td-shim-tee-info-hash: MRTD calculation for OVMF #740

Open

mythi opened this issue Sep 30, 2024 · 4 comments
Labels
bug Something isn't working

Comments

mythi commented Sep 30, 2024

Describe the bug

I'm using td-shim-tee-info-hash to get OVMF generated MRTD "reproduced" but I'm not getting a match.

How to reproduce

cargo build -p td-shim-tools --bin td-shim-tee-info-hash --features tee
target/debug/td-shim-tee-info-hash -i /usr/share/ovmf/OVMF.fd -m td-shim-tools/src/bin/td-shim-tee-info-hash/sample_manifest.json  -s 1 -o /tmp/foo.bin

The printed MRTD is 3491d438652cde331546683a37120504e961d02d871002f621fe51357df20c848406e485b625f2fd27bf3de32f49da70.

My TDVM is booted with the same OVMF but the quote generated in it gives 91eb2b44d141d4ece09f0c75c2c53d247a3c68edd7fafe8a3520c942a604a407de03ae6dc5f87f27428b2538873118b7

CoCo version information

td-shim HEAD

What TEE are you seeing the problem on

Tdx

Failing command and relevant log output

$ ps ax|grep qemu
   7832 ?        Sl   11253:35 qemu-system-x86_64 -D /tmp/tdx-guest-td.log -accel kvm -m 2G -smp 16 -name td,process=td,debug-threads=on -cpu host -object {"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type": "vsock", "cid":"2","port":"4050"}} -machine q35,kernel_irqchip=split,confidential-guest-support=tdx,hpet=off -bios /usr/share/ovmf/OVMF.fd -nographic -daemonize -nodefaults -device virtio-net-pci,netdev=nic0_td -netdev user,id=nic0_td,hostfwd=tcp::10022-:22 -drive file=/home/mylinen/tdx/guest-tools/image/tdx-guest-ubuntu-24.04.qcow2,if=none,id=virtio-disk0 -device virtio-blk-pci,drive=virtio-disk0 -pidfile /tmp/tdx-demo-td-pid.pid
@mythi mythi added the bug Something isn't working label Sep 30, 2024
Member

gaojiaqi7 commented Dec 20, 2024

hi @mythi , I tried OVMF on my local machine and I can see the guest report MRTD matches the generated value using tee-info-hash tool. Could you share the manifest and OVMF image that can reproduce this issue?

If the attributes/xfam/mrconfigid/mrowner/mrownerconfig values in the manifest do not match the real tdreport values, it will result in an incorrect MRTD prediction.

Author

mythi commented Dec 20, 2024

@gaojiaqi7 thanks for checking. Let me retry on my side to double check. Maybe I indeed had a user-error with the manifest (I remember I had some issues with it).

Author

mythi commented Dec 20, 2024

Could you share the manifest and OVMF image that can reproduce this issue?

I can reproduce the original issue still. I'm running Canonical 24.04 + TDX from it. ovmf 2024.02-3+tdx1.0. I don't see how the manifest file is relevant to build_mrtd()

Member

gaojiaqi7 commented Dec 23, 2024

I have tested both ovmf edk2-stable202402 and edk2-stable202411 with tdx1.5 and MRTDs are matched.

I don't see how the manifest file is relevant to build_mrtd()

Right. The manifest affects tee_info_hash but not mrtd, I got them muddled.
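To separate the two checks discussed in this thread (does the tool's MRTD match the guest, and do the manifest's attributes/xfam/mrconfigid/mrowner/mrownerconfig match the guest), the following added example (not part of td-shim or this issue) parses the TDINFO region of a raw TDREPORT according to the Intel TDX Module layout and compares its MRTD against the hex string the tool prints. The report bytes are constructed, not captured from a real TD; the MRTD value used is the one printed by the tool above.

```python
import struct

# TDREPORT (Intel TDX Module spec): REPORTMACSTRUCT (256) + TEE_TCB_INFO (239)
# + reserved (17) + TDINFO (512) = 1024 bytes, so TDINFO starts at offset 512.
TDREPORT_LEN = 1024
TDINFO_OFF = 512
TDINFO_LEN = 512
MEAS_LEN = 48  # every measurement register is a SHA-384 digest

# Order of the 48-byte registers that follow ATTRIBUTES (8) and XFAM (8) in TDINFO.
_REGISTERS = ("mrtd", "mrconfigid", "mrowner", "mrownerconfig",
              "rtmr0", "rtmr1", "rtmr2", "rtmr3")


def parse_tdinfo(tdreport: bytes) -> dict:
    """Return the TDINFO fields of a raw TDREPORT; digests as lowercase hex."""
    if len(tdreport) != TDREPORT_LEN:
        raise ValueError(f"TDREPORT must be {TDREPORT_LEN} bytes, got {len(tdreport)}")
    info = tdreport[TDINFO_OFF:TDINFO_OFF + TDINFO_LEN]
    attributes, xfam = struct.unpack_from("<QQ", info, 0)  # two little-endian u64
    fields = {"attributes": attributes, "xfam": xfam}
    off = 16
    for name in _REGISTERS:
        fields[name] = info[off:off + MEAS_LEN].hex()
        off += MEAS_LEN
    return fields


def mrtd_matches(tdreport: bytes, printed_mrtd: str) -> bool:
    """Compare the guest's MRTD with the hex digest td-shim-tee-info-hash printed."""
    return parse_tdinfo(tdreport)["mrtd"] == printed_mrtd.strip().lower()


def manifest_inputs(tdreport: bytes) -> dict:
    """The TDINFO fields that feed tee_info_hash (per the thread) and must match
    the manifest; MRTD itself is not among them."""
    f = parse_tdinfo(tdreport)
    return {k: f[k] for k in ("attributes", "xfam", "mrconfigid", "mrowner", "mrownerconfig")}


def make_sample_tdreport(mrtd_hex: str, attributes: int = 0, xfam: int = 0) -> bytes:
    """Constructed TDREPORT for testing: zeroed MAC/TCB sections, given TDINFO values."""
    info = struct.pack("<QQ", attributes, xfam) + bytes.fromhex(mrtd_hex)
    info = info.ljust(TDINFO_LEN, b"\x00")  # remaining registers zero, reserved zero
    return bytes(TDINFO_OFF) + info
```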
