29 changes: 16 additions & 13 deletions openhcl/underhill_attestation/src/lib.rs
Expand Up @@ -678,10 +678,10 @@ async fn get_derived_keys(

let requires_gsp = is_gsp
|| response.extended_status_flags.requires_rpc_server()
|| matches!(
|| (matches!(
guest_state_encryption_policy,
GuestStateEncryptionPolicy::GspKey
);
) && strict_encryption_policy);
Comment on lines +681 to +684

Copilot AI Sep 30, 2025


[nitpick] The parentheses around the matches! expression create unnecessary complexity. The logical precedence already ensures correct evaluation without the extra parentheses.



// If the VMGS is encrypted, but no key protection data is found,
// assume GspById encryption is enabled, but no ID file was written.
Expand Down Expand Up @@ -889,18 +889,21 @@ async fn get_derived_keys(
if no_kek && no_gsp {
if matches!(
guest_state_encryption_policy,
GuestStateEncryptionPolicy::None
GuestStateEncryptionPolicy::GspById | GuestStateEncryptionPolicy::Auto
) {
tracing::info!(CVM_ALLOWED, "Using GspById");
} else {
// Log a warning here to indicate that the VMGS state is out of
// sync with the VM's configuration.
//
// This should only happen if the VM is configured to
// have no encryption, but it already has GspById encryption
// and strict encryption policy is disabled.
// This should only happen if strict encryption policy is
// disabled and one of the following is true:
// - The VM is configured to have no encryption, but it already
// has GspById encryption.
// - The VM is configured to use GspKey, but GspKey is not
// available and GspById is.
tracing::warn!(CVM_ALLOWED, "Allowing GspById");
} else {
tracing::info!(CVM_ALLOWED, "Using GspById");
}
};

// Not required for Id protection
key_protector_settings.should_write_kp = false;
Expand Down Expand Up @@ -968,7 +971,7 @@ async fn get_derived_keys(
derived_keys.ingress = ingress_key;
}
} else {
tracing::info!(CVM_ALLOWED, "Using GSP.");
tracing::info!(CVM_ALLOWED, "Using existing GSP.");

ingress_seed = Some(
gsp_response.decrypted_gsp[ingress_idx].buffer
Expand Down Expand Up @@ -1034,17 +1037,17 @@ async fn get_derived_keys(

if matches!(
guest_state_encryption_policy,
GuestStateEncryptionPolicy::None | GuestStateEncryptionPolicy::GspById
GuestStateEncryptionPolicy::GspKey | GuestStateEncryptionPolicy::Auto
) {
tracing::info!(CVM_ALLOWED, "Using Gsp");
} else {
// Log a warning here to indicate that the VMGS state is out of
// sync with the VM's configuration.
//
// This should only happen if the VM is configured to have no
// encryption or GspById encryption, but it already has GspKey
// encryption and strict encryption policy is disabled.
tracing::warn!(CVM_ALLOWED, "Allowing Gsp");
} else {
tracing::info!(CVM_ALLOWED, "Using Gsp");
}

Ok(DerivedKeyResult {
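Review bot: In the `no_kek && no_gsp` hunk, the `else` arm logs the same `"Allowing GspById"` warning for both cases its comment lists, a VM configured for no encryption that already has GspById and a VM configured for GspKey that is falling back to GspById, so a fallback from the configured GspKey policy cannot be told apart from stale VMGS state in the logs. Recording the configured policy on the event would separate them, e.g. `tracing::warn!(CVM_ALLOWED, policy = ?guest_state_encryption_policy, "Allowing GspById");`, assuming the enum implements `Debug` and the value is acceptable to emit under `CVM_ALLOWED`. The arm is also a catch-all: every policy other than `GspById | Auto` lands in it, and nothing in the visible lines checks `strict_encryption_policy` at that point, so the comment's "should only happen if strict encryption policy is disabled" depends on code outside the hunk. An exhaustive `match` on the policy would turn a newly added variant into a compile error instead of a warn-and-continue. The same applies to the `"Allowing Gsp"` branch in the last hunk; `get_derived_keys` starts and ends outside all four hunks.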
8 changes: 4 additions & 4 deletions vm/devices/get/get_protocol/src/dps_json.rs
Expand Up @@ -123,11 +123,11 @@ pub enum GuestStateEncryptionPolicy {
/// strict encryption policy is enabled. Fails if the data cannot be
/// encrypted.
GspById,
/// Require GspKey.
/// Prefer (or require, if strict) GspKey.
///
/// VMs will be created as or migrated to GspKey. Fails if GspKey is
/// not available. Strict encryption policy has no effect here since
/// GspKey is currently the most secure policy.
/// VMs will be created as or migrated to GspKey. GspById encryption will
/// be used if GspKey is unavailable unless strict encryption policy is
/// enabled. Fails if the data cannot be encrypted.
GspKey,
/// Use hardware sealing
// TODO: update this doc comment once hardware sealing is implemented
8 changes: 4 additions & 4 deletions vm/vmgs/vmgs_resources/src/lib.rs
Expand Up @@ -92,11 +92,11 @@ pub enum GuestStateEncryptionPolicy {
/// strict encryption policy is enabled. Fails if the data cannot be
/// encrypted.
GspById(bool),
/// Require GspKey.
/// Prefer (or require, if strict) GspKey.
///
/// VMs will be created as or migrated to GspKey. Fails if GspKey is
/// not available. Strict encryption policy has no effect here since
/// GspKey is currently the most secure policy.
/// VMs will be created as or migrated to GspKey. GspById encryption will
/// be used if GspKey is unavailable unless strict encryption policy is
/// enabled. Fails if the data cannot be encrypted.
GspKey(bool),
}
