From: Janosch Frank <frankja@linux.ibm.com>
To: Steffen Eiden <seiden@linux.ibm.com>,
Thomas Huth <thuth@redhat.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
David Hildenbrand <david@redhat.com>
Cc: kvm@vger.kernel.org, linux-s390@vger.kernel.org
Subject: Re: [kvm-unit-tests PATCH 4/4] s390x: uv-guest: Add attestation tests
Date: Fri, 28 Jan 2022 10:54:03 +0100 [thread overview]
Message-ID: <d348d29f-c20a-717f-7124-d1c228f3213b@linux.ibm.com> (raw)
In-Reply-To: <20220127141559.35250-5-seiden@linux.ibm.com>
On 1/27/22 15:15, Steffen Eiden wrote:
> Adds several tests to verify correct error paths of attestation.
>
> Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
> ---
> lib/s390x/asm/uv.h | 5 +-
> s390x/uv-guest.c | 164 +++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 168 insertions(+), 1 deletion(-)
>
> diff --git a/lib/s390x/asm/uv.h b/lib/s390x/asm/uv.h
> index 38c322bf..e8e1698e 100644
> --- a/lib/s390x/asm/uv.h
> +++ b/lib/s390x/asm/uv.h
> @@ -109,7 +109,10 @@ struct uv_cb_qui {
> u8 reserved88[158 - 136]; /* 0x0088 */
> uint16_t max_guest_cpus; /* 0x009e */
> u64 uv_feature_indications; /* 0x00a0 */
> - u8 reserveda8[200 - 168]; /* 0x00a8 */
> + u8 reserveda8[224 - 168]; /* 0x00a8 */
> + u64 supported_att_hdr_versions; /* 0x00e0 */
> + u64 supported_paf; /* 0x00e8 */
> + u8 reservedf0[256 - 240]; /* 0x00f0 */
> } __attribute__((packed)) __attribute__((aligned(8)));
>
> struct uv_cb_cgc {
> diff --git a/s390x/uv-guest.c b/s390x/uv-guest.c
> index 909b7256..92b9a53b 100644
> --- a/s390x/uv-guest.c
> +++ b/s390x/uv-guest.c
> @@ -6,6 +6,7 @@
> *
> * Authors:
> * Janosch Frank <frankja@linux.ibm.com>
> + * Steffen Eiden <seiden@linux.ibm.com>
> */
>
> #include <libcflat.h>
> @@ -53,6 +54,15 @@ static void test_priv(void)
> check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION);
> report_prefix_pop();
>
> + report_prefix_push("attest");
> + uvcb.cmd = UVC_CMD_ATTESTATION;
> + uvcb.len = sizeof(struct uv_cb_attest);
> + expect_pgm_int();
> + enter_pstate();
> + uv_call_once(0, (u64)&uvcb);
> + check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION);
> + report_prefix_pop();
> +
> report_prefix_pop();
> }
>
> @@ -111,7 +121,160 @@ static void test_sharing(void)
> cc = uv_call(0, (u64)&uvcb);
> report(cc == 0 && uvcb.header.rc == UVC_RC_EXECUTED, "unshare");
> report_prefix_pop();
> +}
> +
> +/* arcb with one key slot and no nonce */
> +struct uv_arcb_v1 {
> + uint64_t reserved0; /* 0x0000 */
> + uint32_t arvn; /* 0x0008 */
> + uint32_t arl; /* 0x000c */
req_ver and req_len ?
> + uint8_t iv[12]; /* 0x0010 */
> + uint32_t reserved1c; /* 0x001c */
> + uint8_t reserved20[7]; /* 0x0020 */
> + uint8_t nks; /* 0x0027 */
> + uint32_t reserved28; /* 0x0028 */
> + uint32_t sea; /* 0x002c */
sea and nks are also used elsewhere so I'm mostly fine with them.
> + uint64_t paf; /* 0x0030 */
plaint_att_flags
> + uint32_t mai; /* 0x0038 */
meass_alg_id
> + uint32_t reserved3c; /* 0x003c */
> + uint8_t cpk[160]; /* 0x0040 */
> + uint8_t key_slot[80]; /* 0x00e0 */
> + uint8_t m_key[64]; /* 0x0130 */
meass_key
Although, to be honest I don't like the "meass" prefix
> + uint8_t tag[16]; /* 0x0170 */
> +} __attribute__((packed));
The amount of three letter abbreviations is too high in this struct.
> +
> +static void test_attest_v1(u64 supported_paf)
> +{
> + struct uv_cb_attest uvcb = {
> + .header.cmd = UVC_CMD_ATTESTATION,
> + .header.len = sizeof(uvcb),
> + };
> + struct uv_arcb_v1 *arcb = (void *)page;
> + uint64_t measurement = page + sizeof(*arcb);
> + size_t measurement_size = 64;
> + uint64_t additional = measurement + measurement_size;
> + size_t additional_size = 64;
> + int cc;
> +
> + memset((void *) page, 0, PAGE_SIZE);
> +
> + /* create a minimal arcb/uvcb such that FW has everything to start unsealing the request. */
> + arcb->arvn = 0x0100;
Magic numbers
> + arcb->arl = sizeof(*arcb);
> + arcb->nks = 1;
> + arcb->sea = 64;
sizeof(arcb->m_key) ?
It's sizeof(arcb->m_key) + sizeof(arcb->nonce_opt) (which doesn't exist
in our struct above) for everyone wondering what's in sea.
> + /* HMAC SHA512 */
> + arcb->mai = 1;
Add a constant then you won't need the comment anymore.
> + uvcb.arcb_addr = page;
> + uvcb.measurement_address = measurement;
> + uvcb.measurement_length = measurement_size;
> + uvcb.add_data_address = additional;
> + uvcb.add_data_length = additional_size;
> +
> + uvcb.continuation_token = 0xff;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0101, "invalid continuation token");
> + uvcb.continuation_token = 0;
> +
> + uvcb.user_data_length = sizeof(uvcb.user_data) + 1;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0102, "invalid user data size");
> + uvcb.user_data_length = 0;
> +
> + uvcb.arcb_addr = 0;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0103, "invalid address arcb");
> + uvcb.arcb_addr = page;
> +
> + /* 0104 - 0105 need an unseal-able request */
> +
> + /* version 0000 is an illegal version number */
> + arcb->arvn = 0x0000;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0106, "unsupported version");
> + arcb->arvn = 0x0100;
> +
> + arcb->arl += 1;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 1");
> + arcb->arl -= 1;
> + arcb->nks = 2;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 2");
> + arcb->nks = 1;
> +
> + arcb->nks = 0;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0108, "invalid num key slots low");
> + arcb->nks = 1;
>
> + /* possible valid size (when using nonce). However, arl to small to host a nonce */
s/to/too/
> + arcb->sea = 80;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 1");
> + arcb->sea = 17;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 2");
> + arcb->sea = 64;
> +
> + arcb->paf = supported_paf ^ ((u64) -1);
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x010a, "invalid paf");
> + arcb->paf = 0;
> +
> + /* reserved value */
> + arcb->mai = 0;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x010b, "invalid mai");
> + arcb->mai = 1;
> +
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x010c, "unable unseal");
> +
> + uvcb.measurement_length = 0;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc == 1 && uvcb.header.rc == 0x010d, "invalid measurement size");
> + uvcb.measurement_length = 64;
> +}
> +
> +static void test_attest(void)
> +{
> + struct uv_cb_attest uvcb = {
> + .header.cmd = UVC_CMD_ATTESTATION,
> + .header.len = sizeof(uvcb),
> + };
> + const struct uv_cb_qui *uvcb_qui = uv_get_info();
> + int cc;
> +
> + report_prefix_push("attest");
> +
> + if (!uv_query_test_call(BIT_UVC_CMD_ATTESTATION)) {
> + report_skip("Attestation not supported.");
> + goto done;
> + }
> +
> + /* Verify that the uv supports at least one header version */
> + report(uvcb_qui->supported_att_hdr_versions, "has hdr support");
> +
> + memset((void *) page, 0, PAGE_SIZE);
> +
> + uvcb.header.len -= 1;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 1");
> + uvcb.header.len += 1;
> +
> + uvcb.header.len += 1;
> + cc = uv_call(0, (u64)&uvcb);
> + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 2");
> + uvcb.header.len -= 1;
> +
> + report_prefix_push("v1");
> + if (test_bit_inv(0, &uvcb_qui->supported_att_hdr_versions))
> + test_attest_v1(uvcb_qui->supported_paf);
> + else
> + report_skip("Attestation version 1 not supported");
> + report_prefix_pop();
> +done:
> report_prefix_pop();
> }
>
> @@ -179,6 +342,7 @@ int main(void)
> test_invalid();
> test_query();
> test_sharing();
> + test_attest();
> free_page((void *)page);
> done:
> report_prefix_pop();
>
prev parent reply other threads:[~2022-01-28 9:54 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-27 14:15 [kvm-unit-tests PATCH 0/4] s390x: Attestation tests Steffen Eiden
2022-01-27 14:15 ` [kvm-unit-tests PATCH 1/4] s390x: uv-host: Add attestation test Steffen Eiden
2022-01-28 9:00 ` Janosch Frank
2022-01-28 9:29 ` Thomas Huth
2022-01-28 9:58 ` Claudio Imbrenda
2022-01-27 14:15 ` [kvm-unit-tests PATCH 2/4] s390x: lib: Add QUI getter Steffen Eiden
2022-01-28 9:02 ` Janosch Frank
2022-01-27 14:15 ` [kvm-unit-tests PATCH 3/4] s390x: uv-guest: remove duplicated checks Steffen Eiden
2022-01-28 9:06 ` Janosch Frank
2022-01-27 14:15 ` [kvm-unit-tests PATCH 4/4] s390x: uv-guest: Add attestation tests Steffen Eiden
2022-01-28 9:54 ` Janosch Frank [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d348d29f-c20a-717f-7124-d1c228f3213b@linux.ibm.com \
--to=frankja@linux.ibm.com \
--cc=david@redhat.com \
--cc=imbrenda@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=seiden@linux.ibm.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).