Merge pull request google#148 from katexochen/platform-info-update

abi: parse PlatformInfo form v3 report and badram mitigation
edgelesssys · Jan 16, 2025 · b5e708c · b5e708c
2 parents ef2fcc0 + ccd51e9
commit b5e708c
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 5 deletions.
diff --git a/abi/abi.go b/abi/abi.go
@@ -73,7 +73,7 @@ const (
 	policyDebugBit        = 19
 	policySingleSocketBit = 20
 
-	maxPlatformInfoBit = 1
+	maxPlatformInfoBit = 5
 
 	signatureOffset = 0x2A0
 	ecdsaRSsize     = 72 // From the ECDSA-P384-SHA384 format in SEV SNP API specification.
@@ -186,6 +186,16 @@ type SnpPlatformInfo struct {
 	// TSMEEnabled represents if the platform that produced the attestation report has transparent
 	// secure memory encryption (TSME) enabled.
 	TSMEEnabled bool
+	// ECCEnabled indicates that the platform is using error correcting codes for memory.
+	// Present when EccMemReporting feature bit is set.
+	ECCEnabled bool
+	// RAPLDisabled indicates that the RAPL is disabled.
+	RAPLDisabled bool
+	// CiphertextHidingDRAMEnabled indicates cypher text hiding is enabled for DRAM.
+	CiphertextHidingDRAMEnabled bool
+	// AliasCheckComplete indicates that alias detection has completed since the last system reset and there are no aliasing addresses.
+	// Mitigation for https://badram.eu/, see https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3015.html#mitigation.
+	AliasCheckComplete bool
 }
 
 // SnpPolicy represents the bitmask guest policy that governs the VM's behavior from launch.
@@ -244,8 +254,12 @@ func SnpPolicyToBytes(policy SnpPolicy) uint64 {
 // unrecognized bits.
 func ParseSnpPlatformInfo(platformInfo uint64) (SnpPlatformInfo, error) {
 	result := SnpPlatformInfo{
-		SMTEnabled:  (platformInfo & (1 << 0)) != 0,
-		TSMEEnabled: (platformInfo & (1 << 1)) != 0,
+		SMTEnabled:                  (platformInfo & (1 << 0)) != 0,
+		TSMEEnabled:                 (platformInfo & (1 << 1)) != 0,
+		ECCEnabled:                  (platformInfo & (1 << 2)) != 0,
+		RAPLDisabled:                (platformInfo & (1 << 3)) != 0,
+		CiphertextHidingDRAMEnabled: (platformInfo & (1 << 4)) != 0,
+		AliasCheckComplete:          (platformInfo & (1 << 5)) != 0,
 	}
 	reserved := platformInfo & ^uint64((1<<(maxPlatformInfoBit+1))-1)
 	if reserved != 0 {

diff --git a/abi/abi_test.go b/abi/abi_test.go
@@ -236,8 +236,35 @@ func TestSnpPlatformInfo(t *testing.T) {
 			want:  SnpPlatformInfo{TSMEEnabled: true, SMTEnabled: true},
 		},
 		{
-			input:   4,
-			wantErr: "unrecognized platform info bit(s): 0x4",
+			input: 21,
+			want: SnpPlatformInfo{
+				SMTEnabled:                  true,
+				ECCEnabled:                  true,
+				CiphertextHidingDRAMEnabled: true,
+			},
+		},
+		{
+			input: 42,
+			want: SnpPlatformInfo{
+				TSMEEnabled:        true,
+				RAPLDisabled:       true,
+				AliasCheckComplete: true,
+			},
+		},
+		{
+			input: 63,
+			want: SnpPlatformInfo{
+				TSMEEnabled:                 true,
+				SMTEnabled:                  true,
+				ECCEnabled:                  true,
+				RAPLDisabled:                true,
+				CiphertextHidingDRAMEnabled: true,
+				AliasCheckComplete:          true,
+			},
+		},
+		{
+			input:   64,
+			wantErr: "unrecognized platform info bit(s): 0x40",
 		},
 	}
 	for _, tc := range tests {