Re: [PATCH v3 4/5] machine/nitro-enclave: Add built-in Nitro Secure Module device

[Dorjoy Chowdhury]

Hi Daniel,

On Mon, Aug 12, 2024 at 8:07 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Sat, Aug 10, 2024 at 10:45:01PM +0600, Dorjoy Chowdhury wrote:
> > AWS Nitro Enclaves have built-in Nitro Secure Module (NSM) device which
> > is used for stripped down TPM functionality like attestation. This commit
> > adds the built-in NSM device in the nitro-enclave machine type.
> >
> > In Nitro Enclaves, all the PCRs start in a known zero state and the first
> > 16 PCRs are locked from boot and reserved. The PCR0, PCR1, PCR2 and PCR8
> > contain the SHA384 hashes related to the EIF file used to boot the
> > VM for validation.
> >
> > A new optional nitro-enclave machine option 'id' has been added which will
> > be the enclave identifier reflected in the module-id of the NSM device.
> > Otherwise, the device will have a default id set.
> >
> > Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
> > ---
> >  hw/core/eif.c                   | 205 +++++++++++++++++++++++++++++++-
> >  hw/core/eif.h                   |   5 +-
> >  hw/core/meson.build             |   4 +-
> >  hw/i386/Kconfig                 |   1 +
> >  hw/i386/nitro_enclave.c         |  85 ++++++++++++-
> >  include/hw/i386/nitro_enclave.h |  19 +++
> >  6 files changed, 310 insertions(+), 9 deletions(-)
> >
> > diff --git a/hw/core/eif.c b/hw/core/eif.c
> > index 5558879a96..d2c65668ef 100644
> > --- a/hw/core/eif.c
> > +++ b/hw/core/eif.c
> > @@ -12,6 +12,9 @@
> >  #include "qemu/bswap.h"
> >  #include "qapi/error.h"
> >  #include <zlib.h> /* for crc32 */
> > +#include <cbor.h>
> > +#include <gnutls/gnutls.h>
> > +#include <gnutls/x509.h>
> >
> >  #include "hw/core/eif.h"
> >
>
> > @@ -269,6 +284,125 @@ static bool read_eif_ramdisk(FILE *eif, FILE *initrd, 
> > uint64_t size,
> >      return false;
> >  }
> >
> > +static bool get_fingerprint_sha384_from_cert(uint8_t *cert, size_t size,
> > +                                             uint8_t *sha384, Error **errp)
> > +{
> > +    gnutls_x509_crt_t crt;
> > +    size_t hash_size = 48;
> > +    gnutls_datum_t datum = {.data = cert, .size = size};
> > +
> > +    gnutls_global_init();
> > +    gnutls_x509_crt_init(&crt);
> > +
> > +    if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM) != 0) {
> > +        error_setg(errp, "Failed to import certificate");
> > +        goto cleanup;
> > +    }
> > +
> > +    if (gnutls_x509_crt_get_fingerprint(crt, GNUTLS_DIG_SHA384, sha384,
> > +                                        &hash_size) != 0) {
> > +        error_setg(errp, "Failed to compute SHA384 fingerprint");
> > +        goto cleanup;
> > +    }
> > +
> > +    return true;
> > +
> > + cleanup:
> > +    gnutls_x509_crt_deinit(crt);
> > +    gnutls_global_deinit();
> > +    return false;
> > +}
>
> I'd suggest this go into  qcrypto/x509-utils.c & include/qcrypto/x509-utils.h,
> as:
>
>     int qcrypto_get_x509_cert_fingerprint(uint8_t *cert,
>                                           size_t size,
>                                           QCryptoHashAlgorith hash,
>                                           Error **errp);
>
> there's no need to be calling gnutls_global_init() / deinit() either.
>
>
> > @@ -299,7 +433,9 @@ static long get_file_size(FILE *f, Error **errp)
> >   */
> >  bool read_eif_file(const char *eif_path, const char *machine_initrd,
> >                     char **kernel_path, char **initrd_path, char **cmdline,
> > -                   Error **errp)
> > +                   uint8_t *image_sha384, uint8_t *bootstrap_sha384,
> > +                   uint8_t *app_sha384, uint8_t *fingerprint_sha384,
> > +                   bool *signature_found, Error **errp)
> >  {
> >      FILE *f = NULL;
> >      FILE *machine_initrd_f = NULL;
> > @@ -308,9 +444,33 @@ bool read_eif_file(const char *eif_path, const char 
> > *machine_initrd,
> >      uint32_t crc = 0;
> >      EifHeader eif_header;
> >      bool seen_sections[EIF_SECTION_MAX] = {false};
> > -
> > +    /* kernel + ramdisks + cmdline sha384 hash */
> > +    GChecksum *image_hasher = NULL;
> > +    /* kernel + boot ramdisk + cmdline sha384 hash */
> > +    GChecksum *bootstrap_hasher = NULL;
> > +    /* application ramdisk(s) hash */
> > +    GChecksum *app_hasher = NULL;
> > +    size_t digest_len;
> > +
> > +    *signature_found = false;
> >      *kernel_path = *initrd_path = *cmdline = NULL;
> >
> > +    image_hasher = g_checksum_new(G_CHECKSUM_SHA384);
> > +    if (image_hasher == NULL) {
> > +        error_setg(errp, "Failed to initialize sha384 hash for image");
> > +        goto cleanup;
> > +    }
> > +    bootstrap_hasher = g_checksum_new(G_CHECKSUM_SHA384);
> > +    if (bootstrap_hasher == NULL) {
> > +        error_setg(errp, "Failed to initialize sha384 hash for bootstrap");
> > +        goto cleanup;
> > +    }
> > +    app_hasher = g_checksum_new(G_CHECKSUM_SHA384);
> > +    if (app_hasher == NULL) {
> > +        error_setg(errp, "Failed to initialize sha384 hash for app");
> > +        goto cleanup;
> > +    }
>
> Don't use GChecksum APIs please, use the qcrypto hash APIs instead,
> as we need all code to be using the designated QEMU crypto backend.
>

Thanks for the reviews. I was looking into replacing the GChecksum
uses with qcrypto apis and was able to do it in the extendPCR function
but I need some help with how I can do this in the eif.c file. For
example, the "image_hash" needs to be a SHA384 hash of the kernel,
cmdline, ramdisks sections' data as they appear in the order that is
in the EIF file. Using GChecksum it was easy as I was able to just
pass the hashers to the "read_eif_kernel", "read_eif_ramdisk" etc
functions and call "update" on them. But the qcrypto apis are
stateless i.e., I would need to pass all the buffers in a single api
call so it wouldn't work right now out of the box. Do you have any
suggestions how I should modify/create qcrypto apis so that I can
easily do this (considering that I would need to implement for
different qcrypto backends)? Thanks!

Regards,
Dorjoy