}; > > + > > +static void test_attest_v1(u64 supported_paf) > > +{ > > + struct uv_cb_attest uvcb = { > > + .header.cmd = UVC_CMD_ATTESTATION, > > + .header.len = sizeof(uvcb), > > + }; > > + struct attest_request_v1 *attest_req = (void *)page; > > + struct uv_arcb_v1 *arcb = &attest_req->arcb; > > + int cc; > > + > > + memset((void *)page, 0, PAGE_SIZE); > > + > > + /* > > + * Create a minimal arcb/uvcb such that FW has everything to start > > + * unsealing the request. However, this unsealing will fail as the > > + * kvm-unit-test framework provides no cryptography functions that > > + * would be needed to seal such requests. > > + */ > > + arcb->req_ver = ARCB_VERSION_1; > > + arcb->req_len = sizeof(*arcb); > > + arcb->nks = 1; > > + arcb->sea = sizeof(arcb->meas_key); > > + arcb->plaint_att_flags = PAF_PHKH_ATT; > > + arcb->meas_alg_id = ARCB_MEAS_HMAC_SHA512; > > + uvcb.arcb_addr = (uint64_t)&attest_req->arcb; > > + uvcb.measurement_address = (uint64_t)attest_req->measurement; > > + uvcb.measurement_length = sizeof(attest_req->measurement); > > + uvcb.add_data_address = (uint64_t)attest_req->additional; > > + uvcb.add_data_length = sizeof(attest_req->additional); > > + > > + uvcb.continuation_token = 0xff; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0101, "invalid continuation token"); > > + uvcb.continuation_token = 0; > > + > > + uvcb.user_data_length = sizeof(uvcb.user_data) + 1; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0102, "invalid user data size"); > > + uvcb.user_data_length = 0; > > + > > + uvcb.arcb_addr = get_ram_size() + PAGE_SIZE; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0103, "invalid address arcb"); > > + uvcb.arcb_addr = page; > > + > > + /* 0104 - 0105 need an unseal-able request */ > > + > > + arcb->req_ver = ARCB_VERSION_NONE; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0106, "unsupported version"); > > + arcb->req_ver = ARCB_VERSION_1; > > + > > + arcb->req_len += 1; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 1"); > > + arcb->req_len -= 1; > > + > > + /* > > + * The arcb needs to grow as well if number of key slots (nks) > > + * is increased. However, this is not the case and there is no explicit > > + * 'too many/less nks for that arcb size' error code -> expect 0x0107 > > + */ > > + arcb->nks = 2; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 2"); > > + arcb->nks = 1; > > + > > + arcb->nks = 0; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0108, "invalid num key slots"); > > + arcb->nks = 1; > > + > > + /* > > + * Possible valid size (when using nonce). > > + * However, req_len too small to host a nonce > > + */ > > + arcb->sea = 80; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 1"); > > + arcb->sea = 17; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 2"); > > + arcb->sea = 64; > > + > > + arcb->plaint_att_flags = supported_paf ^ GENMASK_ULL(63, 0); > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x010a, "invalid flag"); > > + arcb->plaint_att_flags = PAF_PHKH_ATT; > > + > > + arcb->meas_alg_id = ARCB_MEAS_NONE; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x010b, "invalid measurement algorithm"); > > + arcb->meas_alg_id = ARCB_MEAS_HMAC_SHA512; > > > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x010c, "unable unseal"); > > + > > + uvcb.measurement_length = 0; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x010d, "invalid measurement size"); > > + uvcb.measurement_length = sizeof(attest_req->measurement); > > + > > + uvcb.add_data_length = 0; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc == 1 && uvcb.header.rc == 0x010e, "invalid additional size"); > > + uvcb.add_data_length = sizeof(attest_req->additional); > > +} > > + > > +static void test_attest(void) > > +{ > > + struct uv_cb_attest uvcb = { > > + .header.cmd = UVC_CMD_ATTESTATION, > > + .header.len = sizeof(uvcb), > > + }; > > + const struct uv_cb_qui *uvcb_qui = uv_get_query_data(); > > + int cc; > > + > > + report_prefix_push("attest"); > > + > > + if (!uv_query_test_call(BIT_UVC_CMD_ATTESTATION)) { > > + report_skip("Attestation not supported."); > > + goto done; > > + } > > + > > + /* Verify that the UV supports at least one header version */ > > + report(uvcb_qui->supp_att_hdr_ver, "has hdr support"); > > + > > + memset((void *)page, 0, PAGE_SIZE); > > + > > + uvcb.header.len -= 1; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 1"); > > + uvcb.header.len += 1; > > + > > + uvcb.header.len += 1; > > + cc = uv_call(0, (uint64_t)&uvcb); > > + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 2"); > > + uvcb.header.len -= 1; > > + > > + report_prefix_push("v1"); > > + if (test_bit_inv(0, &uvcb_qui->supp_att_hdr_ver)) > > + test_attest_v1(uvcb_qui->supp_paf); > > + else > > + report_skip("Attestation version 1 not supported"); > > + report_prefix_pop(); > > +done: > > report_prefix_pop(); > > } > > > > @@ -193,6 +383,7 @@ int main(void) > > test_invalid(); > > test_query(); > > test_sharing(); > > + test_attest(); > > free_page((void *)page); > > done: > > report_prefix_pop(); >