openhcl_attestation_protocol/igvm_attest/
get.rs

1// Copyright (c) Microsoft Corporation.
2// Licensed under the MIT License.
3
4//! The module helps preparing requests and parsing responses that are
5//! sent to and received from the IGVm agent runs on the host via GET
6//! `IGVM_ATTEST` host request.
7
8use bitfield_struct::bitfield;
9use open_enum::open_enum;
10use zerocopy::FromBytes;
11use zerocopy::Immutable;
12use zerocopy::IntoBytes;
13use zerocopy::KnownLayout;
14
15const ATTESTATION_VERSION: u32 = 2;
16const ATTESTATION_SIGNATURE: u32 = 0x414c4348; // 'HCLA'
17/// The value is based on the maximum report size of the supported isolated VM
18/// Currently it's the size of a SNP report.
19const ATTESTATION_REPORT_SIZE_MAX: usize = SNP_VM_REPORT_SIZE;
20
21pub const VBS_VM_REPORT_SIZE: usize = hvdef::vbs::VBS_REPORT_SIZE;
22pub const SNP_VM_REPORT_SIZE: usize = x86defs::snp::SNP_REPORT_SIZE;
23pub const TDX_VM_REPORT_SIZE: usize = x86defs::tdx::TDX_REPORT_SIZE;
24/// No TEE attestation report for TVM
25pub const TVM_REPORT_SIZE: usize = 0;
26
27const PAGE_SIZE: usize = 4096;
28
29/// Number of pages required by the response buffer of WRAPPED_KEY request
30/// Currently the number matches the maximum value defined by `get_protocol`
31pub const WRAPPED_KEY_RESPONSE_BUFFER_SIZE: usize = 16 * PAGE_SIZE;
32/// Number of pages required by the response buffer of KEY_RELEASE request
33/// Currently the number matches the maximum value defined by `get_protocol`
34pub const KEY_RELEASE_RESPONSE_BUFFER_SIZE: usize = 16 * PAGE_SIZE;
35/// Number of pages required by the response buffer of AK_CERT request
36/// Currently the AK cert request only requires 1 page.
37pub const AK_CERT_RESPONSE_BUFFER_SIZE: usize = PAGE_SIZE;
38
39/// Current IGVM Attest response header version.
40pub const IGVM_ATTEST_RESPONSE_CURRENT_VERSION: IgvmAttestResponseVersion =
41    IgvmAttestResponseVersion::VERSION_2;
42
43open_enum! {
44    /// IGVM Attest response header versions.
45    #[derive(Default, IntoBytes, Immutable, KnownLayout, FromBytes)]
46    pub enum IgvmAttestResponseVersion: u32 {
47        /// Version 1
48        VERSION_1 = 1,
49        /// Version 2
50        VERSION_2 = 2,
51    }
52}
53
54/// Current IGVM Attest request header version.
55pub const IGVM_ATTEST_REQUEST_CURRENT_VERSION: IgvmAttestRequestVersion =
56    IgvmAttestRequestVersion::VERSION_2;
57
58open_enum! {
59    /// IGVM Attest request header versions.
60    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
61    pub enum IgvmAttestRequestVersion: u32 {
62        /// Version 1
63        VERSION_1 = 1,
64        /// Version 2
65        VERSION_2 = 2,
66    }
67}
68
69/// Request base structure (C-style)
70/// The struct (includes the appended [`runtime_claims::RuntimeClaims`]) also serves as the
71/// attestation report in vTPM guest attestation.
72#[repr(C)]
73#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
74pub struct IgvmAttestRequestBase {
75    /// Header (unmeasured)
76    pub header: IgvmAttestRequestHeader,
77    /// TEE attestation report
78    pub attestation_report: [u8; ATTESTATION_REPORT_SIZE_MAX],
79    /// Request data (unmeasured)
80    pub request_data: IgvmAttestRequestData,
81    // Data to be appended at the end of the struct:
82    // - Optional Extended request data [`IgvmAttestRequestDataExt`] (request version 2+).
83    // - Variable-length [`runtime_claims::RuntimeClaims`] (JSON string)
84    //   The hash of [`runtime_claims::RuntimeClaims`] in [`IgvmAttestHashType`] will be captured
85    //   in the `report_data` or equivalent field of the TEE attestation report.
86}
87
88open_enum! {
89    /// TEE attestation report type (C-style enum)
90    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
91    pub enum IgvmAttestReportType: u32 {
92        /// Invalid report
93        INVALID_REPORT = 0,
94        /// VBS report
95        VBS_VM_REPORT = 1,
96        /// SNP report
97        SNP_VM_REPORT = 2,
98        /// Trusted VM report
99        TVM_REPORT = 3,
100        /// TDX report
101        TDX_VM_REPORT = 4,
102    }
103}
104
105open_enum! {
106    /// Request type (C-style enum)
107    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
108    pub enum IgvmAttestRequestType: u32 {
109        /// Invalid request
110        INVALID_REQUEST = 0,
111        /// Request for getting wrapped key from AKV.
112        KEY_RELEASE_REQUEST = 1,
113        /// Request to getting attestation key certificate.
114        AK_CERT_REQUEST = 2,
115        /// Request for getting VMMD blob from CPS.
116        WRAPPED_KEY_REQUEST = 3,
117    }
118}
119
120open_enum! {
121    /// Hash algorithm used for content of report data (C-style enum)
122    #[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
123    pub enum IgvmAttestHashType: u32 {
124        /// Invalid hash
125        INVALID_HASH = 0,
126        /// SHA-256
127        SHA_256 = 1,
128        /// SHA-384
129        SHA_384 = 2,
130        /// SHA-512
131        SHA_512 = 3,
132    }
133}
134
135/// Unmeasured data used to provide transport sanity and versioning (C-style struct)
136#[repr(C)]
137#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
138pub struct IgvmAttestRequestHeader {
139    /// Signature
140    pub signature: u32,
141    /// Version
142    pub version: u32,
143    /// Report size
144    pub report_size: u32,
145    /// Request type
146    pub request_type: IgvmAttestRequestType,
147    /// Status
148    pub status: u32,
149    /// Reserved
150    pub reserved: [u32; 3],
151}
152
153impl IgvmAttestRequestHeader {
154    /// Create an `HardwareKeyProtectorHeader` instance.
155    pub fn new(report_size: u32, request_type: IgvmAttestRequestType, status: u32) -> Self {
156        Self {
157            signature: ATTESTATION_SIGNATURE,
158            version: ATTESTATION_VERSION,
159            report_size,
160            request_type,
161            status,
162            reserved: [0u32; 3],
163        }
164    }
165}
166
167/// Bitmap of additional Igvm request attributes.
168/// 0 - error_code: Requesting IGVM Agent Error code
169/// 1 - retry: Retry preference
170/// 2 - skip_hw_unsealing: Skip hardware unsealing in case key release request fails
171#[bitfield(u32)]
172#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
173pub struct IgvmCapabilityBitMap {
174    pub error_code: bool,
175    pub retry: bool,
176    pub skip_hw_unsealing: bool,
177    #[bits(29)]
178    _reserved: u32,
179}
180
181/// Unmeasured user data, used for host attestation requests (C-style struct)
182#[repr(C)]
183#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
184pub struct IgvmAttestRequestData {
185    /// Data size
186    pub data_size: u32,
187    /// Version
188    pub version: IgvmAttestRequestVersion,
189    /// Report type
190    pub report_type: IgvmAttestReportType,
191    /// Report data hash type
192    pub report_data_hash_type: IgvmAttestHashType,
193    /// Size of the appended raw runtime claims
194    pub variable_data_size: u32,
195}
196
197impl IgvmAttestRequestData {
198    /// Create an `IgvmAttestRequestData` instance.
199    pub fn new(
200        version: IgvmAttestRequestVersion,
201        data_size: u32,
202        report_type: IgvmAttestReportType,
203        report_data_hash_type: IgvmAttestHashType,
204        variable_data_size: u32,
205    ) -> Self {
206        Self {
207            data_size,
208            version,
209            report_type,
210            report_data_hash_type,
211            variable_data_size,
212        }
213    }
214}
215
216/// Unmeasured user data appended to `IgvmAttestRequestData` for version 2+,
217/// used for host attestation requests (C-style struct).
218#[repr(C)]
219#[derive(Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
220pub struct IgvmAttestRequestDataExt {
221    /// Bitmap of additional requested attributes
222    pub capability_bitmap: IgvmCapabilityBitMap,
223}
224
225impl IgvmAttestRequestDataExt {
226    /// Create an `IgvmAttestRequestDataExt` instance.
227    pub fn new(capability_bitmap: IgvmCapabilityBitMap) -> Self {
228        Self { capability_bitmap }
229    }
230}
231
232/// Bitmap indicates a signal to requestor
233/// 0 - IGVM_SIGNAL_RETRY_RECOMMENDED_BIT: Retry recommendation
234/// 1 - IGVM_SIGNAL_SKIP_HW_UNSEALING_RECOMMENDED_BIT: Skip hardware unsealing
235#[bitfield(u32)]
236#[derive(IntoBytes, Immutable, KnownLayout, FromBytes)]
237pub struct IgvmSignal {
238    pub retry: bool,
239    pub skip_hw_unsealing: bool,
240    #[bits(30)]
241    _reserved: u32,
242}
243
244/// The common response header that comply with both V1 and V2 Igvm attest response
245#[repr(C)]
246#[derive(Default, Debug, IntoBytes, FromBytes)]
247pub struct IgvmAttestCommonResponseHeader {
248    /// Data size
249    pub data_size: u32,
250    /// Version
251    pub version: IgvmAttestResponseVersion,
252}
253
254/// The response header for `IGVM_ERROR_INFO` (C-style struct)
255#[repr(C)]
256#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
257pub struct IgvmErrorInfo {
258    /// ErrorCode propagated from IgvmAgent
259    pub error_code: u32,
260    /// HttpStatusCode propagated from IgvmAgent that enhances the ErrorCode
261    pub http_status_code: u32,
262    /// Igvm signal from response
263    pub igvm_signal: IgvmSignal,
264    /// Reserved
265    pub reserved: [u32; 3],
266}
267
268/// The response header for `KEY_RELEASE_REQUEST` (C-style struct)
269#[repr(C)]
270#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
271pub struct IgvmAttestKeyReleaseResponseHeader {
272    /// Data size
273    pub data_size: u32,
274    /// Version
275    pub version: IgvmAttestResponseVersion,
276    /// IgvmErrorInfo that contains RPC result and retry recommendation
277    pub error_info: IgvmErrorInfo,
278}
279
280/// The response header for `WRAPPED_KEY_REQUEST` (C-style struct)
281/// Currently the definition is the same as [`IgvmAttestKeyReleaseResponseHeader`].
282#[repr(C)]
283#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
284pub struct IgvmAttestWrappedKeyResponseHeader {
285    /// Data size
286    pub data_size: u32,
287    /// Version
288    pub version: IgvmAttestResponseVersion,
289    /// IgvmErrorInfo that contains RPC result and retry recommendation
290    pub error_info: IgvmErrorInfo,
291}
292
293/// The response header for `AK_CERT_REQUEST` (C-style struct)
294#[repr(C)]
295#[derive(Default, Debug, IntoBytes, Immutable, KnownLayout, FromBytes)]
296pub struct IgvmAttestAkCertResponseHeader {
297    /// Data size
298    pub data_size: u32,
299    /// Version
300    pub version: IgvmAttestResponseVersion,
301    /// IgvmErrorInfo that contains RPC result and retry recommendation
302    pub error_info: IgvmErrorInfo,
303}
304
305/// Definition of the runt-time claims, which will be appended to the
306/// `IgvmAttestRequestBase` in raw bytes.
307pub mod runtime_claims {
308    use base64_serde::base64_serde_type;
309    use mesh::MeshPayload;
310    use serde::Deserialize;
311    use serde::Serialize;
312
313    base64_serde_type!(Base64Url, base64::engine::general_purpose::URL_SAFE_NO_PAD);
314
315    /// Measured runtime claim in JSON format.
316    /// The hash of the data is expected be put into the user_data field of
317    /// the attestation report.
318    #[derive(Debug, Deserialize, Serialize)]
319    #[serde(rename_all = "kebab-case")]
320    pub struct RuntimeClaims {
321        /// An array of [`RsaJwk`]
322        pub keys: Vec<RsaJwk>,
323        /// VM configuration
324        pub vm_configuration: AttestationVmConfig,
325        /// Optional user data
326        #[serde(default, skip_serializing_if = "String::is_empty")]
327        pub user_data: String,
328    }
329
330    impl RuntimeClaims {
331        /// Create runtime claims for `KEY_RELEASE_REQUEST`.
332        pub fn key_release_request_runtime_claims(
333            exponent: &[u8],
334            modulus: &[u8],
335            attestation_vm_config: &AttestationVmConfig,
336        ) -> Self {
337            let transfer_key_jwks = RsaJwk::get_transfer_key_jwks(exponent, modulus);
338            Self {
339                keys: transfer_key_jwks,
340                vm_configuration: attestation_vm_config.clone(),
341                user_data: "".to_string(),
342            }
343        }
344
345        /// Helper function for creating runtime claims of `AK_CERT_REQUEST`.
346        pub fn ak_cert_runtime_claims(
347            ak_pub_exponent: &[u8],
348            ak_pub_modulus: &[u8],
349            ek_pub_exponent: &[u8],
350            ek_pub_modulus: &[u8],
351            attestation_vm_config: &AttestationVmConfig,
352            user_data: &[u8],
353        ) -> Self {
354            let tpm_jwks = RsaJwk::get_tpm_jwks(
355                ak_pub_exponent,
356                ak_pub_modulus,
357                ek_pub_exponent,
358                ek_pub_modulus,
359            );
360            Self {
361                keys: tpm_jwks,
362                vm_configuration: attestation_vm_config.clone(),
363                user_data: hex::encode(user_data),
364            }
365        }
366    }
367
368    /// JWK for an RSA key
369    #[derive(Debug, Deserialize, Serialize)]
370    pub struct RsaJwk {
371        /// Key id
372        pub kid: String,
373        /// Key operations
374        pub key_ops: Vec<String>,
375        /// Key type
376        pub kty: String,
377        /// RSA public exponent
378        #[serde(with = "Base64Url")]
379        pub e: Vec<u8>,
380        /// RSA public modulus
381        #[serde(with = "Base64Url")]
382        pub n: Vec<u8>,
383    }
384
385    impl RsaJwk {
386        /// Create a JWKS from inputs.
387        pub fn get_transfer_key_jwks(exponent: &[u8], modulus: &[u8]) -> Vec<RsaJwk> {
388            let jwk = RsaJwk {
389                kid: "HCLTransferKey".to_string(),
390                key_ops: vec!["encrypt".to_string()],
391                kty: "RSA".to_string(),
392                e: exponent.to_vec(),
393                n: modulus.to_vec(),
394            };
395
396            vec![jwk]
397        }
398
399        /// Create a JWKS from inputs.
400        pub fn get_tpm_jwks(
401            ak_pub_exponent: &[u8],
402            ak_pub_modulus: &[u8],
403            ek_pub_exponent: &[u8],
404            ek_pub_modulus: &[u8],
405        ) -> Vec<RsaJwk> {
406            let ak_pub = RsaJwk {
407                kid: "HCLAkPub".to_string(),
408                key_ops: vec!["sign".to_string()],
409                kty: "RSA".to_string(),
410                e: ak_pub_exponent.to_vec(),
411                n: ak_pub_modulus.to_vec(),
412            };
413            let ek_pub = RsaJwk {
414                kid: "HCLEkPub".to_string(),
415                key_ops: vec!["encrypt".to_string()],
416                kty: "RSA".to_string(),
417                e: ek_pub_exponent.to_vec(),
418                n: ek_pub_modulus.to_vec(),
419            };
420
421            vec![ak_pub, ek_pub]
422        }
423    }
424
425    /// VM configuration to be included in the `RuntimeClaims`.
426    #[derive(Clone, Debug, Deserialize, Serialize, MeshPayload)]
427    #[serde(rename_all = "kebab-case")]
428    pub struct AttestationVmConfig {
429        /// Time stamp
430        #[serde(skip_serializing_if = "Option::is_none")]
431        pub current_time: Option<i64>,
432        /// Base64-encoded hash of the provisioning cert
433        pub root_cert_thumbprint: String,
434        /// Whether the serial console is enabled
435        pub console_enabled: bool,
436        /// Whether the serial console, if enabled, is interactive
437        pub interactive_console_enabled: bool,
438        /// Whether secure boot is enabled
439        pub secure_boot: bool,
440        /// Whether the TPM is enabled
441        pub tpm_enabled: bool,
442        /// Whether the TPM states is persisted
443        pub tpm_persisted: bool,
444        /// Whether certain vPCI devices are allowed through the device filter
445        pub filtered_vpci_devices_allowed: bool,
446        /// VM id
447        #[serde(rename = "vmUniqueId")]
448        pub vm_unique_id: String,
449    }
450}
openhcl_attestation_protocol/igvm_attest/get.rs

openhcl_attestation_protocol/igvm_attest/
get.rs
