constellation/internal/attestation/aws/snp/issuer.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package snp

import (
	"context"
	"crypto/sha512"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"

	"github.com/edgelesssys/constellation/v2/internal/attestation"
	"github.com/edgelesssys/constellation/v2/internal/attestation/snp"
	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"

	"github.com/google/go-sev-guest/abi"
	sevclient "github.com/google/go-sev-guest/client"
	"github.com/google/go-tpm-tools/client"
	tpmclient "github.com/google/go-tpm-tools/client"
)

// Issuer for AWS SNP attestation.
type Issuer struct {
	variant.AWSSEVSNP
	*vtpm.Issuer
}

// NewIssuer creates a SEV-SNP based issuer for AWS.
func NewIssuer(log attestation.Logger) *Issuer {
	return &Issuer{
		Issuer: vtpm.NewIssuer(
			vtpm.OpenVTPM,
			getAttestationKey,
			getInstanceInfo,
			log,
		),
	}
}

// getAttestationKey returns a new attestation key.
func getAttestationKey(tpm io.ReadWriter) (*tpmclient.Key, error) {
	tpmAk, err := client.AttestationKeyRSA(tpm)
	if err != nil {
		return nil, fmt.Errorf("creating RSA Endorsement key: %w", err)
	}

	return tpmAk, nil
}

// getInstanceInfo generates an extended SNP report, i.e. the report and any loaded certificates.
// Report generation is triggered by sending ioctl syscalls to the SNP guest device, the AMD PSP generates the report.
// The returned bytes will be written into the attestation document.
func getInstanceInfo(_ context.Context, tpm io.ReadWriteCloser, _ []byte) ([]byte, error) {
	tpmAk, err := client.AttestationKeyRSA(tpm)
	if err != nil {
		return nil, fmt.Errorf("creating RSA Endorsement key: %w", err)
	}

	encoded, err := x509.MarshalPKIXPublicKey(tpmAk.PublicKey())
	if err != nil {
		return nil, fmt.Errorf("marshalling public key: %w", err)
	}

	akDigest := sha512.Sum512(encoded)

	device, err := sevclient.OpenDevice()
	if err != nil {
		return nil, fmt.Errorf("opening sev device: %w", err)
	}
	defer device.Close()

	report, certs, err := sevclient.GetRawExtendedReportAtVmpl(device, akDigest, 0)
	if err != nil {
		return nil, fmt.Errorf("getting extended report: %w", err)
	}

	vlek, err := pemEncodedVLEK(certs)
	if err != nil {
		return nil, fmt.Errorf("parsing vlek: %w", err)
	}

	raw, err := json.Marshal(snp.InstanceInfo{AttestationReport: report, ReportSigner: vlek})
	if err != nil {
		return nil, fmt.Errorf("marshalling instance info: %w", err)
	}

	return raw, nil
}

// pemEncodedVLEK takes a marshalled SNP certificate table and returns the PEM-encoded VLEK certificate.
// AMD documentation on certificate tables can be found in section 4.1.8.1, revision 2.03 "SEV-ES Guest-Hypervisor Communication Block Standardization".
// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
func pemEncodedVLEK(certs []byte) ([]byte, error) {
	certTable := abi.CertTable{}
	if err := certTable.Unmarshal(certs); err != nil {
		return nil, fmt.Errorf("unmarshalling SNP certificate table: %w", err)
	}

	vlekRaw, err := certTable.GetByGUIDString(abi.VlekGUID)
	if err != nil {
		return nil, fmt.Errorf("getting VLEK certificate: %w", err)
	}

	// An optional check for certificate well-formedness. vlekRaw == cert.Raw.
	cert, err := x509.ParseCertificate(vlekRaw)
	if err != nil {
		return nil, fmt.Errorf("parsing certificate: %w", err)
	}

	certPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE",
		Bytes: cert.Raw,
	})

	return certPEM, nil
}
add license headers sed -i '1i/\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w . 2022-09-05 03:06:08 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 09:41:02 -04:00			`package snp`
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> 2022-03-22 11:03:15 -04:00
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`import (`
			`"context"`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`"crypto/sha512"`
			`"crypto/x509"`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`"encoding/json"`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`"encoding/pem"`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 09:41:02 -04:00			`"fmt"`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`"io"`
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> 2022-03-22 11:03:15 -04:00
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`"github.com/edgelesssys/constellation/v2/internal/attestation"`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/snp"`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 09:41:02 -04:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/variant"`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"`

attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`"github.com/google/go-sev-guest/abi"`
			`sevclient "github.com/google/go-sev-guest/client"`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`"github.com/google/go-tpm-tools/client"`
			`tpmclient "github.com/google/go-tpm-tools/client"`
			`)`

attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 09:41:02 -04:00			`// Issuer for AWS SNP attestation.`
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> 2022-03-22 11:03:15 -04:00			`type Issuer struct {`
attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 09:41:02 -04:00			`variant.AWSSEVSNP`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`*vtpm.Issuer`
			`}`

attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic. 2023-06-09 09:41:02 -04:00			`// NewIssuer creates a SEV-SNP based issuer for AWS.`
attestation: tdx issuer/validator (#1265) * Add TDX validator * Add TDX issuer --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-03-08 08:13:57 -05:00			`func NewIssuer(log attestation.Logger) *Issuer {`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`return &Issuer{`
			`Issuer: vtpm.NewIssuer(`
			`vtpm.OpenVTPM,`
			`getAttestationKey,`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`getInstanceInfo,`
intenal: add logging to attestation issuer (#1264) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-02-28 10:34:18 -05:00			`log,`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`),`
			`}`
			`}`

			`// getAttestationKey returns a new attestation key.`
			`func getAttestationKey(tpm io.ReadWriter) (*tpmclient.Key, error) {`
			`tpmAk, err := client.AttestationKeyRSA(tpm)`
			`if err != nil {`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`return nil, fmt.Errorf("creating RSA Endorsement key: %w", err)`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`}`

			`return tpmAk, nil`
			`}`

attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`// getInstanceInfo generates an extended SNP report, i.e. the report and any loaded certificates.`
			`// Report generation is triggered by sending ioctl syscalls to the SNP guest device, the AMD PSP generates the report.`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`// The returned bytes will be written into the attestation document.`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`func getInstanceInfo(_ context.Context, tpm io.ReadWriteCloser, _ []byte) ([]byte, error) {`
			`tpmAk, err := client.AttestationKeyRSA(tpm)`
			`if err != nil {`
			`return nil, fmt.Errorf("creating RSA Endorsement key: %w", err)`
			`}`

			`encoded, err := x509.MarshalPKIXPublicKey(tpmAk.PublicKey())`
			`if err != nil {`
			`return nil, fmt.Errorf("marshalling public key: %w", err)`
			`}`

			`akDigest := sha512.Sum512(encoded)`

			`device, err := sevclient.OpenDevice()`
			`if err != nil {`
			`return nil, fmt.Errorf("opening sev device: %w", err)`
			`}`
			`defer device.Close()`

			`report, certs, err := sevclient.GetRawExtendedReportAtVmpl(device, akDigest, 0)`
			`if err != nil {`
			`return nil, fmt.Errorf("getting extended report: %w", err)`
			`}`

			`vlek, err := pemEncodedVLEK(certs)`
			`if err != nil {`
			`return nil, fmt.Errorf("parsing vlek: %w", err)`
			`}`

			`raw, err := json.Marshal(snp.InstanceInfo{AttestationReport: report, ReportSigner: vlek})`
			`if err != nil {`
			`return nil, fmt.Errorf("marshalling instance info: %w", err)`
AB#2458 AWS NitroTPM attestation (#339) * add aws tpm attestation * fix typos * Fix return value issue Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Daniel Weiße <dw@edgeless.systems> 2022-10-27 05:04:23 -04:00			`}`
attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00
			`return raw, nil`
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> 2022-03-22 11:03:15 -04:00			`}`

attestation: use SNP-based attestation for AWS SNP 2023-11-06 08:22:44 -05:00			`// pemEncodedVLEK takes a marshalled SNP certificate table and returns the PEM-encoded VLEK certificate.`
			`// AMD documentation on certificate tables can be found in section 4.1.8.1, revision 2.03 "SEV-ES Guest-Hypervisor Communication Block Standardization".`
			`// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf`
			`func pemEncodedVLEK(certs []byte) ([]byte, error) {`
			`certTable := abi.CertTable{}`
			`if err := certTable.Unmarshal(certs); err != nil {`
			`return nil, fmt.Errorf("unmarshalling SNP certificate table: %w", err)`
			`}`

			`vlekRaw, err := certTable.GetByGUIDString(abi.VlekGUID)`
			`if err != nil {`
			`return nil, fmt.Errorf("getting VLEK certificate: %w", err)`
			`}`

			`// An optional check for certificate well-formedness. vlekRaw == cert.Raw.`
			`cert, err := x509.ParseCertificate(vlekRaw)`
			`if err != nil {`
			`return nil, fmt.Errorf("parsing certificate: %w", err)`
			`}`

			`certPEM := pem.EncodeToMemory(&pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: cert.Raw,`
			`})`

			`return certPEM, nil`
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> 2022-03-22 11:03:15 -04:00			`}`