Eventlog for Stage0

stage0/Cargo.toml

@@ -5,6 +5,9 @@ authors = ["Andri Saar <andrisaar@google.com>"]
 edition = "2021"
 license = "Apache-2.0"
 
+[build-dependencies]
+prost-build = { version = "*" }
+
 [dependencies]
 bitflags = "*"
 coset = { version = "*", default-features = false }
@@ -23,6 +26,8 @@ p256 = { version = "*", default-features = false, features = ["ecdsa"] }
 rand_core = { version = "*", default-features = false, features = [
   "getrandom",
 ] }
+prost = {version = "*", default-features = false, features = ["prost-derive"]}
+prost-types = {version = "*", default-features = false}
 sev_serial = { path = "../sev_serial" }
 sha2 = { version = "*", default-features = false, features = ["force-soft"] }
 spinning_top = "*"

stage0/build.rs

@@ -0,0 +1,8 @@
+extern crate prost_build;
+
+fn main() {
+    let mut config = prost_build::Config::new();
+    config.btree_map(&["."]);
+    prost_build::compile_protos(&["src/eventlog.proto"],
+                                &["src/"]).unwrap();
+}

stage0/src/eventlog.proto

@@ -0,0 +1,39 @@
+syntax = "proto2";
+
+package eventlog;
+
+import "google/protobuf/any.proto";
+
+// All the related measurements for Stage 0.
+message Stage0Measurements {
+  // Kernel setup data digest.
+  optional bytes setup_data_digest = 1;
+  // Kernel digest.
+  optional bytes kernel_measurement = 2;
+  // Initial RAM disk digest.
+  optional bytes ram_disk_digest = 3;
+  // E820 table digest
+  optional bytes memory_map_digest = 4;
+  // ACPI table generation digest
+  optional bytes acpi_digest = 5;
+  // Kernel Command line.
+  optional string kernel_cmdline = 6;
+}
+
+// Represents an event intended for inclusion in attestation.
+// For example, in an attested measured boot, each event is a reference to the
+// code identity of the boot layer being launched next.
+// An Event message must have a canonical serialization and contain what's
+// necessary for an attestation verifier to verify the Event against a Reference
+// Value.
+message Event {
+  // Represents what is contains in the event. For example, the tag for
+  // TaskConfig for the Layer 2 is "layer2".
+  optional string tag = 1;
+  optional google.protobuf.Any event = 2;
+}
+
+// A sequence of Events intended for inclusion in attestation evidence.
+message EventLog {
+  repeated Event events = 1;
+}

stage0/src/lib.rs

@@ -21,14 +21,16 @@
 
 extern crate alloc;
 
-use alloc::{boxed::Box, format};
+use alloc::{boxed::Box, format, string::String};
 use core::{arch::asm, ffi::c_void, mem::MaybeUninit, panic::PanicInfo};
 
 use linked_list_allocator::LockedHeap;
 use oak_core::sync::OnceCell;
 use oak_dice::evidence::{TeePlatform, DICE_DATA_CMDLINE_PARAM};
 use oak_linux_boot_params::{BootE820Entry, E820EntryType};
 use oak_sev_guest::{io::PortFactoryWrapper, msr::SevStatus};
+use prost::{Message, Name};
+use prost_types::Any;
 use sha2::{Digest, Sha256};
 use x86_64::{
     instructions::{hlt, interrupts::int3},
@@ -61,6 +63,10 @@ mod sev;
 mod smp;
 mod zero_page;
 
+pub mod eventlog {
+    include!(concat!(env!("OUT_DIR"), "/eventlog.rs"));
+}
+
 type Measurement = [u8; 32];
 
 // Reserve 128K for boot data structures that will outlive Stage 0.
@@ -339,13 +345,34 @@ pub fn rust64_start(encrypted: u64) -> ! {
         ),
         &crate::BOOT_ALLOC,
     ));
+
     // Reserve the memory containing the DICE data.
     zero_page.insert_e820_entry(BootE820Entry::new(
         dice_data.as_bytes().as_ptr() as usize,
         dice_data.as_bytes().len(),
         E820EntryType::RESERVED,
     ));
 
+    // Generate Stage0 Event Log data.
+    let mut stage0event = eventlog::Stage0Measurements::default();
+    stage0event.kernel_measurement = Some(kernel_info.measurement.as_bytes().to_vec());
+    stage0event.acpi_digest = Some(acpi_sha2_256_digest.as_bytes().to_vec());
+    stage0event.memory_map_digest = Some(memory_map_sha2_256_digest.as_bytes().to_vec());
+    stage0event.ram_disk_digest = Some(ram_disk_sha2_256_digest.as_bytes().to_vec());
+    stage0event.setup_data_digest = Some(setup_data_sha2_256_digest.as_bytes().to_vec());
+    stage0event.kernel_cmdline = Some(cmdline.clone());
+    let event_log = Box::leak(Box::new_in(
+        generate_event_log(stage0event),
+        &crate::BOOT_ALLOC,
+    ));
+    log::info!("event tag = {:?}", event_log);
+    // Reserve memory containing Eventlog Data.
+    zero_page.insert_e820_entry(BootE820Entry::new(
+        event_log.encode_to_vec().as_bytes().as_ptr() as usize,
+        event_log.encode_to_vec().as_bytes().len(),
+        E820EntryType::RESERVED,
+    ));
+
     // Append the DICE data address to the kernel command-line.
     let extra = format!("--{DICE_DATA_CMDLINE_PARAM}={dice_data:p}");
     let cmdline = if kernel_info.kernel_type == KernelType::Elf {
@@ -414,3 +441,33 @@ fn io_port_factory() -> PortFactoryWrapper {
         PortFactoryWrapper::new_raw()
     }
 }
+
+const PACKAGE: &str = "google.protobuf";
+
+/// Compute the type URL for the given `google.protobuf` type, using
+/// `type.googleapis.com` as the authority for the URL.
+fn type_url_for<T: Name>() -> String {
+    format!("type.googleapis.com/{}.{}", T::PACKAGE, T::NAME)
+}
+
+impl Name for eventlog::Stage0Measurements {
+    const PACKAGE: &'static str = PACKAGE;
+    const NAME: &'static str = "Stage0";
+
+    fn type_url() -> String {
+        type_url_for::<Self>()
+    }
+}
+
+fn generate_event_log(measurements: eventlog::Stage0Measurements) -> eventlog::EventLog {
+    let mut event = eventlog::Event::default();
+    let mut str = String::new();
+    let any = Any::from_msg(&measurements);
+    str.push_str("Stage0");
+    let m = Some(str);
+    event.tag = m;
+    event.event = Some(any.unwrap());
+    let mut eventlog = eventlog::EventLog::default();
+    eventlog.events.push(event);
+    eventlog
+}