sev 7.1.0

Library for AMD SEV
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

// SPDX-License-Identifier: Apache-2.0

//! Utilities for adhering to a cached SEV chain convention.
//!
//! The search path for the SEV chain is:
//!   1. The path specified in the "SEV_CHAIN" environment variable
//!      (if present).
//!   2. `$HOME/.cache/amd-sev/chain`
//!   3. `/var/cache/amd-sev/chain`
//!
//! An entire certificate chain can be created using the `sevctl`
//! utility.

#![cfg(all(feature = "sev", feature = "dangerous_hw_tests"))]

#[cfg(feature = "openssl")]
use crate::{
    certs::sev::{ca::Chain as CaChain, Chain as FullChain},
    firmware::host::Firmware,
    sev::Certificate,
    Generation,
};

#[cfg(feature = "openssl")]
use reqwest::{
    blocking::{get, Response},
    StatusCode,
};

use std::{
    env,
    path::{Path, PathBuf},
};

#[cfg(feature = "openssl")]
use std::io::Cursor;

#[cfg(feature = "openssl")]
use crate::parser::Decoder;

fn append_rest<P: AsRef<Path>>(path: P) -> PathBuf {
    let mut path = path.as_ref().to_path_buf();
    path.push("amd-sev");
    path.push("chain");
    path
}

/// Returns the path stored in the optional `SEV_CHAIN`
/// environment variable.
pub fn env_var() -> Option<PathBuf> {
    env::var("SEV_CHAIN").ok().map(PathBuf::from)
}

/// Returns the "user-level" search path for the SEV
/// certificate chain (`$HOME/.cache/amd-sev/chain`).
pub fn home() -> Option<PathBuf> {
    dirs::cache_dir().map(append_rest)
}

/// Returns the "system-level" search path for the SEV
/// certificate chain (`/var/cache/amd-sev/chain`).
pub fn sys() -> Option<PathBuf> {
    let sys = PathBuf::from("/var/cache");
    if sys.exists() {
        Some(append_rest(sys))
    } else {
        None
    }
}

/// Returns the list of search paths in the order that they
/// will be searched for the SEV certificate chain.
pub fn path() -> Vec<PathBuf> {
    vec![env_var(), home(), sys()]
        .into_iter()
        .flatten()
        .collect()
}

/// Remove any certificates that may have been chached to reset
/// testing for SEV APIS.
pub fn rm_cached_chain() {
    let paths = path();
    if let Some(path) = paths.first() {
        if path.exists() {
            std::fs::remove_file(path).unwrap();
        }
    }
}

/// Request CEK certificate from AMD KDS and generate a full chain.
#[cfg(all(feature = "sev", feature = "openssl"))]
pub fn get_chain() -> FullChain {
    use std::convert::TryFrom;

    let mut firmware = Firmware::open().unwrap();

    const CEK_SVC: &str = "https://kdsintf.amd.com/cek/id";

    let mut sev_chain = firmware.pdh_cert_export().unwrap();

    let id = firmware.get_identifier().unwrap();

    let url = format!("{}/{}", CEK_SVC, id);

    // VCEK in DER format
    let vcek_rsp: Response = get(url).expect("Failed to get CEK certificate");

    let cek_resp_bytes = match vcek_rsp.status() {
        StatusCode::OK => {
            let vcek_rsp_bytes: Vec<u8> = vcek_rsp.bytes().unwrap().to_vec();
            vcek_rsp_bytes
        }
        _ => panic!("Cek request returned an error"),
    };

    // Create a Cursor around the byte vector
    let mut cursor = Cursor::new(cek_resp_bytes);

    sev_chain.cek = Certificate::decode(&mut cursor, ()).expect("Failed to decode CEK cert");

    let ca_chain: CaChain = Generation::try_from(&sev_chain)
        .expect("Failed to generate SEV CA chain")
        .into();

    FullChain {
        ca: ca_chain,
        sev: sev_chain,
    }
}