Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support az-tdx-vtpm tee #169

Merged

Conversation

mkulke
Copy link
Contributor

@mkulke mkulke commented Oct 18, 2023

This is a tracking issue for adding the az-tdx-vtpm tee that is required to add support for Azure's TDX CVMs to CoCo.

Related PRs

e2e Test

The test performs a key release via remote-attestation using the az-tdx-vtpm tee. Build and run this PR on an Azure TDX CVM.

Prepare

The steps assume Ubuntu 22.04:

curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y \
    libsgx-dcap-default-qpl \
    libsgx-dcap-quote-verify \
    libsgx-dcap-quote-verify-dev \
    libsgx-urts \
    libssl-dev \
    libtdx-attest \
    libtdx-attest-dev \
    libtss2-dev \
    make \
    clang \
    protobuf-compiler \
    pkg-config

# The default golang version is 1.18 and we need at least 1.20 so install it like this.
curl -o /tmp/pullgo.sh https://raw.githubusercontent.com/surajssd/dotfiles/master/local-bin/pullgo.sh
chmod +x /tmp/pullgo.sh
/tmp/pullgo.sh 1.21.2

cat <<EOF | sudo tee /etc/sgx_default_qcnl.conf
{
  "pccs_url": "https://global.acccache.azure.net/sgx/certification/v3/",
  "use_secure_cert": true,
  "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
  "pccs_api_version": "3.1",
  "retry_times": 6,
  "retry_delay": 5,
  "local_pck_url": "http://169.254.169.254/metadata/THIM/sgx/certification/v3/",
  "pck_cache_expire_hours": 24,
  "verify_collateral_cache_expire_hours": 24,
  "custom_request_options": {
    "get_cert": {
      "headers": {
        "metadata": "true"
      },
      "params": {
        "api-version": "2021-07-22-preview"
      }
    }
  }
}
EOF

Run tests

Install rust + golang

cd kbs/test
sudo apt-get update && sudo apt-get install -y build-essential
sudo make install-dependencies
make bins
sudo make e2e-test

@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch 7 times, most recently from 048c5bd to 6046da8 Compare October 21, 2023 07:58
@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch 11 times, most recently from b638fa6 to aaf600c Compare November 29, 2023 21:09
@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch from aaf600c to 9adf9e9 Compare January 2, 2024 06:46
@mkulke mkulke mentioned this pull request Jan 2, 2024
@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch from 9adf9e9 to efd2d6e Compare January 2, 2024 07:36
@mkulke mkulke marked this pull request as ready for review January 2, 2024 07:55
@mkulke mkulke requested a review from sameo as a code owner January 2, 2024 07:55
@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch from efd2d6e to 32955e1 Compare January 16, 2024 13:42
@bpradipt bpradipt requested review from fitzthum and Xynnn007 January 16, 2024 13:48
Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR Magnus! There is a only problem that might cause unexpected behavior

if var_data_hash != td_quote.report_body.report_data[..32] {
bail!("TDX Quote report data mismatch");
}
debug!("Report data verification completed successfully.");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love the debug check point here

attestation-service/verifier/src/tdx/mod.rs Show resolved Hide resolved
@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch 2 times, most recently from 15bd589 to 360a4eb Compare January 17, 2024 11:39
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. See one comment

- Added verification code
- Added tdx fixtures and test cases
- Reorganized snp fixtures
- Added missing dependency for tdx e2e test
- Added entry for e2e test

Co-authored-by: Xynnn_ <xynnn@linux.alibaba.com>

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
@mkulke mkulke force-pushed the mkulke/add-az-tdx-vtpm-tee branch 4 times, most recently from 432acb4 to 689a11c Compare January 19, 2024 20:42
@fitzthum fitzthum merged commit 04cda09 into confidential-containers:main Jan 19, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

3 participants