Merge pull request #40 from dongx1x/configfs-tsm

vmsdk/rust: support configfs-tsm to get cc report

.github/workflows/vmsdk-test-rust.yaml

@@ -19,7 +19,7 @@ env:
 
 jobs:
   vmsdk_rust_test:
-    runs-on: [self-hosted, tdx-guest]
+    runs-on: [self-hosted, configfs-tsm]
     defaults:
       run:
         working-directory: ${{env.VMSDK_RUST_TEST_DIR}}

src/rust/cctrusted_vm/Cargo.toml

@@ -18,6 +18,8 @@ log = "0.4.20"
 nix = "0.26.2"
 base64 = "0.13.0"
 rand = "0.8.5"
+sha2 = "0.10"
+tempfile = "3.0"
 vsock = "0.4.0"
 tokio = { version = "1.0", features = ["macros", "rt-multi-thread"] }
-tokio-stream = "0.1.14"
+tokio-stream = "0.1.14"

src/rust/cctrusted_vm/src/cvm.rs

@@ -1,12 +1,99 @@
 use crate::tdvm::TdxVM;
 use anyhow::*;
+use cctrusted_base::api_data::CcReport;
 use cctrusted_base::cc_type::*;
 use cctrusted_base::tcg::EventLogEntry;
 use cctrusted_base::tcg::{TcgAlgorithmRegistry, TcgDigest};
-use std::path::Path;
+use core::result::Result::Ok;
+use sha2::{Digest, Sha512};
+use std::{fs, path::Path};
+use tempfile::tempdir_in;
 
 // the interfaces a CVM should implement
 pub trait CVM {
+    /***
+        retrive ConfigFS-TSM report
+
+        Args:
+            nonce (String): against replay attacks
+            data (String): user data
+
+        Returns:
+            the CcReport or error information
+    */
+    fn process_tsm_report(
+        &mut self,
+        nonce: Option<String>,
+        data: Option<String>,
+    ) -> Result<CcReport, anyhow::Error> {
+        let tsm_dir = Path::new(TSM_PREFIX);
+        if !tsm_dir.exists() {
+            return Err(anyhow!(
+                "[process_tsm_report] TSM is not supported in the current environment"
+            ));
+        }
+
+        // Update the hash value if nonce or data exists
+        let mut hasher = Sha512::new();
+        if nonce.is_some() {
+            match base64::decode(nonce.unwrap()) {
+                Ok(v) => hasher.update(v),
+                Err(e) => return Err(anyhow!("[process_tsm_report] nonce decode failed: {}", e)),
+            }
+        }
+        if data.is_some() {
+            match base64::decode(data.unwrap()) {
+                Ok(v) => hasher.update(v),
+                Err(e) => return Err(anyhow!("[process_tsm_report] data decode failed: {}", e)),
+            }
+        }
+
+        let inblob: [u8; 64] = hasher
+            .finalize()
+            .as_slice()
+            .try_into()
+            .expect("[process_tsm_report] Wrong length of data");
+
+        let tsm_report = tempdir_in(tsm_dir)?;
+        // Write hash array to inblob
+        fs::write(tsm_report.path().join("inblob"), inblob)
+            .expect("[process_tsm_report] Write to inblob failed");
+        // Read outblob
+        let outblob = fs::read(tsm_report.path().join("outblob"))
+            .expect("[process_tsm_report] outblob read failed");
+        // Read provider
+        let provider = fs::read_to_string(tsm_report.path().join("provider"))
+            .expect("[process_tsm_report] provider read failed");
+        // Read auxblob if exists
+        let auxblob = match fs::read(tsm_report.path().join("auxblob")) {
+            Ok(v) => Some(v),
+            Err(_) => None,
+        };
+        // Read generation and check the generation
+        let generation = fs::read_to_string(tsm_report.path().join("generation"))
+            .expect("[process_tsm_report] generation read failed")
+            .trim()
+            .parse::<u32>()
+            .expect("[process_tsm_report] generation parse failed");
+        if generation > 1 {
+            return Err(anyhow!("[process_tsm_report] check write race failed"));
+        }
+        // Convert provider to TeeType
+        let cc_type = match provider.as_str() {
+            "tdx_guest\n" => TeeType::TDX,
+            "sev_guest\n" => TeeType::SEV,
+            &_ => todo!(),
+        };
+
+        Ok(CcReport {
+            cc_report: outblob,
+            cc_type,
+            cc_report_generation: Some(generation),
+            cc_provider: Some(provider),
+            cc_aux_blob: auxblob,
+        })
+    }
+
     /***
         retrive CVM signed report
 
@@ -21,7 +108,7 @@ pub trait CVM {
         &mut self,
         nonce: Option<String>,
         data: Option<String>,
-    ) -> Result<Vec<u8>, anyhow::Error>;
+    ) -> Result<CcReport, anyhow::Error>;
 
     /***
         retrive CVM max number of measurement registers
@@ -115,6 +202,5 @@ pub fn get_cvm_type() -> CcType {
 
     CcType {
         tee_type: tee_type.clone(),
-        tee_type_str: TEE_NAME_MAP.get(&tee_type).unwrap().to_owned(),
     }
 }

src/rust/cctrusted_vm/src/sdk.rs

@@ -22,15 +22,7 @@ impl CCTrustedApi for API {
             Ok(mut cvm) => {
                 // call CVM trait defined methods
                 // cvm.dump();
-                Ok(CcReport {
-                    cc_report: match cvm.process_cc_report(nonce, data) {
-                        Ok(r) => r,
-                        Err(e) => {
-                            return Err(anyhow!("[get_cc_report] error get cc report: {:?}", e));
-                        }
-                    },
-                    cc_type: cvm.get_cc_type().tee_type,
-                })
+                cvm.process_cc_report(nonce, data)
             }
             Err(e) => Err(anyhow!("[get_cc_report] error create cvm: {:?}", e)),
         }

src/rust/cctrusted_vm/src/tdvm.rs

@@ -2,6 +2,7 @@
 
 use crate::cvm::*;
 use anyhow::*;
+use cctrusted_base::api_data::CcReport;
 use cctrusted_base::cc_type::*;
 use cctrusted_base::eventlog::EventLogs;
 use cctrusted_base::tcg::*;
@@ -53,7 +54,6 @@ impl TdxVM {
     pub fn new() -> TdxVM {
         let cc_type = CcType {
             tee_type: TeeType::TDX,
-            tee_type_str: TEE_NAME_MAP.get(&TeeType::TDX).unwrap().to_owned(),
         };
 
         let version = Self::get_tdx_version();
@@ -198,7 +198,12 @@ impl CVM for TdxVM {
         &mut self,
         nonce: Option<String>,
         data: Option<String>,
-    ) -> Result<Vec<u8>, anyhow::Error> {
+    ) -> Result<CcReport, anyhow::Error> {
+        match self.process_tsm_report(nonce.clone(), data.clone()) {
+            Ok(v) => return Ok(v),
+            Err(e) => log::info!("[process_cc_report] try TSM failed: {}", e),
+        };
+
         let tdreport = match self.get_td_report(nonce, data) {
             Ok(r) => r,
             Err(e) => {
@@ -348,7 +353,11 @@ impl CVM for TdxVM {
 
             let _ = shutdown(qgs_vsocket.as_raw_fd(), Shutdown::Both);
 
-            return Ok(qgs_msg_resp.id_quote[0..(qgs_msg_resp.quote_size as usize)].to_vec());
+            let report = qgs_msg_resp.id_quote[0..(qgs_msg_resp.quote_size as usize)].to_vec();
+            return Ok(CcReport {
+                cc_report: report,
+                ..Default::default()
+            });
         }
 
         log::info!("[process_cc_report] get TDX quote with TDVMCALL");
@@ -454,7 +463,11 @@ impl CVM for TdxVM {
             ));
         }
 
-        Ok(qgs_msg_resp.id_quote[0..(qgs_msg_resp.quote_size as usize)].to_vec())
+        let report = qgs_msg_resp.id_quote[0..(qgs_msg_resp.quote_size as usize)].to_vec();
+        Ok(CcReport {
+            cc_report: report,
+            ..Default::default()
+        })
     }
 
     // CVM trait function: get tdx rtmr max index
@@ -600,7 +613,7 @@ impl CVM for TdxVM {
     // CVM trait function: dump CVM basic information
     fn dump(&self) {
         info!("======================================");
-        info!("CVM type = {}", self.cc_type.tee_type_str);
+        info!("CVM type = {}", String::from(self.get_cc_type().tee_type));
         info!(
             "CVM version = {}",
             TDX_VERSION_MAP.get(&self.version).unwrap().to_owned()