sev 7.1.0

Library for AMD SEV
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

// SPDX-License-Identifier: Apache-2.0

//! Operations to calculate guest measurement for different SEV modes
use crate::measurement::{
    ovmf::OVMF,
    sev_hashes::SevHashes,
    vcpu_types::CpuType,
    vmsa::{GuestFeatures, VMMType, VMSA},
};

use std::path::PathBuf;

use crate::error::*;

use openssl::sha::Sha256;

const _PAGE_MASK: u64 = 0xfff;

/// Get the launch digest as a hex string
pub fn get_hex_ld(ld: Vec<u8>) -> String {
    hex::encode(ld)
}

/// Arguments required to calculate the SEV-ES measurement
pub struct SevEsMeasurementArgs<'a> {
    /// Number of vcpus
    pub vcpus: u32,
    /// vcpu type
    pub vcpu_type: CpuType,
    /// Path to OVMF file
    pub ovmf_file: PathBuf,
    /// Path to kernel file
    pub kernel_file: Option<PathBuf>,
    /// Path to initrd file
    pub initrd_file: Option<PathBuf>,
    /// Append arguments for kernel
    pub append: Option<&'a str>,
    /// vmm type
    pub vmm_type: Option<VMMType>,
}

/// Calculate an SEV-ES launch digest
pub fn seves_calc_launch_digest(
    sev_es_measurement: SevEsMeasurementArgs,
) -> Result<[u8; 32], MeasurementError> {
    let ovmf = OVMF::new(sev_es_measurement.ovmf_file)?;
    let mut launch_hash = Sha256::new();
    launch_hash.update(ovmf.data().as_slice());

    if let Some(kernel) = sev_es_measurement.kernel_file {
        if !ovmf.is_sev_hashes_table_supported() {
            return Err(MeasurementError::InvalidOvmfKernelError);
        }
        let sev_hashes = SevHashes::new(
            kernel,
            sev_es_measurement.initrd_file,
            sev_es_measurement.append,
        )?
        .construct_table()?;
        launch_hash.update(sev_hashes.as_slice());
    };

    let official_vmm_type = match sev_es_measurement.vmm_type {
        Some(vmm) => vmm,
        None => VMMType::QEMU,
    };

    let vmsa = VMSA::new(
        ovmf.sev_es_reset_eip()?.into(),
        sev_es_measurement.vcpu_type,
        official_vmm_type,
        Some(sev_es_measurement.vcpus as u64),
        GuestFeatures(0x0),
    );

    for vmsa_page in vmsa.pages(sev_es_measurement.vcpus as usize)?.iter() {
        launch_hash.update(vmsa_page.as_slice())
    }

    Ok(launch_hash.finish())
}

/// Arguments required to calculate the SEV measurement
pub struct SevMeasurementArgs<'a> {
    /// Path to OVMF file
    pub ovmf_file: PathBuf,
    /// Path to kernel file
    pub kernel_file: Option<PathBuf>,
    /// Path to initrd file
    pub initrd_file: Option<PathBuf>,
    /// Append arguments for kernel
    pub append: Option<&'a str>,
}

/// Calculate an SEV launch digest
pub fn sev_calc_launch_digest(
    sev_measurement: SevMeasurementArgs,
) -> Result<[u8; 32], MeasurementError> {
    let ovmf = OVMF::new(sev_measurement.ovmf_file)?;
    let mut launch_hash = Sha256::new();
    launch_hash.update(ovmf.data().as_slice());

    if let Some(kernel) = sev_measurement.kernel_file {
        if !ovmf.is_sev_hashes_table_supported() {
            return Err(MeasurementError::InvalidOvmfKernelError);
        }
        let sev_hashes =
            SevHashes::new(kernel, sev_measurement.initrd_file, sev_measurement.append)?
                .construct_table()?;
        launch_hash.update(sev_hashes.as_slice());
    };

    Ok(launch_hash.finish())
}