COCOS-456 Remove SEV support from repo (#472)

* Remove SEV support from repo

* Remove SEV references
dorcaslitunya
2025-07-10 11:58:36 +03:00
committed by GitHub
parent cef47baed7
commit f543cb4363
18 changed files with 79 additions and 149 deletions
+4 -4
@@ -36,8 +36,8 @@ const (
defaultMinVersion = "0.0"
vtpmFilePath = "../quote.dat"
attestationReportJson = "attestation.json"
sevProductNameMilan = "Milan"
sevProductNameGenoa = "Genoa"
sevSnpProductMilan = "Milan"
sevSnpProductGenoa = "Genoa"
FormatBinaryPB = "binarypb"
FormatTextProto = "textproto"
exampleJSONConfig = `
@@ -86,7 +86,7 @@ const (
"GSvLKpfu59Y9QOF6vhq0vQsOIvb4+5O/UOHLGLBTkdw="
],
"product":{
"name":"SEV_PRODUCT_MILAN",
"name":1,
"stepping":1,
"machineStepping":1
}
@@ -418,7 +418,7 @@ func getBase(val string) int {
"GSvLKpfu59Y9QOF6vhq0vQsOIvb4+5O/UOHLGLBTkdw="
],
"product":{
"name":"SEV_PRODUCT_MILAN",
"name":"1",
"stepping":1,
"machineStepping":1
}
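Review bot: The example JSON in this hunk replaces the protojson enum name `SEV_PRODUCT_MILAN` with a bare number in one place (`"name":1`) and a quoted number in the other (`"name":"1"`); protojson accepts an enum's symbolic name or an integer, but a string `"1"` is neither, so the second snippet will presumably fail to unmarshal into `check.Config` if it is ever parsed (verify how the snippet at line 418 is consumed). The enum name belongs to go-sev-guest's sevsnp proto, which this commit still references as `sevsnp.SevProduct_SEV_PRODUCT_MILAN` elsewhere, so it was never part of the removed SEV support; the original `"name":"SEV_PRODUCT_MILAN"` is both valid and self-describing and I would restore it in both snippets, or at minimum make the two agree. Both JSON constants start or end outside the hunk.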
-2
@@ -95,8 +95,6 @@ func main() {
logger.Info("Manager started with TDX enabled")
} else if qemuCfg.EnableSEVSNP {
logger.Info("Manager started with SEV-SNP enabled")
} else if qemuCfg.EnableSEV {
logger.Info("Manager started with SEV enabled")
} else {
logger.Info("Manager started without confidential computing support")
}
+3 -4
@@ -40,9 +40,9 @@ MANAGER_QEMU_VIRTIO_NET_PCI_ADDR=0x2
MANAGER_QEMU_VIRTIO_NET_PCI_ROMFILE=
MANAGER_QEMU_DISK_IMG_KERNEL_FILE=/etc/cocos/bzImage
MANAGER_QEMU_DISK_IMG_ROOTFS_FILE=/etc/cocos/rootfs.cpio.gz
MANAGER_QEMU_SEV_ID=sev0
MANAGER_QEMU_SEV_CBITPOS=51
MANAGER_QEMU_SEV_REDUCED_PHYS_BITS=1
MANAGER_QEMU_SEV_SNP_ID=sev0
MANAGER_QEMU_SEV_SNP_CBITPOS=51
MANAGER_QEMU_SEV_SNP_REDUCED_PHYS_BITS=1
MANAGER_QEMU_HOST_DATA=
MANAGER_QEMU_TDX_ID=tdx0
MANAGER_QEMU_QUOTE_GENERATION_PORT=4050
@@ -52,7 +52,6 @@ MANAGER_QEMU_VSOCK_GUEST_CID=3
MANAGER_QEMU_VSOCK_VNC=0
MANAGER_QEMU_BIN_PATH=qemu-system-x86_64
MANAGER_QEMU_USE_SUDO=true
MANAGER_QEMU_ENABLE_SEV=false
MANAGER_QEMU_ENABLE_SEV_SNP=false
MANAGER_QEMU_ENABLE_TDX=false
MANAGER_QEMU_IGVM_FILE=/etc/cocos/coconut-qemu.igvm
+5 -6
@@ -35,11 +35,11 @@ DISK_IMG_ROOTFS_FILE=
KERNEL_COMMAND_LINE="quiet console=null"
#### Sev Config
SEV_ID=sev0
SEV_CBIT_POS=51
SEV_REDUCED_PHYS_BITS=1
SEV_HOST_DATA=
#### Sev-Snp Config
SEV_SNP_ID=sev0
SEV_SNP_CBIT_POS=51
SEV_SNP_REDUCED_PHYS_BITS=1
SEV_SNP_HOST_DATA=
#### VSock Config
VSOCK_ID=vhost-vsock-pci0
@@ -47,7 +47,6 @@ VSOCK_GUEST_CID=3
BIN_PATH=qemu-system-x86_64
USE_SUDO=false
ENABLE_SEV=false
ENABLE_SEV_SNP=false
ENABLE_KVM=true
+8 -11
@@ -74,21 +74,18 @@ construct_qemu_args() {
args+=("-device" "virtio-net-pci,disable-legacy=$VIRTIO_NET_PCI_DISABLE_LEGACY,iommu_platform=$VIRTIO_NET_PCI_IOMMU_PLATFORM,netdev=$NET_DEV_ID,addr=$VIRTIO_NET_PCI_ADDR,romfile=$VIRTIO_NET_PCI_ROMFILE")
args+=("-device" "vhost-vsock-pci,id=$VSOCK_ID,guest-cid=$VSOCK_GUEST_CID")
# SEV (if enabled)
if [ "$ENABLE_SEV" == "true" ] || [ "$ENABLE_SEV_SNP" == "true" ]; then
sev_type="sev-guest"
# SEV_SNP (if enabled)
if [ "$ENABLE_SEV_SNP" == "true" ]; then
kernel_hash=""
host_data=""
args+=("-machine" "confidential-guest-support=$SEV_ID,memory-backend=$MEM_ID")
args+=("-machine" "confidential-guest-support=$SEV_SNP_ID,memory-backend=$MEM_ID")
if [ "$ENABLE_SEV_SNP" == "true" ]; then
args+=("-bios" "$OVMF_CODE_FILE")
sev_type="sev-snp-guest"
args+=("-bios" "$OVMF_CODE_FILE")
sev_snp_type="sev-snp-guest"
if [ -n "$SEV_HOST_DATA" ]; then
host_data=",host-data=$SEV_HOST_DATA"
fi
if [ -n "$SEV_SNP_HOST_DATA" ]; then
host_data=",host-data=$SEV_SNP_HOST_DATA"
fi
if [ "$ENABLE_KERNEL_HASH" == "true" ]; then
@@ -96,7 +93,7 @@ construct_qemu_args() {
fi
args+=("-object" "memory-backend-memfd,id=$MEM_ID,size=$MEMORY_SIZE,share=true,prealloc=false")
args+=("-object" "$sev_type,id=$SEV_ID,cbitpos=$SEV_CBIT_POS,reduced-phys-bits=$SEV_REDUCED_PHYS_BITS$kernel_hash$host_data")
args+=("-object" "$sev_snp_type,id=$SEV_SNP_ID,cbitpos=$SEV_SNP_CBIT_POS,reduced-phys-bits=$SEV_SNP_REDUCED_PHYS_BITS$kernel_hash$host_data")
fi
# Disk image configuration
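Review bot: `sev_snp_type` now only ever holds `sev-snp-guest` (the `sev-guest` alternative went away with the SEV branch), so the variable is a leftover of the old two-way switch; inline it, `args+=("-object" "sev-snp-guest,id=$SEV_SNP_ID,cbitpos=$SEV_SNP_CBIT_POS,reduced-phys-bits=$SEV_SNP_REDUCED_PHYS_BITS$kernel_hash$host_data")`, and drop the assignment. `$SEV_SNP_HOST_DATA` is spliced unvalidated into that comma-separated property list, so a value containing a comma would presumably be taken by QEMU as further object properties; if the config file is not fully trusted, a one-line check that it is plain base64 before use is worth adding. `construct_qemu_args` starts before and ends after this hunk.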
+6 -22
@@ -43,11 +43,11 @@ The service is configured using the environment variables from the following tab
| MANAGER_QEMU_VIRTIO_NET_PCI_ROMFILE | The file path for the ROM image for the virtio-net PCI device. | |
| MANAGER_QEMU_DISK_IMG_KERNEL_FILE | The file path for the kernel image. | img/bzImage |
| MANAGER_QEMU_DISK_IMG_ROOTFS_FILE | The file path for the root filesystem image. | img/rootfs.cpio.gz |
| MANAGER_QEMU_SEV_ID | The ID for the Secure Encrypted Virtualization (SEV) device. | sev0 |
| MANAGER_QEMU_SEV_CBITPOS | The position of the C-bit in the physical address. | 51 |
| MANAGER_QEMU_SEV_REDUCED_PHYS_BITS | The number of reduced physical address bits for SEV. | 1 |
| MANAGER_QEMU_ENABLE_HOST_DATA | Enable additional data for the SEV host. | false |
| MANAGER_QEMU_HOST_DATA | Additional data for the SEV host. | |
| MANAGER_QEMU_SEV_SNP_ID | The ID for the Secure Encrypted Virtualization (SEV-SNP) device. | sev0 |
| MANAGER_QEMU_SEV_SNP_CBITPOS | The position of the C-bit in the physical address. | 51 |
| MANAGER_QEMU_SEV_SNP_REDUCED_PHYS_BITS | The number of reduced physical address bits for SEV-SNP. | 1 |
| MANAGER_QEMU_ENABLE_HOST_DATA | Enable additional data for the SEV-SNP host. | false |
| MANAGER_QEMU_HOST_DATA | Additional data for the SEV-SNP host. | |
| MANAGER_QEMU_TDX_ID | The ID for the Trust Domain Extensions (TDX) device. | tdx0 |
| MANAGER_QEMU_QUOTE_GENERATION_PORT | The port number for virtual socket used to communicate with the Quote Generation Service (QGS). | 4050 |
| MANAGER_QEMU_OVMF_FILE | The file path for the OVMF file (combined OVMF_CODE and OVMF_VARS file). | /usr/share/ovmf/OVMF.fd |
@@ -58,7 +58,6 @@ The service is configured using the environment variables from the following tab
| MANAGER_QEMU_VSOCK_VNC | Whether to enable the virtual socket device for VNC. | 0 |
| MANAGER_QEMU_BIN_PATH | The file path for the QEMU binary. | qemu-system-x86_64 |
| MANAGER_QEMU_USE_SUDO | Whether to use sudo to run QEMU. | false |
| MANAGER_QEMU_ENABLE_SEV | Whether to enable Secure Encrypted Virtualization (SEV). | false |
| MANAGER_QEMU_ENABLE_SEV_SNP | Whether to enable Secure Nested Paging (SEV-SNP). | true |
| MANAGER_QEMU_ENABLE_TDX | Whether to enable Trust Domain Extensions (TDX). | false |
| MANAGER_QEMU_ENABLE_KVM | Whether to enable the Kernel-based Virtual Machine (KVM) acceleration. | true |
@@ -241,19 +240,6 @@ make manager
MANAGER_GRPC_URL=localhost:7001 \
MANAGER_LOG_LEVEL=debug \
MANAGER_QEMU_USE_SUDO=false \
MANAGER_QEMU_ENABLE_SEV=false \
./build/cocos-manager
```
To enable [AMD SEV](https://www.amd.com/en/developer/sev.html) support, start manager like this
```sh
MANAGER_GRPC_URL=localhost:7001
MANAGER_LOG_LEVEL=debug \
MANAGER_QEMU_USE_SUDO=true \
MANAGER_QEMU_ENABLE_SEV=true \
MANAGER_QEMU_SEV_CBITPOS=51 \
./build/cocos-manager
```
@@ -264,9 +250,8 @@ To enable [AMD SEV-SNP](https://www.amd.com/en/developer/sev.html) support, star
```sh
MANAGER_GRPC_URL=localhost:7001 \
MANAGER_LOG_LEVEL=debug \
MANAGER_QEMU_ENABLE_SEV=false \
MANAGER_QEMU_ENABLE_SEV_SNP=true \
MANAGER_QEMU_SEV_CBITPOS=51 \
MANAGER_QEMU_SEV_SNP_CBITPOS=51 \
MANAGER_QEMU_BIN_PATH=<path to QEMU binary> \
MANAGER_QEMU_IGVM_FILE=<path to IGVM file> \
./build/cocos-manager
@@ -277,7 +262,6 @@ To enable [TDX](https://www.intel.com/content/www/us/en/developer/tools/trust-do
```sh
MANAGER_GRPC_URL=localhost:7001 \
MANAGER_LOG_LEVEL=debug \
MANAGER_QEMU_ENABLE_SEV=false \
MANAGER_QEMU_ENABLE_SEV_SNP=false \
MANAGER_QEMU_ENABLE_TDX=true \
MANAGER_QEMU_CPU=host \
+2 -13
@@ -13,7 +13,6 @@ import (
"encoding/base64"
"encoding/hex"
"fmt"
"strconv"
"strings"
"github.com/google/go-sev-guest/proto/check"
@@ -21,13 +20,8 @@ import (
"github.com/ultravioletrs/cocos/pkg/attestation"
"github.com/ultravioletrs/cocos/pkg/attestation/cmdconfig"
"github.com/ultravioletrs/cocos/pkg/attestation/vtpm"
"github.com/virtee/sev-snp-measure-go/cpuid"
"github.com/virtee/sev-snp-measure-go/guest"
"github.com/virtee/sev-snp-measure-go/vmmtypes"
)
const defGuestFeatures = 0x1
func (ms *managerService) FetchAttestationPolicy(_ context.Context, computationId string) ([]byte, error) {
ms.mu.Lock()
vm, exists := ms.vms[computationId]
@@ -125,11 +119,6 @@ func readSEVSNPPolicy(stdOutByte []byte, ms *managerService, vmi qemu.VMInfo) ([
var measurement []byte
var err error
switch {
case vmi.Config.EnableSEV:
measurement, err = guest.CalcLaunchDigest(guest.SEV, vmi.Config.SMPCount, uint64(cpuid.CpuSigs[ms.qemuCfg.CPU]), vmi.Config.OVMFCodeConfig.File, vmi.Config.KernelFile, vmi.Config.RootFsFile, strconv.Quote(qemu.KernelCommandLine), defGuestFeatures, "", vmmtypes.QEMU, false, "", 0)
if err != nil {
return nil, err
}
case vmi.Config.EnableSEVSNP:
stderr := bufio.NewWriter(&stderrBuffer)
options := cmdconfig.IgvmMeasureOptions
@@ -164,8 +153,8 @@ func readSEVSNPPolicy(stdOutByte []byte, ms *managerService, vmi qemu.VMInfo) ([
attestationPolicy.Config.Policy.Measurement = measurement
}
if vmi.Config.SEVConfig.EnableHostData {
hostData, err := base64.StdEncoding.DecodeString(vmi.Config.SEVConfig.HostData)
if vmi.Config.SEVSNPConfig.EnableHostData {
hostData, err := base64.StdEncoding.DecodeString(vmi.Config.SEVSNPConfig.HostData)
if err != nil {
return nil, err
}
-1
@@ -58,7 +58,6 @@ func TestFetchAttestationPolicy(t *testing.T) {
binaryBehavior: "success",
vmConfig: qemu.VMInfo{
Config: qemu.Config{
EnableSEV: false,
EnableSEVSNP: true,
SMPCount: 2,
CPU: "EPYC",
+16 -22
@@ -55,10 +55,10 @@ type DiskImgConfig struct {
RootFsFile string `env:"DISK_IMG_ROOTFS_FILE" envDefault:"img/rootfs.cpio.gz"`
}
type SEVConfig struct {
ID string `env:"SEV_ID" envDefault:"sev0"`
CBitPos int `env:"SEV_CBITPOS" envDefault:"51"`
ReducedPhysBits int `env:"SEV_REDUCED_PHYS_BITS" envDefault:"1"`
type SEVSNPConfig struct {
ID string `env:"SEV_SNP_ID" envDefault:"sev0"`
CBitPos int `env:"SEV_SNP_CBIT_POS" envDefault:"51"`
ReducedPhysBits int `env:"SEV_SNP_REDUCED_PHYS_BITS" envDefault:"1"`
EnableHostData bool `env:"ENABLE_HOST_DATA" envDefault:"false"`
HostData string `env:"HOST_DATA" envDefault:""`
}
@@ -80,7 +80,6 @@ type VSockConfig struct {
}
type Config struct {
EnableSEV bool
EnableSEVSNP bool
EnableTDX bool
QemuBinPath string `env:"BIN_PATH" envDefault:"qemu-system-x86_64"`
@@ -110,8 +109,8 @@ type Config struct {
// disk
DiskImgConfig
// SEV
SEVConfig
// SEV-SNP
SEVSNPConfig
// TDX
TDXConfig
@@ -189,23 +188,19 @@ func (config Config) ConstructQemuArgs() []string {
args = append(args, "-device", fmt.Sprintf("vhost-vsock-pci,id=%s,guest-cid=%d", config.VSockConfig.ID, config.VSockConfig.GuestCID))
// SEV
if config.EnableSEV || config.EnableSEVSNP {
sevType := "sev-guest"
// SEV-SNP
if config.EnableSEVSNP {
sevSnpType := "sev-snp-guest"
hostData := ""
args = append(args, "-machine",
fmt.Sprintf("confidential-guest-support=%s,memory-backend=%s,igvm-cfg=%s",
config.SEVConfig.ID,
config.SEVSNPConfig.ID,
config.MemID,
config.IGVMConfig.ID))
if config.EnableSEVSNP {
sevType = "sev-snp-guest"
if config.SEVConfig.EnableHostData {
hostData = fmt.Sprintf(",host-data=%s", config.SEVConfig.HostData)
}
if config.SEVSNPConfig.EnableHostData {
hostData = fmt.Sprintf(",host-data=%s", config.SEVSNPConfig.HostData)
}
args = append(args, "-object",
@@ -215,10 +210,10 @@ func (config Config) ConstructQemuArgs() []string {
args = append(args, "-object",
fmt.Sprintf("%s,id=%s,cbitpos=%d,reduced-phys-bits=%d%s",
sevType,
config.SEVConfig.ID,
config.SEVConfig.CBitPos,
config.SEVConfig.ReducedPhysBits,
sevSnpType,
config.SEVSNPConfig.ID,
config.SEVSNPConfig.CBitPos,
config.SEVSNPConfig.ReducedPhysBits,
hostData))
args = append(args, "-object",
@@ -278,7 +273,6 @@ func NewConfig() (*Config, error) {
return nil, err
}
cfg.EnableSEV = SEVEnabledOnHost()
cfg.EnableSEVSNP = SEVSNPEnabledOnHost()
cfg.EnableTDX = TDXEnabledOnHost()
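Review bot: The `CBitPos` struct tag was renamed to `SEV_SNP_CBIT_POS`, but the env file and README in this same commit use `MANAGER_QEMU_SEV_SNP_CBITPOS` (the old pair was `SEV_CBITPOS` / `MANAGER_QEMU_SEV_CBITPOS`, which matched); assuming the `MANAGER_QEMU_` prefix is stripped before tags are matched, the documented variable is now silently ignored and the default 51 is always used. Either keep the old spelling, `CBitPos int` with tag `env:"SEV_SNP_CBITPOS" envDefault:"51"`, or rename the variable in the env file and docs to `MANAGER_QEMU_SEV_SNP_CBIT_POS`. Separately, `sevSnpType` is now a constant and `"sev-snp-guest"` can go straight into the `fmt.Sprintf`, and `EnableSEVSNP` carries no `env` tag and is only assigned from `SEVSNPEnabledOnHost()` here, so `MANAGER_QEMU_ENABLE_SEV_SNP` in the env file appears to have no effect through this struct (verify it is not read elsewhere). `ConstructQemuArgs` and `NewConfig` both extend past their hunks.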
+2 -2
@@ -127,7 +127,7 @@ func TestConstructQemuArgs(t *testing.T) {
KernelFile: "img/bzImage",
RootFsFile: "img/rootfs.cpio.gz",
},
SEVConfig: SEVConfig{
SEVSNPConfig: SEVSNPConfig{
ID: "sev0",
CBitPos: 51,
ReducedPhysBits: 1,
@@ -174,7 +174,7 @@ func TestConstructQemuArgs(t *testing.T) {
func TestConstructQemuArgs_HostData(t *testing.T) {
config := Config{
EnableSEVSNP: true,
SEVConfig: SEVConfig{
SEVSNPConfig: SEVSNPConfig{
ID: "sev0",
CBitPos: 51,
ReducedPhysBits: 1,
+1 -16
@@ -61,7 +61,7 @@ func (v *qemuVM) Start() (err error) {
}
v.vmi.Config.NetDevConfig.ID = fmt.Sprintf("%s-%s", v.vmi.Config.NetDevConfig.ID, id)
v.vmi.Config.SEVConfig.ID = fmt.Sprintf("%s-%s", v.vmi.Config.SEVConfig.ID, id)
v.vmi.Config.SEVSNPConfig.ID = fmt.Sprintf("%s-%s", v.vmi.Config.SEVSNPConfig.ID, id)
v.vmi.Config.TDXConfig.ID = fmt.Sprintf("%s-%s", v.vmi.Config.TDXConfig.ID, id)
if !v.vmi.Config.EnableSEVSNP && !v.vmi.Config.EnableTDX {
@@ -200,10 +200,6 @@ func (v *qemuVM) GetConfig() interface{} {
return v.vmi
}
func SEVEnabled(cpuinfo string, sevPresent bool) bool {
return strings.Contains(cpuinfo, "sev") && sevPresent
}
func SEVSNPEnabled(cpuinfo, kernelParam string) bool {
return strings.Contains(cpuinfo, "sev_snp") && strings.TrimSpace(kernelParam) == "Y"
}
@@ -212,17 +208,6 @@ func TDXEnabled(cpuinfo, kernelParam string) bool {
return strings.Contains(cpuinfo, "tdx_host_platform") && strings.TrimSpace(kernelParam) == "Y"
}
// Checks if SEV is supported and usable by verifying both CPU flags and the /dev/sev device.
func SEVEnabledOnHost() bool {
cpuinfo, err := os.ReadFile("/proc/cpuinfo")
if err != nil {
return false
}
_, err = os.Stat("/dev/sev")
return SEVEnabled(string(cpuinfo), err == nil)
}
func SEVSNPEnabledOnHost() bool {
cpuinfo, err := os.ReadFile("/proc/cpuinfo")
if err != nil {
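Review bot: Deleting `SEVEnabledOnHost` also deletes the only check in this file that `/dev/sev` exists; `SEVSNPEnabled` looks only at the `sev_snp` cpuinfo flag and the kernel module parameter, so on a host or container where both are present but the device node is not exposed, `EnableSEVSNP` will be true and QEMU will fail at launch instead of the manager reporting the platform as unavailable. If `SEVSNPEnabledOnHost` (its body continues past the hunk) does not already stat the device, consider `_, devErr := os.Stat("/dev/sev")` and folding `devErr == nil` into its result, mirroring what the removed code did. The doc comment describing the device check went with the function and `SEVSNPEnabledOnHost` has none; a replacement such as `// SEVSNPEnabledOnHost reports whether the CPU advertises sev_snp and the kernel module parameter it reads is set to Y.` would keep the intent visible.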
-14
@@ -162,20 +162,6 @@ func TestGetConfig(t *testing.T) {
assert.Equal(t, expectedConfig, config)
}
func TestSEVEnabled(t *testing.T) {
t.Run("cpuinfo contains sev and device exists", func(t *testing.T) {
assert.True(t, SEVEnabled("flags: xyz sev abc", true))
})
t.Run("cpuinfo missing sev", func(t *testing.T) {
assert.False(t, SEVEnabled("flags: xyz abc", true))
})
t.Run("device does not exist", func(t *testing.T) {
assert.False(t, SEVEnabled("flags: sev abc", false))
})
}
func TestSEVSNPEnabled(t *testing.T) {
t.Run("cpuinfo and kvm param correct", func(t *testing.T) {
assert.True(t, SEVSNPEnabled("flags: sev_snp abc", "Y"))
+2 -2
@@ -158,7 +158,7 @@ func (ms *managerService) CreateVM(ctx context.Context, req *CreateReq) (string,
cfg.Config.CertsMount = tmpCertsDir
cfg.Config.EnvMount = tmpEnvDir
if ms.qemuCfg.EnableSEVSNP || ms.qemuCfg.EnableSEV {
if ms.qemuCfg.EnableSEVSNP {
attestPolicyCmd, err := fetchSNPAttestationPolicy(ms)
if err != nil {
return "", id, err
@@ -207,7 +207,7 @@ func (ms *managerService) CreateVM(ctx context.Context, req *CreateReq) (string,
if cfg.Config.EnableSEVSNP {
todo := sha3.Sum256([]byte("TODO"))
// Define host-data value of QEMU for SEV-SNP, with a base64 encoding of the computation hash.
cfg.Config.SEVConfig.HostData = base64.StdEncoding.EncodeToString(todo[:])
cfg.Config.SEVSNPConfig.HostData = base64.StdEncoding.EncodeToString(todo[:])
}
cvm := ms.vmFactory(cfg, id, ms.logger)
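Review bot: The host-data handed to the SEV-SNP launch (and, via `readSEVSNPPolicy`, into the attestation policy's `HostData`) is still `sha3.Sum256([]byte("TODO"))`, a constant independent of the request, so the comment's stated intent of binding the computation hash into the attestation report is not met and every CVM this manager launches carries the same predictable host-data value. Since the commit touches this line, it is the moment to derive it from the request (a hash of the computation definition in `req`, if one is available here) or at least to flag it, `// TODO(security): host-data must be derived from the computation; a constant gives the verifier no binding.`. Note also that the value is assigned unconditionally while `ConstructQemuArgs` only emits `host-data=` when `SEVSNPConfig.EnableHostData` is set, so with the default `ENABLE_HOST_DATA=false` it never reaches QEMU. `CreateVM` starts before and ends after this hunk.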
+5 -5
@@ -70,8 +70,8 @@ type Verifier interface {
// CCPlatform returns the type of the confidential computing platform.
func CCPlatform() PlatformType {
checks := []ccCheck{
{SevGuestvTPMExists, SNPvTPM},
{SevGuesDeviceExists, SNP},
{SevSnpGuestvTPMExists, SNPvTPM},
{SevSnpGuestDeviceExists, SNP},
{isAzureVM, Azure},
{TDXGuestDeviceExists, TDX},
}
@@ -84,7 +84,7 @@ func CCPlatform() PlatformType {
return NoCC
}
func SevGuesDeviceExists() bool {
func SevSnpGuestDeviceExists() bool {
d, err := client.OpenDevice()
if err != nil {
return false
@@ -94,8 +94,8 @@ func SevGuesDeviceExists() bool {
return true
}
func SevGuestvTPMExists() bool {
return vTPMExists() && SevGuesDeviceExists()
func SevSnpGuestvTPMExists() bool {
return vTPMExists() && SevSnpGuestDeviceExists()
}
func vTPMExists() bool {
+2 -2
@@ -254,7 +254,7 @@ func GenerateAttestationPolicy(token, product string, policy uint64) (*attestati
return nil, fmt.Errorf("failed to decode reportID: %w", err)
}
sevProduct := quoteprovider.GetProductName(product)
sevSnpProduct := quoteprovider.GetProductName(product)
return &attestation.Config{
Config: &check.Config{
@@ -268,7 +268,7 @@ func GenerateAttestationPolicy(token, product string, policy uint64) (*attestati
MinimumGuestSvn: uint32(guestSVN),
TrustedIdKeyHashes: [][]byte{idKeyDigest},
ReportId: reportID,
Product: &sevsnp.SevProduct{Name: sevProduct},
Product: &sevsnp.SevProduct{Name: sevSnpProduct},
Policy: policy,
},
},
+8 -8
@@ -25,11 +25,11 @@ import (
)
const (
cocosDirectory = ".cocos"
caBundleName = "ask_ark.pem"
Nonce = 64
sevProductNameMilan = "Milan"
sevProductNameGenoa = "Genoa"
cocosDirectory = ".cocos"
caBundleName = "ask_ark.pem"
Nonce = 64
sevSnpProductMilan = "Milan"
sevSnpProductGenoa = "Genoa"
)
var (
@@ -38,7 +38,7 @@ var (
)
var (
ErrProductLine = errors.New(fmt.Sprintf("product name must be %s or %s", sevProductNameMilan, sevProductNameGenoa))
ErrProductLine = errors.New(fmt.Sprintf("product name must be %s or %s", sevSnpProductMilan, sevSnpProductGenoa))
ErrAttVerification = errors.New("attestation verification failed")
errAttValidation = errors.New("attestation validation failed")
)
@@ -176,9 +176,9 @@ func FetchAttestation(reportDataSlice []byte, vmpl uint) ([]byte, error) {
func GetProductName(product string) sevsnp.SevProduct_SevProductName {
switch product {
case sevProductNameMilan:
case sevSnpProductMilan:
return sevsnp.SevProduct_SEV_PRODUCT_MILAN
case sevProductNameGenoa:
case sevSnpProductGenoa:
return sevsnp.SevProduct_SEV_PRODUCT_GENOA
default:
return sevsnp.SevProduct_SEV_PRODUCT_UNKNOWN
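Review bot: The touched `ErrProductLine = errors.New(fmt.Sprintf(...))` is the pattern `go vet` and staticcheck (S1028) flag; the idiomatic form is `ErrProductLine = fmt.Errorf("product name must be %s or %s", sevSnpProductMilan, sevSnpProductGenoa)`. In the last hunk, `GetProductName` maps anything but the exact strings `Milan`/`Genoa` to `SEV_PRODUCT_UNKNOWN` without surfacing `ErrProductLine`, so a typo such as `milan` silently yields a policy with an unknown product; a doc comment making that contract explicit would help, e.g. `// GetProductName maps a case-sensitive product line ("Milan", "Genoa") to the sevsnp enum; any other value yields SEV_PRODUCT_UNKNOWN, callers validate against ErrProductLine first.`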
+2 -2
@@ -20,7 +20,7 @@ import (
"google.golang.org/protobuf/encoding/protojson"
)
const sevProductNameMilan = "Milan"
const sevSnpProductMilan = "Milan"
var policy = attestation.Config{Config: &check.Config{Policy: &check.Policy{}, RootOfTrust: &check.RootOfTrust{}}, PcrConfig: &attestation.PcrConfig{}}
@@ -192,7 +192,7 @@ func setAttestationPolicy(rr *sevsnp.Attestation, policyDirectory string) error
policy.Config.Policy.Measurement = rr.Report.Measurement
policy.Config.Policy.HostData = rr.Report.HostData
policy.Config.Policy.ReportIdMa = rr.Report.ReportIdMa
policy.Config.RootOfTrust.ProductLine = sevProductNameMilan
policy.Config.RootOfTrust.ProductLine = sevSnpProductMilan
policyByte, err := ConvertPolicyToJSON(&policy)
if err != nil {
+13 -13
@@ -14,9 +14,9 @@ const SEV_FAMILY: u32 = 0xF;
const MILAN_EXTENDED_MODEL: u32 = 0x0;
const GENOA_EXTENDED_MODEL: u32 = 0x1;
const SEV_PRODUCT_UNKNOWN: i32 = 0;
const SEV_PRODUCT_MILAN: i32 = 1;
const SEV_PRODUCT_GENOA: i32 = 2;
const SEV_SNP_PRODUCT_UNKNOWN: i32 = 0;
const SEV_SNP_PRODUCT_MILAN: i32 = 1;
const SEV_SNP_PRODUCT_GENOA: i32 = 2;
#[derive(Clone, Copy, Serialize)]
struct SevProduct {
@@ -64,8 +64,8 @@ fn get_sev_snp_processor() -> u32 {
fn get_product_name(product: i32) -> String {
match product {
SEV_PRODUCT_MILAN => "Milan".to_string(),
SEV_PRODUCT_GENOA => "Genoa".to_string(),
SEV_SNP_PRODUCT_MILAN => "Milan".to_string(),
SEV_SNP_PRODUCT_GENOA => "Genoa".to_string(),
_ => "Unknown".to_string(),
}
}
@@ -84,15 +84,15 @@ fn sev_product(eax: u32) -> SevProduct {
let extended_model = (eax >> EXTENDED_MODEL_SHIFT) & 0xf;
let family = (eax >> FAMILY_SHIFT) & 0xf;
let mut product_name = SEV_PRODUCT_UNKNOWN;
let mut product_name = SEV_SNP_PRODUCT_UNKNOWN;
if extended_family == SEV_EXTENDED_FAMILY && family == SEV_FAMILY {
product_name = match extended_model {
MILAN_EXTENDED_MODEL => SEV_PRODUCT_MILAN,
GENOA_EXTENDED_MODEL => SEV_PRODUCT_GENOA,
MILAN_EXTENDED_MODEL => SEV_SNP_PRODUCT_MILAN,
GENOA_EXTENDED_MODEL => SEV_SNP_PRODUCT_GENOA,
_ => {
return SevProduct {
name: SEV_PRODUCT_UNKNOWN,
name: SEV_SNP_PRODUCT_UNKNOWN,
};
}
};
@@ -184,15 +184,15 @@ fn main() {
// If the PCR file path was provided, read and merge its JSON content.
if let Some(pcr_path) = pcr_path {
let pcr_content = read_to_string(pcr_path)
.unwrap_or_else(|_| panic!("Failed to read PCR file at {}", pcr_path));
.unwrap_or_else(|_| panic!("Failed to read PCR file at {pcr_path}"));
let pcr_value: Value = serde_json::from_str(&pcr_content)
.unwrap_or_else(|_| panic!("Failed to parse PCR JSON file at {}", pcr_path));
.unwrap_or_else(|_| panic!("Failed to parse PCR JSON file at {pcr_path}"));
if let Value::Object(ref mut main_map) = computation_value {
if let Value::Object(pcr_map) = pcr_value {
main_map.extend(pcr_map);
} else {
eprintln!("PCR file {} is not a JSON object.", pcr_path);
eprintln!("PCR file {pcr_path} is not a JSON object.");
}
} else {
eprintln!("The computed JSON is not an object.");
@@ -203,5 +203,5 @@ fn main() {
let merged_json =
serde_json::to_string_pretty(&computation_value).expect("Failed to serialize merged JSON");
println!("{}", merged_json);
println!("{merged_json}");
}
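Review bot: The renamed constants `SEV_SNP_PRODUCT_UNKNOWN/MILAN/GENOA` are still the integer values of go-sev-guest's `SevProduct_SevProductName` enum (the Go side of this commit serialises Milan as `"name":1`), and the rename now hides that origin; a comment on the block such as `// Values mirror sevsnp.SevProduct_SevProductName in go-sev-guest (0 = UNKNOWN, 1 = MILAN, 2 = GENOA); keep in sync.` would stop someone renumbering them. In `sev_product`, `product_name` no longer needs `let mut`: the `_` arm already returns, so the `if` can be the expression that initialises it, with an `else` yielding `SEV_SNP_PRODUCT_UNKNOWN`. `sev_product` and `main` both extend past their hunks.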