2022-09-05 03:06:08 -04:00
|
|
|
/*
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
2023-06-09 09:41:02 -04:00
|
|
|
package snp
|
2022-03-22 11:03:15 -04:00
|
|
|
|
|
|
|
import (
|
2022-10-27 05:04:23 -04:00
|
|
|
"context"
|
|
|
|
"crypto"
|
2023-11-06 08:22:44 -05:00
|
|
|
"crypto/sha512"
|
|
|
|
"crypto/x509"
|
2022-10-27 05:04:23 -04:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
|
2023-03-08 08:13:57 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation"
|
2023-11-06 08:22:44 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/snp"
|
2023-06-09 09:41:02 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
2022-10-27 05:04:23 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
2023-04-06 11:00:56 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
2023-11-06 08:22:44 -05:00
|
|
|
"github.com/google/go-sev-guest/abi"
|
|
|
|
"github.com/google/go-sev-guest/kds"
|
|
|
|
"github.com/google/go-sev-guest/proto/sevsnp"
|
|
|
|
"github.com/google/go-sev-guest/validate"
|
|
|
|
"github.com/google/go-sev-guest/verify"
|
|
|
|
"github.com/google/go-sev-guest/verify/trust"
|
2023-03-06 03:15:52 -05:00
|
|
|
"github.com/google/go-tpm-tools/proto/attest"
|
2023-07-07 07:17:58 -04:00
|
|
|
"github.com/google/go-tpm/legacy/tpm2"
|
2022-03-22 11:03:15 -04:00
|
|
|
)
|
|
|
|
|
2022-10-27 05:04:23 -04:00
|
|
|
// Validator for AWS TPM attestation.
|
2022-03-22 11:03:15 -04:00
|
|
|
type Validator struct {
|
2024-05-10 07:53:01 -04:00
|
|
|
// Embed variant to identify the Validator using variant.OID().
|
2023-06-09 09:41:02 -04:00
|
|
|
variant.AWSSEVSNP
|
2023-11-06 08:22:44 -05:00
|
|
|
// Embed validator to implement Validate method for aTLS handshake.
|
2022-10-27 05:04:23 -04:00
|
|
|
*vtpm.Validator
|
2023-11-06 08:22:44 -05:00
|
|
|
// cfg contains version numbers required for the SNP report validation.
|
|
|
|
cfg *config.AWSSEVSNP
|
|
|
|
// reportValidator validates a SNP report. reportValidator is required for testing.
|
|
|
|
reportValidator snpReportValidator
|
|
|
|
// log is used for logging.
|
|
|
|
log attestation.Logger
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewValidator create a new Validator structure and returns it.
|
2023-06-09 09:41:02 -04:00
|
|
|
func NewValidator(cfg *config.AWSSEVSNP, log attestation.Logger) *Validator {
|
2023-11-06 08:22:44 -05:00
|
|
|
v := &Validator{
|
|
|
|
cfg: cfg,
|
|
|
|
reportValidator: &awsValidator{httpsGetter: trust.DefaultHTTPSGetter(), verifier: &reportVerifierImpl{}, validator: &reportValidatorImpl{}},
|
|
|
|
log: log,
|
|
|
|
}
|
|
|
|
|
2022-10-27 05:04:23 -04:00
|
|
|
v.Validator = vtpm.NewValidator(
|
2023-04-06 11:00:56 -04:00
|
|
|
cfg.Measurements,
|
2023-11-06 08:22:44 -05:00
|
|
|
v.getTrustedKey,
|
|
|
|
func(vtpm.AttestationDocument, *attest.MachineState) error { return nil },
|
2022-10-27 05:04:23 -04:00
|
|
|
log,
|
|
|
|
)
|
|
|
|
return v
|
|
|
|
}
|
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
// getTrustedKeys return the public area of the provided attestation key (AK).
|
|
|
|
// Ideally, the AK should be bound to the TPM via an endorsement key, but currently AWS does not provide one.
|
|
|
|
// The AK's digest is written to the SNP report's userdata field during report generation.
|
|
|
|
// The AK is trusted if the report can be verified and the AK's digest matches the digest of the AK in attDoc.
|
|
|
|
func (v *Validator) getTrustedKey(_ context.Context, attDoc vtpm.AttestationDocument, _ []byte) (crypto.PublicKey, error) {
|
2023-03-21 07:46:49 -04:00
|
|
|
pubArea, err := tpm2.DecodePublic(attDoc.Attestation.AkPub)
|
2022-10-27 05:04:23 -04:00
|
|
|
if err != nil {
|
2023-11-06 08:22:44 -05:00
|
|
|
return nil, newDecodeError(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
pubKey, err := pubArea.Key()
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("getting public key: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
akDigest, err := sha512sum(pubKey)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("calculating hash of attestation key: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := v.reportValidator.validate(attDoc, (*x509.Certificate)(&v.cfg.AMDSigningKey), (*x509.Certificate)(&v.cfg.AMDRootKey), akDigest, v.cfg, v.log); err != nil {
|
|
|
|
return nil, fmt.Errorf("validating SNP report: %w", err)
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return pubArea.Key()
|
|
|
|
}
|
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
// sha512sum PEM-encodes a public key and calculates the SHA512 hash of the encoded key.
|
|
|
|
func sha512sum(key crypto.PublicKey) ([64]byte, error) {
|
|
|
|
pub, err := x509.MarshalPKIXPublicKey(key)
|
2022-10-27 05:04:23 -04:00
|
|
|
if err != nil {
|
2023-11-06 08:22:44 -05:00
|
|
|
return [64]byte{}, fmt.Errorf("marshalling public key: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return sha512.Sum512(pub), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// snpReportValidator validates a given SNP report.
|
|
|
|
type snpReportValidator interface {
|
|
|
|
validate(attestation vtpm.AttestationDocument, ask *x509.Certificate, ark *x509.Certificate, ak [64]byte, config *config.AWSSEVSNP, log attestation.Logger) error
|
|
|
|
}
|
|
|
|
|
|
|
|
// awsValidator implements the validation for AWS SNP attestation.
|
|
|
|
// The properties exist for unittesting.
|
|
|
|
type awsValidator struct {
|
|
|
|
verifier reportVerifier
|
|
|
|
validator reportValidator
|
|
|
|
httpsGetter trust.HTTPSGetter
|
|
|
|
}
|
|
|
|
|
|
|
|
type reportVerifier interface {
|
|
|
|
SnpAttestation(att *sevsnp.Attestation, opts *verify.Options) error
|
|
|
|
}
|
|
|
|
type reportValidator interface {
|
|
|
|
SnpAttestation(att *sevsnp.Attestation, opts *validate.Options) error
|
|
|
|
}
|
|
|
|
|
|
|
|
type reportValidatorImpl struct{}
|
|
|
|
|
|
|
|
func (r *reportValidatorImpl) SnpAttestation(att *sevsnp.Attestation, opts *validate.Options) error {
|
|
|
|
return validate.SnpAttestation(att, opts)
|
|
|
|
}
|
|
|
|
|
|
|
|
type reportVerifierImpl struct{}
|
|
|
|
|
|
|
|
func (r *reportVerifierImpl) SnpAttestation(att *sevsnp.Attestation, opts *verify.Options) error {
|
|
|
|
return verify.SnpAttestation(att, opts)
|
|
|
|
}
|
|
|
|
|
|
|
|
// validate the report by checking if it has a valid VLEK signature.
|
|
|
|
// The certificate chain ARK -> ASK -> VLEK is also validated.
|
|
|
|
// Checks that the report's userData matches the connection's userData.
|
|
|
|
func (a *awsValidator) validate(attestation vtpm.AttestationDocument, ask *x509.Certificate, ark *x509.Certificate, akDigest [64]byte, config *config.AWSSEVSNP, log attestation.Logger) error {
|
|
|
|
var info snp.InstanceInfo
|
|
|
|
if err := json.Unmarshal(attestation.InstanceInfo, &info); err != nil {
|
|
|
|
return newValidationError(fmt.Errorf("unmarshalling instance info: %w", err))
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
certchain := snp.NewCertificateChain(ask, ark)
|
2022-10-27 05:04:23 -04:00
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
att, err := info.AttestationWithCerts(a.httpsGetter, certchain, log)
|
2022-10-27 05:04:23 -04:00
|
|
|
if err != nil {
|
2023-11-06 08:22:44 -05:00
|
|
|
return newValidationError(fmt.Errorf("getting attestation with certs: %w", err))
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
2023-11-06 08:22:44 -05:00
|
|
|
|
|
|
|
verifyOpts, err := getVerifyOpts(att)
|
2022-10-27 05:04:23 -04:00
|
|
|
if err != nil {
|
2023-11-06 08:22:44 -05:00
|
|
|
return newValidationError(fmt.Errorf("getting verify options: %w", err))
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
2023-11-06 08:22:44 -05:00
|
|
|
|
|
|
|
if err := a.verifier.SnpAttestation(att, verifyOpts); err != nil {
|
|
|
|
return newValidationError(fmt.Errorf("verifying SNP attestation: %w", err))
|
2023-09-08 02:08:09 -04:00
|
|
|
}
|
2023-11-06 08:22:44 -05:00
|
|
|
|
|
|
|
validateOpts := &validate.Options{
|
|
|
|
// Check that the attestation key's digest is included in the report.
|
|
|
|
ReportData: akDigest[:],
|
|
|
|
GuestPolicy: abi.SnpPolicy{
|
|
|
|
Debug: false, // Debug means the VM can be decrypted by the host for debugging purposes and thus is not allowed.
|
|
|
|
SMT: true, // Allow Simultaneous Multi-Threading (SMT). Normally, we would want to disable SMT
|
|
|
|
// but AWS machines are currently facing issues if it's disabled.
|
|
|
|
},
|
|
|
|
VMPL: new(int), // Checks that Virtual Machine Privilege Level (VMPL) is 0.
|
|
|
|
// This checks that the reported LaunchTCB version is equal or greater than the minimum specified in the config.
|
|
|
|
// We don't specify Options.MinimumTCB as it only restricts the allowed TCB for Current_ and Reported_TCB.
|
|
|
|
// Because we allow Options.ProvisionalFirmware, there is not security gained in also checking Current_ and Reported_TCB.
|
|
|
|
// We always have to check Launch_TCB as this value indicated the smallest TCB version a VM has seen during
|
|
|
|
// it's lifetime.
|
|
|
|
MinimumLaunchTCB: kds.TCBParts{
|
|
|
|
BlSpl: config.BootloaderVersion.Value, // Bootloader
|
|
|
|
TeeSpl: config.TEEVersion.Value, // TEE (Secure OS)
|
|
|
|
SnpSpl: config.SNPVersion.Value, // SNP
|
|
|
|
UcodeSpl: config.MicrocodeVersion.Value, // Microcode
|
|
|
|
},
|
|
|
|
// Check that CurrentTCB >= CommittedTCB.
|
|
|
|
PermitProvisionalFirmware: true,
|
2023-09-08 02:08:09 -04:00
|
|
|
}
|
2022-10-27 05:04:23 -04:00
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
// Checks if the attestation report matches the given constraints.
|
|
|
|
// Some constraints are implicitly checked by validate.SnpAttestation:
|
|
|
|
// - the report is not expired
|
|
|
|
if err := a.validator.SnpAttestation(att, validateOpts); err != nil {
|
|
|
|
return newValidationError(fmt.Errorf("validating SNP attestation: %w", err))
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
return nil
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
func getVerifyOpts(att *sevsnp.Attestation) (*verify.Options, error) {
|
|
|
|
ask, err := x509.ParseCertificate(att.CertificateChain.AskCert)
|
2022-10-27 05:04:23 -04:00
|
|
|
if err != nil {
|
2024-04-16 12:13:47 -04:00
|
|
|
return nil, fmt.Errorf("parsing ASK certificate: %w", err)
|
2023-11-06 08:22:44 -05:00
|
|
|
}
|
|
|
|
ark, err := x509.ParseCertificate(att.CertificateChain.ArkCert)
|
|
|
|
if err != nil {
|
2024-04-16 12:13:47 -04:00
|
|
|
return nil, fmt.Errorf("parsing ARK certificate: %w", err)
|
2023-11-06 08:22:44 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
verifyOpts := &verify.Options{
|
|
|
|
DisableCertFetching: true,
|
|
|
|
TrustedRoots: map[string][]*trust.AMDRootCerts{
|
|
|
|
"Milan": {
|
|
|
|
{
|
|
|
|
Product: "Milan",
|
|
|
|
ProductCerts: &trust.ProductCerts{
|
|
|
|
// When using a VLEK signer, the intermediate certificate has to be stored in Asvk instead of Ask.
|
|
|
|
Asvk: ask,
|
|
|
|
Ark: ark,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2022-10-27 05:04:23 -04:00
|
|
|
}
|
2022-03-22 11:03:15 -04:00
|
|
|
|
2023-11-06 08:22:44 -05:00
|
|
|
return verifyOpts, nil
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|