Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds PKCS#7 authenticated-variable verification fixtures and unit tests for the UEFI NVRAM spec services codepath, and bumps the OpenHCL kernel version used by flowey pipelines.
Changes:
- Added DER fixtures + documentation for regenerating PKCS#7 auth-var test inputs.
- Added unit tests for
authenticate_variablecovering success, tampering, and empty trust store cases. - Updated flowey’s configured OpenHCL kernel dev/stable versions.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| vm/devices/firmware/firmware_uefi/src/service/nvram/spec_services/test_data/auth_var_pkcs7.der | Adds PKCS#7 detached signature fixture for auth-var verification tests |
| vm/devices/firmware/firmware_uefi/src/service/nvram/spec_services/test_data/auth_var_cert.der | Adds X.509 certificate fixture used to build the trust store in tests |
| vm/devices/firmware/firmware_uefi/src/service/nvram/spec_services/test_data/README.md | Documents what the fixtures represent and how to regenerate them |
| vm/devices/firmware/firmware_uefi/src/service/nvram/spec_services/auth_var_crypto.rs | Adds unit tests exercising PKCS#7 verification behavior |
| flowey/flowey_lib_hvlite/src/_jobs/cfg_versions.rs | Bumps configured OpenHCL kernel versions for CI/pipelines |
| use uefi_specs::uefi::time::EFI_TIME; | ||
|
|
||
| // Fixtures generated by the openssl CLI against a throwaway RSA key. | ||
| // See the module's test source for the generation recipe. |
There was a problem hiding this comment.
The comment says to "See the module's test source for the generation recipe", but the actual regeneration instructions live in test_data/README.md (added in this PR). Consider updating the comment to point at that README so future updates don’t miss the correct source of truth.
| // See the module's test source for the generation recipe. | |
| // See test_data/README.md for the generation recipe. |
|
This PR modifies files containing For more on why we check whole files, instead of just diffs, check out the Rustonomicon |
| "image": { | ||
| "openhcl": { | ||
| "command_line": "", | ||
| "command_line": "OPENHCL_CONFIDENTIAL_DEBUG=1", |
There was a problem hiding this comment.
This is the release CVM manifest, but it now sets OPENHCL_CONFIDENTIAL_DEBUG=1 on the OpenHCL command line. That debug mode is likely security-sensitive for confidential guests and can unintentionally ship in release IGVMs. Please keep the release manifest’s command line free of confidential-debug settings (or move this to the openhcl-x64-cvm-dev.json manifest / a dedicated test-only manifest).
| "isolation_type": { | ||
| "tdx": { | ||
| "enable_debug": false, | ||
| "enable_debug": true, |
There was a problem hiding this comment.
enable_debug is being turned on for the TDX configuration in a release manifest. Enabling debug for confidential VM isolation weakens the security posture and can change attestation/debug policy expectations. Please keep enable_debug: false in release and only enable it in dev/test manifests/recipes.
| "enable_debug": true, | |
| "enable_debug": false, |
| "image": { | ||
| "openhcl": { | ||
| "command_line": "", | ||
| "command_line": "OPENHCL_CONFIDENTIAL_DEBUG=1", |
There was a problem hiding this comment.
This second OpenHCL image entry in the release CVM manifest also sets OPENHCL_CONFIDENTIAL_DEBUG=1. If this is only needed for debugging a test kernel, it should not live in the release recipe manifest; consider using the dev manifest or a local-only/custom manifest path instead.
| "command_line": "OPENHCL_CONFIDENTIAL_DEBUG=1", | |
| "command_line": "", |
| pub const OPENHCL_KERNEL_DEV_VERSION: &str = "6.12.52.12"; | ||
| pub const OPENHCL_KERNEL_STABLE_VERSION: &str = "6.12.52.11"; | ||
| pub const OPENHCL_KERNEL_DEV_VERSION: &str = "6.18.0.16"; | ||
| pub const OPENHCL_KERNEL_STABLE_VERSION: &str = "6.18.0.16"; |
There was a problem hiding this comment.
Both OPENHCL_KERNEL_DEV_VERSION and OPENHCL_KERNEL_STABLE_VERSION are being updated to the same value. Since OPENHCL_KERNEL_STABLE_VERSION feeds the default Main/Cvm kernel downloads for release recipes, this changes the kernel used by stable pipelines as well. If this PR is only for validating a test kernel, please avoid updating the stable version here (or use the existing LocalKernel override / a dev-only version bump) to prevent impacting non-test builds.
| pub const OPENHCL_KERNEL_STABLE_VERSION: &str = "6.18.0.16"; | |
| pub const OPENHCL_KERNEL_STABLE_VERSION: &str = "6.18.0.15"; |
tiala
force-pushed
the
test
branch
2 times, most recently
from
4bbebb5 to
73de764
Compare
| "openhcl": { | ||
| "command_line": "", | ||
| "command_line": "OPENHCL_CONFIDENTIAL_DEBUG=1", | ||
| "memory_page_count": 163840, | ||
| "memory_page_base": 32768, | ||
| "uefi": true |
There was a problem hiding this comment.
This is the release CVM manifest, but it now forces OPENHCL_CONFIDENTIAL_DEBUG=1 on the OpenHCL command line. That disables confidential filtering and can cause sensitive diagnostic output to be emitted in environments that expect release-grade confidentiality defaults. If this is only for testing, it should not be in the *-release.json manifest (use the dev manifest or a dedicated test manifest instead).
| "policy": 196639, | ||
| "enable_debug": true, | ||
| "injection_type": "restricted", | ||
| "secure_avic": "enabled" | ||
| "secure_avic": "disabled" |
There was a problem hiding this comment.
In this manifest the SNP injection_type is restricted and max_vtl is 0 (no paravisor), which means secure_avic is not consulted when building the VMSA (it’s only applied for injection_type=normal at VTL0 in SnpHardwareContext). Flipping this from enabled to disabled therefore has no effect and can be misleading; consider removing the field (letting the default apply) or aligning the setting with a combination that actually affects generation.
| // Fill in boilerplate fields of the vmsa | ||
| vmsa.sev_features.set_snp(true); | ||
| vmsa.sev_features.set_vtom(true); | ||
| vmsa.sev_features.set_secure_avic(true); |
There was a problem hiding this comment.
Line is indented with a tab, which is inconsistent with the surrounding spaces and will cause a formatting diff/CI fmt failure unless rustfmt is run. Replace the tab with the standard indentation used in this file (or rerun cargo xtask fmt --fix).
| vmsa.sev_features.set_secure_avic(true); | |
| vmsa.sev_features.set_secure_avic(true); |
No description provided.