Skip to main content

openhcl_attestation_protocol/igvm_attest/
get.rs

1// Copyright (c) Microsoft Corporation.
2// Licensed under the MIT License.
3
4//! The module helps preparing requests and parsing responses that are
5//! sent to and received from the IGVm agent runs on the host via GET
6//! `IGVM_ATTEST` host request.
7
8use bitfield_struct::bitfield;
9use open_enum::open_enum;
10use zerocopy::FromBytes;
11use zerocopy::Immutable;
12use zerocopy::IntoBytes;
13use zerocopy::KnownLayout;
14
15const ATTESTATION_VERSION: u32 = 2;
16const ATTESTATION_SIGNATURE: u32 = 0x414c4348; // 'HCLA'
17/// The value is based on the maximum report size of the supported isolated VM
18/// Currently it's the size of a SNP report.
19const ATTESTATION_REPORT_SIZE_MAX: usize = SNP_VM_REPORT_SIZE;
20
21pub const VBS_VM_REPORT_SIZE: usize = hvdef::vbs::VBS_REPORT_SIZE;
22pub const SNP_VM_REPORT_SIZE: usize = x86defs::snp::SNP_REPORT_SIZE;
23pub const TDX_VM_REPORT_SIZE: usize = x86defs::tdx::TDX_REPORT_SIZE;
24/// No TEE attestation report for TVM
25pub const TVM_REPORT_SIZE: usize = 0;
26
27const PAGE_SIZE: usize = 4096;
28
29/// Number of pages required by the response buffer of WRAPPED_KEY request
30/// Currently the number matches the maximum value defined by `get_protocol`
31pub const WRAPPED_KEY_RESPONSE_BUFFER_SIZE: usize = 16 * PAGE_SIZE;
32/// Number of pages required by the response buffer of KEY_RELEASE request
33/// Currently the number matches the maximum value defined by `get_protocol`
34pub const KEY_RELEASE_RESPONSE_BUFFER_SIZE: usize = 16 * PAGE_SIZE;
35/// Number of pages required by the response buffer of AK_CERT request
36/// Currently the AK cert request only requires 1 page.
37pub const AK_CERT_RESPONSE_BUFFER_SIZE: usize = PAGE_SIZE;
38
39/// Current IGVM Attest response header version.
40pub const IGVM_ATTEST_RESPONSE_CURRENT_VERSION: IgvmAttestResponseVersion =
41    IgvmAttestResponseVersion::VERSION_2;
42
43open_enum! {
44    /// IGVM Attest response header versions.
45    #[derive(Default, IntoBytes, Immutable, KnownLayout, FromBytes)]
46    pub enum IgvmAttestResponseVersion: u32 {
47        /// Version 1
48        VERSION_1 = 1,
49        /// Version 2
50        VERSION_2 = 2,
51    }
52}
53
54/// Current IGVM Attest request header version.
55pub const IGVM_ATTEST_REQUEST_CURRENT_VERSION: IgvmAttestRequestVersion =
56    IgvmAttestRequestVersion::VERSION_2;
57
58open_enum! {
59    /// IGVM Attest request header versions.
60    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
61    pub enum IgvmAttestRequestVersion: u32 {
62        /// Version 1
63        VERSION_1 = 1,
64        /// Version 2
65        VERSION_2 = 2,
66    }
67}
68
69/// Request base structure (C-style)
70/// The struct (includes the appended [`runtime_claims::RuntimeClaims`]) also serves as the
71/// attestation report in vTPM guest attestation.
72#[repr(C)]
73#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
74pub struct IgvmAttestRequestBase {
75    /// Header (unmeasured)
76    pub header: IgvmAttestRequestHeader,
77    /// TEE attestation report
78    pub attestation_report: [u8; ATTESTATION_REPORT_SIZE_MAX],
79    /// Request data (unmeasured)
80    pub request_data: IgvmAttestRequestData,
81    // Data to be appended at the end of the struct:
82    // - Optional Extended request data [`IgvmAttestRequestDataExt`] (request version 2+).
83    // - Variable-length [`runtime_claims::RuntimeClaims`] (JSON string)
84    //   The hash of [`runtime_claims::RuntimeClaims`] in [`IgvmAttestHashType`] will be captured
85    //   in the `report_data` or equivalent field of the TEE attestation report.
86}
87
88open_enum! {
89    /// TEE attestation report type (C-style enum)
90    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
91    pub enum IgvmAttestReportType: u32 {
92        /// Invalid report
93        INVALID_REPORT = 0,
94        /// VBS report
95        VBS_VM_REPORT = 1,
96        /// SNP report
97        SNP_VM_REPORT = 2,
98        /// Trusted VM report
99        TVM_REPORT = 3,
100        /// TDX report
101        TDX_VM_REPORT = 4,
102        /// CCA report
103        CCA_VM_REPORT = 5,
104    }
105}
106
107open_enum! {
108    /// Request type (C-style enum)
109    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
110    pub enum IgvmAttestRequestType: u32 {
111        /// Invalid request
112        INVALID_REQUEST = 0,
113        /// Request for getting wrapped key from AKV.
114        KEY_RELEASE_REQUEST = 1,
115        /// Request to getting attestation key certificate.
116        AK_CERT_REQUEST = 2,
117        /// Request for getting VMMD blob from CPS.
118        WRAPPED_KEY_REQUEST = 3,
119    }
120}
121
122open_enum! {
123    /// Hash algorithm used for content of report data (C-style enum)
124    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
125    pub enum IgvmAttestHashType: u32 {
126        /// Invalid hash
127        INVALID_HASH = 0,
128        /// SHA-256
129        SHA_256 = 1,
130        /// SHA-384
131        SHA_384 = 2,
132        /// SHA-512
133        SHA_512 = 3,
134    }
135}
136
137/// Unmeasured data used to provide transport sanity and versioning (C-style struct)
138#[repr(C)]
139#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
140pub struct IgvmAttestRequestHeader {
141    /// Signature
142    pub signature: u32,
143    /// Version
144    pub version: u32,
145    /// Report size
146    pub report_size: u32,
147    /// Request type
148    pub request_type: IgvmAttestRequestType,
149    /// Status
150    pub status: u32,
151    /// Reserved
152    pub reserved: [u32; 3],
153}
154
155impl IgvmAttestRequestHeader {
156    /// Create an `HardwareKeyProtectorHeader` instance.
157    pub fn new(report_size: u32, request_type: IgvmAttestRequestType, status: u32) -> Self {
158        Self {
159            signature: ATTESTATION_SIGNATURE,
160            version: ATTESTATION_VERSION,
161            report_size,
162            request_type,
163            status,
164            reserved: [0u32; 3],
165        }
166    }
167}
168
169/// Bitmap of additional Igvm request attributes.
170/// 0 - error_code: Requesting IGVM Agent Error code
171/// 1 - retry: Retry preference
172/// 2 - skip_hw_unsealing: Skip hardware unsealing in case key release request fails
173#[bitfield(u32)]
174#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
175pub struct IgvmCapabilityBitMap {
176    pub error_code: bool,
177    pub retry: bool,
178    pub skip_hw_unsealing: bool,
179    #[bits(29)]
180    _reserved: u32,
181}
182
183/// Unmeasured user data, used for host attestation requests (C-style struct)
184#[repr(C)]
185#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
186pub struct IgvmAttestRequestData {
187    /// Data size
188    pub data_size: u32,
189    /// Version
190    pub version: IgvmAttestRequestVersion,
191    /// Report type
192    pub report_type: IgvmAttestReportType,
193    /// Report data hash type
194    pub report_data_hash_type: IgvmAttestHashType,
195    /// Size of the appended raw runtime claims
196    pub variable_data_size: u32,
197}
198
199impl IgvmAttestRequestData {
200    /// Create an `IgvmAttestRequestData` instance.
201    pub fn new(
202        version: IgvmAttestRequestVersion,
203        data_size: u32,
204        report_type: IgvmAttestReportType,
205        report_data_hash_type: IgvmAttestHashType,
206        variable_data_size: u32,
207    ) -> Self {
208        Self {
209            data_size,
210            version,
211            report_type,
212            report_data_hash_type,
213            variable_data_size,
214        }
215    }
216}
217
218/// Unmeasured user data appended to `IgvmAttestRequestData` for version 2+,
219/// used for host attestation requests (C-style struct).
220#[repr(C)]
221#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
222pub struct IgvmAttestRequestDataExt {
223    /// Bitmap of additional requested attributes
224    pub capability_bitmap: IgvmCapabilityBitMap,
225}
226
227impl IgvmAttestRequestDataExt {
228    /// Create an `IgvmAttestRequestDataExt` instance.
229    pub fn new(capability_bitmap: IgvmCapabilityBitMap) -> Self {
230        Self { capability_bitmap }
231    }
232}
233
234/// Bitmap indicates a signal to requestor
235/// 0 - IGVM_SIGNAL_RETRY_RECOMMENDED_BIT: Retry recommendation
236/// 1 - IGVM_SIGNAL_SKIP_HW_UNSEALING_RECOMMENDED_BIT: Skip hardware unsealing
237#[bitfield(u32)]
238#[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
239pub struct IgvmSignal {
240    pub retry: bool,
241    pub skip_hw_unsealing: bool,
242    #[bits(30)]
243    _reserved: u32,
244}
245
246/// The common response header that comply with both V1 and V2 Igvm attest response
247#[repr(C)]
248#[derive(Default, Debug, IntoBytes, FromBytes)]
249pub struct IgvmAttestCommonResponseHeader {
250    /// Data size
251    pub data_size: u32,
252    /// Version
253    pub version: IgvmAttestResponseVersion,
254}
255
256/// The response header for `IGVM_ERROR_INFO` (C-style struct)
257#[repr(C)]
258#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
259pub struct IgvmErrorInfo {
260    /// ErrorCode propagated from IgvmAgent
261    pub error_code: u32,
262    /// HttpStatusCode propagated from IgvmAgent that enhances the ErrorCode
263    pub http_status_code: u32,
264    /// Igvm signal from response
265    pub igvm_signal: IgvmSignal,
266    /// Reserved
267    pub reserved: [u32; 3],
268}
269
270/// The response header for `KEY_RELEASE_REQUEST` (C-style struct)
271#[repr(C)]
272#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
273pub struct IgvmAttestKeyReleaseResponseHeader {
274    /// Data size
275    pub data_size: u32,
276    /// Version
277    pub version: IgvmAttestResponseVersion,
278    /// IgvmErrorInfo that contains RPC result and retry recommendation
279    pub error_info: IgvmErrorInfo,
280}
281
282/// The response header for `WRAPPED_KEY_REQUEST` (C-style struct)
283/// Currently the definition is the same as [`IgvmAttestKeyReleaseResponseHeader`].
284#[repr(C)]
285#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
286pub struct IgvmAttestWrappedKeyResponseHeader {
287    /// Data size
288    pub data_size: u32,
289    /// Version
290    pub version: IgvmAttestResponseVersion,
291    /// IgvmErrorInfo that contains RPC result and retry recommendation
292    pub error_info: IgvmErrorInfo,
293}
294
295/// The response header for `AK_CERT_REQUEST` (C-style struct)
296#[repr(C)]
297#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
298pub struct IgvmAttestAkCertResponseHeader {
299    /// Data size
300    pub data_size: u32,
301    /// Version
302    pub version: IgvmAttestResponseVersion,
303    /// IgvmErrorInfo that contains RPC result and retry recommendation
304    pub error_info: IgvmErrorInfo,
305}
306
307/// Definition of the runt-time claims, which will be appended to the
308/// `IgvmAttestRequestBase` in raw bytes.
309pub mod runtime_claims {
310    use base64_serde::base64_serde_type;
311    use mesh::MeshPayload;
312    use serde::Deserialize;
313    use serde::Serialize;
314
315    base64_serde_type!(Base64Url, base64::engine::general_purpose::URL_SAFE_NO_PAD);
316
317    /// Measured runtime claim in JSON format.
318    /// The hash of the data is expected be put into the user_data field of
319    /// the attestation report.
320    #[derive(Debug, Deserialize, Serialize)]
321    #[serde(rename_all = "kebab-case")]
322    pub struct RuntimeClaims {
323        /// An array of [`RsaJwk`]
324        pub keys: Vec<RsaJwk>,
325        /// VM configuration
326        pub vm_configuration: AttestationVmConfig,
327        /// Optional user data
328        #[serde(default, skip_serializing_if = "String::is_empty")]
329        pub user_data: String,
330    }
331
332    impl RuntimeClaims {
333        /// Create runtime claims for `KEY_RELEASE_REQUEST`.
334        pub fn key_release_request_runtime_claims(
335            exponent: &[u8],
336            modulus: &[u8],
337            attestation_vm_config: &AttestationVmConfig,
338        ) -> Self {
339            let transfer_key_jwks = RsaJwk::get_transfer_key_jwks(exponent, modulus);
340            Self {
341                keys: transfer_key_jwks,
342                vm_configuration: attestation_vm_config.clone(),
343                user_data: "".to_string(),
344            }
345        }
346
347        /// Helper function for creating runtime claims of `AK_CERT_REQUEST`.
348        pub fn ak_cert_runtime_claims(
349            ak_pub_exponent: &[u8],
350            ak_pub_modulus: &[u8],
351            ek_pub_exponent: &[u8],
352            ek_pub_modulus: &[u8],
353            attestation_vm_config: &AttestationVmConfig,
354            user_data: &[u8],
355        ) -> Self {
356            let tpm_jwks = RsaJwk::get_tpm_jwks(
357                ak_pub_exponent,
358                ak_pub_modulus,
359                ek_pub_exponent,
360                ek_pub_modulus,
361            );
362            Self {
363                keys: tpm_jwks,
364                vm_configuration: attestation_vm_config.clone(),
365                user_data: hex::encode(user_data),
366            }
367        }
368    }
369
370    /// JWK for an RSA key
371    #[derive(Debug, Deserialize, Serialize)]
372    pub struct RsaJwk {
373        /// Key id
374        pub kid: String,
375        /// Key operations
376        pub key_ops: Vec<String>,
377        /// Key type
378        pub kty: String,
379        /// RSA public exponent
380        #[serde(with = "Base64Url")]
381        pub e: Vec<u8>,
382        /// RSA public modulus
383        #[serde(with = "Base64Url")]
384        pub n: Vec<u8>,
385    }
386
387    impl RsaJwk {
388        /// Create a JWKS from inputs.
389        pub fn get_transfer_key_jwks(exponent: &[u8], modulus: &[u8]) -> Vec<RsaJwk> {
390            let jwk = RsaJwk {
391                kid: "HCLTransferKey".to_string(),
392                key_ops: vec!["encrypt".to_string()],
393                kty: "RSA".to_string(),
394                e: exponent.to_vec(),
395                n: modulus.to_vec(),
396            };
397
398            vec![jwk]
399        }
400
401        /// Create a JWKS from inputs.
402        pub fn get_tpm_jwks(
403            ak_pub_exponent: &[u8],
404            ak_pub_modulus: &[u8],
405            ek_pub_exponent: &[u8],
406            ek_pub_modulus: &[u8],
407        ) -> Vec<RsaJwk> {
408            let ak_pub = RsaJwk {
409                kid: "HCLAkPub".to_string(),
410                key_ops: vec!["sign".to_string()],
411                kty: "RSA".to_string(),
412                e: ak_pub_exponent.to_vec(),
413                n: ak_pub_modulus.to_vec(),
414            };
415            let ek_pub = RsaJwk {
416                kid: "HCLEkPub".to_string(),
417                key_ops: vec!["encrypt".to_string()],
418                kty: "RSA".to_string(),
419                e: ek_pub_exponent.to_vec(),
420                n: ek_pub_modulus.to_vec(),
421            };
422
423            vec![ak_pub, ek_pub]
424        }
425    }
426
427    /// VM configuration to be included in the `RuntimeClaims`.
428    #[derive(Clone, Debug, Deserialize, Serialize, MeshPayload)]
429    #[serde(rename_all = "kebab-case")]
430    pub struct AttestationVmConfig {
431        /// Time stamp
432        #[serde(skip_serializing_if = "Option::is_none")]
433        pub current_time: Option<i64>,
434        /// Base64-encoded hash of the provisioning cert
435        pub root_cert_thumbprint: String,
436        /// Whether the serial console is enabled
437        pub console_enabled: bool,
438        /// Whether the serial console, if enabled, is interactive
439        pub interactive_console_enabled: bool,
440        /// Whether secure boot is enabled
441        pub secure_boot: bool,
442        /// Whether the TPM is enabled
443        pub tpm_enabled: bool,
444        /// Whether the TPM states is persisted
445        pub tpm_persisted: bool,
446        /// Whether certain vPCI devices are allowed through the device filter
447        pub filtered_vpci_devices_allowed: bool,
448        /// VM id
449        #[serde(rename = "vmUniqueId")]
450        pub vm_unique_id: String,
451    }
452}