mvp vm attestation support in propolis-server (rfd 605)

[jordanhendricks]

This issue will cover #1010, which is a ticket for external tracking on the RFD 605 board. At the risk of being redundant, I'm creating a fresh issue to outline our design of an mvp attestation path in propolis-server and track incremental progress/PRs.

MVP Design Overview

We need a starting implementation of VM attestation as per RFD 605. (This is the relevant part of the RFD for us.)

The basic idea here is:

• a guest submits a 32-byte piece of data for attestation over a known attestation port
• this port is presented to the guest via a vsock (Want virtio-vsock support #1031) device
• on the propolis side of the port, propolis runs a "socket server" thread that can respond to attestation requests
• as part of the attestation process, we need additional qualifying_data tying the instance to this particular request. For our mvp targeting R19, that is only the hash of the instance boot disk, and its instance UUID.
• on instance start, propolis will hash the boot disk to be used in the qualifying data. This has two implications for our design: (1) that the boot disk is read-only ([nexus] create read-only disks from images or snapshots omicron#9731) and (2) that the boot disk must be hashed before we can start responding to attestation requests. As such, the socket server will fast-fail requests until the boot disk is hashed, so as to neither make instance start times obscenely long nor respond to attestation requests until we have the boot digest ready.
• propolis-server attests the data provided by the guest, along with the qualifying data, via the interfaces in oxidecomputer/vm-attest-proto
  
• for the MVP, communication to the RoT is via sled-agent APIs over the underlay network (sled-agent: add RoT attestation endpoints omicron#9739). This work is already plumbed through to the vm-attest-proto implementation such that propolis-server can use it (https://github.com/oxidecomputer/dice-util/blob/main/verifier/src/sled_agent.rs).

Incremental Work

We've largely been incrementally developing this feature in propolis-standalone, which allowed us to prove out the socket server and upstack consumers (i.e., software in a guest instance) without needing a whole control plane or even just sled-agent. This has been extremely useful for development and iterating quickly. For the real feature, we need support in propolis-server as well.

First we'll get propolis-standalone support merged, which will allow continued development and testing with propolis-standalone and allow us to start moving common code for -standalone and -server into lib/.

We have the following standalone PRs in progress from work so far:

• allow standalone to run a basic attestation server, using mock or real RoT (standalone: want ability to run attestation server backed by real or mock RoT #1068)
• hash the boot disk (standalone: want option to hash contents of boot disk #1071) and hook this up to the attestation server

For the propolis-server side, we need to do the following (these items may be broken up or combined into PRs depending on how it makes sense to land things):

• commonize socket server code for use by both server and standalone in lib/
• adapt boot disk hashing code for common use
• fetch instance ID out of instance spec
• plug in sled-agent dice_verifier::Attest impl to propolis-server: verifier: add sled-agent implementation for Attest dice-util#347
• Wire up vsock device to propolis-server #1069
• guest VMs should get vsock devices by default omicron#10000