Skip to content

Avoid use vdm payload struct with slices #679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
IntelCaisui wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Avoid use vdm payload struct with slices #679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion deps/spdm-rs
Open in desktop
Submodule spdm-rs updated 42 files
+1 −1 .github/workflows/codeql.yml
+4 −4 .github/workflows/coverage.yml
+2 −2 .github/workflows/deny.yml
+2 −2 .github/workflows/dependency-review.yml
+5 −5 .github/workflows/format.yml
+1 −1 .github/workflows/fuzz.yml
+2 −2 .github/workflows/main.yml
+1 −1 .github/workflows/oss-fuzz.yml
+2 −2 .github/workflows/scorecards.yml
+7 −0 Cargo.lock
+1 −0 Cargo.toml
+11 −0 README.md
+25 −13 sh_script/build.sh
+26 −24 spdmlib/src/crypto/fips/asym_verify_st/mod.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/dhe_vectors_p256.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/dhe_vectors_p384.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/ecdsa_p256_sha256_sig_ver.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/ecdsa_p256_sha384_sig_ver.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/ecdsa_p384_sha256_sig_ver.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/ecdsa_p384_sha384_sig_ver.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/gcm_decrypt256.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/gcm_encrypt_ext_iv256.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/hmac_sha256.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/hmac_sha384.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/hmac_sha512.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/rsa_sig_ver.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/scripts/cavs_to_rust.py
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/sha256_short_msg.rs
+2 −3 spdmlib/src/crypto/fips/cavs_vectors/sha384_short_msg.rs
+8 −8 spdmlib/src/crypto/fips/dhe_st/mod.rs
+2 −2 spdmlib/src/crypto/fips/hash_st/mod.rs
+23 −4 spdmlib/src/crypto/x509v3.rs
+35 −7 spdmlib/src/message/vendor.rs
+56 −0 spdmlib/src/requester/vendor_req.rs
+5 −4 spdmlib/src/responder/context.rs
+14 −8 spdmlib/src/responder/vendor_rsp.rs
+38 −23 test/spdm-emu/src/crypto_callback.rs
+48 −33 test/spdm-responder-emu/src/main.rs
+13 −0 test/spdmlib-fips-test/Cargo.toml
+6 −0 test/spdmlib-fips-test/src/lib.rs
+9 −0 test/spdmlib-fips-test/src/test_fips.rs
+1 −0 test/spdmlib-test/Cargo.toml
9 changes: 4 additions & 5 deletions doc/memory_usage_test.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -255,20 +255,19 @@ echo "qom-set /objects/tdx0/ vsockport 1237" | nc -U /tmp/qmp-sock-dst-2

Wait all sessions complete pre-migration, and check the data logged in terminal for memory using status:

(example result)
(example result, migtd-dst)

```bash
INFO - MSK exchange completed
max stack usage: 118128
max heap usage: 190585
max stack usage: b3f38
max heap usage: 140c07
```

### Current SPDM attestation memory data

Current test result for spdm attestation are determined by destination migtd with policy v2 configuration.

```bash
Stack Size = 0x16_0000
Stack Size = 0x10_0000
Heap Size = 0x12_0000 + 0x5_0000 * session_num
```

Expand Down
179 changes: 85 additions & 94 deletions src/migtd/src/spdm/spdm_req.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ async fn send_and_receive_pub_key(spdm_requester: &mut RequesterContext) -> Spdm
vendor_id[..VDM_MESSAGE_VENDOR_ID_LEN].copy_from_slice(&VDM_MESSAGE_VENDOR_ID);
let vendor_id = VendorIDStruct { len: 4, vendor_id };

let mut payload = [0u8; MAX_SPDM_VENDOR_DEFINED_PAYLOAD_SIZE];
let mut payload = vec![0u8; MAX_SPDM_VENDOR_DEFINED_PAYLOAD_SIZE];
let mut writer = Writer::init(&mut payload);
let mut cnt = 0;

Expand All @@ -162,46 +162,39 @@ async fn send_and_receive_pub_key(spdm_requester: &mut RequesterContext) -> Spdm
.extend_from_slice(my_pub_key.as_slice())
.ok_or(SPDM_STATUS_BUFFER_FULL)?;

let vdm_payload = VendorDefinedReqPayloadStruct {
req_length: cnt as u32,
vendor_defined_req_payload: payload,
};

spdm_requester.common.reset_buffer_via_request_code(
SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
None,
);

let mut send_buffer = [0u8; config::MAX_SPDM_MSG_SIZE];
let mut writer = Writer::init(&mut send_buffer);
let request = SpdmMessage {
header: SpdmMessageHeader {
version: spdm_requester.common.negotiate_info.spdm_version_sel,
request_response_code: SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
},
payload: SpdmMessagePayload::SpdmVendorDefinedRequest(SpdmVendorDefinedRequestPayload {
standard_id: RegistryOrStandardsBodyID::IANA,
vendor_id,
req_payload: vdm_payload,
}),
let request_header = SpdmMessageHeader {
version: spdm_requester.common.negotiate_info.spdm_version_sel,
request_response_code: SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
};
let used = request.spdm_encode(&mut spdm_requester.common, &mut writer)?;

spdm_requester
.send_message(None, &send_buffer[..used], false)
.await?;
let request_payload = SpdmVdmRequestPayload {
standard_id: RegistryOrStandardsBodyID::IANA,
vendor_id,
req_length: cnt as u32,
req_payload: payload,
};
let mut used = 0;
used += request_header
.encode(&mut writer)
.map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
used += request_payload.spdm_encode(&mut spdm_requester.common, &mut writer)?;

let mut receive_buffer = [0u8; config::MAX_SPDM_MSG_SIZE];
let receive_used = spdm_requester
.receive_message(None, &mut receive_buffer, false)
let response = spdm_requester
.send_spdm_vendor_defined_request_ex(None, &send_buffer[..used], &mut receive_buffer)
.await?;

let vdm_payload =
spdm_requester.handle_spdm_vendor_defined_respond(None, &receive_buffer[..receive_used])?;

// Format checks and save the received public key
let mut reader = Reader::init(response);
let _response_header =
SpdmMessageHeader::read(&mut reader).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
let response_payload =
SpdmVdmResponsePayload::spdm_read(&mut spdm_requester.common, &mut reader)
.ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;

let mut reader =
Reader::init(&vdm_payload.vendor_defined_rsp_payload[..vdm_payload.rsp_length as usize]);
Reader::init(&response_payload.rsp_payload[..response_payload.rsp_length as usize]);
let vdm_message = VdmMessage::read(&mut reader).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
if vdm_message.major_version != VDM_MESSAGE_MAJOR_VERSION {
error!(
Expand Down Expand Up @@ -272,8 +265,7 @@ async fn send_and_receive_pub_key(spdm_requester: &mut RequesterContext) -> Spdm

let vdm_pub_key_src_hash =
digest_sha384(&send_buffer[..used]).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
let vdm_pub_key_dst_hash =
digest_sha384(&receive_buffer[..receive_used]).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
let vdm_pub_key_dst_hash = digest_sha384(response).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
let mut transcript_before_key_exchange = ManagedVdmBuffer::default();
transcript_before_key_exchange
.append_message(vdm_pub_key_src_hash.as_slice())
Expand Down Expand Up @@ -306,7 +298,7 @@ pub async fn send_and_receive_sdm_migration_attest_info(
vendor_id[..VDM_MESSAGE_VENDOR_ID_LEN].copy_from_slice(&VDM_MESSAGE_VENDOR_ID);
let vendor_id = VendorIDStruct { len: 4, vendor_id };

let mut payload = [0u8; MAX_SPDM_VENDOR_DEFINED_PAYLOAD_SIZE];
let mut payload = vec![0u8; MAX_SPDM_VENDOR_DEFINED_PAYLOAD_SIZE];
let mut writer = Writer::init(&mut payload);
let mut cnt = 0;

Expand Down Expand Up @@ -411,47 +403,44 @@ pub async fn send_and_receive_sdm_migration_attest_info(
.extend_from_slice(&mig_policy_src_hash)
.ok_or(SPDM_STATUS_BUFFER_FULL)?;

let vdm_payload = VendorDefinedReqPayloadStruct {
req_length: cnt as u32,
vendor_defined_req_payload: payload,
};

spdm_requester.common.reset_buffer_via_request_code(
SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
None,
);

let mut send_buffer = [0u8; config::MAX_SPDM_MSG_SIZE];
let mut writer = Writer::init(&mut send_buffer);
let request = SpdmMessage {
header: SpdmMessageHeader {
version: spdm_requester.common.negotiate_info.spdm_version_sel,
request_response_code: SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
},
payload: SpdmMessagePayload::SpdmVendorDefinedRequest(SpdmVendorDefinedRequestPayload {
standard_id: RegistryOrStandardsBodyID::IANA,
vendor_id,
req_payload: vdm_payload,
}),
let request_header = SpdmMessageHeader {
version: spdm_requester.common.negotiate_info.spdm_version_sel,
request_response_code: SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
};
let used = request.spdm_encode(&mut spdm_requester.common, &mut writer)?;

spdm_requester
.send_message(None, &send_buffer[..used], false)
.await?;
let request_payload = SpdmVdmRequestPayload {
standard_id: RegistryOrStandardsBodyID::IANA,
vendor_id,
req_length: cnt as u32,
req_payload: payload,
};
let mut send_used = 0;
send_used += request_header
.encode(&mut writer)
.map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
send_used += request_payload.spdm_encode(&mut spdm_requester.common, &mut writer)?;

let mut receive_buffer = [0u8; config::MAX_SPDM_MSG_SIZE];
let receive_used = spdm_requester
.receive_message(None, &mut receive_buffer, false)
let response = spdm_requester
.send_spdm_vendor_defined_request_ex(None, &send_buffer[..send_used], &mut receive_buffer)
.await?;

let vdm_payload =
spdm_requester.handle_spdm_vendor_defined_respond(None, &receive_buffer[..receive_used])?;

//Format checks
let reader = &mut Reader::init(
&vdm_payload.vendor_defined_rsp_payload[..vdm_payload.rsp_length as usize],
);
let mut reader = Reader::init(response);
let _response_header =
SpdmMessageHeader::read(&mut reader).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
let response_payload =
SpdmVdmResponsePayload::spdm_read(&mut spdm_requester.common, &mut reader)
.ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;

let reader =
&mut Reader::init(&response_payload.rsp_payload[..response_payload.rsp_length as usize]);
let vdm_message = VdmMessage::read(reader).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
if vdm_message.major_version != VDM_MESSAGE_MAJOR_VERSION {
error!(
Expand Down Expand Up @@ -591,9 +580,8 @@ pub async fn send_and_receive_sdm_migration_attest_info(
}

let vdm_attest_info_src_hash =
digest_sha384(&send_buffer[..used]).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
let vdm_attest_info_dst_hash =
digest_sha384(&receive_buffer[..receive_used]).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
digest_sha384(&send_buffer[..send_used]).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
let vdm_attest_info_dst_hash = digest_sha384(response).map_err(|_| SPDM_STATUS_CRYPTO_ERROR)?;
let mut transcript_before_finish = ManagedVdmBuffer::default();
transcript_before_finish
.append_message(vdm_attest_info_src_hash.as_slice())
Expand Down Expand Up @@ -622,7 +610,7 @@ async fn send_and_receive_sdm_exchange_migration_info(

let mut exchange_information = exchange_info(mig_info, false)?;

let mut payload = [0u8; MAX_SPDM_VENDOR_DEFINED_PAYLOAD_SIZE];
let mut payload = vec![0u8; MAX_SPDM_VENDOR_DEFINED_PAYLOAD_SIZE];
let mut writer = Writer::init(&mut payload);
let mut cnt = 0;

Expand Down Expand Up @@ -668,46 +656,49 @@ async fn send_and_receive_sdm_exchange_migration_info(
.encode(&mut writer)
.map_err(|_| SPDM_STATUS_BUFFER_FULL)?;

let vdm_payload = VendorDefinedReqPayloadStruct {
req_length: cnt as u32,
vendor_defined_req_payload: payload,
};

spdm_requester.common.reset_buffer_via_request_code(
SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
None,
);

let mut send_buffer = [0u8; config::MAX_SPDM_MSG_SIZE];
let mut writer = Writer::init(&mut send_buffer);
let request = SpdmMessage {
header: SpdmMessageHeader {
version: spdm_requester.common.negotiate_info.spdm_version_sel,
request_response_code: SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
},
payload: SpdmMessagePayload::SpdmVendorDefinedRequest(SpdmVendorDefinedRequestPayload {
standard_id: RegistryOrStandardsBodyID::IANA,
vendor_id,
req_payload: vdm_payload,
}),
};
let used = request.spdm_encode(&mut spdm_requester.common, &mut writer)?;

spdm_requester
.send_message(session_id, &send_buffer[..used], false)
.await?;
let request_header = SpdmMessageHeader {
version: spdm_requester.common.negotiate_info.spdm_version_sel,
request_response_code: SpdmRequestResponseCode::SpdmRequestVendorDefinedRequest,
};
let request_payload = SpdmVdmRequestPayload {
standard_id: RegistryOrStandardsBodyID::IANA,
vendor_id,
req_length: cnt as u32,
req_payload: payload,
};
let mut send_used = 0;
send_used += request_header
.encode(&mut writer)
.map_err(|_| SPDM_STATUS_BUFFER_FULL)?;
send_used += request_payload.spdm_encode(&mut spdm_requester.common, &mut writer)?;

let mut receive_buffer = [0u8; config::MAX_SPDM_MSG_SIZE];
let receive_used = spdm_requester
.receive_message(session_id, &mut receive_buffer, false)
let response = spdm_requester
.send_spdm_vendor_defined_request_ex(
session_id,
&send_buffer[..send_used],
&mut receive_buffer,
)
.await?;

let vdm_payload = spdm_requester
.handle_spdm_vendor_defined_respond(session_id, &receive_buffer[..receive_used])?;
// Format checks
let mut reader = Reader::init(response);
let _response_header =
SpdmMessageHeader::read(&mut reader).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
let response_payload =
SpdmVdmResponsePayload::spdm_read(&mut spdm_requester.common, &mut reader)
.ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;

let reader = &mut Reader::init(
&vdm_payload.vendor_defined_rsp_payload[..vdm_payload.rsp_length as usize],
);
let reader =
&mut Reader::init(&response_payload.rsp_payload[..response_payload.rsp_length as usize]);
let vdm_message = VdmMessage::read(reader).ok_or(SPDM_STATUS_INVALID_MSG_SIZE)?;
if vdm_message.major_version != VDM_MESSAGE_MAJOR_VERSION {
error!(
Expand Down
Loading
Loading