feature(measurement): allowing measurements under crypto_nossl feature #250

Open: wants to merge 2 commits into base: main
2 changes: 1 addition & 1 deletion src/certs/snp/builtin/mod.rs
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0

/// Interfaces for retrieving builtin ARKs and ASKs for their respective generations.
//! Interfaces for retrieving builtin ARKs and ASKs for their respective generations.

/// Genoa generation.
pub mod genoa;
4 changes: 2 additions & 2 deletions src/certs/snp/ca/mod.rs
@@ -1,11 +1,11 @@
// SPDX-License-Identifier: Apache-2.0

//! Operations for a Certificate Authority (CA) chain.
jakubDoka marked this conversation as resolved.
#[cfg(feature = "openssl")]
use openssl::x509::X509;

use super::*;

/// Operations for a Certificate Authority (CA) chain.

/// A Certificate Authority (CA) chain.
#[derive(Clone, Debug)]
pub struct Chain {
1 change: 1 addition & 0 deletions src/error.rs
Expand Up @@ -438,6 +438,7 @@ impl From<SevError> for c_int {

impl std::error::Error for SevError {}

#[allow(clippy::too_long_first_doc_paragraph)]
/// There are a number of error conditions that can occur between this
/// layer all the way down to the SEV platform. Most of these cases have
/// been enumerated; however, there is a possibility that some error
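Review bot: the `#[allow(clippy::too_long_first_doc_paragraph)]` placed above this doc comment silences the lint instead of addressing it. Consider giving the comment a short one-sentence summary followed by an empty `///` line, so the existing text becomes the second paragraph and the `allow` is not needed. The change is also unrelated to enabling measurements under `crypto_nossl` and would be easier to review as its own commit.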
2 changes: 1 addition & 1 deletion src/lib.rs
Expand Up @@ -98,7 +98,7 @@ pub mod firmware;
pub mod launch;
#[cfg(all(
any(feature = "sev", feature = "snp"),
feature = "openssl",
any(feature = "openssl", feature = "crypto_nossl"),
target_os = "linux"
))]
pub mod measurement;
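Review bot: no Cargo.toml hunk appears in this diff, yet the `any(feature = "openssl", feature = "crypto_nossl")` gate here makes `measurement` build under `crypto_nossl`, and the later hunks call into `sha2` on that path. Please confirm that `crypto_nossl` already enables the `sha2` dependency; otherwise a `crypto_nossl`-only build will fail to resolve `sha2::Sha256` and `sha2::Sha384`.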
9 changes: 9 additions & 0 deletions src/measurement/gctx.rs
Expand Up @@ -2,6 +2,7 @@
//! Operations to handle and create a Guest Context
use std::convert::TryInto;

#[cfg(feature = "openssl")]
use openssl::sha::sha384;

use crate::error::*;
Expand All @@ -12,6 +13,14 @@ use crate::{
measurement::snp::{SnpLaunchDigest, LD_BYTES},
};

#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
Member

The library won't compile if crypto_nossl and openssl are both passed as features, so you can just gate under crypto_nossl.

Suggested change
#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
#[cfg(feature = "crypto_nossl")]

Member

This was my mistake, apologies @jakubDoka

fn sha384(data: &[u8]) -> [u8; 48] {
use sha2::Digest;
let mut sha = sha2::Sha384::default();
sha.update(data);
sha.finalize().into()
}

// VMSA page is recorded in the RMP table with GPA (u64)(-1).
// However, the address is page-aligned, and also all the bits above
// 51 are cleared.
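Review bot: the `sha384` fallback added in this hunk has the same shape as the `sha256` fallback added in src/measurement/sev_hashes.rs, but the two import the trait differently (`use sha2::Digest;` here, `use sha2::Digest as _;` there). Pick one style, and consider moving both helpers into one cfg-gated place so the backend switch is not repeated per file. The body can also be reduced to `sha2::Sha384::digest(data).into()`, which avoids the mutable hasher.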
15 changes: 11 additions & 4 deletions src/measurement/mod.rs
Expand Up @@ -3,7 +3,11 @@
//! Everything one needs to calculate a launch measurement for a SEV encrypted confidential guest.
//! This includes, GCTX, SEV-HASHES, VMSA and OVMF pages.

#[cfg(all(target_os = "linux", feature = "snp", feature = "openssl"))]
#[cfg(all(
target_os = "linux",
feature = "snp",
any(feature = "openssl", feature = "crypto_nossl")
))]
pub mod gctx;

#[cfg(any(feature = "sev", feature = "snp"))]
Expand All @@ -12,16 +16,19 @@ pub mod ovmf;
#[cfg(any(feature = "sev", feature = "snp"))]
pub mod vmsa;

#[cfg(all(any(feature = "sev", feature = "snp"), feature = "openssl"))]
#[cfg(all(
any(feature = "sev", feature = "snp"),
any(feature = "openssl", feature = "crypto_nossl")
))]
pub mod sev_hashes;

#[cfg(any(feature = "sev", feature = "snp"))]
pub mod vcpu_types;

#[cfg(all(feature = "snp", feature = "openssl"))]
#[cfg(all(feature = "snp", any(feature = "openssl", feature = "crypto_nossl")))]
pub mod snp;

#[cfg(all(feature = "sev", feature = "openssl"))]
#[cfg(all(feature = "sev", any(feature = "openssl", feature = "crypto_nossl")))]
pub mod sev;

#[cfg(all(feature = "snp", feature = "openssl"))]
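Review bot: the last line of this hunk, `#[cfg(all(feature = "snp", feature = "openssl"))]`, is left as unchanged context and still requires `openssl`, unlike the `sev_hashes`, `snp` and `sev` gates updated above it. If the item it guards is needed for measurements under `crypto_nossl`, it should get the same `any(feature = "openssl", feature = "crypto_nossl")` predicate; if it is intentionally OpenSSL-only, a short comment saying so would help.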
24 changes: 22 additions & 2 deletions src/measurement/sev.rs
Expand Up @@ -12,8 +12,12 @@ use std::path::PathBuf;

use crate::error::*;

#[cfg(feature = "openssl")]
use openssl::sha::Sha256;

#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
use {sha2::Digest, sha2::Sha256};

const _PAGE_MASK: u64 = 0xfff;

/// Get the launch digest as a hex string
Expand Down Expand Up @@ -44,7 +48,10 @@ pub fn seves_calc_launch_digest(
sev_es_measurement: SevEsMeasurementArgs,
) -> Result<[u8; 32], MeasurementError> {
let ovmf = OVMF::new(sev_es_measurement.ovmf_file)?;
#[cfg(feature = "openssl")]
let mut launch_hash = Sha256::new();
#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
let mut launch_hash = Sha256::default();
launch_hash.update(ovmf.data().as_slice());

if let Some(kernel) = sev_es_measurement.kernel_file {
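Review bot: the two cfg-gated `let mut launch_hash` statements are not needed. The first hunk of this file brings `sha2::Digest` into scope on the `crypto_nossl` path, and that trait provides `new()`, so a single un-gated `let mut launch_hash = Sha256::new();` works for both backends. The same applies to `sev_calc_launch_digest` further down.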
Expand Down Expand Up @@ -77,7 +84,12 @@ pub fn seves_calc_launch_digest(
launch_hash.update(vmsa_page.as_slice())
}

Ok(launch_hash.finish())
#[cfg(feature = "openssl")]
{
Ok(launch_hash.finish())
}
Comment on lines +87 to +90
Contributor

Attribute macros do not allow you to define scope in this way, so this won't actually work. If you are attempting to check at run-time, you will have to use a declarative function-like macro (cfg!), instead.

#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
Ok(launch_hash.finalize().into())
}

/// Arguments required to calculate the SEV measurement
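Review bot: the return value at the end of `seves_calc_launch_digest` is now chosen by cfg attributes on two competing tail expressions (`Ok(launch_hash.finish())` in a block and `Ok(launch_hash.finalize().into())`), and the same pair is repeated in `sev_calc_launch_digest`. Consider keeping the function bodies backend-agnostic by adding one small private helper, defined once per backend under `#[cfg]`, that consumes the hasher and returns `[u8; 32]` (a hypothetical `finish_sha256(launch_hash)`), so both functions end in a single un-gated `Ok(...)`.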
Expand All @@ -97,7 +109,10 @@ pub fn sev_calc_launch_digest(
sev_measurement: SevMeasurementArgs,
) -> Result<[u8; 32], MeasurementError> {
let ovmf = OVMF::new(sev_measurement.ovmf_file)?;
#[cfg(feature = "openssl")]
let mut launch_hash = Sha256::new();
#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
let mut launch_hash = Sha256::default();
launch_hash.update(ovmf.data().as_slice());

if let Some(kernel) = sev_measurement.kernel_file {
Expand All @@ -110,5 +125,10 @@ pub fn sev_calc_launch_digest(
launch_hash.update(sev_hashes.as_slice());
};

Ok(launch_hash.finish())
#[cfg(feature = "openssl")]
{
Ok(launch_hash.finish())
}
Comment on lines +128 to +131
Contributor

Same applies here. Attribute macros have no concept of scope in this way.

#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
Ok(launch_hash.finalize().into())
}
10 changes: 10 additions & 0 deletions src/measurement/sev_hashes.rs
@@ -1,7 +1,9 @@
// SPDX-License-Identifier: Apache-2.0

//! Operations to handle OVMF SEV-HASHES
#[cfg(feature = "openssl")]
use openssl::sha::sha256;

use serde::Serialize;
use std::fs::File;
use std::{
Expand All @@ -18,6 +20,14 @@ use crate::error::*;

type Sha256Hash = [u8; 32];

#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
Member

Same thing

Suggested change
#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
#[cfg(feature = "crypto_nossl")]

Member

@tylerfanelli Nov 23, 2024

Again, my mistake. I asked @jakubDoka to add this forgetting that it won't compile with both features.

fn sha256(data: &[u8]) -> Sha256Hash {
use sha2::Digest as _;
let mut sha = sha2::Sha256::default();
sha.update(data);
sha.finalize().into()
}

/// GUID stored as little endian
#[derive(Debug, Clone, Copy, Serialize, Default)]
struct GuidLe {
2 changes: 1 addition & 1 deletion tests/measurement.rs
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0

#![cfg(feature = "openssl")]
#![cfg(any(feature = "openssl", feature = "crypto_nossl"))]

#[cfg(all(target_os = "linux", feature = "snp"))]
mod snp_tests {
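Review bot: widening the file-level gate to `any(feature = "openssl", feature = "crypto_nossl")` only helps if the suite is actually run with `crypto_nossl` enabled and `openssl` disabled. Please make sure CI has such a job; the existing expected digests then double as a check that the `sha2` backend yields the same launch measurements as the OpenSSL one.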