Message ID | 20220127141559.35250-5-seiden@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | s390x: Attestation tests | expand |
On 1/27/22 15:15, Steffen Eiden wrote: > Adds several tests to verify correct error paths of attestation. > > Signed-off-by: Steffen Eiden <seiden@linux.ibm.com> > --- > lib/s390x/asm/uv.h | 5 +- > s390x/uv-guest.c | 164 +++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 168 insertions(+), 1 deletion(-) > > diff --git a/lib/s390x/asm/uv.h b/lib/s390x/asm/uv.h > index 38c322bf..e8e1698e 100644 > --- a/lib/s390x/asm/uv.h > +++ b/lib/s390x/asm/uv.h > @@ -109,7 +109,10 @@ struct uv_cb_qui { > u8 reserved88[158 - 136]; /* 0x0088 */ > uint16_t max_guest_cpus; /* 0x009e */ > u64 uv_feature_indications; /* 0x00a0 */ > - u8 reserveda8[200 - 168]; /* 0x00a8 */ > + u8 reserveda8[224 - 168]; /* 0x00a8 */ > + u64 supported_att_hdr_versions; /* 0x00e0 */ > + u64 supported_paf; /* 0x00e8 */ > + u8 reservedf0[256 - 240]; /* 0x00f0 */ > } __attribute__((packed)) __attribute__((aligned(8))); > > struct uv_cb_cgc { > diff --git a/s390x/uv-guest.c b/s390x/uv-guest.c > index 909b7256..92b9a53b 100644 > --- a/s390x/uv-guest.c > +++ b/s390x/uv-guest.c > @@ -6,6 +6,7 @@ > * > * Authors: > * Janosch Frank <frankja@linux.ibm.com> > + * Steffen Eiden <seiden@linux.ibm.com> > */ > > #include <libcflat.h> > @@ -53,6 +54,15 @@ static void test_priv(void) > check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION); > report_prefix_pop(); > > + report_prefix_push("attest"); > + uvcb.cmd = UVC_CMD_ATTESTATION; > + uvcb.len = sizeof(struct uv_cb_attest); > + expect_pgm_int(); > + enter_pstate(); > + uv_call_once(0, (u64)&uvcb); > + check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION); > + report_prefix_pop(); > + > report_prefix_pop(); > } > > @@ -111,7 +121,160 @@ static void test_sharing(void) > cc = uv_call(0, (u64)&uvcb); > report(cc == 0 && uvcb.header.rc == UVC_RC_EXECUTED, "unshare"); > report_prefix_pop(); > +} > + > +/* arcb with one key slot and no nonce */ > +struct uv_arcb_v1 { > + uint64_t reserved0; /* 0x0000 */ > + uint32_t arvn; /* 0x0008 */ > + uint32_t arl; /* 0x000c */ req_ver and req_len ? > + uint8_t iv[12]; /* 0x0010 */ > + uint32_t reserved1c; /* 0x001c */ > + uint8_t reserved20[7]; /* 0x0020 */ > + uint8_t nks; /* 0x0027 */ > + uint32_t reserved28; /* 0x0028 */ > + uint32_t sea; /* 0x002c */ sea and nks are also used elsewhere so I'm mostly fine with them. > + uint64_t paf; /* 0x0030 */ plaint_att_flags > + uint32_t mai; /* 0x0038 */ meass_alg_id > + uint32_t reserved3c; /* 0x003c */ > + uint8_t cpk[160]; /* 0x0040 */ > + uint8_t key_slot[80]; /* 0x00e0 */ > + uint8_t m_key[64]; /* 0x0130 */ meass_key Although, to be honest I don't like the "meass" prefix > + uint8_t tag[16]; /* 0x0170 */ > +} __attribute__((packed)); The amount of three letter abbreviations is too high in this struct. > + > +static void test_attest_v1(u64 supported_paf) > +{ > + struct uv_cb_attest uvcb = { > + .header.cmd = UVC_CMD_ATTESTATION, > + .header.len = sizeof(uvcb), > + }; > + struct uv_arcb_v1 *arcb = (void *)page; > + uint64_t measurement = page + sizeof(*arcb); > + size_t measurement_size = 64; > + uint64_t additional = measurement + measurement_size; > + size_t additional_size = 64; > + int cc; > + > + memset((void *) page, 0, PAGE_SIZE); > + > + /* create a minimal arcb/uvcb such that FW has everything to start unsealing the request. */ > + arcb->arvn = 0x0100; Magic numbers > + arcb->arl = sizeof(*arcb); > + arcb->nks = 1; > + arcb->sea = 64; sizeof(arcb->m_key) ? It's sizeof(arcb->m_key) + sizeof(arcb->nonce_opt) (which doesn't exist in our struct above) for everyone wondering what's in sea. > + /* HMAC SHA512 */ > + arcb->mai = 1; Add a constant then you won't need the comment anymore. > + uvcb.arcb_addr = page; > + uvcb.measurement_address = measurement; > + uvcb.measurement_length = measurement_size; > + uvcb.add_data_address = additional; > + uvcb.add_data_length = additional_size; > + > + uvcb.continuation_token = 0xff; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0101, "invalid continuation token"); > + uvcb.continuation_token = 0; > + > + uvcb.user_data_length = sizeof(uvcb.user_data) + 1; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0102, "invalid user data size"); > + uvcb.user_data_length = 0; > + > + uvcb.arcb_addr = 0; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0103, "invalid address arcb"); > + uvcb.arcb_addr = page; > + > + /* 0104 - 0105 need an unseal-able request */ > + > + /* version 0000 is an illegal version number */ > + arcb->arvn = 0x0000; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0106, "unsupported version"); > + arcb->arvn = 0x0100; > + > + arcb->arl += 1; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 1"); > + arcb->arl -= 1; > + arcb->nks = 2; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 2"); > + arcb->nks = 1; > + > + arcb->nks = 0; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0108, "invalid num key slots low"); > + arcb->nks = 1; > > + /* possible valid size (when using nonce). However, arl to small to host a nonce */ s/to/too/ > + arcb->sea = 80; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 1"); > + arcb->sea = 17; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 2"); > + arcb->sea = 64; > + > + arcb->paf = supported_paf ^ ((u64) -1); > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x010a, "invalid paf"); > + arcb->paf = 0; > + > + /* reserved value */ > + arcb->mai = 0; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x010b, "invalid mai"); > + arcb->mai = 1; > + > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x010c, "unable unseal"); > + > + uvcb.measurement_length = 0; > + cc = uv_call(0, (u64)&uvcb); > + report(cc == 1 && uvcb.header.rc == 0x010d, "invalid measurement size"); > + uvcb.measurement_length = 64; > +} > + > +static void test_attest(void) > +{ > + struct uv_cb_attest uvcb = { > + .header.cmd = UVC_CMD_ATTESTATION, > + .header.len = sizeof(uvcb), > + }; > + const struct uv_cb_qui *uvcb_qui = uv_get_info(); > + int cc; > + > + report_prefix_push("attest"); > + > + if (!uv_query_test_call(BIT_UVC_CMD_ATTESTATION)) { > + report_skip("Attestation not supported."); > + goto done; > + } > + > + /* Verify that the uv supports at least one header version */ > + report(uvcb_qui->supported_att_hdr_versions, "has hdr support"); > + > + memset((void *) page, 0, PAGE_SIZE); > + > + uvcb.header.len -= 1; > + cc = uv_call(0, (u64)&uvcb); > + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 1"); > + uvcb.header.len += 1; > + > + uvcb.header.len += 1; > + cc = uv_call(0, (u64)&uvcb); > + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 2"); > + uvcb.header.len -= 1; > + > + report_prefix_push("v1"); > + if (test_bit_inv(0, &uvcb_qui->supported_att_hdr_versions)) > + test_attest_v1(uvcb_qui->supported_paf); > + else > + report_skip("Attestation version 1 not supported"); > + report_prefix_pop(); > +done: > report_prefix_pop(); > } > > @@ -179,6 +342,7 @@ int main(void) > test_invalid(); > test_query(); > test_sharing(); > + test_attest(); > free_page((void *)page); > done: > report_prefix_pop(); >
diff --git a/lib/s390x/asm/uv.h b/lib/s390x/asm/uv.h index 38c322bf..e8e1698e 100644 --- a/lib/s390x/asm/uv.h +++ b/lib/s390x/asm/uv.h @@ -109,7 +109,10 @@ struct uv_cb_qui { u8 reserved88[158 - 136]; /* 0x0088 */ uint16_t max_guest_cpus; /* 0x009e */ u64 uv_feature_indications; /* 0x00a0 */ - u8 reserveda8[200 - 168]; /* 0x00a8 */ + u8 reserveda8[224 - 168]; /* 0x00a8 */ + u64 supported_att_hdr_versions; /* 0x00e0 */ + u64 supported_paf; /* 0x00e8 */ + u8 reservedf0[256 - 240]; /* 0x00f0 */ } __attribute__((packed)) __attribute__((aligned(8))); struct uv_cb_cgc { diff --git a/s390x/uv-guest.c b/s390x/uv-guest.c index 909b7256..92b9a53b 100644 --- a/s390x/uv-guest.c +++ b/s390x/uv-guest.c @@ -6,6 +6,7 @@ * * Authors: * Janosch Frank <frankja@linux.ibm.com> + * Steffen Eiden <seiden@linux.ibm.com> */ #include <libcflat.h> @@ -53,6 +54,15 @@ static void test_priv(void) check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION); report_prefix_pop(); + report_prefix_push("attest"); + uvcb.cmd = UVC_CMD_ATTESTATION; + uvcb.len = sizeof(struct uv_cb_attest); + expect_pgm_int(); + enter_pstate(); + uv_call_once(0, (u64)&uvcb); + check_pgm_int_code(PGM_INT_CODE_PRIVILEGED_OPERATION); + report_prefix_pop(); + report_prefix_pop(); } @@ -111,7 +121,160 @@ static void test_sharing(void) cc = uv_call(0, (u64)&uvcb); report(cc == 0 && uvcb.header.rc == UVC_RC_EXECUTED, "unshare"); report_prefix_pop(); +} + +/* arcb with one key slot and no nonce */ +struct uv_arcb_v1 { + uint64_t reserved0; /* 0x0000 */ + uint32_t arvn; /* 0x0008 */ + uint32_t arl; /* 0x000c */ + uint8_t iv[12]; /* 0x0010 */ + uint32_t reserved1c; /* 0x001c */ + uint8_t reserved20[7]; /* 0x0020 */ + uint8_t nks; /* 0x0027 */ + uint32_t reserved28; /* 0x0028 */ + uint32_t sea; /* 0x002c */ + uint64_t paf; /* 0x0030 */ + uint32_t mai; /* 0x0038 */ + uint32_t reserved3c; /* 0x003c */ + uint8_t cpk[160]; /* 0x0040 */ + uint8_t key_slot[80]; /* 0x00e0 */ + uint8_t m_key[64]; /* 0x0130 */ + uint8_t tag[16]; /* 0x0170 */ +} __attribute__((packed)); + +static void test_attest_v1(u64 supported_paf) +{ + struct uv_cb_attest uvcb = { + .header.cmd = UVC_CMD_ATTESTATION, + .header.len = sizeof(uvcb), + }; + struct uv_arcb_v1 *arcb = (void *)page; + uint64_t measurement = page + sizeof(*arcb); + size_t measurement_size = 64; + uint64_t additional = measurement + measurement_size; + size_t additional_size = 64; + int cc; + + memset((void *) page, 0, PAGE_SIZE); + + /* create a minimal arcb/uvcb such that FW has everything to start unsealing the request. */ + arcb->arvn = 0x0100; + arcb->arl = sizeof(*arcb); + arcb->nks = 1; + arcb->sea = 64; + /* HMAC SHA512 */ + arcb->mai = 1; + uvcb.arcb_addr = page; + uvcb.measurement_address = measurement; + uvcb.measurement_length = measurement_size; + uvcb.add_data_address = additional; + uvcb.add_data_length = additional_size; + + uvcb.continuation_token = 0xff; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0101, "invalid continuation token"); + uvcb.continuation_token = 0; + + uvcb.user_data_length = sizeof(uvcb.user_data) + 1; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0102, "invalid user data size"); + uvcb.user_data_length = 0; + + uvcb.arcb_addr = 0; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0103, "invalid address arcb"); + uvcb.arcb_addr = page; + + /* 0104 - 0105 need an unseal-able request */ + + /* version 0000 is an illegal version number */ + arcb->arvn = 0x0000; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0106, "unsupported version"); + arcb->arvn = 0x0100; + + arcb->arl += 1; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 1"); + arcb->arl -= 1; + arcb->nks = 2; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0107, "invalid arcb size 2"); + arcb->nks = 1; + + arcb->nks = 0; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0108, "invalid num key slots low"); + arcb->nks = 1; + /* possible valid size (when using nonce). However, arl to small to host a nonce */ + arcb->sea = 80; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 1"); + arcb->sea = 17; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x0109, "invalid encrypted size 2"); + arcb->sea = 64; + + arcb->paf = supported_paf ^ ((u64) -1); + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x010a, "invalid paf"); + arcb->paf = 0; + + /* reserved value */ + arcb->mai = 0; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x010b, "invalid mai"); + arcb->mai = 1; + + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x010c, "unable unseal"); + + uvcb.measurement_length = 0; + cc = uv_call(0, (u64)&uvcb); + report(cc == 1 && uvcb.header.rc == 0x010d, "invalid measurement size"); + uvcb.measurement_length = 64; +} + +static void test_attest(void) +{ + struct uv_cb_attest uvcb = { + .header.cmd = UVC_CMD_ATTESTATION, + .header.len = sizeof(uvcb), + }; + const struct uv_cb_qui *uvcb_qui = uv_get_info(); + int cc; + + report_prefix_push("attest"); + + if (!uv_query_test_call(BIT_UVC_CMD_ATTESTATION)) { + report_skip("Attestation not supported."); + goto done; + } + + /* Verify that the uv supports at least one header version */ + report(uvcb_qui->supported_att_hdr_versions, "has hdr support"); + + memset((void *) page, 0, PAGE_SIZE); + + uvcb.header.len -= 1; + cc = uv_call(0, (u64)&uvcb); + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 1"); + uvcb.header.len += 1; + + uvcb.header.len += 1; + cc = uv_call(0, (u64)&uvcb); + report(cc && uvcb.header.rc == UVC_RC_INV_LEN, "invalid uvcb size 2"); + uvcb.header.len -= 1; + + report_prefix_push("v1"); + if (test_bit_inv(0, &uvcb_qui->supported_att_hdr_versions)) + test_attest_v1(uvcb_qui->supported_paf); + else + report_skip("Attestation version 1 not supported"); + report_prefix_pop(); +done: report_prefix_pop(); } @@ -179,6 +342,7 @@ int main(void) test_invalid(); test_query(); test_sharing(); + test_attest(); free_page((void *)page); done: report_prefix_pop();
Adds several tests to verify correct error paths of attestation. Signed-off-by: Steffen Eiden <seiden@linux.ibm.com> --- lib/s390x/asm/uv.h | 5 +- s390x/uv-guest.c | 164 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 168 insertions(+), 1 deletion(-)