Local attestation

[wojciechozga]

Description of the changes

Security monitor authenticates and authorizes a confidential VM during promotion based on the TVM attestation payload (TAP). TAP is attached to the VM image and present in the confidential VM's memory at the time promotion.

This PR adds also initial tooling that generates TAP in the desired format and attaches it to the Linux kernel.

Local attestation mechanism is an alternative attestation method to remote attestation. Confidential VMs that do not use local attestation can still use remote attestation if only the security monitor supports it.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Formal verification
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactorization (non-breaking change which improves code quality)

How to test this PR?

1. Generate fresh Linux kernel images, both for hypervisor and confidential VM
2. Run the hypervisor and then inside the hypervisor start a confidential VM (./run_linux_vm.sh)
3. Store the reference measurements reported by the security monitor. Example:

PCR4=1db615e28960a3c68391b23007069c30428cd63f9d372a210083721ead714490fcf7a0b08fe1a554c92acab610658531
PCR5=519bb669396da4becaf53f53d21f48eb35f7f5ce486077e05070b8e648165f9ac711158a2264ade6705b0d890e3a43c5

4. Generate new TAP

cove-tap-tool generate --output-file=~/tap --pcrs 4=0x1db615e28960a3c68391b23007069c30428cd63f9d372a210083721ead714490fcf7a0b08fe1a554c92acab610658531 --pcrs 5=0x519bb669396da4becaf53f53d21f48eb35f7f5ce486077e05070b8e648165f9ac711158a2264ade6705b0d890e3a43c5 --secrets 0=0xc0ffee --secrets 1=0xbeef

Attach TAP to the Image

cove-tap-tool append --input-file=$ACE_DIR/confidential_vms/linux_vm/buildroot/images/Image --tap-file=$ACE_DIR/tap

5. Run the hypervisor again and then the confidential VM again (./run_linux_vm.sh)
6. You should see the output

#ACE: Reference PCR4=Sha512=0x1db615e28960a3c68391b23007069c30428cd63f9d372a210083721ead714490fcf7a0b08fe1a554c92acab610658531
#ACE: Reference PCR5=Sha512=0x519bb669396da4becaf53f53d21f48eb35f7f5ce486077e05070b8e648165f9ac711158a2264ade6705b0d890e3a43c5
#ACE: Attestation succeeded, read 2 secrets

7. After login to the confidential VM instance you can use the kernel module to read the secret

mount /dev/vda /root
cd /root/root/ace_module
insmod ace.ko

You should see the secret

[  203.051959] Requesting secret from the security monitor
[  203.107150] Secret=0xc0ffee