Add SVSM e-vTPM support to go-tpm-tools #600
chrisfenner
left a comment
No serious complaints from my end, although I focused my review on the crypto & attestation flow rather than the proto design.
alexmwu
left a comment
Can we add tests for these new additions? I remember go-sev-guest supports a mock https://github.com/google/go-sev-guest/blob/main/testing/test_cases.go#L304 but I'm not too familiar with it tbh
I'll need to do another round on the library crypto; thankfully Chris has already taken a look.
I've uploaded another revision, still working on unit tests. I'll be updating the SVSMOpts to include configfsi and LeveledQuoteProvider interfaces so that I can inject a test double there.
Updated with unit tests.
| // for reference: https://github.com/TrustedComputingGroup/tpm-fw-attestation-reference-code | ||
|
|
||
| var ( | ||
| errCertifiedWrongName = errors.New("incorrect name") |
nit: capitalize name or call it a TPM name
I wasn't clear on what to do here, could you clarify?
"incorrect TPM name"
jkl73
left a comment
lgtm two overall thoughts:
- The cmd looks a bit complicated, we might think how to streamline it.
- svsm specific code in client/server might be more suitable to put into go-sev-guest repo
I've removed SVSM logic from tpm registration, so hopefully it's a bit simpler now.
I've moved SVSM-specific code to the cmd package instead of client/server. This way we can do a drop-in replacement when I move some of that to either go-sev-guest or tcb-verifier. I've uploaded a new revision which includes these changes:
@alexmwu @jkl73 let me know how the changes look. Notably, we no longer need to separately call the gce-tcb-verifier CLI.
/gcbrun |
These two messages are needed for TPM registration and SVSM support in the next patches. The generated code is the result of running `go generate ./...` inside proto/
gce-tcb-verifier is used to verify the launch measurement in the SNP attestation report, and also to verify the endorsement that is used to verify the launch measurement. go-sev-guest is updated so as to avoid an attestation report parsing error for the v4 SNP attestation report format. go-tpm is updated to make use of new commands needed by TPM registration. go-configfs-tsm is updated to retrieve the manifest blob which will contain the vTPM service manifest for SVSM attestation.

The go.mod and go.sum updates were generated by running these commands:

```
go get github.com/google/[email protected]
go get github.com/google/[email protected]
pushd cmd/
go get github.com/google/[email protected]
go get github.com/google/[email protected]
go get github.com/google/gce-tcb-verifier/gcetcbendorsement@latest
popd
go mod tidy
pushd cmd
go mod tidy
popd
pushd verifier
go mod tidy
popd
pushd launcher
go mod tidy
popd
```
The client and server files for import_certify.go correspond to the spec for EK-based key attestation with firmware version. See https://trustedcomputinggroup.org/wp-content/uploads/EK-Based-Key-Attestation-with-TPM-Firmware-Version-V1-RC1_9July2025.pdf#page=8 This will be used for SVSM attestation in the next patches. This is required for SVSM attestation because Coconut SVSM currently only attests to a single EK.
EK-based TPM registration consists of requesting a challenge, creating a challenge, solving the challenge, and verifying the challenge. Requesting a challenge corresponds to getting the EK public key via cmd/pubkey.go. Creating, solving and verifying the challenge correspond to subcommands defined in cmd/register.go. We also add some helpers for reading and writing files to flags.go and use them.
`gotpm attest svsm` and `gotpm verify debug svsm` add SVSM-specific logic for verifying an SNP attestation report that is requested by Coconut SVSM on behalf of the Linux guest. The SVSM spec defines a vTPM single-service attestation protocol which allows the SNP attestation report to be used instead of an EK certificate for creating trust in the TPM EK. We use SVSM's service attestation and the SNP hardware attestation report to create trust for the EK, instead of an EK certificate. See https://github.com/coconut-svsm/svsm for Coconut SVSM code which implements the SVSM spec interface. The SVSM spec is found at https://www.amd.com/en/developer/sev.html

We add the SevSnp attestation inside the SevSnpSvsmAttestation message instead of the Attestation message. AttestOpts is modified to allow running attest in a CVM without attempting to add the TEE technology attestation.

The full SVSM attestation flow follows these example commands:

```
TEE_NONCE="123456789012345678901234567890123456789012345678901234567890123456789012345"
ALGO="ecc"
"${gotpm}" pubkey endorsement --key-format=tpmt-public \
  --algo=rsa --output=ek.bin
"${gotpm}" register create-challenge --input=ek.bin \
  --output=challenge.bin --secret-output=secret.bin
"${gotpm}" register solve-challenge --input=challenge.bin --algo=${ALGO} \
  --output=certified_blob.bin
"${gotpm}" register verify-challenge --input=certified_blob.bin \
  --secret-input=secret.bin
"${gotpm}" attest svsm --nonce=1234 --output=svsm_attestation.bin \
  --algo=${ALGO} --key=AK --tee-nonce="${TEE_NONCE}" \
  --tee-technology=sev-snp
"${gotpm}" verify debug svsm --nonce=1234 --input=svsm_attestation.bin \
  --tee-technology=sev-snp --certified-ak-blob=certified_blob.bin \
  --ek-pub=ek.bin --tee-nonce="${TEE_NONCE}"
```
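As an added example, not code from go-tpm-tools or from the TCG reference implementation the commits cite, here is the verifier half of the `register verify-challenge` step from the two commit messages above, modelled with only the Go standard library. The shape of the exchange is the one the commits describe: the verifier's challenge secret is an HMAC key wrapped to the EK, the client imports it and uses it as the signing key in TPM2_Certify over the AK, and the resulting `certify_info` (a TPMS_ATTEST) plus `raw_sig` (a TPMT_SIGNATURE of type TPM_ALG_HMAC) come back to the verifier, which must verify the MAC under the secret before trusting any parsed field, check that the certified name is the AK's name (the "incorrect TPM name" failure discussed in the review) and read `firmwareVersion`. Assumptions, all mine: the TPM2_Import/TPM2_Load step is not shown; the TPM MACs the SHA-256 digest of the TPMS_ATTEST rather than its raw bytes (as the TPM reference implementation's CryptHmacSign does); `BuildCertifiedBlob` stands in for the TPM and emits a constructed TPMS_CLOCK_INFO and caller-supplied synthetic names; and `ParseCertifyAttest`, `VerifyCertifiedAK` and `tpm2b` are names chosen here, not the project's.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const (
	tpmGeneratedValue  = 0xFF544347 // TPM_GENERATED_VALUE, first field of TPMS_ATTEST
	tpmSTAttestCertify = 0x8017     // TPM_ST_ATTEST_CERTIFY
	tpmAlgHMAC         = 0x0005     // TPM_ALG_HMAC
	tpmAlgSHA256       = 0x000B     // TPM_ALG_SHA256
)

var (
	ErrMalformed = errors.New("attest: not a well-formed TPM_ST_ATTEST_CERTIFY structure")
	ErrBadSig    = errors.New("attest: signature is not HMAC/SHA-256 under the challenge secret")
	ErrWrongName = errors.New("attest: incorrect TPM name")
)

// CertifyInfo is the subset of TPMS_ATTEST (type TPM_ST_ATTEST_CERTIFY) a verifier acts on.
type CertifyInfo struct {
	ExtraData       []byte // qualifying data passed to TPM2_Certify
	FirmwareVersion uint64 // TPMS_ATTEST.firmwareVersion, the field the TCG spec adds to the flow
	Name            []byte // TPMS_CERTIFY_INFO.name: the certified AK's TPM name
}

// reader is a big-endian cursor over a TPM-marshalled structure.
type reader struct {
	buf []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err != nil || len(r.buf) < n {
		r.err = ErrMalformed
		return make([]byte, n) // zero-filled so callers never index past a short read
	}
	out := r.buf[:n]
	r.buf = r.buf[n:]
	return out
}
func (r *reader) be(n int) (v uint64) { for _, c := range r.take(n) { v = v<<8 | uint64(c) }; return }
func (r *reader) sized() []byte        { return r.take(int(r.be(2))) } // TPM2B_*: UINT16 size + bytes

// ParseCertifyAttest decodes the TPMS_ATTEST bytes returned by TPM2_Certify.
func ParseCertifyAttest(attest []byte) (*CertifyInfo, error) {
	r := &reader{buf: attest}
	magic, typ := r.be(4), r.be(2)
	r.sized() // qualifiedSigner: the HMAC key's name, already bound by the MAC check
	ci := &CertifyInfo{ExtraData: r.sized()}
	r.take(17) // TPMS_CLOCK_INFO: clock(8), resetCount(4), restartCount(4), safe(1)
	ci.FirmwareVersion = r.be(8)
	ci.Name = r.sized()
	r.sized() // TPMS_CERTIFY_INFO.qualifiedName, not checked here
	if r.err != nil || len(r.buf) != 0 || magic != tpmGeneratedValue || typ != tpmSTAttestCertify {
		return nil, ErrMalformed
	}
	return ci, nil
}

// hmacOverAttest models how a TPM HMAC signing key signs an attestation. Assumption (as in
// the reference implementation's CryptHmacSign): it MACs the scheme-hash digest, not raw bytes.
func hmacOverAttest(secret, attest []byte) []byte {
	h := sha256.Sum256(attest)
	mac := hmac.New(sha256.New, secret)
	mac.Write(h[:])
	return mac.Sum(nil)
}

// VerifyCertifiedAK is the verifier half of "register verify-challenge": rawSig must be a
// TPMT_SIGNATURE of type HMAC/SHA-256 under the challenge secret (checked before anything
// is parsed), and the certified name must be the AK the client claims to have registered.
func VerifyCertifiedAK(secret, attest, rawSig, expectedAKName []byte) (*CertifyInfo, error) {
	s := &reader{buf: rawSig}
	sigAlg, hashAlg := s.be(2), s.be(2)
	digest := s.take(sha256.Size)
	if s.err != nil || len(s.buf) != 0 || sigAlg != tpmAlgHMAC || hashAlg != tpmAlgSHA256 ||
		!hmac.Equal(hmacOverAttest(secret, attest), digest) {
		return nil, ErrBadSig
	}
	ci, err := ParseCertifyAttest(attest)
	if err == nil && !bytes.Equal(ci.Name, expectedAKName) {
		return nil, ErrWrongName
	}
	return ci, err
}

// tpm2b prefixes b with its big-endian UINT16 length.
func tpm2b(b []byte) []byte { return append(binary.BigEndian.AppendUint16(nil, uint16(len(b))), b...) }

// BuildCertifiedBlob constructs the (certify_info, raw_sig) pair the solve step hands to the
// verifier. Sample input only: a real TPM produces both in TPM2_Certify with the imported HMAC key.
func BuildCertifiedBlob(secret, signerName, akName, extra []byte, fw uint64) (attest, rawSig []byte) {
	attest = append([]byte{0xFF, 0x54, 0x43, 0x47, 0x80, 0x17}, tpm2b(signerName)...) // magic, type
	attest = append(attest, tpm2b(extra)...)
	attest = append(attest, 0, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 1, 0, 0, 0, 0, 1) // constructed TPMS_CLOCK_INFO
	attest = binary.BigEndian.AppendUint64(attest, fw)
	attest = append(append(attest, tpm2b(akName)...), tpm2b(akName)...) // name, qualifiedName
	rawSig = append([]byte{0x00, 0x05, 0x00, 0x0B}, hmacOverAttest(secret, attest)...) // HMAC, SHA-256
	return attest, rawSig
}
```

Order matters here: the MAC is checked over the raw bytes before the structure is decoded, so an attacker who does not hold the challenge secret never reaches the parser, and a wrong secret, a tampered or truncated attest, and a name that belongs to some other key each fail closed with a distinct error. Call `VerifyCertifiedAK(secret, certifyInfo, rawSig, akName)` with the contents of secret.bin and the two fields of certified_blob.bin to get the firmware version back on success.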
Made these manual edits to auto-generated files. The presubmit runs go generate commands and then checks for diffs with: `git diff -G'^[^/]' --exit-code`. However, these are comment lines, and I think the diff command should have skipped those. Oh well, let's try it now.
| {"RSA", tpm2.TPMAlgRSA}, | ||
| {"ECC", tpm2.TPMAlgECC}, | ||
| } | ||
| for _, tc := range testcases { |
nit: could the CreateCertifiedAKBlob be a receiver method on the ek Key. You can then call ek.PublicArea() below and ek.CreateCertifiedAKBlob(tpm, challenge, tc.keyAlgo)
| bytes certify_info = 2; | ||
| // TPM2 signature, encoded as a TPMT_Signature | ||
| bytes raw_sig = 3; | ||
| } |
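Review bot: the comment on raw_sig names the type TPMT_Signature, whereas the TPM 2.0 Part 2 type is TPMT_SIGNATURE, and the visible lines say nothing about the encoding of certify_info; since a verifier has to know whether it receives the bare TPMS_ATTEST or the size-prefixed TPM2B_ATTEST that TPM2_Certify returns, state which in a comment on certify_info, e.g. `// TPMS_ATTEST from TPM2_Certify, without the TPM2B size prefix`.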
nit: newline at end of file
| // constraints. | ||
| SevSnpPolicy sev_snp = 3; | ||
| } | ||
| } |
nit: newline at end of file.
SVSM e-vTPM currently can only attest to an EK, so we need EK-based key attestation for the TPM.
This PR implements https://trustedcomputinggroup.org/wp-content/uploads/EK-Based-Key-Attestation-with-TPM-Firmware-Version-V1-RC1_9July2025.pdf#page=8 and is based on the reference code https://github.com/TrustedComputingGroup/tpm-fw-attestation-reference-code