Describe NSM

raoulstrackx · raoulstrackx · commit 4fa6830a48bd · 2022-01-19T14:39:08.000+01:00
diff --git a/fortanix-vme/nsm/src/lib.rs b/fortanix-vme/nsm/src/lib.rs
@@ -1,6 +1,8 @@
 pub use nitro_attestation_verify::{AttestationDocument, Unverified, NitroError as AttestationError};
 use nsm_io::{ErrorCode, Response, Request};
+pub use nsm_io::Digest;
 pub use serde_bytes::ByteBuf;
+use std::collections::BTreeSet;
 
 pub struct Nsm(i32);
 
@@ -102,6 +104,52 @@ impl TryFrom<Response> for Pcr {
     }
 }
 
+#[derive(Debug, PartialEq)]
+pub struct Description {
+    /// Breaking API changes are denoted by `major_version`
+    pub version_major: u16,
+    /// Minor API changes are denoted by `minor_version`. Minor versions should be backwards compatible.
+    pub version_minor: u16,
+    /// Patch version. These are security and stability updates and do not affect API.
+    pub version_patch: u16,
+    /// `module_id` is an identifier for a singular NitroSecureModule
+    pub module_id: String,
+    /// The maximum number of PCRs exposed by the NitroSecureModule.
+    pub max_pcrs: u16,
+    /// The PCRs that are read-only.
+    pub locked_pcrs: BTreeSet<u16>,
+    /// The digest of the PCR Bank
+    pub digest: Digest,
+}
+
+impl TryFrom<Response> for Description {
+    type Error = Error;
+
+    fn try_from(response: Response) -> Result<Self, Self::Error> {
+        match response {
+            Response::DescribeNSM {
+                version_major,
+                version_minor,
+                version_patch,
+                module_id,
+                max_pcrs,
+                locked_pcrs,
+                digest,
+            } => Ok(Description {
+                    version_major,
+                    version_minor,
+                    version_patch,
+                    module_id,
+                    max_pcrs,
+                    locked_pcrs,
+                    digest,
+                  }),
+            Response::Error(code) => Err(code.into()),
+            _ => Err(Error::InvalidResponse),
+        }
+    }
+}
+
 impl Nsm {
     pub fn new() -> Result<Self, Error> {
         let fd = nsm_driver::nsm_init();
@@ -162,6 +210,10 @@ impl Nsm {
             _                     => Err(Error::InvalidResponse),
         }
     }
+
+    pub fn describe(&self) -> Result<Description, Error> {
+        nsm_driver::nsm_process_request(self.0, Request::DescribeNSM).try_into()
+    }
 }
 
 impl Drop for Nsm {
diff --git a/fortanix-vme/tests/nsm-test/src/main.rs b/fortanix-vme/tests/nsm-test/src/main.rs
@@ -1,4 +1,4 @@
-use nsm::{ByteBuf, Nsm};
+use nsm::{ByteBuf, Digest, Nsm};
 
 fn main() {
     let mut nsm = Nsm::new().unwrap();
@@ -44,4 +44,13 @@ fn main() {
         println!("#pcr{} = {:?}", pcr, nsm.describe_pcr(pcr));
         assert_eq!(nsm.describe_pcr(pcr).map(|val| val.locked), Ok(pcr < 18));
     }
+
+    println!("# nsm description: {:#?}", nsm.describe().unwrap());
+    let description = nsm.describe().unwrap();
+    assert_eq!(description.version_major, 1);
+    assert_eq!(description.version_minor, 0);
+    assert_eq!(description.version_patch, 0);
+    assert_eq!(description.max_pcrs, 32);
+    assert_eq!(description.locked_pcrs.iter().count(), 18);
+    assert_eq!(description.digest, Digest::SHA384);
 }
