Support stateless CVM mode with hardware sealing policy #3485
mingweishih wants to merge 2 commits into
Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>
Pull request overview
This PR adds stateless CVM mode with hardware sealing as the primary VMGS encryption source, in addition to the existing use of hardware sealing as a backup recovery path. It introduces a new HardwareSealingPolicy (Hash / Signer / None) communicated end-to-end from Hyper-V (Set-ManagementVtlEncryptionPolicy) through DPS JSON, the GET/GED channel, runtime claims, and into the underhill attestation flow. The hardware key protector format is bumped to V2 to include a mix_measurement flag, and the test infrastructure (petri / Hyper-V powershell) plus new VMM tests for hw_unseal and hw_seal_{hash,signer} are added.
Changes:
- Protocol/config plumbing: new `HardwareSealingPolicy` enum threaded through `get_protocol`, GED, runtime claims, and the underhill worker; new event log IDs for hardware sealing failures.
- Attestation logic: extends `get_derived_keys`/`try_unlock_vmgs` to support exclusive hardware sealing (first-boot key generation, per-boot rotation, V2 HWKP with `mix_measurement`), with policy-mismatch and skip-unseal handling.
- Test infrastructure: petri builder API for `PetriHardwareSealingPolicy`, Hyper-V powershell wrapper, new TPM NV-index subcommands in `tpm_guest_tests`, and three new VMM tests.
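To make the policy/flag interplay in the attestation change concrete, the following is an added, self-contained Python model of a hardware-sealed VMGS key protector; it is not OpenHCL's code and its HWKP layout, derivation labels, `try_unlock_with_hwkp` helper and XOR-then-HMAC wrapping are assumptions standing in for the real format. It shows the two things a reviewer of this flow cares about: under the hash policy the derived key binds to the launch measurement (so a re-measured image cannot unseal), under the signer policy it binds to the signer identity and survives re-measurement, and a protector whose recorded policy or `mix_measurement` flag disagrees with `vm_config` is reported as a policy mismatch rather than attempted.

```python
"""Model of hardware-sealed VMGS key protection with an explicit sealing policy.

Constructed illustration only: the protector layout, derivation labels and the
XOR-then-HMAC wrapping are assumptions, not OpenHCL's actual HWKP format.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum

KEY_LEN = 32
HWKP_VERSION_V2 = 2  # assumed: V2 is the first version carrying mix_measurement


class HardwareSealingPolicy(Enum):
    NO_SEALING = "NoSealing"
    HASH = "HashPolicy"      # key bound to the launch measurement
    SIGNER = "SignerPolicy"  # key bound to the image signer; survives re-measurement


class PolicyMismatch(Exception):
    """vm_config policy disagrees with what the key protector records."""


class UnsealError(Exception):
    """Hardware-derived key does not open the protector (measurement/signer changed)."""


@dataclass
class HardwareKeyProtector:
    version: int
    mix_measurement: bool
    policy: str
    nonce: bytes
    wrapped: bytes
    tag: bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 extract-and-expand with HMAC-SHA256 (stdlib only)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_hw_key(hw_secret: bytes, policy: HardwareSealingPolicy,
                  measurement: bytes, signer_id: bytes):
    """Return (key, mix_measurement): the policy decides what the key binds to."""
    if policy is HardwareSealingPolicy.NO_SEALING:
        raise ValueError("NoSealing requests no hardware-derived key")
    mix_measurement = policy is HardwareSealingPolicy.HASH
    binding = measurement if mix_measurement else signer_id
    info = b"hwkp|" + policy.value.encode() + b"|" + binding
    return hkdf_sha256(hw_secret, b"hardware-sealing", info), mix_measurement


def _aad(p: HardwareKeyProtector) -> bytes:
    # Header fields are authenticated so a flipped version/policy/flag is detected.
    return bytes([p.version, int(p.mix_measurement)]) + p.policy.encode() + p.nonce


def _wrap_keys(kek: bytes, nonce: bytes):
    return hkdf_sha256(kek, nonce, b"wrap-stream"), hkdf_sha256(kek, nonce, b"wrap-mac")


def seal(vmgs_key: bytes, hw_secret: bytes, policy: HardwareSealingPolicy,
         measurement: bytes, signer_id: bytes) -> HardwareKeyProtector:
    assert len(vmgs_key) == KEY_LEN
    kek, mix = derive_hw_key(hw_secret, policy, measurement, signer_id)
    nonce = os.urandom(16)  # fresh per seal: per-boot rotation never reuses a pad
    stream, mac_key = _wrap_keys(kek, nonce)
    wrapped = bytes(a ^ b for a, b in zip(vmgs_key, stream))
    p = HardwareKeyProtector(HWKP_VERSION_V2, mix, policy.value, nonce, wrapped, b"")
    p.tag = hmac.new(mac_key, _aad(p) + wrapped, hashlib.sha256).digest()
    return p


def unseal(p: HardwareKeyProtector, hw_secret: bytes, vm_config_policy: HardwareSealingPolicy,
           measurement: bytes, signer_id: bytes) -> bytes:
    if p.version != HWKP_VERSION_V2:
        raise UnsealError(f"unsupported key protector version {p.version}")
    if p.policy != vm_config_policy.value:
        raise PolicyMismatch(f"sealed under {p.policy}, vm_config says {vm_config_policy.value}")
    kek, mix = derive_hw_key(hw_secret, vm_config_policy, measurement, signer_id)
    if p.mix_measurement != mix:
        raise PolicyMismatch("mix_measurement flag disagrees with the sealing policy")
    stream, mac_key = _wrap_keys(kek, p.nonce)
    expected = hmac.new(mac_key, _aad(p) + p.wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, p.tag):
        raise UnsealError("tag mismatch: measurement or signer changed since sealing")
    return bytes(a ^ b for a, b in zip(p.wrapped, stream))


def try_unlock_with_hwkp(p, hw_secret, vm_config_policy, measurement, signer_id):
    """Outcome a boot flow branches on: ('ok', key), ('policy-mismatch', None)
    or ('unseal-failed', None). Hypothetical helper, not an OpenHCL API."""
    try:
        return "ok", unseal(p, hw_secret, vm_config_policy, measurement, signer_id)
    except PolicyMismatch:
        return "policy-mismatch", None
    except UnsealError:
        return "unseal-failed", None
```

The header fields are covered by the MAC, so a protector whose `mix_measurement` byte or policy string was altered after sealing fails closed as a mismatch instead of being silently unsealed with the wrong binding; that is the property the V2 format's new flag needs in order to be trustworthy.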
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| openhcl/tee_call/src/lib.rs | New KeyDerivationPolicy struct passed to get_derived_key, exposing mix_measurement. |
| openhcl/tee_call/Cargo.toml | Trivial whitespace. |
| openhcl/openhcl_attestation_protocol/src/vmgs.rs | HWKP V1/V2 constants; header gains mix_measurement field replacing reserved byte. |
| openhcl/openhcl_attestation_protocol/src/igvm_attest/get.rs | Adds HardwareSealingPolicy to runtime claims. |
| openhcl/underhill_attestation/src/hardware_key_sealing.rs | Derive keys with policy; enforce policy/vm_config consistency; expanded unit tests. |
| openhcl/underhill_attestation/src/lib.rs | Core stateless hardware sealing flow, recovery via HWKP V2, new errors, tests. |
| openhcl/underhill_attestation/src/vmgs.rs | Test fixture updated for new HWKP header signature. |
| openhcl/underhill_attestation/src/igvm_attest/mod.rs | Test JSON updated to include hardware-sealing-policy. |
| openhcl/underhill_core/src/worker.rs | Computes hardware_sealing_policy, recomputes no_persistent_secrets, adds logs. |
| vm/devices/get/get_protocol/src/lib.rs | New EventLogId entries for HW sealing failures. |
| vm/devices/get/get_protocol/src/dps_json.rs | New HardwareSealingPolicy enum and DPS field; doc fixes. |
| vm/devices/get/guest_emulation_transport/{api,client}.rs | Plumb new field through platform settings. |
| vm/devices/get/guest_emulation_device/{lib,resolver,test_utilities}.rs | Plumb new field through GED. |
| petri/src/vm/mod.rs | New PetriHardwareSealingPolicy + with_hardware_sealing_policy. |
| petri/src/vm/openvmm/construct.rs | Pattern destructuring updated for new TpmConfig field. |
| petri/src/vm/hyperv/{mod,vm,powershell,hyperv.psm1} | Hyper-V wiring for Set-ManagementVtlEncryptionPolicy. |
| vm/devices/tpm/tpm_guest_tests/src/main.rs | New nv_define / nv_write / nv_read subcommands. |
| vmm_tests/.../tpm.rs | New hw_unseal, hw_seal_hash, hw_seal_signer VMM tests. |
```rust
// VMGS should now be unlockable with only the egress key (ingress zeroed)
vmgs.unlock_with_encryption_key(&[0; AES_GCM_KEY_LENGTH])
    .await
    .unwrap_err();
```
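Review bot: the comment on the first line contradicts the assertion under it. It says the VMGS "should now be unlockable with only the egress key (ingress zeroed)", yet the call passes an all-zero key to `unlock_with_encryption_key` and expects `unwrap_err()`, i.e. it checks that the zeroed ingress key is rejected. Reword the comment to say what is checked, e.g. `// The zeroed ingress key must no longer unlock the VMGS; only the egress key does`, and consider pairing it with a positive assertion that unlocking with the egress key succeeds.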
```rust
// TODO: update this doc comment once hardware sealing is implemented
/// Use hardware sealing exclusively.
///
/// Expect to be set only when `no_persistent_secrets` is true on CVMs.
```
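Review bot: the `// TODO: update this doc comment once hardware sealing is implemented` marker is stale now that this PR implements the exclusive hardware sealing mode the doc comment describes; drop it. The remaining sentence is phrased as an expectation ("Expect to be set only when `no_persistent_secrets` is true on CVMs") rather than a constraint; since the worker now recomputes `no_persistent_secrets` and the attestation code enforces policy/vm_config consistency, state which of them rejects the combination, so a reader knows the invariant is checked and not merely assumed.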
```rust
#[derive(Debug, Copy, Clone, Deserialize, Serialize, Default)]
pub enum HardwareSealingPolicy {
    /// No hardware sealing
    #[default]
    NoSealing,
    /// Hash-based hardware sealing
    HashPolicy,
    /// Signer-based hardware sealing
    SignerPolicy,
}
```
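Review bot: the variant names repeat the enum's own name (`HashPolicy` and `SignerPolicy` inside `HardwareSealingPolicy`), and the PR overview calls the same values Hash / Signer / None; settle on one naming. More importantly, this enum derives `Serialize`/`Deserialize` for the new DPS JSON field, so the variant identifiers are also the wire spelling: pin that explicitly with `#[serde(rename_all = "...")]` or per-variant `rename` attributes, otherwise any later rename of a variant silently changes the DPS format and breaks existing payloads.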
This is out of scope for this PR, but I think the logic in the underhill_attestation crate is very hard to follow, and this is adding even more complexity. If we need to get this in soon, then we can go ahead and change what we have, but I think it would be valuable to take a pass at refactoring the entire crate to make it more Rust-y and have an easier-to-follow flow.
Agreed. It's mainly a side effect of porting the C/C++ logic over. Let me look into this.