blueprint-tee 0.2.0-alpha.7

First-class TEE (Trusted Execution Environment) support for the Blueprint SDK
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

//! AMD SEV-SNP attestation verifier.
//!
//! This module provides a backward-compatible `SevSnpVerifier` type that wraps
//! the unified [`NativeVerifier`](super::native::NativeVerifier).

use crate::attestation::report::AttestationReport;
use crate::attestation::verifier::{AttestationVerifier, VerifiedAttestation};
use crate::config::TeeProvider;
use crate::errors::TeeError;

use super::native::NativeVerifier;

/// Verifier for AMD SEV-SNP attestation reports.
///
/// Wraps [`NativeVerifier`] with SEV-SNP-specific defaults. TDX and SEV-SNP
/// share the same ioctl-based attestation pattern; see the `native` module for
/// the unified implementation.
pub struct SevSnpVerifier {
    /// Expected launch measurement, if enforced.
    pub expected_measurement: Option<String>,
    /// Whether to allow debug guests.
    pub allow_debug: bool,
}

impl SevSnpVerifier {
    /// Create a new SEV-SNP verifier.
    pub fn new() -> Self {
        Self {
            expected_measurement: None,
            allow_debug: false,
        }
    }

    /// Set the expected launch measurement.
    pub fn with_expected_measurement(mut self, measurement: impl Into<String>) -> Self {
        self.expected_measurement = Some(measurement.into());
        self
    }

    /// Allow debug-mode guests (not recommended for production).
    pub fn allow_debug(mut self, allow: bool) -> Self {
        self.allow_debug = allow;
        self
    }

    fn to_native(&self) -> NativeVerifier {
        let mut v = NativeVerifier::sev_snp().with_allow_debug(self.allow_debug);
        if let Some(m) = &self.expected_measurement {
            v = v.with_expected_measurement(m.clone());
        }
        v
    }
}

impl Default for SevSnpVerifier {
    fn default() -> Self {
        Self::new()
    }
}

impl AttestationVerifier for SevSnpVerifier {
    fn verify(&self, report: &AttestationReport) -> Result<VerifiedAttestation, TeeError> {
        self.to_native().verify(report)
    }

    fn supported_provider(&self) -> TeeProvider {
        TeeProvider::AmdSevSnp
    }
}