Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tdx-attester: log error on empty TSM report #825

Closed
wants to merge 1 commit into from
Closed

tdx-attester: log error on empty TSM report #825

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions attestation-agent/attester/src/tdx/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ impl Attester for TdxAttester {
},
|tsm| {
tsm.attestation_report(TsmReportData::Tdx(report_data.clone()))
.inspect(|outblob| {if outblob.is_empty() {log::error!("TSM provider returned an empty quote without an error")}})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the quote here is empty, the attester side error info cannot be exposed to users when using CoCo. The verifier side will face error "base64 decode failed". If we can ensure the behavior here is only caused by misconfiguration of host side we can also raise an error to indicate "TSM provider returned an empty quote, please ensure the host side QGS is configured correctly".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we can ensure the behavior here is only caused by misconfiguration

I'm currently checking if Qemu is just handling this case wrong. I'd think the same could also happen due to other reasons too where Qemu only sees qemu-system-x86_64: Failed to connect to '2:4050': Connection reset by peer (which is what I get in my test setup with no QGS running).

In the mean time, perhaps we could also look to the verifier side to return meaningful error if the evidence is missing mandatory fields.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. Anyway, both attester and verifier side should raise error if no quote is included. For attester the error would be finally exposed to kata-agent and thus host side containerd making the deployer know something wrong with host side stack.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a bit of research and it looks the kernel has an issue of not handling the errors correctly. There's even a dedicated error code for TDX_VP_GET_QUOTE_QGS_UNAVAILABLE.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How this error can be caught by AA?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm looking to submit the kernel fix which is something like:

diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index abe3076f965e..de71a430a4b9 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -268,6 +268,13 @@ static int tdx_report_new(struct tsm_report *report, void *data)
                goto done;
        }
 
+       /* Quote data is included only when the status is OK */
+       if (quote_buf->status != GET_QUOTE_SUCCESS) {
+               pr_err("GetQuote failed, status:%llx\n", quote_buf->status);
+               ret = -EIO;
+               goto done;
+       }
+

Which then shows up as an error normally, like in my test case with evidence_getter:

get evidence failed: quote generation using TSM reports failed

Caused by:
    0: Failed to access TSM Report attribute: outblob (Input/output error (os error 5))
    1: Input/output error (os error 5)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

.context("TDX Attester: quote generation using TSM reports failed")
},
)?;
Expand Down
Loading