MCPcopy Index your code
hub / github.com/Freax13/mushroom

github.com/Freax13/mushroom @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
3,790 symbols 11,796 edges 209 files 257 documented · 7%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

:mushroom: mushroom :mushroom:

Run integrity protected workloads in a hardware based Trusted Execution Environment.

mushroom can be used to process inputs using unmodified Linux workloads. It can create and verify attestation reports proving that the output for a given input hasn't been tampered with. It tries to provide a very high level of security by aggressively cutting down on potential attack surfaces. mushroom's security is rooted in secure encrypted virtual machines based on AMD's SEV-SNP and Intel's TDX technologies.

Warning

mushroom is still very experimental! Chances are it can't even run most workloads yet because it doesn't implement enough of the Linux syscall interface. mushroom has not received any external security audits.

Architecture and Core Concepts

mushroom is split up into three parts: 1. mushroom library and executable: These implement a minimal VMM to launch the VM on a Linux host. 1. workload kernel: This kernel runs the workloads. On AMD SEV-SNP, it runs at VMPL 1. On Intel TDX, it runs in a L2 nested VM. This kernel never directly talks to the host. 1. supervisor kernel: This kernel runs at VMPL 0 on AMD SEV-SNP and runs as the L1 VM on Intel TDX. It mediates between the communication between the workload kernel and the host. It handles necessary host communication such as for input and output transfer, memory hot plugging, and AP boot.

Reduce Attack Surface

The code running in the VM has been split up into two parts, the workload kernel and the supervisor kernel, to reduce the amount security relevant code. It should be sufficient to audit the supervisor kernels as the the workload kernel should never come into contact with untrusted data.

The supervisor kernels are the only component directly talking to the host. The supervisor kernels are intentionally kept small and is hardended against exploits.

The workload kernel cannot access host shared memory and even though it's in theory not impossible for it to communicate to the host through some side-channels, it should be very unlikely that the host can influence the code running in the workload kernel.

Tell, Don't Ask

Communication between the supervisor kernel and the host has been designed in such a way that data mostly flows from the supervisor kernel to the host and not the other way around. This makes it more difficult for the host to feed the supervisor kernel invalid data that could cause a vulnerability.

Attest All Inputs

The following data ends up in the attestation report: 1. supervisor kernel 1. workload kernel 1. init executable 1. input data

The input data is included in the attestation report to ensure that an attacker doesn't feed malicous input to the workload which exploits some vulnerability in the workload.

It should be impossible for the attacker to tamper with any of these without the attestation report changing.

There is no way for the workloads to communicate with the host, external devices or external services. The only input to the workload is the input file provided to it.

More details can be found here.

Non-goals

The workload kernel has not been hardened against attacks from within the workload itself, only the outputs of trusted workloads and inputs should be considered trusted.

Example Use Cases

mushroom could be the basis of a secure remote build system: mushroom could be used to securely compile code on untrusted servers. The attestation report would prove that the compiled program really corresponds to the input source files and hasn't been backdoored or otherwise tampered with.

Usage

KVM host support for AMD SEV-SNP has been partially upstreamed into the Linux kernel, but additional patches are needed. KVM host support for Intel TDX has not yet been upstreamed. A tree based on Intel's partitioning patches can be used.

The host folder contains cargo-make files to simplify the process of running a workload.

To execute a workload use:

freax13@workstation:~/mushroom$ make run PROFILE=release INPUT=input-file OUTPUT=output.bin ATTESTATION_REPORT=report.bin
[...]
2023-07-07T20:45:00.670741Z  INFO mushroom: launched num_launch_pages=16102 num_data_pages=16100 total_launch_duration=16.47807905s
2023-07-07T20:45:02.570740Z  INFO mushroom: finished

To verify the output with attestation report simply swap out the run subcommand with verify:

freax13@workstation:~/mushroom$ make verify PROFILE=release INPUT=input-file OUTPUT=output.bin ATTESTATION_REPORT=report.bin
[...]
Ok

See tee/example/README.md for an example workload.

Known Issues

Time

Securely keeping track of time inside a secure VM is difficult. Even under Intel TDX or with AMD SEV-SNP SecureTSC enabled, the hypervisor can change the VM's perception of time e.g. by frequently pausing execution of the VM for a brief moment.

The two main requirements for a time-keeping implementation are: 1. The hypervisor should not be able to mess with the workload's perception of time. 2. The clock should be accurate.

We are not aware of any way to achieve both of these goals under AMD SEV-SNP or Intel TDX. Instead, we implement two different "time backends" and let the user pick one of them at compile time:

  1. The fake time backend doesn't use any of the CPU's native time-keeping facilities and meerly increments a counter by a fixed amount every time the current time is requested. This clock is completly deterministic and can't be influenced by the hypervisor, but it's also very inaccurate.
  2. The real time backend, uses the SecureTSC SEV feature and TDX's TSC virtualization and the rdtsc instruction to query the current time. This clock backend is accurate if and only if the hypervisor doesn't mess with the guest.

The different time backends can be enabled by passing either TIME_BACKEND=fake or TIME_BACKEND=real to make. By default, the fake time backend is enabled for optimal security.

Note that regardless of the selected time backend, the mushroom kernel may skip forward in time when it determines that no tasks can be executed until the clock advances to a certain timestamp. This is transparent to the workload.

Extension points exported contracts — how you extend this code

Pointee (Interface)
This trait is implemented by types for which userspace pointers can exist. [79 implementers]
tee/kernel/src/user/syscall/args/pointee.rs
ParentLevel (Interface)
A page table level which can be a parent to another level. [3 implementers]
tee/static-page-tables/src/lib.rs
Synchronized (Interface)
(no doc) [2 implementers]
tee/supervisor-snp/src/pagetable.rs
WritablePointee (Interface)
A pointee which can be written to userspace. The extra generic parameter `T` only exists to allow multiple blankets imp [8 …
tee/kernel/src/user/syscall/args/pointee.rs
PageLevel (Interface)
A page table level at which pages can be mapped. [3 implementers]
tee/static-page-tables/src/lib.rs
GuestRequest (Interface)
(no doc) [1 implementers]
tee/supervisor-snp/src/ghcb.rs
PrimitivePointee (Interface)
A primitive pointee. Primitive pointees always have the same size and layout on all abi. Primitive pointees can be rea [31 …
tee/kernel/src/user/syscall/args/pointee.rs
Level (Interface)
(no doc) [4 implementers]
tee/static-page-tables/src/lib.rs

Core symbols most depended-on inside this repo

new
called by 1207
tee/kernel/src/rt/mpmc.rs
new
called by 350
tee/kernel/src/fs/node/procfs.rs
clone
called by 319
tee/kernel/src/fs/node/tmpfs.rs
lock
called by 291
tee/kernel/src/fs/fd/unix_socket/stream.rs
contains
called by 265
tee/kernel/src/user/thread.rs
new
called by 255
tee/kernel/src/fs/fd/pipe/anon.rs
register
called by 235
tee/kernel/src/user/syscall/traits.rs
lock
called by 185
tee/kernel/src/fs/fd.rs

Shape

Method 2,004
Function 853
Class 766
Enum 124
Interface 43

Languages

Rust100%
C1%

Modules by API surface

tee/kernel/src/user/syscall.rs252 symbols
tee/kernel/src/fs/fd.rs132 symbols
tee/kernel/src/user/thread.rs116 symbols
tee/kernel/src/user/syscall/args/pointee.rs115 symbols
tee/kernel/src/user/syscall/args.rs112 symbols
host/mushroom/src/kvm.rs111 symbols
tee/kernel/src/user/memory.rs104 symbols
tee/kernel/src/fs/node.rs88 symbols
tee/kernel/src/user/process.rs83 symbols
tee/kernel/src/memory/pagetable.rs81 symbols
tee/kernel/src/time.rs76 symbols
tee/tests/src/unix.rs75 symbols

For agents

$ claude mcp add mushroom \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact