From b11f34dddf2149fd1d4571b13b294072442b111e Mon Sep 17 00:00:00 2001
From: Harika Nittala
Date: Thu, 23 Jan 2025 23:37:46 +0000
Subject: [PATCH 1/4] snp.sh: Verify if SNP(security) bits are set

This module verifies if all the security bits are set to 1 for any given instruction set

Signed-off-by: Harika Nittala
---
 tools/snp.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tools/snp.sh b/tools/snp.sh
index 61e836f..74a56bf 100755
--- a/tools/snp.sh
+++ b/tools/snp.sh
@@ -156,6 +156,21 @@ cleanup() {
 return $exit_code
 }
+verify_all_security_bits() {
+ local feature_error=''
+ for feature in "${!security_bit_values[@]}"
+ do
+ if [[ ${security_bit_values[$feature]} != 1 ]]; then
+ feature_error+=$(echo "${feature} bit value is ${security_bit_values[$feature]} .\n");
+ fi
+ done
+ if [[ -n "${feature_error}" ]]; then
+ echo ${feature_error}
+ fi
+}
 verify_snp_host() {
 if ! sudo dmesg | grep -i "SEV-SNP enabled\|SEV-SNP supported" 2>&1 >/dev/null; then
 echo -e "SEV-SNP not enabled on the host. Please follow these steps to enable:\n\
From 49d854c44dc5060065a3741be3ebf7a6829ff343 Mon Sep 17 00:00:00 2001
From: Harika Nittala
Date: Thu, 23 Jan 2025 23:43:23 +0000
Subject: [PATCH 2/4] snp.sh: Added CPUID check to verify the SNP feature support in host CPU

This verifies if CPU is capable of SNP based on the SNP bit value present in the CPUID 0x8000001f

Signed-off-by: Harika Nittala
---
 tools/snp.sh | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/tools/snp.sh b/tools/snp.sh
index 74a56bf..a0ddbc8 100755
--- a/tools/snp.sh
+++ b/tools/snp.sh
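Review bot: `verify_all_security_bits` declares no parameters and loops over `"${!security_bit_values[@]}"`, so it only works because the caller's `declare -A security_bit_values` is visible through bash's dynamic scoping; the callers added in patches 2, 3 and 4 pass `"${security_bit_values[@]}"`, which expands to the values without their keys and is never read, so that argument documents a contract the function does not have. Either pass the array by name and bind it with `local -n bits="$1"` (bash 4.3+), or drop the argument and state the real contract in a header comment such as `# Expects the caller to have declared the associative array security_bit_values; prints one line per entry whose value is not 1.` The loop variable should be scoped with `local feature`, and the result should be printed as `echo "${feature_error}"`, since the unquoted expansion is subject to word splitting and globbing.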
@@ -171,6 +171,26 @@ verify_all_security_bits() {
 fi
 }
+verify_host_snp_support() {
+ echo -e "Verifying host CPU support for SNP from CPUID 0x8000001f ..."
+ local host_cpuid_eax=$(get_cpuid 0x8000001f eax)
+ # Map all the security bit values in a single associative array
+ declare -A security_bit_values=(
+ [SME]=$(( (${host_cpuid_eax} >> 0) & 1))
+ [SEV]=$(( (${host_cpuid_eax} >> 1) & 1))
+ [SEV-ES]=$(( (${host_cpuid_eax} >> 3) & 1))
+ [SNP]=$(( (${host_cpuid_eax} >> 4) & 1))
+ )
+ local feature_error=$(verify_all_security_bits "${security_bit_values[@]}")
+ if [[ -n "${feature_error}" ]]; then
+ >&2 echo -e "ERROR: SNP feature is not supported by the host CPU"
+ >&2 echo -e "${feature_error}"
+ return 1
+ fi
+}
 verify_snp_host() {
 if ! sudo dmesg | grep -i "SEV-SNP enabled\|SEV-SNP supported" 2>&1 >/dev/null; then
 echo -e "SEV-SNP not enabled on the host. Please follow these steps to enable:\n\
@@ -1381,6 +1401,7 @@ main() {
 ;;
 setup-host)
+ verify_host_snp_support
 install_dependencies
 if $UPM; then
From 0136c397e9f38cffbd14ff0296b1d02135a8f9f1 Mon Sep 17 00:00:00 2001
From: Harika Nittala
Date: Fri, 24 Jan 2025 04:23:13 +0000
Subject: [PATCH 3/4] snp.sh: Added MSR check to confirm if SNP is enabled in host BIOS

This verifies if SME, SNP are enabled in the host BIOS settings by reading SME and SNP bit status from MSR 0xC0010010
Bit #23 corresponds to the SME bit status
Bit #24 corresponds to the SNP bit status

Signed-off-by: Harika Nittala
---
 tools/snp.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tools/snp.sh b/tools/snp.sh
index a0ddbc8..0a55305 100755
--- a/tools/snp.sh
+++ b/tools/snp.sh
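Review bot: `local host_cpuid_eax=$(get_cpuid 0x8000001f eax)` discards get_cpuid's exit status, and if it prints nothing the `$(( (${host_cpuid_eax} >> 0) & 1))` expressions abort with a bash arithmetic error instead of the intended diagnostic (get_cpuid's body is outside this hunk, so how it fails cannot be seen here). Split declaration from assignment, `local host_cpuid_eax; host_cpuid_eax=$(get_cpuid 0x8000001f eax) || return 1`, and reject a non-integer result before shifting, e.g. `[[ ${host_cpuid_eax} =~ ^(0x[0-9a-fA-F]+|[0-9]+)$ ]] || { >&2 echo "ERROR: could not read CPUID 0x8000001f"; return 1; }`. The call added to main()'s setup-host branch here, like the calls added to main() in patches 3 and 4, does not check the return status; unless the script runs under `set -e` (not visible in this series), a failed check would not stop setup, so `verify_host_snp_support || exit 1` would make the intent explicit.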
@@ -191,6 +191,30 @@ verify_host_snp_support() {
 fi
 }
+verify_host_snp_enablement() {
+ echo -e "Verifying if SME, SNP are enabled in the host from MSR 0xC0010010..."
+ if ! sudo modprobe msr; then
+ >&2 echo "ERROR: Failed to load MSR kernel module. Ensure you have the necessary sudo permissions."
+ return 1
+ fi
+ local host_msr_read=$(echo "$(sudo rdmsr -d 0xc0010010)")
+ # Map all the security bit values in a single associative array
+ declare -A security_bit_values=(
+ [SME]=$(echo $((((${host_msr_read} & (1 << 23)) >> 23))))
+ [SNP]=$(echo $((((${host_msr_read} & (1 << 24)) >> 24))))
+ )
+ local feature_error=$(verify_all_security_bits "${security_bit_values[@]}")
+ if [[ -n "${feature_error}" ]]; then
+ >&2 echo -e "ERROR: SME, SNP are not enabled in the host BIOS"
+ >&2 echo -e "${feature_error}"
+ return 1
+ fi
+}
 verify_snp_host() {
 if ! sudo dmesg | grep -i "SEV-SNP enabled\|SEV-SNP supported" 2>&1 >/dev/null; then
 echo -e "SEV-SNP not enabled on the host. Please follow these steps to enable:\n\
@@ -1402,6 +1426,7 @@ main() {
 setup-host)
 verify_host_snp_support
+ verify_host_snp_enablement
 install_dependencies
 if $UPM; then
@@ -1424,6 +1449,7 @@ main() {
 copy_launch_binaries
 source "${LAUNCH_WORKING_DIR}/source-bins"
+ verify_host_snp_enablement
 verify_snp_host
 install_dependencies
From e82f96e9782d37bf03ba6adfc5799e0086792450 Mon Sep 17 00:00:00 2001
From: Harika Nittala
Date: Fri, 24 Jan 2025 04:27:11 +0000
Subject: [PATCH 4/4] snp.sh: Added guest MSR check to verify SNP bit status

Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set
Bit #0 corresponds to the SEV bit status
Bit #1 corresponds to SEV-ES bit status
Bit #2 corresponds to SNP bit status

Signed-off-by: Harika Nittala
---
 tools/snp.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
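Review bot: `local host_msr_read=$(echo "$(sudo rdmsr -d 0xc0010010)")` hides rdmsr's exit status behind `local` and a redundant `echo`, so a missing `rdmsr` binary or a failed read leaves the variable empty and the `$((((${host_msr_read} & (1 << 23)) >> 23)))` expressions abort with an arithmetic error rather than the "not enabled in the host BIOS" diagnostic this function is meant to give. Write `local host_msr_read; host_msr_read=$(sudo rdmsr -d 0xc0010010) || { >&2 echo "ERROR: rdmsr failed; is msr-tools installed?"; return 1; }`, and drop the `$(echo ...)` wrappers around the `[SME]`/`[SNP]` entries, which add nothing. A comment naming the register would help the next reader, e.g. `# MSR 0xC0010010 (SYSCFG): bit 23 = MemEncryptionModeEn (SME), bit 24 = SecureNestedPagingEn (SNP)`. Note also that main()'s setup-host branch now runs this before `install_dependencies`; if that function is what installs msr-tools on the host (not visible in this hunk), the check runs before its own dependency is available.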
diff --git a/tools/snp.sh b/tools/snp.sh
index 0a55305..6a08268 100755
--- a/tools/snp.sh
+++ b/tools/snp.sh
@@ -1158,6 +1158,55 @@ setup_guest_attestation() {
 echo "true" > "${guest_setup_file}"
 }
+install_guest_rdmsr_dependencies() {
+ wait_and_retry_command "ssh_guest_command "uname -r""
+ # Retrieve guest linux distribution
+ local guest_linux_distro=$(ssh_guest_command "lsb_release -is")
+ guest_linux_distro=$(echo "${guest_linux_distro}" | tr -d '\r')
+ guest_linux_distro="${guest_linux_distro,,}"
+ case ${guest_linux_distro} in
+ ubuntu)
+ ssh_guest_command "sudo DEBIAN_FRONTEND=noninteractive sudo apt install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1
+ ;;
+ *)
+ >&2 echo -e "ERROR: Unsupported guest linux distribution: ${guest_linux_distro}"
+ return 1
+ ;;
+ esac
+}
+verify_guest_snp_bit_status() {
+ if [ ! -f "${GUEST_SSH_KEY_PATH}" ]; then
+ >&2 echo -e "Guest SSH key not present [${GUEST_SSH_KEY_PATH}], so cannot verify guest SNP enabled"
+ return 1
+ fi
+ # Install guest rdmsr package dependencies & insert guest msr module
+ install_guest_rdmsr_dependencies
+ ssh_guest_command "sudo modprobe msr" > /dev/null 2>&1
+ # Read the guest (MSR_AMD64_SEV) value
+ local guest_msr_read=$(ssh_guest_command "sudo rdmsr -p 0 0xc0010131")
+ guest_msr_read=$(echo "${guest_msr_read}" | tr -d '\r' | bc)
+ # Map all the security bit values in a single associative array
+ declare -A security_bit_values=(
+ [SEV]=$(( ( ${guest_msr_read} >> 0) & 1))
+ [SEV-ES]=$(( (${guest_msr_read} >> 1) & 1))
+ [SNP]=$(( (${guest_msr_read} >> 2) & 1))
+ )
+ local feature_error=$(verify_all_security_bits "${security_bit_values[@]}")
+ if [[ -n "${feature_error}" ]]; then
+ >&2 echo -e "ERROR: SEV/SEV-ES/SNP is not active in the guest"
+ >&2 echo -e "${feature_error}"
+ return 1
+ fi
+}
 # Pass a function and a register to collect its value
 get_cpuid() {
 local function=$1
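Review bot: `wait_and_retry_command "ssh_guest_command "uname -r""` in install_guest_rdmsr_dependencies is mis-quoted: the inner double quotes close the string, so the call receives the two words `ssh_guest_command uname` and `-r` instead of one command string (how wait_and_retry_command joins its arguments is outside this hunk, but the intent is clearly a single argument, `"ssh_guest_command 'uname -r'"`). In verify_guest_snp_bit_status neither `install_guest_rdmsr_dependencies` nor `sudo modprobe msr` has its status checked, and the raw hex output of `rdmsr -p 0 0xc0010131` is piped through `bc` without `ibase=16`, which is not a hex-to-decimal conversion and only happens to work while the value contains no hex letters; the host check in patch 3 already uses `rdmsr -d`, so use it here as well and validate the result before shifting. The value read here is reported by the guest's own kernel, which makes it a useful sanity check but not evidence of isolation, and a comment should say that the attestation report (`attest_guest` in the main() hunk) is the authoritative check. The commit message refers to MSR 0xC0010010, while the code reads 0xc0010131 (the MSR_AMD64_SEV named in the comment), whose bits 0/1/2 match the layout the message describes, so the message should name that register.
```shell
install_guest_rdmsr_dependencies() {
    wait_and_retry_command "ssh_guest_command 'uname -r'"
    # … unchanged: guest distribution detection …
    case ${guest_linux_distro} in
        ubuntu)
            ssh_guest_command "sudo DEBIAN_FRONTEND=noninteractive apt install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1 || return 1
            ;;
        # … unchanged: unsupported-distribution branch …
    esac
}

verify_guest_snp_bit_status() {
    # … unchanged: GUEST_SSH_KEY_PATH check …
    install_guest_rdmsr_dependencies || return 1
    ssh_guest_command "sudo modprobe msr" > /dev/null 2>&1 || return 1

    # Read MSR_AMD64_SEV (0xC0010131) as decimal. This is self-reported by the
    # guest kernel; the attestation report, not this MSR, is the trustworthy
    # evidence that the guest actually runs under SNP.
    local guest_msr_read
    guest_msr_read=$(ssh_guest_command "sudo rdmsr -d -p 0 0xc0010131" | tr -d '\r')
    if [[ ! ${guest_msr_read} =~ ^[0-9]+$ ]]; then
        >&2 echo "ERROR: could not read MSR_AMD64_SEV in the guest: '${guest_msr_read}'"
        return 1
    fi
    # … unchanged: security_bit_values map and verify_all_security_bits call …
}
```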
@@ -1454,6 +1503,7 @@ main() {
 install_dependencies
 setup_and_launch_guest
+ verify_guest_snp_bit_status
 wait_and_retry_command verify_snp_guest
 echo -e "Guest SSH port forwarded to host port: ${HOST_SSH_PORT}"
@@ -1465,6 +1515,7 @@ main() {
 install_rust
 install_sev_snp_measure
 install_dependencies
+ verify_guest_snp_bit_status
 wait_and_retry_command verify_snp_guest
 setup_guest_attestation
 attest_guest