tdx-attester: log error on empty TSM report #825
Conversation
| @@ -87,6 +87,7 @@ impl Attester for TdxAttester { | |||
| }, | |||
| |tsm| { | |||
| tsm.attestation_report(TsmReportData::Tdx(report_data.clone())) | |||
| .inspect(|outblob| {if outblob.is_empty() {log::error!("TSM provider returned an empty quote without an error")}}) | |||
There was a problem hiding this comment.
If the quote here is empty, the attester side error info cannot be exposed to users when using CoCo. The verifier side will face error "base64 decode failed". If we can ensure the behavior here is only caused by misconfiguration of host side we can also raise an error to indicate "TSM provider returned an empty quote, please ensure the host side QGS is configured correctly".
There was a problem hiding this comment.
If we can ensure the behavior here is only caused by misconfiguration
I'm currently checking if Qemu is just handling this case wrong. I'd think the same could also happen due to other reasons too where Qemu only sees qemu-system-x86_64: Failed to connect to '2:4050': Connection reset by peer (which is what I get in my test setup with no QGS running).
In the mean time, perhaps we could also look to the verifier side to return meaningful error if the evidence is missing mandatory fields.
There was a problem hiding this comment.
Ok. Anyway, both attester and verifier side should raise error if no quote is included. For attester the error would be finally exposed to kata-agent and thus host side containerd making the deployer know something wrong with host side stack.
There was a problem hiding this comment.
I did a bit of research and it looks the kernel has an issue of not handling the errors correctly. There's even a dedicated error code for TDX_VP_GET_QUOTE_QGS_UNAVAILABLE.
There was a problem hiding this comment.
How this error can be caught by AA?
There was a problem hiding this comment.
I'm looking to submit the kernel fix which is something like:
diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index abe3076f965e..de71a430a4b9 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -268,6 +268,13 @@ static int tdx_report_new(struct tsm_report *report, void *data)
goto done;
}
+ /* Quote data is included only when the status is OK */
+ if (quote_buf->status != GET_QUOTE_SUCCESS) {
+ pr_err("GetQuote failed, status:%llx\n", quote_buf->status);
+ ret = -EIO;
+ goto done;
+ }
+
Which then shows up as an error normally, like in my test case with evidence_getter:
get evidence failed: quote generation using TSM reports failed
Caused by:
0: Failed to access TSM Report attribute: outblob (Input/output error (os error 5))
1: Input/output error (os error 5)
|
Updated 2nd: please take a rebase. Now the CI is fixed. |
tdx_guest TSM provider covers a wide range of errors which trigger an errno on outblob read but can also return empty reports without error. One such scenario seems to be when Qemu isn't connecting to TDX QGS properly (likely due to misconfiguration) but returns back with an empty buffer. Notify users about this scenario and log an error on empty TSM report but don't turn it into a new error because there isn't any. Signed-off-by: Mikko Ylinen <[email protected]>
mythi
force-pushed
the
tdx-attester-2
branch
from
dbdd376 to
7787164
Compare
|
I'm closing this one but keeping #823 open to track the kernel/qemu fixes. |
Fixes: #823
tdx_guest TSM provider covers a wide range of errors which trigger an errno on outblob read but can also return empty reports without error.
One such scenario seems to be when Qemu isn't connecting to TDX QGS properly (likely due to misconfiguration) but returns back with an empty buffer.
Notify users about this scenario and log an error on empty TSM report but don't turn it into a new error because there isn't any.
Note: when used with
evidence_getter, a logger must be enabled to get the logs visible.