feat: Implement SEV-based key derivation (#6112)

The SEV-based key derivation uses the key coming from the SEV Secure
Processor to derive keys for various purposes. We use HKDF to derive the
keys. The resulting derived keys are encoded with base64 so that they
can be entered manually if necessary.

---------

Co-authored-by: IDX GitHub Automation <infra+github-automation@dfinity.org>

Author: frankdavid

Cargo.lock

@@ -571,6 +571,7 @@ getrandom = { version = "0.2", features = ["custom"] }
 goldenfile = "1.8.0"
 gpt = "4.1"
 hex = { version = "0.4.3", features = ["serde"] }
+hkdf = "^0.12"
 http = "1.3.1"
 http-body = "1.0.1"
 http-body-util = "0.1.3"

Cargo.toml

@@ -5,10 +5,13 @@ package(default_visibility = ["//rs:ic-os-pkg"])
 DEPENDENCIES = [
     # Keep sorted.
     "@crate_index//:anyhow",
+    "@crate_index//:base64",
     "@crate_index//:der",
+    "@crate_index//:hkdf",
     "@crate_index//:mockall",
     "@crate_index//:reqwest",
     "@crate_index//:sev",
+    "@crate_index//:sha2",
     "@crate_index//:tempfile",
 ]
 

rs/ic_os/sev/BUILD.bazel

@@ -4,10 +4,13 @@ edition = "2021"
 
 [dependencies]
 anyhow = { workspace = true }
+base64 = { workspace = true }
 der = { workspace = true }
+hkdf = { workspace = true }
 mockall = { workspace = true }
 reqwest = { workspace = true }
 sev = { workspace = true }
+sha2 = { workspace = true }
 tempfile = { workspace = true }
 
 [dev-dependencies]

rs/ic_os/sev/Cargo.toml

@@ -0,0 +1,24 @@
+use sev::error::UserApiError;
+use sev::firmware::guest::DerivedKey;
+#[cfg(target_os = "linux")]
+use sev::firmware::guest::Firmware;
+
+#[mockall::automock]
+pub trait SevGuestFirmware: Sync + Send {
+    fn get_derived_key(
+        &mut self,
+        message_version: Option<u32>,
+        derived_key_request: DerivedKey,
+    ) -> Result<[u8; 32], UserApiError>;
+}
+
+#[cfg(target_os = "linux")]
+impl SevGuestFirmware for Firmware {
+    fn get_derived_key(
+        &mut self,
+        message_version: Option<u32>,
+        derived_key_request: DerivedKey,
+    ) -> Result<[u8; 32], UserApiError> {
+        self.get_derived_key(message_version, derived_key_request)
+    }
+}

rs/ic_os/sev/src/guest/firmware.rs

@@ -0,0 +1,118 @@
+use crate::guest::firmware::SevGuestFirmware;
+use anyhow::Context;
+use anyhow::Result;
+use hkdf::SimpleHkdf;
+use sev::firmware::guest::{DerivedKey, GuestFieldSelect};
+use sha2::Sha256;
+use std::os::unix::ffi::OsStrExt;
+use std::path::Path;
+
+/// A key derivation provider that uses the SEV firmware to derive keys.
+pub struct SevKeyDeriver {
+    sev_firmware: Box<dyn SevGuestFirmware>,
+}
+
+impl SevKeyDeriver {
+    pub fn new() -> Result<Self> {
+        #[cfg(not(target_os = "linux"))]
+        {
+            anyhow::bail!("SEV key derivation is only supported on Linux");
+        }
+
+        #[cfg(target_os = "linux")]
+        Ok(Self {
+            sev_firmware: Box::new(
+                sev::firmware::guest::Firmware::open().context("Could not open SEV firmware")?,
+            ),
+        })
+    }
+
+    pub fn new_for_test(sev_firmware: Box<dyn SevGuestFirmware>) -> Self {
+        Self { sev_firmware }
+    }
+
+    /// Derives a key for the given `Key` variant using the SEV firmware.
+    /// The key is in base64 format (useful e.g., if the key must be entered manually).
+    pub fn derive_key(&mut self, key: Key) -> Result<String> {
+        let mut field_select = GuestFieldSelect::default();
+        field_select.set_measurement(true);
+
+        let derived_key = self
+            .sev_firmware
+            .get_derived_key(Some(1), DerivedKey::new(false, field_select, 0, 0, 0))
+            .context("Failed to get derived key from SEV firmware")?;
+
+        let mut output = vec![0; 32];
+        // Should not be InvalidLength, since we hardcoded 32 bytes for the derived key length
+        SimpleHkdf::<Sha256>::new(/*salt=*/ None, &derived_key)
+            .expand_multi_info(key.as_info().as_slice(), &mut output)
+            .unwrap();
+
+        Ok(base64::encode(&output))
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Key<'a> {
+    DiskEncryptionKey { device_path: &'a Path },
+}
+
+impl Key<'_> {
+    fn as_info(&self) -> [&[u8]; 2] {
+        // change to Vec once necessary
+        match self {
+            Key::DiskEncryptionKey { device_path } => [
+                b"ic-disk-encryption-key",
+                device_path.as_os_str().as_bytes(),
+            ],
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::guest::firmware::MockSevGuestFirmware;
+    use std::collections::HashSet;
+
+    #[test]
+    fn test_derives_key() {
+        let mut mock_sev_guest_firmware = MockSevGuestFirmware::new();
+        mock_sev_guest_firmware
+            .expect_get_derived_key()
+            .returning(|_, _| Ok([42; 32]));
+        let mut key_provider = SevKeyDeriver::new_for_test(Box::new(mock_sev_guest_firmware));
+
+        assert_eq!(
+            key_provider
+                .derive_key(Key::DiskEncryptionKey {
+                    device_path: Path::new("/dev/vda8")
+                })
+                .unwrap(),
+            // This value does not have any particular meaning, but it should not change
+            // unless the key derivation algorithm changes.
+            "f0ap27QRjRgVHqeQBK8RO0GYHnSxYRLsgpJ8Ad3j/r8="
+        );
+    }
+
+    #[test]
+    fn test_derives_unique_keys() {
+        let mut mock_sev_guest_firmware = MockSevGuestFirmware::new();
+        mock_sev_guest_firmware
+            .expect_get_derived_key()
+            .returning(|_, _| Ok([42; 32]));
+        let mut key_provider = SevKeyDeriver::new_for_test(Box::new(mock_sev_guest_firmware));
+
+        let all_keys = (1..=10)
+            .map(|i| {
+                key_provider
+                    .derive_key(Key::DiskEncryptionKey {
+                        device_path: Path::new(&format!("/dev/vda{}", i)),
+                    })
+                    .unwrap()
+            })
+            .collect::<HashSet<String>>();
+
+        assert_eq!(all_keys.len(), 10, "Keys should be unique");
+    }
+}

rs/ic_os/sev/src/guest/key_deriver.rs

@@ -0,0 +1,2 @@
+pub mod firmware;
+pub mod key_deriver;

rs/ic_os/sev/src/guest/mod.rs

@@ -1 +1,2 @@
+pub mod guest;
 pub mod host;