[WIP] Attestation protocol

[dubek]

Implement most of the attestation protocol with its two calls, according to the SVSM spec.

This is still WIP because it still misses:

1. Call to openssl SHA-512 routine to build the report data
2. Actual call to hypervisor to get the attestation report

Once we have these features in linux-svsm I can rebase and plug them into the mocks that I left in src/protocols/attestation.rs (functions todo_sha_512() and get_snp_attestation_report()).

---

In order to test this I implemented an attestation SVSM call in OVMF during boot.
I had to modify AsmVmgExitSvsm to optionally fill a struct with the response register values. I'll point to these changes soon.

[dubek]

I pushed a v2 of this branch (7 patches) to https://github.com/svsm-vtpm/linux-svsm/tree/attestation-protocol-v2 :

• it is based on @cclaudio 's Attestation report support with openssl #55.
• it removes the WIP parts: it actually calls openssl's SHA-512 and actually requests the attestation report from the PSP.

I have a PoC guest linux kernel support of getting the attestation report via SVSM; I implemented it as another ioctl in /dev/sev-guest. I'll probably share these patches soon.

I succeeded starting a guest and fetching a VMPL0 report via SVSM and a VMPL1 report via "regular" guest message request.

[dubek]

Update: I published the guest kernel RFC patch series for getting SVSM attestation report
https://lore.kernel.org/linux-coco/20230607150646.97208-1-dovmurik@linux.ibm.com/

It uses the SVSM_ATTEST_SERVICES call implemented in the attestation-protocol-v2 branch (mentioned in the previous comment).

[dubek]

... and here is a simple guest userspace program to call the new SNP_SVSM_ATTEST_SERVICES ioctl (defined in the kernel RFC patches mentioned above) and save the responses in local files:
https://gist.github.com/dubek/0e0a419fecf2ca87dd65d483d5c446d5