From 7b4ec629fb517965f1f331ede7212be31f63d2ff Mon Sep 17 00:00:00 2001
From: Jakub Doka
Date: Tue, 19 Nov 2024 20:39:53 +0100
Subject: [PATCH] making the `measurement` module available when `crypto_nossl` is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jakub Doka

Update src/measurement/sev_hashes.rs

Co-authored-by: Tyler Fanelli
Signed-off-by: Jakub Dóka <60517552+jakubDoka@users.noreply.github.com>

Update src/measurement/gctx.rs

Co-authored-by: Tyler Fanelli
Signed-off-by: Jakub Dóka <60517552+jakubDoka@users.noreply.github.com>

Update gctx.rs

Signed-off-by: Jakub Dóka <60517552+jakubDoka@users.noreply.github.com>

Update sev_hashes.rs

Signed-off-by: Jakub Dóka <60517552+jakubDoka@users.noreply.github.com>
---
 src/certs/snp/builtin/mod.rs | 2 +-
 src/certs/snp/ca/mod.rs | 4 ++--
 src/error.rs | 1 +
 src/lib.rs | 2 +-
 src/measurement/gctx.rs | 9 +++++++++
 src/measurement/mod.rs | 13 ++++++++++---
 src/measurement/sev_hashes.rs | 10 ++++++++++
 7 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/src/certs/snp/builtin/mod.rs b/src/certs/snp/builtin/mod.rs
index 503b711e..d9cc2e6e 100644
--- a/src/certs/snp/builtin/mod.rs
+++ b/src/certs/snp/builtin/mod.rs
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
-/// Interfaces for retrieving builtin ARKs and ASKs for their respective generations.
+//! Interfaces for retrieving builtin ARKs and ASKs for their respective generations.
 
 /// Genoa generation.
 pub mod genoa;
diff --git a/src/certs/snp/ca/mod.rs b/src/certs/snp/ca/mod.rs
index 43f981f3..5b7df39c 100644
--- a/src/certs/snp/ca/mod.rs
+++ b/src/certs/snp/ca/mod.rs
@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: Apache-2.0
+
+//! Operations for a Certificate Authority (CA) chain.
 #[cfg(feature = "openssl")]
 use openssl::x509::X509;
 
 use super::*;
 
-/// Operations for a Certificate Authority (CA) chain.
-
 /// A Certificate Authority (CA) chain.
 #[derive(Clone, Debug)]
 pub struct Chain {
diff --git a/src/error.rs b/src/error.rs
index 57d41ac4..9949c8d3 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -438,6 +438,7 @@ impl From for c_int {
 
 impl std::error::Error for SevError {}
 
+#[allow(clippy::too_long_first_doc_paragraph)]
 /// There are a number of error conditions that can occur between this
 /// layer all the way down to the SEV platform. Most of these cases have
 /// been enumerated; however, there is a possibility that some error
diff --git a/src/lib.rs b/src/lib.rs
index 4ce2a1ef..372d51d3 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -98,7 +98,7 @@ pub mod firmware;
 pub mod launch;
 #[cfg(all(
     any(feature = "sev", feature = "snp"),
-    feature = "openssl",
+    any(feature = "openssl", feature = "crypto_nossl"),
     target_os = "linux"
 ))]
 pub mod measurement;
diff --git a/src/measurement/gctx.rs b/src/measurement/gctx.rs
index ecbca8c9..f304ffe9 100644
--- a/src/measurement/gctx.rs
+++ b/src/measurement/gctx.rs
@@ -2,6 +2,7 @@
 //! Operations to handle and create a Guest Context
 use std::convert::TryInto;
 
+#[cfg(feature = "openssl")]
 use openssl::sha::sha384;
 
 use crate::error::*;
@@ -12,6 +13,14 @@ use crate::{
     measurement::snp::{SnpLaunchDigest, LD_BYTES},
 };
 
+#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
+fn sha384(data: &[u8]) -> [u8; 48] {
+    use sha2::Digest;
+    let mut sha = sha2::Sha384::default();
+    sha.update(data);
+    sha.finalize().into()
+}
+
 // VMSA page is recorded in the RMP table with GPA (u64)(-1).
 // However, the address is page-aligned, and also all the bits above
 // 51 are cleared.
diff --git a/src/measurement/mod.rs b/src/measurement/mod.rs
index f0a8b4b1..06e73dea 100644
--- a/src/measurement/mod.rs
+++ b/src/measurement/mod.rs
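Review bot: The `#[allow(clippy::too_long_first_doc_paragraph)]` is added without a comment saying why the lint is suppressed rather than satisfied; the lint only asks for a short summary sentence followed by an empty `///` line before the long paragraph, which the existing text could be split into. If the allow is kept, a line above it such as `// The long opening paragraph is deliberate; revisit when the error docs are restructured.` records that decision for the next reader. The item the attribute applies to begins after the hunk ends, so its full doc comment is not visible here.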
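Review bot: The `sha384` fallback is never compiled together with the `openssl::sha::sha384` it stands in for, because the two `cfg`s are mutually exclusive, so nothing checks that a `crypto_nossl` build yields the same digest as an `openssl` build, and a divergence would silently change the digests this module produces. A known-answer test behind the same `crypto_nossl` cfg pinning the FIPS 180-4 `abc` vector for `sha384`, and likewise for the `sha256` shim in `src/measurement/sev_hashes.rs`, would catch that on either backend. The trait import should also match `sev_hashes.rs` — `use sha2::Digest as _;` — since only the trait methods are used, and the body reduces to `sha2::Sha384::digest(data).into()`. A doc line such as `/// sha2-backed stand-in for openssl::sha::sha384, compiled only when crypto_nossl is enabled without openssl.` would explain why a free function carries a library name. Whether `sha2` is already an optional dependency pulled in by the `crypto_nossl` feature cannot be confirmed here, as Cargo.toml is not part of the patch.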
@@ -3,7 +3,11 @@
 //! Everything one needs to calculate a launch measurement for a SEV encrypted confidential guest.
 //! This includes, GCTX, SEV-HASHES, VMSA and OVMF pages.
 
-#[cfg(all(target_os = "linux", feature = "snp", feature = "openssl"))]
+#[cfg(all(
+    target_os = "linux",
+    feature = "snp",
+    any(feature = "openssl", feature = "crypto_nossl")
+))]
 pub mod gctx;
 
 #[cfg(any(feature = "sev", feature = "snp"))]
@@ -12,13 +16,16 @@ pub mod ovmf;
 #[cfg(any(feature = "sev", feature = "snp"))]
 pub mod vmsa;
 
-#[cfg(all(any(feature = "sev", feature = "snp"), feature = "openssl"))]
+#[cfg(all(
+    any(feature = "sev", feature = "snp"),
+    any(feature = "openssl", feature = "crypto_nossl")
+))]
 pub mod sev_hashes;
 
 #[cfg(any(feature = "sev", feature = "snp"))]
 pub mod vcpu_types;
 
-#[cfg(all(feature = "snp", feature = "openssl"))]
+#[cfg(all(feature = "snp", any(feature = "openssl", feature = "crypto_nossl")))]
 pub mod snp;
 
 #[cfg(all(feature = "sev", feature = "openssl"))]
diff --git a/src/measurement/sev_hashes.rs b/src/measurement/sev_hashes.rs
index 5e6d2c5e..7cac8636 100644
--- a/src/measurement/sev_hashes.rs
+++ b/src/measurement/sev_hashes.rs
@@ -1,7 +1,9 @@
 // SPDX-License-Identifier: Apache-2.0
 
 //! Operations to handle OVMF SEV-HASHES
+#[cfg(feature = "openssl")]
 use openssl::sha::sha256;
+
 use serde::Serialize;
 use std::fs::File;
 use std::{
@@ -18,6 +20,14 @@ use crate::error::*;
 
 type Sha256Hash = [u8; 32];
 
+#[cfg(all(not(feature = "openssl"), feature = "crypto_nossl"))]
+fn sha256(data: &[u8]) -> Sha256Hash {
+    use sha2::Digest as _;
+    let mut sha = sha2::Sha256::default();
+    sha.update(data);
+    sha.finalize().into()
+}
+
 /// GUID stored as little endian
 #[derive(Debug, Clone, Copy, Serialize, Default)]
 struct GuidLe {
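Review bot: The gate on the last line of the second hunk, `#[cfg(all(feature = "sev", feature = "openssl"))]`, is left unchanged, so the module it guards (its declaration falls outside the hunk) is still unavailable to a `crypto_nossl`-only build even though `gctx`, `sev_hashes` and `snp` now are. If that is intentional because it still depends on OpenSSL-only APIs, a one-line comment above it such as `// Still requires openssl: <reason>` would stop the next reader from treating it as an oversight. The `any(feature = "openssl", feature = "crypto_nossl")` condition is now spelled out in `src/lib.rs` and three times in this file, and it has to agree with the `not(feature = "openssl")` shims in `gctx.rs` and `sev_hashes.rs`; a sentence in this module's `//!` doc noting that these gates must be kept in sync would make that coupling explicit.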