Refactoring TDX specific types to correct places

- `verify` function now is part of `ReportMac` instead of
  `TdxReportV1`, although maintaining compatibility that the `verify`
  function still exists in `TdxReportV1`
- Move the internal `tdx_arch` module to be part of entire `arch`
  module in the crate.
- Move `ReportMac` to the main crate level instead of under `tdx`
  module namespace
- Move all `TdxError` crates out as it is more relevant to `tdx-ql`
  crate. The error from SGX-ISA should be only the `ErrorCode` types.
  `TdxError` is not part of the ISA.

Author: gilanghamidy

intel-sgx/aesm-client/Cargo.toml

@@ -27,7 +27,7 @@ test-sgx = []
 [dependencies]
 # Project dependencies
 sgxs = { version = "0.8.0", path = "../sgxs", optional = true }
-sgx-isa = { version = "0.4.0", path = "../sgx-isa"}
+sgx-isa = { version = "0.4.1", path = "../sgx-isa"}
 
 # External dependencies
 byteorder = "1.0"          # Unlicense/MIT
@@ -53,6 +53,6 @@ libloading = "0.5.2"
 protobuf-codegen = "3" # MIT
 
 [dev-dependencies]
-sgx-isa = { version = "0.4.0", path = "../sgx-isa" }
+sgx-isa = { version = "0.4.1", path = "../sgx-isa" }
 "report-test" = { version = "0.5.0", path = "../report-test" }
 "sgxs-loaders" = { version = "0.5.0", path = "../sgxs-loaders" }

intel-sgx/sgx-isa/src/arch.rs

@@ -15,6 +15,10 @@ pub struct Align16<T>(pub T);
 #[repr(align(128))]
 pub struct Align128<T>(pub T);
 
+/// Wrapper struct to force 256-byte alignment.
+#[repr(align(256))]
+pub struct Align256<T>(pub T);
+
 /// Wrapper struct to force 512-byte alignment.
 #[repr(align(512))]
 pub struct Align512<T>(pub T);
@@ -70,3 +74,26 @@ pub fn ereport(
         report.assume_init()
     }
 }
+
+/// Call the `EVERIFYREPORT2` instruction to verify a REPORT MAC struct.
+/// The concrete type is [`crate::ReportMac`].
+pub fn everifyreport2(tdx_report_mac: &Align256<[u8; 256]>) -> Result<(), u32> {
+    unsafe {
+        let error: u32;
+        asm!(
+            "xchg %rbx, {0}",
+            "enclu",
+            "mov {0}, %rbx",
+            "jz 1f",
+            "xor %eax, %eax",
+            "1:",
+            inout(reg) tdx_report_mac => _,
+            inlateout("eax") Enclu::EVerifyReport2 as u32 => error,
+            options(att_syntax, nostack),
+        );
+        match error {
+            0 => Ok(()),
+            err => Err(err),
+        }
+    }
+}

intel-sgx/sgx-isa/src/large_array_impl.rs

@@ -288,3 +288,18 @@ impl ::core::fmt::Debug for Keyrequest {
         }
     }
 }
+
+impl ::core::fmt::Debug for ReportMac {
+    fn fmt(&self, f: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result {
+        f.debug_struct("ReportMac")
+            .field("report_type", &self.report_type)
+            .field("reserved1", &self.reserved1)
+            .field("cpu_svn", &self.cpu_svn)
+            .field("tee_tcb_info_hash", &self.tee_tcb_info_hash)
+            .field("tee_info_hash", &self.tee_info_hash)
+            .field("report_data", &self.report_data)
+            .field("reserved2", &self.reserved2)
+            .field("mac", &self.mac)
+            .finish()
+    }
+}

intel-sgx/sgx-isa/src/lib.rs

@@ -305,6 +305,7 @@ pub enum ErrorCode {
     PageAttributesMismatch =  19,
     PageNotModifiable      =  20,
     PageNotDebuggable      =  21,
+    InvalidReportMacStruct =  28,
     InvalidCpusvn          =  32,
     InvalidIsvsvn          =  64,
     UnmaskedEvent          = 128,
@@ -702,7 +703,7 @@ impl Report {
     /// implementation of the verifying function.
     ///
     /// Care should be taken that `check_mac` prevents timing attacks,
-    /// in particular that the comparison happens in constant time. 
+    /// in particular that the comparison happens in constant time.
     #[cfg(target_env = "sgx")]
     pub fn verify<F, R>(&self, check_mac: F) -> R
     where
@@ -808,6 +809,100 @@ impl Default for Keypolicy {
     }
 }
 
+struct_def! {
+    /// Rust definition of `REPORTTYPE` from `REPORTMACSTRUCT`.
+    ///
+    /// Ref: Intel® Trust Domain CPU Architectural Extensions, table 2-4.
+    /// Version: 343754-002US, MAY 2021
+    /// Link: <https://cdrdv2.intel.com/v1/dl/getContent/733582>
+    #[repr(C, align(4))]
+    #[derive(Clone, Debug, Default, Eq, PartialEq)]
+    pub struct TeeReportType {
+        /// Trusted Execution Environment(TEE) type:
+        ///   0x00:      SGX Legacy REPORT TYPE
+        ///   0x7F-0x01: Reserved
+        ///   0x80:      Reserved
+        ///   0x81:      TEE Report type 2
+        ///   0xFF-0x82: Reserved
+        pub report_type: u8,
+        /// TYPE-specific subtype, Stage1: value is 0
+        pub subtype: u8,
+        /// TYPE-specific version, Stage1: value is 0
+        pub version: u8,
+        pub reserved: u8,
+    }
+}
+
+impl TeeReportType {
+    pub const UNPADDED_SIZE: usize = 4;
+}
+
+/// SHA384 hash size in bytes
+pub const HASH_384_SIZE: usize = 48;
+/// SHA384 hash
+pub type Sha384Hash = [u8; HASH_384_SIZE];
+
+pub const CPU_SVN_SIZE: usize = 16;
+pub const REPORT_MAC_STRUCT_SIZE: usize = 256;
+pub const REPORT_MAC_STRUCT_RESERVED1_BYTES: usize = 12;
+pub const REPORT_MAC_STRUCT_RESERVED2_BYTES: usize = 32;
+pub const REPORT_DATA_SIZE: usize = 64;
+
+/// Message SHA 256 HASH Code - 32 bytes
+pub const TEE_MAC_SIZE: usize = 32;
+
+
+struct_def! {
+/// Rust definition of `REPORTMACSTRUCT`, used by TDX `TDREPORT_STRUCT`
+/// and the future 256BITSGX
+///
+/// Ref: Intel® Trust Domain CPU Architectural Extensions, table 2-5.
+/// Version: 343754-002US, MAY 2021
+/// Link TDX: <https://cdrdv2.intel.com/v1/dl/getContent/733582>
+/// Link 256BITSGX: <https://cdrdv2-public.intel.com/851355/319433-057-architecture-instruction-set-extensions-programming-reference.pdf>
+#[repr(C, align(256))]
+#[cfg_attr(
+    feature = "large_array_derive",
+    derive(Clone, Debug, Eq, PartialEq)
+)]
+pub struct ReportMac {
+    /// (  0) TEE Report type
+    pub report_type: TeeReportType,
+    /// (  4) Reserved, must be zero
+    pub reserved1: [u8; REPORT_MAC_STRUCT_RESERVED1_BYTES],
+    /// ( 16) Security Version of the CPU
+    pub cpu_svn: [u8; CPU_SVN_SIZE],
+    /// ( 32) SHA384 of TEE_TCB_INFO for TEEs
+    pub tee_tcb_info_hash: Sha384Hash,
+    /// ( 80) SHA384 of TEE_INFO
+    pub tee_info_hash: Sha384Hash,
+    /// (128) Data provided by the user
+    pub report_data: [u8; REPORT_DATA_SIZE],
+    /// (192) Reserved, must be zero
+    pub reserved2: [u8; REPORT_MAC_STRUCT_RESERVED2_BYTES],
+    /// (224) The Message Authentication Code over this structure
+    pub mac: [u8; TEE_MAC_SIZE],
+}
+}
+
+impl ReportMac {
+    pub const UNPADDED_SIZE: usize = 256;
+
+    #[cfg(target_env = "sgx")]
+    pub fn verify(&self) -> Result<(), ErrorCode> {
+        arch::everifyreport2(self.as_ref())
+            // Same as `egetkey` reasoning: unwrap is okay here
+            .map_err(|e| ErrorCode::try_from(e).unwrap())
+    }
+}
+
+#[cfg(target_env = "sgx")]
+impl AsRef<arch::Align256<[u8; ReportMac::UNPADDED_SIZE]>> for ReportMac {
+    fn as_ref(&self) -> &arch::Align256<[u8; Self::UNPADDED_SIZE]> {
+        unsafe { &*(self as *const _ as *const _) }
+    }
+}
+
 #[test]
 fn test_eq() {
     let mut a = Keyrequest::default();