-
Notifications
You must be signed in to change notification settings - Fork 6
feat(fw): implement GetUnwrappingKey DDI handler #501
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
87cbadf
feat(fw): implement GetUnwrappingKey DDI handler
jaygmsft d9a6e38
fix(fw): address GetUnwrappingKey review feedback
jaygmsft 6bce42c
fix(fw): drive GetUnwrappingKey off the partition property model
jaygmsft fc3f54b
Apply remaining changes
Copilot 20bdf6a
Merge branch 'main' into user/jayg/get_unwrap_key
jaygmsft File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
107 changes: 107 additions & 0 deletions
107
ddi/mbor/types/tests/integration/get_unwrapping_key_smoke.rs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
|
|
||
| //! GetUnwrappingKey smoke tests. | ||
| //! | ||
| //! - Happy path: with an open session, the command returns an RSA-2048 | ||
| //! public key and a vault key id. We intentionally do *not* assert | ||
| //! on `masked_key` — the firmware emits an empty placeholder until | ||
| //! vault-key masking is wired up — nor on the exact `key_id` value, | ||
| //! which is an opaque handle (the sim backend legitimately assigns | ||
| //! `0`). | ||
| //! - Stability: two calls on the same partition return the same key id | ||
| //! and public-key bytes — the key is partition-cached and lazily | ||
| //! generated on first use. | ||
| //! - Without a session: rejected with `FileHandleSessionIdDoesNotMatch` | ||
| //! by the host-side dev validator before the request reaches firmware. | ||
|
|
||
| #![cfg(test)] | ||
|
|
||
| use azihsm_ddi::*; | ||
| use azihsm_ddi_mbor_types::*; | ||
| use test_with_tracing::test; | ||
|
|
||
| use super::common::*; | ||
|
|
||
| #[test] | ||
| fn test_get_unwrapping_key_smoke() { | ||
| ddi_dev_test( | ||
| common_setup, | ||
| common_cleanup, | ||
| |dev, _ddi, _path, session_id| { | ||
| let resp = helper_get_unwrapping_key( | ||
| dev, | ||
| Some(session_id), | ||
| Some(DdiApiRev { major: 1, minor: 0 }), | ||
| ) | ||
| .expect("get_unwrapping_key should succeed"); | ||
|
|
||
| assert_eq!(resp.hdr.op, DdiOp::GetUnwrappingKey); | ||
| assert_eq!(resp.hdr.status, DdiStatus::Success); | ||
| assert_eq!(resp.hdr.sess_id, Some(session_id)); | ||
|
|
||
| assert!( | ||
| !resp.data.pub_key.der.is_empty(), | ||
| "unwrap pub_key must be non-empty" | ||
| ); | ||
| assert_eq!( | ||
| resp.data.pub_key.key_kind, | ||
| DdiKeyType::Rsa2kPublic, | ||
| "unwrap key must be RSA-2048" | ||
| ); | ||
| }, | ||
| ); | ||
| } | ||
|
|
||
| #[test] | ||
| fn test_get_unwrapping_key_stable_across_calls_smoke() { | ||
| ddi_dev_test( | ||
| common_setup, | ||
| common_cleanup, | ||
| |dev, _ddi, _path, session_id| { | ||
| let r1 = helper_get_unwrapping_key( | ||
| dev, | ||
| Some(session_id), | ||
| Some(DdiApiRev { major: 1, minor: 0 }), | ||
| ) | ||
| .expect("first get_unwrapping_key"); | ||
| let r2 = helper_get_unwrapping_key( | ||
| dev, | ||
| Some(session_id), | ||
| Some(DdiApiRev { major: 1, minor: 0 }), | ||
| ) | ||
| .expect("second get_unwrapping_key"); | ||
|
|
||
| assert_eq!( | ||
| r1.data.key_id, r2.data.key_id, | ||
| "repeat call must return the same key id" | ||
| ); | ||
| assert_eq!( | ||
| r1.data.pub_key.der.as_slice(), | ||
| r2.data.pub_key.der.as_slice(), | ||
| "repeat call must return the same pub_key bytes" | ||
| ); | ||
| }, | ||
| ); | ||
| } | ||
|
|
||
| #[test] | ||
| fn test_get_unwrapping_key_no_session_smoke() { | ||
| ddi_dev_test( | ||
| common_setup, | ||
| common_cleanup, | ||
| |dev, _ddi, _path, _session_id| { | ||
| let err = helper_get_unwrapping_key(dev, None, Some(DdiApiRev { major: 1, minor: 0 })) | ||
| .expect_err("must be rejected without a session"); | ||
|
|
||
| assert!( | ||
| matches!( | ||
| err, | ||
| DdiError::DdiStatus(DdiStatus::FileHandleSessionIdDoesNotMatch) | ||
| ), | ||
| "expected FileHandleSessionIdDoesNotMatch, got {:?}", | ||
| err | ||
| ); | ||
| }, | ||
| ); | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT License. | ||
|
|
||
| //! DDI GetUnwrappingKey command handler. | ||
| //! | ||
| //! Within an open session, return the partition's RSA-2048 *unwrapping* | ||
| //! key — the public key (raw wire `n_le ‖ e_le`) plus its vault key id, | ||
| //! used by the host to RSA-AES key-wrap a payload for | ||
| //! [`RsaUnwrap`](super::DdiOp::RsaUnwrap). | ||
| //! | ||
| //! The unwrapping key is materialised by the PAL and cached for the | ||
| //! partition's current enabled incarnation — it is dropped (and its | ||
| //! vault slot deleted) when the partition is disabled or freed, and | ||
| //! regenerated on the next request after a re-enable. RSA key | ||
| //! generation is expensive, so it is never done at partition enable: | ||
| //! the std (emulator) PAL generates it lazily on the first call, while | ||
| //! hardware PALs generate it in the background from partition init and | ||
| //! report `PendingKeyGeneration` until it is ready, prompting the host | ||
| //! to retry. | ||
|
|
||
| use azihsm_fw_ddi_mbor_types::get_unwrapping_key::DdiGetUnwrappingKeyReq; | ||
| use azihsm_fw_ddi_mbor_types::get_unwrapping_key::DdiGetUnwrappingKeyResp; | ||
| use azihsm_fw_ddi_mbor_types::DdiPublicKeyFrameParams; | ||
|
|
||
| use super::*; | ||
|
|
||
| /// Handle `DdiGetUnwrappingKeyCmd`. | ||
| pub(crate) async fn get_unwrapping_key<'p, P: HsmPal>( | ||
| pal: &'p P, | ||
| io: &impl HsmIo, | ||
| decoder: &mut DdiDecoder<'_>, | ||
| hdr: &DdiReqHdr, | ||
| ) -> HsmResult<&'p DmaBuf> { | ||
| let _body: DdiGetUnwrappingKeyReq = decoder.decode_data()?; | ||
| let sess_id = hdr.sess_id.ok_or(HsmError::SessionExpected)?; | ||
|
|
||
| // Ensure the partition's RSA-2048 unwrapping key exists (generated | ||
| // lazily by the std PAL, or in the background on hardware) and get | ||
| // its vault key id. On hardware this may return | ||
| // `PendingKeyGeneration` while generation is in flight, which the | ||
| // host retries. | ||
| let key_id = pal.part_ensure_unwrapping_key(io).await?; | ||
|
|
||
| // Query the wire length of the unwrapping public key derived from | ||
| // the vault-stored private key — no separate public key is cached | ||
| // (matches the reference firmware). The actual serialization writes | ||
| // straight into the reserved response slot below. | ||
| let priv_key = pal.vault_key(io, key_id)?; | ||
| let pub_len = pal.rsa_priv_pub_key(io, priv_key, None)?; | ||
|
|
||
|
jaygmsft marked this conversation as resolved.
|
||
| // `masked_key` is the host's opaque re-import blob; firmware-side | ||
| // masking is pending the corresponding unmask path — emit an empty | ||
| // placeholder for now so the response is wire-valid. | ||
| let (resp, layout) = pal.dma_alloc_var_with(io, |buf| { | ||
| let mut encoder = super::encode_resp_hdr( | ||
| &super::success_hdr_sess(hdr, DdiOp::GetUnwrappingKey, sess_id), | ||
| buf, | ||
| )?; | ||
| let layout = DdiGetUnwrappingKeyResp::reserve( | ||
| &mut encoder, | ||
| u16::from(key_id), | ||
| DdiPublicKeyFrameParams { | ||
| raw_len: pub_len, | ||
| key_kind: DdiKeyType::Rsa2kPublic, | ||
| }, | ||
| 0, /* masked_key length — empty placeholder */ | ||
| )?; | ||
| Ok((encoder.position(), layout)) | ||
| })?; | ||
|
|
||
| // Serialize the wire-format public key directly into the frame's | ||
| // reserved slot — the PAL converts its vault representation into the | ||
| // wire form (incl. any big-endian↔little-endian flip). | ||
| let frame = DdiGetUnwrappingKeyResp::from_layout(resp, &layout); | ||
| pal.rsa_priv_pub_key(io, priv_key, Some(frame.pub_key.raw))?; | ||
|
|
||
|
jaygmsft marked this conversation as resolved.
|
||
| Ok(resp) | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.