Add Azure support

Co-authored-by: Dominic Ayre <[email protected]>
Co-authored-by: Joe Powell <[email protected]>
Co-authored-by: Kapil Vaswani <[email protected]>
Co-authored-by: Ken Gordon <[email protected]>
Co-authored-by: Mahati Chamarthy <[email protected]>
Co-authored-by: Ronny Bjones <[email protected]>

.bazelrc

@@ -111,8 +111,12 @@ build:instance_gcp --//:instance=gcp
 
 build:instance_aws --//:instance=aws
 
+build:instance_azure --//:instance=azure
+
 build:platform_aws --//:platform=aws
 
+build:platform_azure --//:platform=azure
+
 build:platform_gcp --//:platform=gcp
 
 build:local_aws --config=instance_local
@@ -128,5 +132,12 @@ build:gcp_gcp --config=platform_gcp
 build:aws_aws --config=instance_aws
 build:aws_aws --config=platform_aws
 
+
+build:local_azure --config=instance_local
+build:local_azure --config=platform_azure
+
+build:azure_azure --config=instance_azure
+build:azure_azure --config=platform_azure
+
 build:non_prod --//:build_flavor=non_prod
 build:prod --//:build_flavor=prod

BUILD.bazel

@@ -1,4 +1,5 @@
 # Copyright 2023 Google LLC
+# Copyright (C) Microsoft Corporation. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,6 +21,7 @@ string_flag(
     build_setting_default = "aws",
     values = [
         "aws",
+        "azure",
         "gcp",
         "local",
     ],
@@ -34,6 +36,14 @@ config_setting(
     visibility = ["//visibility:public"],
 )
 
+config_setting(
+    name = "azure_platform",
+    flag_values = {
+        ":platform": "azure",
+    },
+    visibility = ["//visibility:public"],
+)
+
 config_setting(
     name = "gcp_platform",
     flag_values = {
@@ -55,6 +65,7 @@ string_flag(
     build_setting_default = "aws",
     values = [
         "aws",
+        "azure",
         "gcp",
         "local",
     ],
@@ -69,6 +80,14 @@ config_setting(
     visibility = ["//visibility:public"],
 )
 
+config_setting(
+    name = "azure_instance",
+    flag_values = {
+        ":instance": "azure",
+    },
+    visibility = ["//visibility:public"],
+)
+
 config_setting(
     name = "gcp_instance",
     flag_values = {

scp/cc/azure/BUILD.bazel

@@ -0,0 +1,23 @@
+# Portions Copyright (c) Microsoft Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+package(default_visibility = ["//scp/cc/azure:__subpackages__"])
+
+# A dummy library to propagate the include directories.
+cc_library(
+    name = "include_dir",
+    includes = ["."],
+)

scp/cc/azure/attestation/BUILD.bazel

@@ -0,0 +1,53 @@
+# Portions Copyright (c) Microsoft Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+package(default_visibility = ["//visibility:public"])
+
+cc_library(
+    name = "aci_attestation_lib",
+    srcs = glob(
+        [
+            "**/*.cc",
+            "**/*.h",
+        ],
+    ),
+    deps = [
+        "@boost//:system",
+        "@com_google_absl//absl/strings",
+        "@com_google_absl//absl/log:check",
+        ":get-snp-report",
+        "@nlohmann_json//:lib",
+        "//scp/cc/core/utils/src:core_utils",
+    ],
+)
+
+cc_library(
+    name="get-snp-report",
+    srcs=glob(["get-snp-report/*.c"]),
+    hdrs=glob(["get-snp-report/*.h"]),
+)
+
+cc_binary(
+    name = "print_snp_json",
+    srcs = ["print_snp_json.cc"],
+    linkopts=['-static'],
+    linkstatic=True,
+    features = ["fully_static_link"],
+    visibility = ["//visibility:public"],
+    deps = [
+        "aci_attestation_lib",
+    ],
+)

scp/cc/azure/attestation/get-snp-report/fetch5.h

@@ -0,0 +1,22 @@
+/*
+ * Portions Copyright (c) Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+bool fetchAttestationReport5(const char* report_data_hexstring, void **snp_report);
+
+// does /dev/sev exists. This is where the PSP is exposed in 5.15.*
+bool supportsDevSev();

scp/cc/azure/attestation/get-snp-report/fetch6.h

@@ -0,0 +1,23 @@
+/*
+ * Portions Copyright (c) Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+bool fetchAttestationReport6(const char* report_data_hexstring, void **snp_report);
+
+// 6.1 linux exposees the PSP via /dev/sev-guest
+
+bool supportsDevSevGuest();

scp/cc/azure/attestation/get-snp-report/get-snp-report.c

@@ -0,0 +1,37 @@
+/*
+ * Portions Copyright (c) Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "get-snp-report.h"
+
+bool fetchSnpReport(const char* report_data_hexstring, void** snp_report) {
+  bool success = false;
+  uint8_t *snp_report_hex;
+
+  if (supportsDevSev()) {
+      success = fetchAttestationReport5(report_data_hexstring, (void*) &snp_report_hex);
+  } else if (supportsDevSevGuest()) {
+      success = fetchAttestationReport6(report_data_hexstring, (void*) &snp_report_hex);
+  } else {
+      fprintf(stderr, "No supported SNP device found\n");
+  }
+
+  if (success) {
+      *snp_report = snp_report_hex;
+      return 0;
+  }
+
+  return -1;
+}

scp/cc/azure/attestation/get-snp-report/get-snp-report.h

@@ -0,0 +1,31 @@
+/*
+ * Portions Copyright (c) Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "fetch5.h"
+#include "fetch6.h"
+#include "snp-attestation.h"
+
+bool fetchSnpReport(const char* report_data_hexstring, void** snp_report);

scp/cc/azure/attestation/get-snp-report/get-snp-report5.c

@@ -0,0 +1,101 @@
+/*
+ * Portions Copyright (c) Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include "snp-attestation.h"
+#include "snp-ioctl5.h"
+
+#include "helpers.h"
+
+bool supportsDevSev()
+{
+    return access("/dev/sev", W_OK) == 0;
+}
+
+bool fetchAttestationReport5(const char* report_data_hexstring, void **snp_report)
+{
+    msg_report_req msg_report_in;    
+    msg_response_resp msg_report_out;
+
+    int fd, rc;
+
+    struct sev_snp_guest_request payload = {
+        .req_msg_type = SNP_MSG_REPORT_REQ,
+        .rsp_msg_type = SNP_MSG_REPORT_RSP,
+        .msg_version = 1,        
+        .request_len = sizeof(msg_report_in),
+        .request_uaddr = (uint64_t) (void*) &msg_report_in,
+        .response_len = sizeof(msg_report_out),
+        .response_uaddr = (uint64_t) (void*) &msg_report_out,
+        .error = 0
+    };
+
+    memset((void*) &msg_report_in, 0, sizeof(msg_report_in));        
+    memset((void*) &msg_report_out, 0, sizeof(msg_report_out));
+
+    // the report data is passed as a hexstring which needs to be decoded into an array of 
+    // unsigned bytes
+    // MAA expects a SHA-256. So we use left align the bytes in the report data
+
+    uint8_t *reportData = decodeHexString(report_data_hexstring, sizeof(msg_report_in.report_data));   
+    memcpy(msg_report_in.report_data, reportData, sizeof(msg_report_in.report_data));
+
+    // open the file descriptor of the PSP
+    fd = open("/dev/sev", O_RDWR | O_CLOEXEC);
+
+    if (fd < 0) {
+        fprintf(stderr, "Failed to open /dev/sev\n");        
+        return false;
+    }
+
+    // issue the custom SEV_SNP_GUEST_MSG_REPORT sys call to the sev driver
+    rc = ioctl(fd, SEV_SNP_GUEST_MSG_REPORT, &payload);
+
+    if (rc < 0) {
+        fprintf(stderr, "Failed to issue ioctl SEV_SNP_GUEST_MSG_REPORT\n");        
+        return false;    
+    }
+
+    #ifdef DEBUG_OUTPUT   
+    fprintf(stderr, "Response header:\n");
+    uint8_t *hdr = (uint8_t*) &msg_report_out;
+
+    for (size_t i = 0; i < 32; i++) {
+        fprintf(stderr, "%02x", hdr[i]);
+        if (i % 16 == 15)
+            fprintf(stderr, "\n");
+        else
+            fprintf(stderr, " ");
+    }
+    fprintf(stderr, "Attestation report:\n");
+    printReport(&msg_report_out.report);
+    #endif
+
+    *snp_report = (snp_attestation_report *) malloc (sizeof(snp_attestation_report));        
+    memcpy(*snp_report, &msg_report_out.report, sizeof(snp_attestation_report));
+
+    return true;
+}