-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attestation driver and proxy (with KBS attestation) #528
base: main
Are you sure you want to change the base?
Conversation
Do you have any insight on why this is so slow, or is it remaining for a future debugging effort ? |
Have you tried using RdRand instead of RdSeed? |
As a general point, I wonder whether these should really all live in the 'svsm' git repo. Consider that the execution context of the proxy is the host OS, and the context of SVSM's driver is in guest VM. With this we're defining an ABI for a protocol between the host OS and guest VM, that potentially needs to remain stable & backwards compatible more or less indefinitely (forever). ie it is unlikely to be viable to mandate that the deployed host side proxy is upgraded in lock-step with SVSM releases, and thus we need to expect mis-matched releases of the two and ensure things continue to work. Splitting the proxy off as a separate repository, and defining a formal document specifying the interaction between SVSM & the proxy, will re-inforce the message that these two sides are independent and need to retain backwards compatibility as their respective impls evolve over time. |
@berrange I'm not sure yet, I haven't looked in much detail besides seeing some other issues in the rust RSA crate discussing it.
@tlendacky I have, and my tests suggest RdRand is about 100% slower than RdSeed (~90 seconds for creation+decryption on a 3072-bit RSA key). |
faf75aa
to
39727d1
Compare
They're saying RustCrypto is x3 slower than native, but that still doesn't feel like it is a root cause here. That bug reports says generating 100 keys takes 18 seconds. If we need 1 key, that's on the order of 0.2 secs to generate. The actual encryption/decryption operations shouldn't be even measurable given the small size of the data we're processing. So I'm surprised anything crypto related can add up to as much as a 1 minute - that's orders of magnitude slower than it ought to be.
That's surprising, as I wouldn't have thought either of those two should be "hot path" calls. There's something altogether strange going on here to make this so slow. |
From advice during the weekly call, I've dropped support for RSA keys (at least for now) and replaced with EC keys. See 5dc6dac for more details and review. The initial implementation uses ECDH384+SHA256+AES128 (no salt) encryption. The previous performance issues seen from RSA keys have been resolved by this. To support this, changes were made to the testing attestation server ( Furthermore, I listed one of the goals before this can be supported upstream as: Ensure that aproxy's KBS backend works with production KBS servers such as Trustee. Although in future plans, none of the servers support EC keys yet. Therefore, this goal will be put on TODO and the proxy can be marked experimental until this support is available. I've also added an There still exists 56ccb1b which simply prints a secret for the demo. Once this is approved, I can remove that commit. |
@joergroedel can you approve the workflow on this PR? so we can eventually fix simple issues highlighted by our CI. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a quick review and left some comments, thanks for working on this!
39e6fef
to
ce0301b
Compare
@stefano-garzarella Can you re-review? I've resolved all comments. |
Thanks, I'll do ASAP! In the meantime, the following patch should fix CI and Makefile (I tested only with
|
7a66785
to
9abbf4c
Compare
d902674
to
5117026
Compare
I believe I've fixed the final CI issue. @joergroedel would you mind re-approving the workflow? |
You did, but the CI decided to break xD (see #583 now merged in main) so, I guess another rebase is needed. |
@stefano-garzarella I've addressed your latest review. Would you mind re-reviewing? |
For a universal interface when reading or writing multiple bytes over a transport channel, introduce generic Read/Write traits. Implement these traits over the serial::SerialPort for use in the attestation driver. This is an attempt to mimic the std::io::{Read, Write} traits. Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
The attestation driver requires a method to fetch an attestation report from the SNP report response message. Signed-off-by: Tyler Fanelli <[email protected]>
Creating a new EC private/public key pair results in a stack overflow with a stack size of less than 12 pages. Signed-off-by: Tyler Fanelli <[email protected]>
The attestation module provides services early attestation and measurement of the SVSM environment. This commits initializes the attestation driver and sends an initial negotiation request to the attestation proxy. Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
To validate the freshness of attestation evidence, KBS servers return a challenge upon client authentication. This challenge contains a ephemeral nonce in the form of base64-encoded bytes. This nonce *must* be hashed into the attestation report along with the components of the TEE public key. This commit reads the negotiation request from SVSM, and depending on the backend, fetches the negotiation parameters accordingly. As KBS is the backend used in the initial implementation, this translates into a call to the KBS /auth handler to fetch the nonce, and then a specification of both the nonce and TEE public components to be included in the attestation evidence (in the form of negotiation parameters). Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
Given the negotiation parameters from the proxy, SVSM can now hash the parameters and embed them in the attestation evidence. It can also read the negotiation key specified and create key accordingly. As SEV-SNP is the only supported TEE architecture at the moment, there's also a few changes required to serialize a SEV-SNP attestation report into bytes. Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
With serialized TEE evidence and key, the proxy can now transfer these to the attestation server for evaluation. KBS will first transfer the evidence to the /attest endpoint for evaluation. Upon successful attestation, the client can then retrieve resources from the server. Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
Use the TEE key to decrypt the secret received from the proxy. Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
When other attestation protocols are implemented for the backend attestation server communication, they can register themselves with the BACKEND registrar as well. Signed-off-by: Tyler Fanelli <[email protected]>
aproxy can be excluded from non-`target=x86_64-unknown-linux-gnu` clippy checks. Co-developed-by: Stefano Garzarella <[email protected]> Signed-off-by: Tyler Fanelli <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
@joergroedel Can you re-enable the CI workflows? |
This series introduces the attestation module in SVSM as well as the attestation proxy to facilitate communication between SVSM and a remote server for TEE evidence evaluation.
Abstract
To unlock early persistent state in SVSM (for example, persistent vTPM data), an attestation of the launch environment must take place to ensure that SVSM is running on trusted hardware and launched correctly. As SVSM does not have a network stack available, we have opted to introduce a proxy that would run on the host (for now, although this may change as other options are explored) and facilitate attestation between SVSM and a remote verification server such as KBS.
Much of what is implemented here is described in the Early Attestation and Measurement Architecture in COCONUT SVSM document.
Changes
There are three main modules introduced into SVSM with this series:
kernel/attest.rs
: Attestation driver that communicates with the proxy through the COM3 serial port. This will eventually communicate over another channel (virtio-vsock, etc..) when available.aproxy
: Attestation proxy that runs on a host and facilitates communication with a remote attestation server.libaproxy
: Shared types betweenkernel/attest.rs
andaproxy
for (de)serialization of data.Attestation
There exists two different phases of attestation:
As there exists multiple protocols for TEE attestation, the proxy was built to be configurable to different protocols. As such, SVSM can be completely agnostic of the attestation protocol used. This is done by splitting the proxy up into two main components:
Front-end: To keep SVSM agnostic to the underlying attestation protocol, we define a standard front-end interface between SVSM and the proxy, the types of this interface for both negotiation and attestation are defined in the
libaproxy
crate. In the negotiation phase, SVSM will write aNegotiationRequest
and receive aNegotiationResponse
from the proxy. In the attestation phase, SVSM will write aAttestationRequest
and receive aAttestationResponse
from the proxy. This allows SVSM to not be tied to a specific attestation protocol, leaving the possibility for new protocols to be enabled in the future (for example, aTLS).Back-end: This implements the specific attestation protocol that the communicating server implements. It is configurable with the
--backend
argument when launching the proxy. The initial backend option allowed is KBS, but the proxy can be configured to implement something like aTLS support if desired.Try for yourself
To try for yourself, I've set up a quick demo with a "dummy" KBS server that requires no configuration and simply returns a secret:
hello, SVSM!
that SVSM can then print. This requires a SEV-SNP machine with a SVSM-enabled kernel.This will run a "KBS server" (at least suitable for testing) at http://0.0.0.0:8080.
This runs the proxy with the following specified in the arguments:
--url http://0.0.0.0:8080
: The attestation server is running at http://0.0.0.0:8080.--protocol kbs
: The attestation server communicates via the KBS protocol, configure the backend to use the KBS protocol.--unix /tmp/svsm-proxy.sock
: Listen for messages from SVSM on a socket created in file/tmp/svsm-proxy-sock
.--force
: Remove the/tmp/svsm-proxy.sock
file (if it already exists) before creating the socket.Initially, SVSM communicates over the COM3 serial port. The attestation proxy socket will need to be available in the correct
-serial
port argument position to ensure it communicates with the right socket.NOTE
Upon running, you may think that there is a hang in the proxy, as SVSM seems to freeze:
This is not a hang, but rather, the creation of a 3072-bit RSA (as well as decryption with this key) is very slow at present (sometimes taking around ~1 minute for creation+decryption in my tests). Eventually, SVSM should begin running again and show the following message:
[SVSM] Decrypted secret from attestation server: hello, SVSM!
And thus we have decrypted secrets from a KBS attestation server (via the proxy).
TODO
The only purpose of b192792 is for others to see a secret decrypted from the server available and printed by SVSM. This must be removed once others have tried for themselves.
Other TODOs before this can be considered for merging:
kernel/attest
module behind a feature flag in thekernel
module. Perhaps a feature calledattest
?Makefile
to build thekernel
module with theattest
feature.Future work:
Co-developed-by: Stefano Garzarella [email protected]
Signed-off-by: Tyler Fanelli [email protected]
cc/ @stefano-garzarella @joergroedel @deeglaze @berrange @fitzthum @stringlytyped @IT302 @Isaac-Matthews