This repository contains a mock of the sev-guest character device, implemented with CUSE (Character device in user space), for use from Go code. The real sev-guest character device is exposed inside AMD SEV-SNP guest VMs and lets the guest send requests (for example, attestation report requests) to the AMD Secure Processor.

Please note that this mock does not interact with an actual AMD Secure Processor and is intended for testing and educational purposes only: the reports and certificates it produces carry no attestation value and must never be trusted outside a test environment.
Currently, the following requests are implemented in this mock sev-guest chardev:

- GET_REPORT: retrieves an attestation report containing information about the AMD Secure Processor and the guest VM. The mock returns a report with dummy contents, signed with the dummy VCEK generated at configure time, for testing purposes.
- GET_EXT_REPORT: retrieves the same report together with the certificate(s) needed to verify its signature.
To build the code, follow these steps:

- Clone this repository to your local machine:

```sh
git clone https://github.com/Daviiap/sev-guest_device_mock.git
```

- Change into the cloned directory:

```sh
cd sev-guest_device_mock
```

- Run the configure script:

```sh
./configure
```

The configure script needs root privileges. It installs the dependencies and generates a dummy VCEK and a dummy VLEK, each with its own cert_chain, then moves these files to the /etc/sev-guest directory.
To verify the signature of a report, use the ./keys_gen/keys/vcek.crt file: it holds the certificate of the dummy VCEK that signs the mock reports. To verify vcek.crt itself, use ./keys_gen/keys/cert_chain.pem, which contains the intermediate and root certificates needed to build a path from vcek.crt up to the dummy root, mirroring the layout of an authentic AMD environment. Because that root is generated locally by ./configure, a verifier has to be explicitly pointed at this chain to accept it; never add it to a trust store that is used outside testing.
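The check described above, written out in Go as an added example (this is not code from this repository; it uses only the standard library). `VerifyLeafAgainstChain` takes the PEM contents of a leaf certificate and of a chain file, treats every self-signed certificate in the chain as a root and every other one as an intermediate, and verifies the leaf against them. The root, intermediate and leaf used below are constructed in memory as stand-ins for cert_chain.pem and vcek.crt; the file names in the comments are the paths from this README, and the common names dummy-ARK, dummy-ASK and dummy-VCEK are assumed labels, not the names ./configure uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyLeafAgainstChain checks that the certificate in leafPEM chains to a
// self-signed root found in chainPEM. Self-signed certificates become roots,
// all others intermediates, so the order inside the chain file does not matter.
func VerifyLeafAgainstChain(leafPEM, chainPEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("leaf: no PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("leaf: %w", err)
	}
	roots, intermediates, nRoots := x509.NewCertPool(), x509.NewCertPool(), 0
	for b, rest := pem.Decode(chainPEM); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return fmt.Errorf("chain: %w", err)
		}
		if c.CheckSignatureFrom(c) == nil { // self-signed CA: a root
			roots.AddCert(c)
			nRoots++
		} else {
			intermediates.AddCert(c)
		}
	}
	if nRoots == 0 {
		return fmt.Errorf("chain contains no self-signed root")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

var serial int64 // fixture serial counter

// newCert generates a P-256 key and issues a certificate for cn; with
// parent == nil the certificate is self-signed. Test fixture: panics on error.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// ConstructedChain builds an in-memory root -> intermediate -> leaf hierarchy
// standing in for cert_chain.pem and vcek.crt (constructed test data, not the
// files ./configure generates), plus a leaf issued by a CA outside the chain.
func ConstructedChain() (leafPEM, chainPEM, rogueLeafPEM []byte) {
	rootPEM, root, rootKey := newCert("dummy-ARK", true, nil, nil)
	interPEM, inter, interKey := newCert("dummy-ASK", true, root, rootKey)
	leafPEM, _, _ = newCert("dummy-VCEK", false, inter, interKey)
	_, rogueCA, rogueKey := newCert("not-in-chain", true, nil, nil)
	rogueLeafPEM, _, _ = newCert("dummy-VCEK", false, rogueCA, rogueKey)
	return leafPEM, append(interPEM, rootPEM...), rogueLeafPEM // intermediate first on purpose
}

func main() {
	leafPEM, chainPEM, roguePEM := ConstructedChain()
	fmt.Println("dummy VCEK against dummy chain:", VerifyLeafAgainstChain(leafPEM, chainPEM))
	fmt.Println("leaf from another CA against dummy chain:", VerifyLeafAgainstChain(roguePEM, chainPEM))
}
```

Against the files ./configure produces, the same call is `VerifyLeafAgainstChain(leaf, chain)` with `leaf` and `chain` read from ./keys_gen/keys/vcek.crt and ./keys_gen/keys/cert_chain.pem. Note that trust ends at whatever self-signed root the chain file contains; this function deliberately does not consult the system trust store, which is the right behaviour for a dummy chain and also for AMD's real one, whose root is not in any OS store.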
To use the package in your Go code, fetch it with:

```sh
go get github.com/Daviiap/sev-guest_device_mock
```

An example of code using the mock:

```go
package main

import (
	"fmt"
	"log"

	sevguest "github.com/Daviiap/sev-guest_device_mock/src"
	"github.com/google/go-sev-guest/client"
)

func main() {
	// Start the CUSE-backed mock so that the sev-guest device exists before
	// the client tries to open it.
	deviceMock := sevguest.New()
	deviceMock.Start()
	defer deviceMock.Stop()

	// From here on, go-sev-guest is used exactly as inside a real SEV-SNP guest.
	device, err := client.OpenDevice()
	if err != nil {
		log.Fatal(err)
	}
	defer device.Close()

	// The 64-byte argument is REPORT_DATA, normally a fresh nonce, which the
	// firmware echoes back inside the report so the caller can check freshness.
	rawReport, err := client.GetRawReport(device, [64]byte{})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(rawReport)
}
```
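The raw bytes returned by GetRawReport follow the ATTESTATION_REPORT layout in the SEV Secure Nested Paging Firmware ABI Specification. As an added example (not code from this repository, and independent of go-sev-guest), the following Go parser pulls out the fields a verifier looks at first, checks that REPORT_DATA echoes the nonce that was passed in, and flags a policy that allows debugging. The offsets are the specification's; whether the mock populates every field the way real firmware does is not stated in this README, so the sample report below is constructed by the example itself rather than taken from the mock. A real verifier would additionally check the signature over `SignedPortion(raw)` with the VCEK, which this example leaves out.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets from the ATTESTATION_REPORT structure in the SEV-SNP Firmware ABI
// specification. All integers are little-endian; the report is 0x4A0 bytes.
const (
	ReportSize       = 0x4A0
	offVersion       = 0x000 // 4 bytes
	offPolicy        = 0x008 // 8 bytes
	offSignatureAlgo = 0x034 // 4 bytes; 1 = ECDSA P-384 with SHA-384
	offReportData    = 0x050 // 64 bytes, echoes the caller-supplied nonce
	offMeasurement   = 0x090 // 48 bytes, launch digest of the guest
	offChipID        = 0x1A0 // 64 bytes, identifies the signing VCEK
	offSignature     = 0x2A0 // 512 bytes: R (72) || S (72) || reserved
	policyDebugBit   = 19    // POLICY bit 19: debugging allowed
)

// Report holds the fields a verifier inspects before checking the signature.
type Report struct {
	Version, SigAlgo uint32
	Policy           uint64
	ReportData       [64]byte
	Measurement      [48]byte
	ChipID           [64]byte
	SigR, SigS       [72]byte // little-endian, as stored in the report
}

// ParseReport decodes a raw report as returned by GetRawReport. Anything
// shorter than the fixed structure size is rejected before any field is read.
func ParseReport(raw []byte) (*Report, error) {
	if len(raw) < ReportSize {
		return nil, fmt.Errorf("report too short: %d bytes, want %d", len(raw), ReportSize)
	}
	le := binary.LittleEndian
	r := &Report{
		Version: le.Uint32(raw[offVersion:]),
		Policy:  le.Uint64(raw[offPolicy:]),
		SigAlgo: le.Uint32(raw[offSignatureAlgo:]),
	}
	copy(r.ReportData[:], raw[offReportData:])
	copy(r.Measurement[:], raw[offMeasurement:])
	copy(r.ChipID[:], raw[offChipID:])
	copy(r.SigR[:], raw[offSignature:])
	copy(r.SigS[:], raw[offSignature+72:])
	return r, nil
}

// DebugAllowed reports whether the guest policy permits debugging; a verifier
// normally refuses such reports because guest memory can be inspected.
func (r *Report) DebugAllowed() bool { return r.Policy&(1<<policyDebugBit) != 0 }

// CheckNonce fails unless REPORT_DATA echoes the nonce passed to GetRawReport.
// Without this binding a stale or replayed report is indistinguishable from a
// fresh one, however valid its signature is.
func CheckNonce(r *Report, nonce [64]byte) error {
	if !bytes.Equal(r.ReportData[:], nonce[:]) {
		return errors.New("report_data does not match the requested nonce")
	}
	return nil
}

// SignedPortion returns the bytes covered by the report signature: everything
// up to the SIGNATURE field.
func SignedPortion(raw []byte) []byte { return raw[:offSignature] }

// ConstructedReport builds a sample raw report for the given nonce, measurement
// and policy. It is test input constructed here, not output of the mock.
func ConstructedReport(nonce [64]byte, measurement [48]byte, policy uint64) []byte {
	raw := make([]byte, ReportSize)
	le := binary.LittleEndian
	le.PutUint32(raw[offVersion:], 2)
	le.PutUint64(raw[offPolicy:], policy)
	le.PutUint32(raw[offSignatureAlgo:], 1)
	copy(raw[offReportData:], nonce[:])
	copy(raw[offMeasurement:], measurement[:])
	return raw
}

func main() {
	var nonce [64]byte
	copy(nonce[:], "constructed-nonce") // in real use: crypto/rand bytes passed to GetRawReport
	var measurement [48]byte
	// POLICY bit 17 is reserved-must-be-one, bit 16 allows SMT; debug (bit 19) is off.
	raw := ConstructedReport(nonce, measurement, 1<<17|1<<16)
	r, err := ParseReport(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=%d policy=%#x debug=%v nonce ok=%v\n",
		r.Version, r.Policy, r.DebugAllowed(), CheckNonce(r, nonce) == nil)
}
```

With the mock, `rawReport` from the example above goes straight into `ParseReport`, and the same `[64]byte` value that was handed to `GetRawReport` is the argument to `CheckNonce`; using a fixed all-zero value, as that example does for brevity, gives up the freshness guarantee the field exists for.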
References:

- SEV Secure Nested Paging Firmware ABI Specification

To do:

- Use a configuration file to define the report fields.