Skip to content

Commit a39bf21

Browse files
committed
aproxy: implement decoupled KBS backend utilizing sev crate
Running SVSM against a trustee KBS service to verify the attestation report and get the attestation token back fails with the error "Deserialize SNP Evidence failed" [1] On further inspection, here are a few problems identified with the current attestation flow: 1. The trustee KBS service depends on the virtee sev crate AttestationReport structure [2] and it does not match with the structure of AttestationReport that SVSM sends to aproxy. As a result the deserialization fails. 2. The additional_evidence is not passed in the report at all. 3. Runtime data is hashed using sha512 whereas KBS service expects to use Sha384 hash function. 4. nonce should be stored from the negotiation response, so that it can be sent back in the attestation request. In this commit, we add the official 'sev' crate (from virtee, with snp and serde features enabled) to aproxy's dependencies, and implement a decoupled KBS backend in tools/aproxy. [3] The aproxy KBS backend parses the raw report bytes received from SVSM using sev::firmware::guest::AttestationReport. This completely decouples the SVSM kernel from KBS serialization format requirements. The standard parser utilized by the KBS evidence verifier is used in the aproxy, resolving previous deserialization failures. aproxy backend now constructs the complete, KBS-compliant runtime_data JSON object (which contains the nonce and the tee-pubkey formatted with JWS parameters like alg: 'ECDH-ES+A256KW' and crv: 'P-521'). aproxy serializes this entire JSON object, computes its SHA-384 hash, and returns this combined hash to SVSM as the NegotiationResponse challenge. SVSM then simply hashes this single challenge into its SEV-SNP report. Update the hash function in kernel/src/attest.rs to directly copy the 48 byte challenge into a zero padded 64 byte array. Hashing is actually performed in the aproxy and the hash function used is Sha384 Casting SNP report bytes into sev crate's AttestationReport structure via read_unaligned causes undefined behaviour due to optimized Option enums. Replace unsafe cast with sev::parser::Decoder to safely decode the report byte-by-byte into the correct memory layout. Adding resource_id: Option<String> to KbsProtocol prevents the Protocol enum from implementing Copy. Therefore pattern matching on self.protocol directly inside HttpClient method now borrows self, and that conflicts with subsequently passing self as mutable reference to the backend method calls like negotiation and attestation. Use idiomatic mem::replace pattern to avoid this. [1] https://github.com/confidential-containers/trustee/blob/main/deps/verifier/src/snp/mod.rs#L351 [2] https://github.com/confidential-containers/trustee/blob/main/deps/verifier/Cargo.toml#L96 [3] https://docs.rs/crate/sev/8.0.0/source/src/firmware/guest/types/snp.rs#255 Signed-off-by: Arun Menon <armenon@redhat.com>
1 parent 54850e0 commit a39bf21

6 files changed

Lines changed: 538 additions & 400 deletions

File tree

0 commit comments

Comments
 (0)