Add basic monitor interactions

Cargo.toml

@@ -26,6 +26,7 @@ svsm = { path = "kernel" }
 elf = { path = "elf" }
 libmstpm = { path = "libmstpm" }
 syscall = { path = "syscall" }
+monitorcrypto = { path = "monitorcrypto" }
 
 # crates.io
 aes-gcm = { version = "0.10.3", default-features = false }
@@ -45,6 +46,8 @@ uuid = "1.6.1"
 # Add the derive feature by default because all crates use it.
 zerocopy = { version = "0.7.32", features = ["derive"] }
 
+#rsa = { version= "0.9.6", default-features = false, features = [] }
+#getrandom ={version="0.2.12", default-features = false, features = ["rdrand"]}
 # other repos
 packit = { git = "https://github.com/coconut-svsm/packit", version = "0.1.1" }
 

Makefile

@@ -113,7 +113,7 @@ bin/stage2.bin: bin
 	objcopy -O binary ${STAGE2_ELF} $@
 
 bin/svsm-kernel.elf: bin
-	cargo build ${CARGO_ARGS} ${SVSM_ARGS} --bin svsm
+	cargo build --manifest-path kernel/Cargo.toml ${CARGO_ARGS} ${SVSM_ARGS} --bin svsm
 	objcopy -O elf64-x86-64 --strip-unneeded ${SVSM_KERNEL_ELF} $@
 
 bin/test-kernel.elf: bin

cpuarch/src/vmsa.rs

@@ -7,7 +7,7 @@
 // AE Exitcodes
 // Table 15-35, AMD64 Architecture Programmer’s Manual, Vol. 2
 #[repr(u64)]
-#[derive(Clone, Copy, Default, Debug)]
+#[derive(Clone, Copy, Default, Debug, PartialEq)]
 #[allow(dead_code, non_camel_case_types)]
 pub enum GuestVMExit {
     MC = 0x52,
@@ -44,7 +44,7 @@ pub enum GuestVMExit {
 }
 
 #[repr(C, packed)]
-#[derive(Debug, Default, Clone, Copy)]
+#[derive(Debug, Default, Clone, Copy, PartialEq)]
 pub struct VMSASegment {
     pub selector: u16,
     pub flags: u16,
@@ -53,7 +53,7 @@ pub struct VMSASegment {
 }
 
 #[repr(C, packed)]
-#[derive(Debug)]
+#[derive(Debug, Copy, Clone, PartialEq)]
 pub struct VMSA {
     pub es: VMSASegment,
     pub cs: VMSASegment,
@@ -280,6 +280,7 @@ impl Default for VMSA {
     }
 }
 
+
 impl VMSA {
     pub fn enable(&mut self) {
         self.efer |= 1u64 << 12;

kernel/Cargo.toml

@@ -25,6 +25,13 @@ syscall.workspace = true
 
 aes-gcm = { workspace = true, features = ["aes", "alloc"] }
 bitflags.workspace = true
+#getrandom.workspace = true
+#num-bigint = { path="../../num-bigint", version = "0.8.4", default-features = false, features = ["prime"], package = "num-bigint-dig"}
+#num-traits = { version = "0.2.19", default-features = false, features = [] }
+#getrandom = { version = "0.2.15", default-features = false, features = ["rdrand"]}
+#rsa = { version= "0.9.6", default-features = false, features = [] }
+#rsa = { path = "../../RSA", default-features = false, features = [] }
+#sha2 = { version="0.10.8", default_features = false, features = ["force-soft"]}
 gdbstub = { workspace = true, optional = true }
 gdbstub_arch = { workspace = true, optional = true }
 igvm_defs = { workspace = true, features = ["unstable"] }

kernel/src/attestation/mod.rs

@@ -0,0 +1,9 @@
+pub mod monitor;
+pub mod process;
+pub mod policy;
+//pub mod ClientExchange {
+
+
+
+
+//}

kernel/src/attestation/monitor.rs

@@ -0,0 +1,35 @@
+use crate::{address::PhysAddr, greq::services::{get_regular_report, REPORT_RESPONSE_SIZE}};
+use crate::greq::pld_report::SnpReportResponse;
+use crate::protocols::errors::SvsmReqError;
+use crate::protocols::RequestParams;
+use crate::mm::PerCPUPageMappingGuard;
+
+pub fn attest_monitor(params: &mut RequestParams) -> Result<(), SvsmReqError>{
+    let mut rep: [u8; REPORT_RESPONSE_SIZE] = [0u8;REPORT_RESPONSE_SIZE];
+
+    rep[0] = 1;
+    log::info!("Requesting Monitor Attestation Report");
+    let rep_size = get_regular_report(&mut rep)?;
+
+    if params.rdx == 0 {
+        /* Here we only query for the size of the report */
+        params.rdx = rep_size.try_into().unwrap();
+        return Ok(());
+    }
+
+    params.rdx = rep_size.try_into().unwrap();
+
+    log::info!("Size of Report: {rep_size}");
+    let r = SnpReportResponse::try_from_as_ref(&mut rep)?;
+    log::info!("Report: {:?}\n",r);
+    log::info!("Report: {:?}\n",rep);
+    //TODO: Check if address is valid for this request
+    let target_address = PhysAddr::from(params.rcx);
+    let mapped_target_page = PerCPUPageMappingGuard::create_4k(target_address).unwrap();
+    let target = unsafe {mapped_target_page.virt_addr().as_mut_ptr::<[u8;4096]>().as_mut().unwrap()};
+    target[0..rep_size].copy_from_slice(&rep);
+
+
+    Ok(())
+}
+

kernel/src/attestation/process.rs

@@ -0,0 +1,12 @@
+use crate::process_manager::process::TrustedProcess;
+
+pub fn attest_process() -> bool {
+    log::info!("attest(): Attesting Monitor");
+    true
+}
+
+pub fn hash_process(process: &mut TrustedProcess) {
+    log::info!("Hash of Process is: 0");
+    process.hash = [0u8;32];
+
+}

kernel/src/cpu/percpu.rs

@@ -193,7 +193,7 @@ impl GuestVmsaRef {
 
 #[derive(Debug)]
 pub struct PerCpuShared {
-    guest_vmsa: SpinLock<GuestVmsaRef>,
+    pub guest_vmsa: SpinLock<GuestVmsaRef>,
     online: AtomicBool,
 }
 
@@ -245,7 +245,7 @@ impl PerCpuShared {
 pub struct PerCpuUnsafe {
     shared: PerCpuShared,
     private: RefCell<PerCpu>,
-    ghcb: *mut GHCB,
+    pub ghcb: *mut GHCB,
     init_stack: Option<VirtAddr>,
     ist: IstStacks,
 

kernel/src/greq/services.rs

@@ -17,7 +17,7 @@ use crate::{
 use core::mem::size_of;
 
 const REPORT_REQUEST_SIZE: usize = size_of::<SnpReportRequest>();
-const REPORT_RESPONSE_SIZE: usize = size_of::<SnpReportResponse>();
+pub const REPORT_RESPONSE_SIZE: usize = size_of::<SnpReportResponse>();
 
 fn get_report(buffer: &mut [u8], certs: Option<&mut [u8]>) -> Result<usize, SvsmReqError> {
     let request: &SnpReportRequest = SnpReportRequest::try_from_as_ref(buffer)?;

kernel/src/lib.rs

@@ -42,6 +42,9 @@ pub mod utils;
 #[cfg(all(feature = "mstpm", not(test)))]
 pub mod vtpm;
 
+pub mod attestation;
+pub mod process_manager;
+pub mod sp_pagetable;
 #[test]
 fn test_nop() {}
 

kernel/src/process_manager/call_handler.rs

@@ -0,0 +1,54 @@
+//use crate::address::PhysAddr;
+use crate::protocols::errors::SvsmReqError;
+use crate::protocols::RequestParams;
+use crate::attestation;
+use crate::process_manager::process::TrustedProcessType;
+
+const MONITOR_INIT: u32 = 0;
+const ATTEST_MONITOR: u32 = 1;
+//const LOAD_POLICY: u32 = 2;
+const CREATE_ZYGOTE: u32 = 4;
+const DELETE_ZYGOTE: u32 = 5;
+const CREATE_TRUSTLET: u32 = 6;
+const DELETE_TRUSTLET: u32 = 7;
+
+pub fn attest_monitor(params: &mut RequestParams) -> Result<(), SvsmReqError>{
+    attestation::monitor::attest_monitor(params)
+}
+pub fn monitor_init(_params: &mut RequestParams) -> Result<(), SvsmReqError>{
+
+    log::info!("Initilization Monitor");
+    super::process::PROCESS_STORE.init(10);
+    crate::sp_pagetable::set_ecryption_mask_address_size();
+    log::info!("Initilization Done");
+    Ok(())
+}
+
+pub fn create_zygote(params: &mut RequestParams) -> Result<(), SvsmReqError>{
+    super::process::create_trusted_process(params,TrustedProcessType::Zygote)
+}
+
+pub fn delete_zygote(params: &mut RequestParams) -> Result<(), SvsmReqError> {
+    super::process::delete_trusted_process(params)
+}
+
+pub fn create_trustlet(params: &mut RequestParams) -> Result<(), SvsmReqError> {
+    super::process::create_trusted_process(params, TrustedProcessType::Trustlet)
+}
+
+pub fn delete_trustlet(params: &mut RequestParams) -> Result<(), SvsmReqError> {
+    super::process::delete_trusted_process(params)
+}
+
+
+pub fn monitor_call_handler(request: u32, params: &mut RequestParams) -> Result<(), SvsmReqError> {
+    match request {
+        MONITOR_INIT => monitor_init(params),
+        ATTEST_MONITOR => attest_monitor(params),
+        CREATE_ZYGOTE => create_zygote(params),
+        DELETE_ZYGOTE => delete_zygote(params),
+        CREATE_TRUSTLET => create_trustlet(params),
+        DELETE_TRUSTLET => delete_trustlet(params),
+        _ => Err(SvsmReqError::unsupported_call()),
+    }
+}

kernel/src/process_manager/mod.rs

@@ -0,0 +1,2 @@
+pub mod call_handler;
+pub mod process;