Skip to content

IGVMfilegen: Sign hash of ID block with temporary key#3832

Merged
jennagoddard merged 11 commits into
microsoft:mainfrom
jennagoddard:idblock
Jul 2, 2026
Merged

IGVMfilegen: Sign hash of ID block with temporary key#3832
jennagoddard merged 11 commits into
microsoft:mainfrom
jennagoddard:idblock

Conversation

@jennagoddard

Copy link
Copy Markdown
Contributor

No description provided.

Copilot AI review requested due to automatic review settings June 27, 2026 00:00

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the IGVM file generator’s SNP measurement path to additionally emit an IgvmDirectiveHeader::SnpIdBlock directive by generating a temporary ECDSA P-384 keypair and signing the SHA-384 hash of the SNP ID block. To support this, the measurement generation APIs are adjusted to allow mutation of the directive list, and symcrypt is added as a dependency for ECC signing/key export.

Changes:

  • Emit a temporarily-signed SNP ID block directive during SNP measurement generation (using SymCrypt ECDSA P-384).
  • Adjust measurement-generation interfaces to take a mutable directive vector so the SNP path can append directives.
  • Add symcrypt as a dependency for igvmfilegen.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
vm/loader/igvmfilegen/src/signed_measurement/snp.rs Adds temp key generation + ECDSA signature/public key export and pushes a SnpIdBlock directive during SNP measurement generation.
vm/loader/igvmfilegen/src/file_loader.rs Updates the measurement-generation trait and call sites to pass a mutable directives Vec (enabling SNP to append directives).
vm/loader/igvmfilegen/Cargo.toml Adds symcrypt as a direct dependency for the new SNP signing code.

Comment on lines +228 to +233
// Generate a temporary key and sign the ID block hash.
let (id_key_signature, id_public_key) = sign_id_block_with_temp_key(&psp_id_block)?;
directive_headers.push(IgvmDirectiveHeader::SnpIdBlock {
compatibility_mask: DEFAULT_COMPATIBILITY_MASK,
author_key_enabled: 0,
reserved: [0; 3],

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes this is expected for non release builds

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should make sure Ben is aware of this as it might impact his reproducible build work

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@benhillis fyi the IGVM file for non-release\shipping builds will contain an ID block for SNP VMs signed with a temp key. This only impacts the igvm file not the build itself

@mingweishih

Copy link
Copy Markdown
Contributor

Can you check if this change can also be done with signed_measurement upstreamed to igvm (https://github.com/microsoft/igvm/blob/main/igvm/src/measurement/snp.rs)?

Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs Outdated
@jennagoddard

Copy link
Copy Markdown
Contributor Author

yes I'll look into that


In reply to: 4836364193

@github-actions github-actions Bot added the unsafe Related to unsafe code label Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

⚠️ Unsafe Code Detected

This PR modifies files containing unsafe Rust code. Extra scrutiny is required during review.

For more on why we check whole files, instead of just diffs, check out the Rustonomicon

@jennagoddard jennagoddard marked this pull request as ready for review July 2, 2026 20:15
@jennagoddard jennagoddard requested a review from a team as a code owner July 2, 2026 20:15
Copilot AI review requested due to automatic review settings July 2, 2026 20:15
Comment thread vm/loader/igvmfilegen/Cargo.toml Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Comment thread support/crypto/src/lib.rs
Comment thread vm/loader/igvmfilegen/Cargo.toml
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs Outdated
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs Outdated
Copilot AI review requested due to automatic review settings July 2, 2026 20:19
Comment thread support/crypto/src/ecdsa/win.rs Outdated
.map_err(|e| Error::TempSigning(format!("EcdsaKeyPair::generate: {e}")))?;

// Hash the ID block with SHA-384.
let mut hash = Sha384::new();

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't forget my other comment on teams about moving to use crypto-provided hashing too, but that can come in a follow up.

sys::EcdsaKeyPairInner::generate(curve).map(Self)
}

/// Sign a pre-computed hash value. Returns the signature as `r || s`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be more user-friendly if this took the raw data and did the hashing internally? We have a HashAlgorithm enum for exactly this use case, and do similar for other algorithms.

Comment thread support/crypto/src/ecdsa/mod.rs Outdated
Comment thread support/crypto/src/ecdsa/mod.rs Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs Outdated
Comment thread support/crypto/src/ecdsa/win.rs Outdated
Comment thread vm/loader/igvmfilegen/Cargo.toml Outdated
Comment thread support/crypto/src/ecdsa/mod.rs
@jennagoddard jennagoddard changed the title Draft: Sign hash of ID block with temporary key IGVMfilegen: Sign hash of ID block with temporary key Jul 2, 2026
Comment thread support/crypto/src/ecdsa/win.rs Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 6 comments.

Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread support/crypto/src/ecdsa/mod.rs
Copilot AI review requested due to automatic review settings July 2, 2026 21:08

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.

Comment thread support/crypto/src/ecdsa/win.rs
Comment thread support/crypto/src/ecdsa/win.rs
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs Outdated
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Copilot AI review requested due to automatic review settings July 2, 2026 21:41
Comment thread support/crypto/src/ecdsa/mac_stub.rs Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.

Comment thread support/crypto/src/ecdsa/win.rs
Copilot AI review requested due to automatic review settings July 2, 2026 21:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.

Comment thread vm/loader/igvmfilegen/src/signed_measurement/snp.rs
Comment thread support/crypto/src/ecdsa/win.rs
Comment thread support/crypto/src/ecdsa/mod.rs Outdated
Comment thread vm/loader/igvmfilegen/Cargo.toml
@jennagoddard jennagoddard enabled auto-merge (squash) July 2, 2026 22:18
@jennagoddard jennagoddard merged commit 4f9abad into microsoft:main Jul 2, 2026
69 checks passed
benhillis added a commit that referenced this pull request Jul 6, 2026
igvmfilegen enables `crypto`'s `native` + `vendored` features, which
vendor-builds OpenSSL from source on Linux. The vendored build runs
OpenSSL's `./Configure` perl script, needing the OpenSSL headers and a
perl install with the standard modules. Ubuntu's base `perl` ships them
(so GitHub CI is green), but minimal Fedora/Azure Linux images don't,
failing with `Can't locate FindBin.pm`.

This adds `openssl-devel` + `perl` as pre-build deps for the igvmfilegen
node, mirroring `build_vmgstool.rs` which already does this for the same
crypto feature combo. No-op on non-Linux hosts.

Surfaced by a downstream Azure Linux OneBranch build of igvmfilegen
going red after #3832 added the vendored crypto dependency.

---------

Co-authored-by: OpenVMM Team <openvmm@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

unsafe Related to unsafe code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants