Management CLI for SEV-SNP host system administrators
Please consult docs/snphost.1.adoc for an overview of snphost and descriptions of each snphost subcommand.
Administrative utility for SEV-SNP
License: Apache License 2.0
snphost requires, but ignores, the encoding format argument on export and exports certificates as-is. Probably it should convert certificates to the specified encoding, or encoding-fmt should be removed entirely.
$ ls certs
ark.der ask.der vcek.der
$ file -i certs/*
certs/ark.der: application/octet-stream; charset=binary
certs/ask.der: application/octet-stream; charset=binary
certs/vcek.der: application/octet-stream; charset=binary
$ ./snphost/target/debug/snphost import certs
$ mkdir out
$ ./snphost/target/debug/snphost export pem out
$ file -i out/*
out/ark.pem: application/octet-stream; charset=binary
out/ask.pem: application/octet-stream; charset=binary
out/vcek.pem: application/octet-stream; charset=binary
$ diff certs/ark.der out/ark.pem
$ diff certs/ask.der out/ask.pem
$ diff certs/vcek.der out/vcek.pem
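A way to catch exactly this outside snphost, added here as an example (not project code): classify a certificate file as DER or PEM from its bytes, convert DER to PEM the way an export with an encoding argument should, and check that an exported file really is in the requested encoding. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE, not a real ARK/ASK/VCEK; the checks look only at the outer encoding, not at certificate contents.

```python
"""Classify certificate bytes as DER or PEM, convert between them, and
check that an exported file matches the requested encoding.

Added example, not snphost code. SAMPLE_DER is a constructed minimal
ASN.1 SEQUENCE (INTEGER 1, OCTET STRING 0xAB), not a real ARK/ASK/VCEK;
the format checks only look at the outer encoding, not certificate contents.
"""
import base64

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x04, 0x01, 0xAB])


def der_outer_length(data: bytes):
    """Return the total length of the outer DER SEQUENCE, or None if the
    header is not a minimally encoded SEQUENCE tag + length."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:     # DER forbids non-minimal long form
        return None
    return 2 + n + length


def detect_format(data: bytes) -> str:
    """'pem', 'der' (exactly one SEQUENCE spanning the whole file) or 'unknown'."""
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return "pem"
    if der_outer_length(data) == len(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """PEM is base64 of the DER bytes, wrapped at 64 columns between markers."""
    if detect_format(der) != "der":
        raise ValueError("input is not a single DER-encoded SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [PEM_HEADER] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_FOOTER, ""]
    return "\n".join(lines).encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Strict inverse of der_to_pem: markers must be present, base64 must be valid."""
    text = pem.decode("ascii").strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("input is not a PEM CERTIFICATE block")
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(body.split()), validate=True)


def convert(data: bytes, requested: str) -> bytes:
    """What an export with an encoding argument should do: re-encode when the
    stored form differs from the requested one, pass through when it matches."""
    actual = detect_format(data)
    if actual == requested:
        return data
    if actual == "der" and requested == "pem":
        return der_to_pem(data)
    if actual == "pem" and requested == "der":
        return pem_to_der(data)
    raise ValueError(f"cannot convert {actual} to {requested}")


def check_export(exported: bytes, requested: str) -> str:
    """Post-export check: 'ok' or a description of the mismatch."""
    actual = detect_format(exported)
    return "ok" if actual == requested else f"requested {requested} but file is {actual}"


if __name__ == "__main__":
    # Reproduces the report: a DER blob written to a .pem file unchanged.
    print(check_export(SAMPLE_DER, "pem"))
    print(check_export(convert(SAMPLE_DER, "pem"), "pem"))
```

Running `check_export` over the `out/*.pem` files from the session above would report `requested pem but file is der` for all three, which is the mismatch that `file -i` also shows; `convert` is the behaviour the encoding argument implies.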
Hi there,
I'm running into the following issue when I tried to build the latest snphost with the latest rustc (1.77.1) on CentOS 7. Did I miss a prerequisite?
-bash-4.2$ cargo b
Downloaded anyhow v1.0.80
Downloaded 1 crate (45.1 KB) in 1.13s
Compiling anyhow v1.0.80
Compiling snphost v0.3.0 (/home/iawang/snphost)
Compiling curl-sys v0.4.72+curl-8.6.0
Compiling curl v0.4.46
Compiling sev v3.0.0
error[E0599]: no method named `digest_sign` found for struct `MdCtx` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:105:14
|
104 | let sig_size = ctx
| ________________________-
105 | | .digest_sign(data, None)
| | -^^^^^^^^^^^ help: there is a method with a similar name: `digest_sign_init`
| |_____________|
|
error[E0599]: no method named `digest_sign` found for struct `MdCtx` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:110:13
|
110 | ctx.digest_sign(data, Some(&mut signature))
| ^^^^^^^^^^^ help: there is a method with a similar name: `digest_sign_init`
error[E0599]: no method named `to_vec_padded` found for reference `&BigNumRef` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:126:14
|
124 | let mut pad_r = ecdsa_sig
| _________________________-
125 | | .r()
126 | | .to_vec_padded(ECDSA_POINT_SIZE_BYTES as i32)
| | -^^^^^^^^^^^^^ method not found in `&BigNumRef`
| |_____________|
|
error[E0599]: no method named `to_vec_padded` found for reference `&BigNumRef` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:132:14
|
130 | let mut pad_s = ecdsa_sig
| _________________________-
131 | | .s()
132 | | .to_vec_padded(ECDSA_POINT_SIZE_BYTES as i32)
| | -^^^^^^^^^^^^^ method not found in `&BigNumRef`
| |_____________|
|
error[E0599]: no method named `affine_coordinates` found for reference `&EcPointRef` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:186:14
|
185 | / pub_key
186 | | .affine_coordinates(&curve_group, &mut x, &mut y, &mut big_num_ctx)
| | -^^^^^^^^^^^^^^^^^^ help: there is a method with a similar name: `affine_coordinates_gfp`
| |_____________|
|
error[E0599]: no method named `to_vec_padded` found for struct `BigNum` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:190:14
|
189 | let mut pad_x = x
| _________________________-
190 | | .to_vec_padded(ECDSA_POINT_SIZE_BYTES as i32)
| | -^^^^^^^^^^^^^ method not found in `BigNum`
| |_____________|
|
error[E0599]: no method named `to_vec_padded` found for struct `BigNum` in the current scope
--> /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0/src/measurement/idblock_types.rs:195:14
|
194 | let mut pad_y = y
| _________________________-
195 | | .to_vec_padded(ECDSA_POINT_SIZE_BYTES as i32)
| | -^^^^^^^^^^^^^ method not found in `BigNum`
| |_____________|
|
For more information about this error, try `rustc --explain E0599`.
error: could not compile `sev` (lib) due to 7 previous errors
I tried to build /home/cowbon/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sev-3.0.0, but strangely there's nothing wrong.
Can't compile code if OpenSSL 3.0 isn't installed and certain functionalities do not require OpenSSL. We should set features that are reliant on OpenSSL behind a feature flag so that the tool can compile when verify features aren't wanted on snphost.
Lines 89 to 98 in e8f2613
We are not currently supporting verification of DER formatted certificates?
The ok and commit commands seem to print usage instructions rather than their intended functionality.
For example:
$ snphost ok
Probe system for SEV-SNP support
Usage: snphost ok
Options:
-h, --help Print help
$ snphost commit
Commit current firmware and TCB versions to PSP
Usage: snphost commit
Options:
-h, --help Print help
This is with the latest from main:
$ snphost --version
snphost 0.3.0
The reset command calls to the platform_reset library command, which is a legacy command for sev. If that is the intended use, then we would need a command that would then reset the platform extended config using snp_reset_config instead.
snphost/src/cert/fetch/vcek.rs, lines 78 to 82 in 67b2fb1:
Should be using reported_tcb_version instead of platform_tcb_version, as the latter pulls information from the CURRENT_TCB instead of the REPORTED_TCB fields.
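To make the CURRENT_TCB / REPORTED_TCB distinction concrete, an added example (not snphost or sev-crate code) that unpacks two TCB_VERSION words and selects the reported one as the VCEK lookup key. The byte layout is the TCB_VERSION definition from the AMD SEV-SNP ABI specification, the query parameter names are those of the AMD KDS VCEK endpoint, and the two sample words are constructed, not read from hardware.

```python
"""Decode SEV-SNP TCB_VERSION words and pick the one a VCEK fetch must key on.

Added example, not snphost or sev-crate code. Byte layout follows the
TCB_VERSION definition in the AMD SEV-SNP ABI specification:
byte 0 BOOT_LOADER, byte 1 TEE, bytes 2-5 reserved, byte 6 SNP, byte 7 MICROCODE.
Both sample values in SAMPLE_STATUS are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcbVersion:
    boot_loader: int
    tee: int
    snp: int
    microcode: int

    @classmethod
    def from_u64(cls, word: int) -> "TcbVersion":
        if not 0 <= word < 1 << 64:
            raise ValueError("TCB_VERSION must be a 64-bit value")
        return cls(
            boot_loader=word & 0xFF,
            tee=(word >> 8) & 0xFF,
            snp=(word >> 48) & 0xFF,
            microcode=(word >> 56) & 0xFF,
        )

    def spl_query(self) -> dict:
        """Security patch levels as the KDS VCEK endpoint names them."""
        return {
            "blSPL": self.boot_loader,
            "teeSPL": self.tee,
            "snpSPL": self.snp,
            "ucodeSPL": self.microcode,
        }

    def __le__(self, other: "TcbVersion") -> bool:
        """Component-wise ordering: every level of self is at or below other's."""
        return (self.boot_loader <= other.boot_loader and self.tee <= other.tee
                and self.snp <= other.snp and self.microcode <= other.microcode)


@dataclass(frozen=True)
class PlatformStatus:
    """Subset of the platform status: the TCB currently installed and the one
    the firmware reports in attestation reports (constructed for this example)."""
    current_tcb: int
    reported_tcb: int


def vcek_lookup_tcb(status: PlatformStatus) -> TcbVersion:
    """The VCEK is derived from REPORTED_TCB, so that is the fetch key.
    After a firmware update CURRENT_TCB can be ahead of REPORTED_TCB until the
    new level is committed; keying the fetch on CURRENT_TCB then retrieves a
    certificate that does not match the key signing the reports."""
    return TcbVersion.from_u64(status.reported_tcb)


def reported_within_current(status: PlatformStatus) -> bool:
    """Sanity check: a reported TCB is not supposed to exceed the installed one."""
    return TcbVersion.from_u64(status.reported_tcb) <= TcbVersion.from_u64(status.current_tcb)


# Constructed: installed microcode 0xDB / SNP 0x18 / bootloader 3,
# but the platform still reports microcode 0xD2 / SNP 0x14 / bootloader 2.
SAMPLE_STATUS = PlatformStatus(current_tcb=0xDB18000000000003,
                               reported_tcb=0xD214000000000002)

if __name__ == "__main__":
    print("fetch VCEK with", vcek_lookup_tcb(SAMPLE_STATUS).spl_query())
    print("reported <= current:", reported_within_current(SAMPLE_STATUS))
```

With the constructed status, keying on the current TCB would ask for a certificate at ucodeSPL 219 while the reports are signed under ucodeSPL 210, which is the mismatch the issue describes.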
It would be useful for this utility to have a way for users to get the CA certs from the AMD KDS. That way they won't need to use other tools to get those into their servers and it can all be done within SNPHOST.
verify would pull certificates from the PSP, and (assuming the certificate blob would contain ARK, ASK, and VCEK) verify the certificate chain.