Skip to content

Commit

Permalink
Add function measurements for the attestation
Browse files Browse the repository at this point in the history
Signed-off-by: dimstav23 <[email protected]>
  • Loading branch information
dimstav23 committed Dec 17, 2024
1 parent bcbc43c commit f940263
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 7 deletions.
26 changes: 21 additions & 5 deletions kernel/src/attestation/monitor.rs
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ pub struct ProcessMeasurements {
pub init_measurement: [u8; 64],
pub manifest_measurement: [u8; 64],
pub libos_measurement: [u8; 64],
pub function_measurement: [u8; 64],
}

impl Default for ProcessMeasurements {
Expand All @@ -62,6 +63,7 @@ impl Default for ProcessMeasurements {
init_measurement: [0; HASH_SIZE],
manifest_measurement: [0; HASH_SIZE],
libos_measurement: [0; HASH_SIZE],
function_measurement: [0; HASH_SIZE],
}
}
}
Expand Down Expand Up @@ -153,8 +155,8 @@ fn monitor_report(params: &mut RequestParams) -> Result<(), SvsmReqError> {
store_snp_report(report_bytes, report_size);

// Return the report (if requested)
if params.rdx != 0 {
copy_back_report(params.rcx, report_bytes, report_size);
if params.rcx != 0 {
copy_back_report(params.rcx, report_bytes, report_size);
}
}
Ok(())
Expand All @@ -168,6 +170,7 @@ fn zygote_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
let init_measurement = zygote.measurements.init_measurement;
let manifest_measurement = zygote.measurements.manifest_measurement;
let libos_measurement = zygote.measurements.libos_measurement;
let function_measurement = zygote.measurements.function_measurement;

// Construct the new report
let mut new_report: Vec<u8> = Vec::new();
Expand All @@ -185,12 +188,15 @@ fn zygote_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
new_report.extend_from_slice(&init_measurement);
new_report.extend_from_slice(&manifest_measurement);
new_report.extend_from_slice(&libos_measurement);
new_report.extend_from_slice(&function_measurement);

// Now new_report holds the existing report data + measurements
let new_report_size = new_report.len();

// Perform the copy_back_report with the new cumulative report
copy_back_report(params.rcx, &new_report, new_report_size);
if params.rcx != 0 {
copy_back_report(params.rcx, &new_report, new_report_size);
}
return Ok(());
}

Expand All @@ -202,6 +208,7 @@ fn trustlet_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
let init_measurement = trustlet.measurements.init_measurement;
let manifest_measurement = trustlet.measurements.manifest_measurement;
let libos_measurement = trustlet.measurements.libos_measurement;
let function_measurement = trustlet.measurements.function_measurement;

// Construct the new report
let mut new_report: Vec<u8> = Vec::new();
Expand All @@ -219,12 +226,16 @@ fn trustlet_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
new_report.extend_from_slice(&init_measurement);
new_report.extend_from_slice(&manifest_measurement);
new_report.extend_from_slice(&libos_measurement);
new_report.extend_from_slice(&function_measurement);

// Now new_report holds the existing report data + measurements
let new_report_size = new_report.len();

// Perform the copy_back_report with the new cumulative report
copy_back_report(params.rcx, &new_report, new_report_size);
if params.rcx != 0 {
copy_back_report(params.rcx, &new_report, new_report_size);
}

return Ok(());
}

Expand All @@ -251,6 +262,7 @@ fn function_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
let init_measurement = trustlet.measurements.init_measurement;
let manifest_measurement = trustlet.measurements.manifest_measurement;
let libos_measurement = trustlet.measurements.libos_measurement;
let function_measurement = trustlet.measurements.function_measurement;

// Get and measure the input data of the function
let (input_data, _) = ProcessPageTableRef::copy_data_from_guest(fn_input_addr, fn_input_size, guest_pgt);
Expand All @@ -276,14 +288,18 @@ fn function_report(params: &mut RequestParams) -> Result<(), SvsmReqError>{
new_report.extend_from_slice(&init_measurement);
new_report.extend_from_slice(&manifest_measurement);
new_report.extend_from_slice(&libos_measurement);
new_report.extend_from_slice(&function_measurement);
new_report.extend_from_slice(&input_hash);
new_report.extend_from_slice(&output_hash);

// Now new_report holds the existing report data + measurements
let new_report_size = new_report.len();

// Perform the copy_back_report with the new cumulative report
copy_back_report(params.rcx, &new_report, new_report_size);
if params.rcx != 0 {
copy_back_report(params.rcx, &new_report, new_report_size);
}

return Ok(());
}

Expand Down
13 changes: 11 additions & 2 deletions kernel/src/process_manager/process.rs
Original file line number Diff line number Diff line change
Expand Up @@ -150,14 +150,17 @@ impl TrustedProcess {
let (pal_data, pal_range) = ProcessPageTableRef::copy_data_from_guest(pal, pal_size, pgt);
base.init_with_data(pal_data, pal_size, pal_range);
measurements.init_measurement = measure(pal_data.into(), pal_size);
log::debug!("TODO: Compare with pal measurement of the policy");

let (manifest_data, manifest_range) = ProcessPageTableRef::copy_data_from_guest(manifest, manifest_size, pgt);
base.add_manifest(manifest_data, manifest_size, manifest_range);
measurements.manifest_measurement = measure(manifest_data.into(), manifest_size);
log::debug!("TODO: Compare with manifest measurement of the policy");

let(libos_data, libos_range) = ProcessPageTableRef::copy_data_from_guest(libos, libos_size, pgt);
let (libos_data, libos_range) = ProcessPageTableRef::copy_data_from_guest(libos, libos_size, pgt);
base.add_libos(libos_data, libos_size, libos_range);
measurements.libos_measurement = measure(libos_data.into(), libos_size);
log::debug!("TODO: Compare with libos measurement of the policy");

// TODO: Free zygote data
Self {
Expand Down Expand Up @@ -190,9 +193,15 @@ impl TrustedProcess {

pub fn trustlet(parent: ProcessID, data: u64, size: u64, pgt: u64) -> Self{
// Inherit the data from the Zygote
let trustlet = TrustedProcess::dublicate(parent);
let mut trustlet = TrustedProcess::dublicate(parent);
if data != 0 {
let (function_code, function_code_range) = ProcessPageTableRef::copy_data_from_guest(data, size, pgt);

log::debug!("Measuring trustlet function");
trustlet.measurements.function_measurement = measure(function_code.into(), size);
log::debug!("TODO: Compare with function measurement of the policy");

log::debug!("Adding trustlet function");
let size = (4096 - (size & 0xFFF)) + size;
trustlet.context.page_table_ref.add_function(function_code, size);
function_code_range.delete();
Expand Down

0 comments on commit f940263

Please sign in to comment.