Fix: CRN API did not expose CPU features for trusted computing
Trusted computing requires CPU features such as `sev`, `sev_es` and `sev_snp`.

This adds the field `properties.cpu.features` to `/about/usage/system` as a list of CPU features.

Currently, only SEV related features are present, but more can be added, for example `avx2`, `fma` and `f16c`. Adding them will require ensuring that they are actually active and not just present on the CPU via `/proc/cpuinfo`.

This work is based on a proposal to add the relevant field on aleph-message: aleph-im/aleph-message#100
hoh committed Jun 27, 2024
1 parent 4f9b3e6 commit 3f3aaff
Showing 5 changed files with 77 additions and 9 deletions.
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -29,7 +29,7 @@ dependencies = [
"aiodns==3.1.0",
"setproctitle==1.3.3",
"pyyaml==6.0.1",
"aleph-message==0.4.4",
"aleph-message==0.4.7",
"eth-account~=0.10",
"sentry-sdk==1.31.0",
"aioredis==1.3.1",
15 changes: 10 additions & 5 deletions src/aleph/vm/conf.py
Expand Up @@ -16,7 +16,12 @@
from pydantic.env_settings import DotenvType, env_file_sentinel
from pydantic.typing import StrPath

from aleph.vm.utils import check_system_module, file_hashes_differ, is_command_available
from aleph.vm.utils import (
check_amd_sev_es_supported,
check_amd_sev_supported,
file_hashes_differ,
is_command_available,
)

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -384,11 +389,11 @@ def check(self):
), "Command `qemu-system-x86_64` not found, run `apt install qemu-system-x86`"

if self.ENABLE_CONFIDENTIAL_COMPUTING:
assert check_system_module("kvm_amd/parameters/sev") == "Y", "SEV feature isn't enabled, enable it in BIOS"
assert (
check_system_module("kvm_amd/parameters/sev_es") == "Y"
), "SEV-ES feature isn't enabled, enable it in BIOS"
assert self.SEV_CTL_PATH.is_file(), f"File not found {self.SEV_CTL_PATH}"
assert check_amd_sev_supported(), "SEV feature isn't enabled, enable it in BIOS"
assert check_amd_sev_es_supported(), "SEV-ES feature isn't enabled, enable it in BIOS"

# Not available on the test machine yet
# assert check_amd_sev_snp_supported(), "SEV-SNP feature isn't enabled, enable it in BIOS"
assert self.ENABLE_QEMU_SUPPORT, "Qemu Support is needed for confidential computing and it's disabled, "
"enable it setting the env variable `ENABLE_QEMU_SUPPORT=True` in configuration"

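Review bot: The two new checks `assert check_amd_sev_supported(), ...` and `assert check_amd_sev_es_supported(), ...` are `assert` statements, so they are stripped under `python -O` and a node configured with ENABLE_CONFIDENTIAL_COMPUTING=True would then start on a host whose kvm_amd module does not report SEV. The pre-existing checks around them use the same construct, so this may be a deliberate project convention, but for a gate that decides whether confidential VMs are offered an explicit `if not check_amd_sev_supported(): raise ValueError("SEV feature isn't enabled, enable it in BIOS")` (and likewise for SEV-ES) is the safer form. The SEV-SNP check is left commented out with `# Not available on the test machine yet`; extending that comment to `# SEV-SNP is not validated at startup; it is only reported dynamically in /about/usage/system` would stop readers from assuming SNP is enforced here. The `check` method starts before the hunk.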
17 changes: 16 additions & 1 deletion src/aleph/vm/orchestrator/resources.py
Expand Up @@ -12,7 +12,12 @@

from aleph.vm.conf import settings
from aleph.vm.sevclient import SevClient
from aleph.vm.utils import cors_allow_all
from aleph.vm.utils import (
check_amd_sev_es_supported,
check_amd_sev_snp_supported,
check_amd_sev_supported,
cors_allow_all,
)


class Period(BaseModel):
Expand Down Expand Up @@ -90,6 +95,16 @@ def get_machine_properties() -> MachineProperties:
cpu=CpuProperties(
architecture=cpu_info.get("raw_arch_string", cpu_info.get("arch_string_raw")),
vendor=cpu_info.get("vendor_id", cpu_info.get("vendor_id_raw")),
features=list(
filter(
None,
(
"sev" if check_amd_sev_supported() else None,
"sev_es" if check_amd_sev_es_supported() else None,
"sev_snp" if check_amd_sev_snp_supported() else None,
),
)
),
),
)

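Review bot: The `features` list built with `list(filter(None, (...)))` in the new `features=` argument is self-reported by the node from host module parameters, and nothing in the hunk says so; a consumer picking nodes for confidential workloads could read it as a security guarantee rather than a scheduling hint. A comment above it, `# Self-reported from the host's kvm_amd parameters; a scheduler must still verify the guest through attestation (see SevClient) rather than trust this list.`, would make the contract explicit. As a point of style, the filter-of-conditionals is harder to read than a comprehension over name/check pairs: `features=[name for name, supported in (("sev", check_amd_sev_supported()), ("sev_es", check_amd_sev_es_supported()), ("sev_snp", check_amd_sev_snp_supported())) if supported],`. `get_machine_properties` starts before the hunk.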
28 changes: 28 additions & 0 deletions src/aleph/vm/utils/__init__.py
Expand Up @@ -137,6 +137,34 @@ def check_system_module(module_path: str) -> Optional[str]:
return p.read_text().strip()


def check_amd_sev_supported() -> bool:
"""Check if AMD SEV is supported on the system.
AMD Secure Encrypted Virtualization (SEV)
Uses one key per virtual machine to isolate guests and the hypervisor from one another.
"""
return check_system_module("kvm_amd/parameters/sev") == "Y"


def check_amd_sev_es_supported() -> bool:
"""Check if AMD SEV-ES is supported on the system.
AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)
Encrypts all CPU register contents when a VM stops running.
"""
return check_system_module("kvm_amd/parameters/sev_es") == "Y"


def check_amd_sev_snp_supported() -> bool:
"""Check if AMD SEV-SNP is supported on the system.
AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)
Adds strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay,
memory re-mapping, and more in order to create an isolated execution environment.
"""
return check_system_module("kvm_amd/parameters/sev_snp") == "Y"


def fix_message_validation(message: dict) -> dict:
"""Patch a fake message program to pass validation."""
message["item_content"] = json.dumps(message["content"])
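Review bot: The docstrings on `check_amd_sev_supported`, `check_amd_sev_es_supported` and `check_amd_sev_snp_supported` say the feature is "supported on the system", but what the code tests is the kvm_amd module parameter being exactly `"Y"`, which reflects host kernel and BIOS configuration rather than CPU capability, and any other value — including, presumably, `None` from `check_system_module` when the parameter file is absent (that branch is outside the hunk) — yields False. A first line such as `"""Return True if the kvm_amd module reports SEV enabled (parameter ``sev`` == "Y"); False when disabled or when the parameter is absent."""`, adjusted per feature, states the actual contract. The `sev_snp` docstring should additionally say that the parameter only exists on kernels whose kvm_amd implements SNP host support, so False there can mean "unknown" rather than "disabled". The three functions differ only in the parameter name, so a private `_kvm_amd_param_enabled(name: str) -> bool` helper would remove the repetition, though that is optional.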
24 changes: 22 additions & 2 deletions tests/supervisor/test_utils.py
@@ -1,6 +1,11 @@
from unittest import mock

from aleph.vm.utils import check_system_module
from aleph.vm.utils import (
check_amd_sev_es_supported,
check_amd_sev_snp_supported,
check_amd_sev_supported,
check_system_module,
)


def test_check_system_module_enabled():
Expand All @@ -11,9 +16,24 @@ def test_check_system_module_enabled():
):
expected_value = "Y"
with mock.patch(
"pathlib.Path.open",
"aleph.vm.utils.Path.open",
mock.mock_open(read_data=expected_value),
):

output = check_system_module("kvm_amd/parameters/sev_enp")
assert output == expected_value

assert check_amd_sev_supported() is True
assert check_amd_sev_es_supported() is True
assert check_amd_sev_snp_supported() is True

with mock.patch(
"aleph.vm.utils.Path.open",
mock.mock_open(read_data="N"),
):
output = check_system_module("kvm_amd/parameters/sev_enp")
assert output == "N"

assert check_amd_sev_supported() is False
assert check_amd_sev_es_supported() is False
assert check_amd_sev_snp_supported() is False
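Review bot: The new assertions cover only the `"Y"` and `"N"` contents of the mocked file, so the case that matters on non-AMD hosts or on kernels without a `sev_snp` parameter — the file not existing — is never exercised, and a regression in how `check_system_module` handles a missing file (that branch is outside the hunk) would go unnoticed. A third block that patches whichever existence check the helper uses (or makes `aleph.vm.utils.Path.open` raise `FileNotFoundError`, if that is how absence is detected) and asserts all three helpers return False would close that gap. The function is still named `test_check_system_module_enabled` although it now also covers the disabled case; splitting the `"N"` block into its own test, or renaming to `test_check_system_module_and_sev_helpers`, would keep the name honest. The path `kvm_amd/parameters/sev_enp` repeated on the added line looks like a typo of `sev_snp`; it is harmless under the mock but misleading. The enclosing test function starts before the hunk.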
