Giter VIP home page Giter VIP logo

uefi's Introduction

UEFI

This repository contains the changes that need to be applied on top of edk2 in order to run x86_64 guests on Nitro-based EC2 instances. We use Nix for creating reproducible builds of the UEFI binaries to ensure that the same UEFI binaries that are used with instance launches can be reproduced on any environment. EC2 customers running instances with AMD SEV-SNP support can match their running UEFI firmware with the binaries released here and even reproduce the binaries themselves.

How to build

Amazon EC2 instances that have AMD SEV-SNP enabled will use UEFI binaries built in this repository as instance boot firmware. The Github workflow that is run on every new release uses Nix to build the binary. However, the binary can also be generated manually after installing Nix by running the command:

nix-build --pure

This will produce the result/ovmf_img.fd binary which can be matched against running and released UEFI binaries.

How to generate a measurement

The sev-snp-measure tool can be used to generate measurements, e.g. for a guest with 4 vCPUs:

./sev-snp-measure.py --mode snp --vcpus=4 --vmm-type=ec2 --ovmf=ovmf_img.fd

Security

See CONTRIBUTING for more information.

License

This project is licensed under the BSD-2-Clause-Patent License.

uefi's People

Contributors

clupuishere avatar amazon-auto avatar

Stargazers

Masanori Misono avatar Jason Riddle avatar Seonghyun Park avatar adam kaminski avatar Fabian Kammel avatar Moritz Eckert avatar Givi Tsvariani avatar Malte Poll avatar Marius Knaust avatar Luis Quiñones avatar Caleb Woodbine avatar Paul Meyer avatar Felix Schuster avatar Alexander Graf avatar Timothée Isnard avatar Guillaume Delacour avatar koyashiro avatar avatar Ahnaf Mahmud avatar

Watchers

Alexander Graf avatar Alex Ciobotaru avatar Sergey Zolotorev avatar avatar Sabin Râpan avatar avatar Thomas Tendyck avatar M. Mediouni avatar

Forkers

petreeftime

uefi's Issues

How to measure the firmware, kernel, initrd, and cmdline

It is not clear to me how one can measure the firmware, kernel, initrd, and cmdline that is running an authentic AMD SEV-SNP Guest VM on AWS. Could you please share a workflow of deployment of the AWS VM and of obtaining and comparing the measurements? (Your repository seems to be related to my question, but I cannot figure out what is the exact workflow.)

Unclear how to match the sevsnp report measurment to the binary built in this repo

I've launched m6a.xlarge Amazon Linux instance with AMD sev-snp enabled.
Installed the dependencies to get the report, then parsed the report (as seen in AWS doc https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-attestation.html):

[ec2-user@ip-172-31-43-23 sev-guest]$ ./sev-guest-parse-report guest_report.bin 
Version: 2
Guest SVN: 0
Policy: 0x30000
 - Debugging Allowed:       No
 - Migration Agent Allowed: No
 - SMT Allowed:             Yes
 - Min. ABI Major:          0
 - Min. ABI Minor:          0
Family ID:
    00000000000000000000000000000000
Image ID:
    00000000000000000000000000000000
VMPL: 0
Signature Algorithm: 1 (ECDSA P-384 with SHA-384)
Platform Version: 03000000000010207
 - Boot Loader SVN:   3
 - TEE SVN:           0
 - SNP firmware SVN: 10
 - Microcode SVN:    207
Platform Info: 0x3
 - SMT Enabled: Yes
Author Key Enabled: Yes
Report Data:
    0000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000
Measurement:
    25ac810f5c4750890fb1a158f097962e04d4d7fb640d1d08
    a99829cf4a70543a47cc6fb192bbe90aa713142361a66155
Host Data:
    0000000000000000000000000000000000000000000000000000000000000000
ID Key Digest:
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
Author Key Digest:
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
Report ID:
    095ff96690717c80615a8feea94e79dfcf008f1c957cd8ab1305c3f049715a15
Migration Agent Report ID:
    ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Reported TCB: 03000000000010207
 - Boot Loader SVN:   3
 - TEE SVN:           0
 - SNP firmware SVN: 10
 - Microcode SVN:    207
Chip ID:
    0000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000
Signature:
  R:
    77f23faa9c8ac604a9572c9e3e4567e0bf5fc04a0c28255c7755997aeeb6f63c0970254a
    db13e4e7ae4720d96f7aa651000000000000000000000000000000000000000000000000
  S:
    6c72dda0b714d38023631cfc30bb3eaf277ce6cec9bcd93f3ab02e366427cbb97c72eb8e
    31f014b9855357e0fe85ea6f000000000000000000000000000000000000000000000000

The measurement indicates a digest (sha384) of the initial boot state 25ac810f5c4750890fb1a158f097962e04d4d7fb640d1d08a99829cf4a70543a47cc6fb192bbe90aa713142361a66155

The release section has some conflicting info about the hashes though:

  • release 20230421 does not match the measurement
    • indicates digest (in release notes) is a58211791a556a630a4319dc9e2ea96cc0e9784dd9f20a4fadf81b26c98d163fcdcb6703884bbbb80d7b1de45b3d84d0
    • if ovmf_img.fd is downloaded and then sha384 calculated produces 2bf3363231d8dc2bdff02aca47a6244b258c4fc2903401d896c17d69e2c193d0ed76ff78767c2749ef774b07855aaf28
  • release 20230516 does not match the measurement
    • indicates digest (in release notes) is SHA256: c00148b844a508f82f5a62f0c023857892e9b9723c89907e41f5fe0a9488c633 but we need sha384
    • calculated ovmf_img.fd is 2707c61c9ad5ecea4b20b1d4df1e2852f5f1bd4b3bc2e43c488f8e0497199c0a55ab784ef9be7fd3d093f271bd042c9d

Can you elaborate in the readme how to link the measurement to the specific release in this repository?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.