Re: [PATCH v2 6/6] tools/tdx: Add a sample attestation user app

[Mian Yousaf Kaukab <ykaukab@suse.de>]

On Wed, Jul 07, 2021 at 01:42:49PM -0700, Kuppuswamy Sathyanarayanan wrote:
> This application uses the misc device /dev/tdx-attest to get TDREPORT
> from the TDX Module or request quote from the VMM.
> 
> It tests following attestation features:
> 
>   - Get report using TDX_CMD_GET_TDREPORT IOCTL.
>   - Using report data request quote from VMM using TDX_CMD_GEN_QUOTE IOCTL.
>   - Get the quote size using TDX_CMD_GET_QUOTE_SIZE IOCTL.
> 
> Reviewed-by: Tony Luck <tony.luck@intel.com>
> Reviewed-by: Andi Kleen <ak@linux.intel.com>
> Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
> ---
>  tools/Makefile                     |  13 +-
>  tools/tdx/Makefile                 |  19 +++
>  tools/tdx/attest/.gitignore        |   2 +
>  tools/tdx/attest/Makefile          |  24 +++
>  tools/tdx/attest/tdx-attest-test.c | 232 +++++++++++++++++++++++++++++
>  5 files changed, 284 insertions(+), 6 deletions(-)
>  create mode 100644 tools/tdx/Makefile
>  create mode 100644 tools/tdx/attest/.gitignore
>  create mode 100644 tools/tdx/attest/Makefile
>  create mode 100644 tools/tdx/attest/tdx-attest-test.c
> 
> diff --git a/tools/Makefile b/tools/Makefile
> index 7e9d34ddd74c..5d68084511cb 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -30,6 +30,7 @@ help:
>  	@echo '  selftests              - various kernel selftests'
>  	@echo '  bootconfig             - boot config tool'
>  	@echo '  spi                    - spi tools'
> +	@echo '  tdx                    - TDX related test tools'
>  	@echo '  tmon                   - thermal monitoring and tuning tool'
>  	@echo '  tracing                - misc tracing tools'
>  	@echo '  turbostat              - Intel CPU idle stats and freq reporting tool'
> @@ -65,7 +66,7 @@ acpi: FORCE
>  cpupower: FORCE
>  	$(call descend,power/$@)
>  
> -cgroup firewire hv guest bootconfig spi usb virtio vm bpf iio gpio objtool leds wmi pci firmware debugging tracing: FORCE
> +cgroup firewire hv guest bootconfig spi usb virtio vm bpf iio gpio objtool leds wmi pci firmware debugging tracing tdx: FORCE
>  	$(call descend,$@)
>  
>  bpf/%: FORCE
> @@ -104,7 +105,7 @@ all: acpi cgroup cpupower gpio hv firewire liblockdep \
>  		perf selftests bootconfig spi turbostat usb \
>  		virtio vm bpf x86_energy_perf_policy \
>  		tmon freefall iio objtool kvm_stat wmi \
> -		pci debugging tracing
> +		pci debugging tracing tdx
>  
>  acpi_install:
>  	$(call descend,power/$(@:_install=),install)
> @@ -112,7 +113,7 @@ acpi_install:
>  cpupower_install:
>  	$(call descend,power/$(@:_install=),install)
>  
> -cgroup_install firewire_install gpio_install hv_install iio_install perf_install bootconfig_install spi_install usb_install virtio_install vm_install bpf_install objtool_install wmi_install pci_install debugging_install tracing_install:
> +cgroup_install firewire_install gpio_install hv_install iio_install perf_install bootconfig_install spi_install usb_install virtio_install vm_install bpf_install objtool_install wmi_install pci_install debugging_install tracing_install tdx_install:
>  	$(call descend,$(@:_install=),install)
>  
>  liblockdep_install:
> @@ -139,7 +140,7 @@ install: acpi_install cgroup_install cpupower_install gpio_install \
>  		virtio_install vm_install bpf_install x86_energy_perf_policy_install \
>  		tmon_install freefall_install objtool_install kvm_stat_install \
>  		wmi_install pci_install debugging_install intel-speed-select_install \
> -		tracing_install
> +		tracing_install tdx_install
>  
>  acpi_clean:
>  	$(call descend,power/acpi,clean)
> @@ -147,7 +148,7 @@ acpi_clean:
>  cpupower_clean:
>  	$(call descend,power/cpupower,clean)
>  
> -cgroup_clean hv_clean firewire_clean bootconfig_clean spi_clean usb_clean virtio_clean vm_clean wmi_clean bpf_clean iio_clean gpio_clean objtool_clean leds_clean pci_clean firmware_clean debugging_clean tracing_clean:
> +cgroup_clean hv_clean firewire_clean bootconfig_clean spi_clean usb_clean virtio_clean vm_clean wmi_clean bpf_clean iio_clean gpio_clean objtool_clean leds_clean pci_clean firmware_clean debugging_clean tracing_clean tdx_clean:
>  	$(call descend,$(@:_clean=),clean)
>  
>  liblockdep_clean:
> @@ -186,6 +187,6 @@ clean: acpi_clean cgroup_clean cpupower_clean hv_clean firewire_clean \
>  		vm_clean bpf_clean iio_clean x86_energy_perf_policy_clean tmon_clean \
>  		freefall_clean build_clean libbpf_clean libsubcmd_clean liblockdep_clean \
>  		gpio_clean objtool_clean leds_clean wmi_clean pci_clean firmware_clean debugging_clean \
> -		intel-speed-select_clean tracing_clean
> +		intel-speed-select_clean tracing_clean tdx_clean
>  
>  .PHONY: FORCE
> diff --git a/tools/tdx/Makefile b/tools/tdx/Makefile
> new file mode 100644
> index 000000000000..e2564557d463
> --- /dev/null
> +++ b/tools/tdx/Makefile
> @@ -0,0 +1,19 @@
> +# SPDX-License-Identifier: GPL-2.0
> +include ../scripts/Makefile.include
> +
> +all: attest
> +
> +clean: attest_clean
> +
> +install: attest_install
> +
> +attest:
> +	$(call descend,attest)
> +
> +attest_install:
> +	$(call descend,attest,install)
> +
> +attest_clean:
> +	$(call descend,attest,clean)
> +
> +.PHONY: all install clean attest latency_install latency_clean
> diff --git a/tools/tdx/attest/.gitignore b/tools/tdx/attest/.gitignore
> new file mode 100644
> index 000000000000..5f819a8a6c49
> --- /dev/null
> +++ b/tools/tdx/attest/.gitignore
> @@ -0,0 +1,2 @@
> +# SPDX-License-Identifier: GPL-2.0
> +tdx-attest-test
> diff --git a/tools/tdx/attest/Makefile b/tools/tdx/attest/Makefile
> new file mode 100644
> index 000000000000..bf47ba718386
> --- /dev/null
> +++ b/tools/tdx/attest/Makefile
> @@ -0,0 +1,24 @@
> +# SPDX-License-Identifier: GPL-2.0
> +# Makefile for vm tools
> +#
> +VAR_CFLAGS := $(shell pkg-config --cflags libtracefs 2>/dev/null)
> +VAR_LDLIBS := $(shell pkg-config --libs libtracefs 2>/dev/null)
> +
> +TARGETS = tdx-attest-test
> +CFLAGS = -static -Wall -Wextra -g -O2 $(VAR_CFLAGS)
> +LDFLAGS = -lpthread $(VAR_LDLIBS)
> +
> +all: $(TARGETS)
> +
> +%: %.c
> +	$(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
> +
> +clean:
> +	$(RM) tdx-attest-test
> +
> +prefix ?= /usr/local
> +sbindir ?= ${prefix}/sbin
> +
> +install: all
> +	install -d $(DESTDIR)$(sbindir)
> +	install -m 755 -p $(TARGETS) $(DESTDIR)$(sbindir)
> diff --git a/tools/tdx/attest/tdx-attest-test.c b/tools/tdx/attest/tdx-attest-test.c
> new file mode 100644
> index 000000000000..7634ec6a084c
> --- /dev/null
> +++ b/tools/tdx/attest/tdx-attest-test.c
> @@ -0,0 +1,232 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * tdx-attest-test.c - utility to test TDX attestation feature.
> + *
> + * Copyright (C) 2020 - 2021 Intel Corporation. All rights reserved.
> + *
> + * Author: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
> + *
> + */
> +
> +#include <linux/types.h>
> +#include <linux/ioctl.h>
> +#include <sys/ioctl.h>
> +#include <sys/stat.h>
> +#include <sys/types.h>
> +#include <stdio.h>
> +#include <ctype.h>
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <unistd.h>
> +#include <string.h>
> +#include <limits.h>
> +#include <stdbool.h>
> +#include <getopt.h>
> +#include <stdint.h> /* uintmax_t */
> +#include <sys/mman.h>
> +#include <unistd.h> /* sysconf */
> +#include <time.h>
> +
> +#include "../../../include/uapi/misc/tdx.h"
> +
> +#define devname		"/dev/tdx-attest"
> +
> +#define HEX_DUMP_SIZE	16
> +#define MAX_ROW_SIZE	70
> +
> +#define ATTESTATION_TEST_BIN_VERSION "0.1"
> +
> +struct tdx_attest_args {
> +	bool is_dump_data;
> +	bool is_get_tdreport;
> +	bool is_get_quote_size;
> +	bool is_gen_quote;
> +	bool debug_mode;
> +	char *out_file;
> +};
> +
> +static void print_hex_dump(const char *title, const char *prefix_str,
> +			   const void *buf, int len)
> +{
> +	const __u8 *ptr = buf;
> +	int i, rowsize = HEX_DUMP_SIZE;
> +
> +	if (!len || !buf)
> +		return;
> +
> +	printf("\t\t%s", title);
> +
> +	for (i = 0; i < len; i++) {
> +		if (!(i % rowsize))
> +			printf("\n%s%.8x:", prefix_str, i);
> +		printf(" %.2x", ptr[i])
> +	}
> +
> +	printf("\n");
> +}
> +
> +static void gen_report_data(__u8 *report_data, bool dump_data)
> +{
> +	int i;
> +
> +	srand(time(NULL));
> +
> +	for (i = 0; i < TDX_REPORT_DATA_LEN; i++)
> +		report_data[i] = rand();
> +
> +	if (dump_data)
> +		print_hex_dump("\n\t\tTDX report data\n", " ",
> +			       report_data, TDX_REPORT_DATA_LEN);
> +}
> +
> +static int get_tdreport(int devfd, bool dump_data, __u8 *report_data)
> +{
> +	__u8 tdrdata[TDX_TDREPORT_LEN] = {0};
> +	int ret;
> +
> +	if (!report_data)
> +		report_data = tdrdata;
> +
> +	gen_report_data(report_data, dump_data);
> +
> +	ret = ioctl(devfd, TDX_CMD_GET_TDREPORT, report_data);
> +	if (ret) {
> +		printf("TDX_CMD_GET_TDREPORT ioctl() %d failed\n", ret);
> +		return -EIO;
> +	}
> +
> +	if (dump_data)
> +		print_hex_dump("\n\t\tTDX tdreport data\n", " ", report_data,
> +			       TDX_TDREPORT_LEN);
> +
> +	return 0;
> +}
> +
> +static __u64 get_quote_size(int devfd)
> +{
> +	int ret;
> +	__u64 quote_size;
> +
> +	ret = ioctl(devfd, TDX_CMD_GET_QUOTE_SIZE, &quote_size);
> +	if (ret) {
> +		printf("TDX_CMD_GET_QUOTE_SIZE ioctl() %d failed\n", ret);
> +		return -EIO;
> +	}
> +
> +	printf("Quote size: %lld\n", quote_size);
> +
> +	return quote_size;
> +}
> +
> +static int gen_quote(int devfd, bool dump_data)
> +{
> +	__u8 *quote_data;
> +	__u64 quote_size;
> +	int ret;
> +
> +	quote_size = get_quote_size(devfd);
> +
> +	quote_data = malloc(sizeof(char) * quote_size);
> +	if (!quote_data) {
> +		printf("%s queue data alloc failed\n", devname);
> +		return -ENOMEM;
> +	}
> +
> +	ret = get_tdreport(devfd, dump_data, quote_data);
In tdg_attest_ioctl() TDX_CMD_GEN_QUOTE case is calling
tdx_mcall_tdreport() same as TDX_CMD_GET_TDREPORT case. Then what is
the point of calling get_tdreport() here? Do you mean to call
gen_report_data()?
> +	if (ret) {
> +		printf("TDX_CMD_GET_TDREPORT ioctl() %d failed\n", ret);
> +		goto done;
> +	}
> +
> +	ret = ioctl(devfd, TDX_CMD_GEN_QUOTE, quote_data);
> +	if (ret) {
> +		printf("TDX_CMD_GEN_QUOTE ioctl() %d failed\n", ret);
> +		goto done;
> +	}
> +
> +	print_hex_dump("\n\t\tTDX Quote MMIO data\n", " ", quote_data,
> +		       quote_size);
> +
> +done:
> +	free(quote_data);
> +
> +	return ret;
> +}
> +
> +static void usage(void)
> +{
> +	puts("\nUsage:\n");
> +	puts("tdx_attest [options] \n");
> +
> +	puts("Attestation device test utility.");
> +
> +	puts("\nOptions:\n");
> +	puts(" -d, --dump                Dump tdreport/tdquote data");
> +	puts(" -r, --get-tdreport        Get TDREPORT data");
> +	puts(" -g, --gen-quote           Generate TDQUOTE");
> +	puts(" -s, --get-quote-size      Get TDQUOTE size");
> +}
> +
> +int main(int argc, char **argv)
> +{
> +	int ret, devfd;
> +	struct tdx_attest_args args = {0};
> +
> +	static const struct option longopts[] = {
> +		{ "dump",           no_argument,       NULL, 'd' },
> +		{ "get-tdreport",   required_argument, NULL, 'r' },
> +		{ "gen-quote",      required_argument, NULL, 'g' },
> +		{ "gen-quote-size", required_argument, NULL, 's' },
> +		{ "version",        no_argument,       NULL, 'V' },
> +		{ NULL,             0, NULL, 0 }
> +	};
> +
> +	while ((ret = getopt_long(argc, argv, "hdrgsV", longopts,
> +				  NULL)) != -1) {
> +		switch (ret) {
> +		case 'd':
> +			args.is_dump_data = true;
> +			break;
> +		case 'r':
> +			args.is_get_tdreport = true;
> +			break;
> +		case 'g':
> +			args.is_gen_quote = true;
> +			break;
> +		case 's':
> +			args.is_get_quote_size = true;
> +			break;
> +		case 'h':
> +			usage();
> +			return 0;
> +		case 'V':
> +			printf("Version: %s\n", ATTESTATION_TEST_BIN_VERSION);
> +			return 0;
> +		default:
> +			printf("Invalid options\n");
> +			usage();
> +			return -EINVAL;
> +		}
> +	}
> +
> +	devfd = open(devname, O_RDWR | O_SYNC);
> +	if (devfd < 0) {
> +		printf("%s open() failed\n", devname);
> +		return -ENODEV;
> +	}
> +
> +	if (args.is_get_quote_size)
> +		get_quote_size(devfd);
> +
> +	if (args.is_get_tdreport)
> +		get_tdreport(devfd, args.is_dump_data, NULL);
> +
> +	if (args.is_gen_quote)
> +		gen_quote(devfd, args.is_dump_data);
> +
> +	close(devfd);
> +
> +	return 0;
> +}
> -- 
> 2.25.1

BR,
Yousaf