Empty outblob when using TSM to get TDX Quote #823

Open
Xynnn007 opened this issue Nov 26, 2024 · 4 comments
Labels
bug Something isn't working

Comments

Xynnn007 commented Nov 26, 2024

Describe the bug

Thanks to @LiuSecone

When using the evidence_getter inside a TDX guest that has /sys/kernel/config/tsm/report, the evidence of TDX would be

{
    "cc_eventlog": "AQAAA....",
    "quote": "",
    "aa_eventlog": null
}

This is not expected. If the reading of outblob fails, the attester should raise an error and fall back to the ioctl way to get evidence. But the actual execution result treats the empty reading of /sys/kernel/config/tsm/report/xxx/outblob as a success.

If we manually execute the following inside guest

mkdir /sys/kernel/config/tsm/report/123
echo hahaha > /sys/kernel/config/tsm/report/123/inblob
cat /sys/kernel/config/tsm/report/123/outblob
cat /sys/kernel/config/tsm/report/123/generation

The first cat will say

cat: /sys/kernel/config/tsm/report/123/outblob: Invalid argument

and the second cat will say

1

How to reproduce

See description

CoCo version information

v0.10.0

What TEE are you seeing the problem on

None

Failing command and relevant log output

No response

@Xynnn007 Xynnn007 added the bug Something isn't working label Nov 26, 2024
@Xynnn007

cc @mythi

mythi commented Nov 26, 2024

The first cat will say

cat: /sys/kernel/config/tsm/report/123/outblob: Invalid argument

Interesting. I'll take a look at where the error from std::fs::read() gets lost.

mythi commented Nov 27, 2024

This is not expected. If the reading of outblob fails, the attester should raise an error and fall back to the ioctl way to get evidence. But the actual execution result treats the empty reading of /sys/kernel/config/tsm/report/xxx/outblob as a success.

We have not treated this as an error because there is no read error:

root@tdx-guest:~# dd if=/dev/random of=/sys/kernel/config/tsm/report/123/inblob bs=1 count=64
root@tdx-guest:~# cat /sys/kernel/config/tsm/report/123/outblob
root@tdx-guest:~# echo $?

(echo hahaha is incorrect reportdata and triggers the error shown in the original report)

I'm fine adding an .is_empty() check to tdx-attester but the ioctl() fallback is not ok since that interface is deprecated.

mythi commented Nov 27, 2024

But the actual execution result treats the empty reading of /sys/kernel/config/tsm/report/xxx/outblob as a success.

You might also wonder about the root cause of an empty quote: the TDX QGS is either too old (DCAP 1.21 or later is needed) or Qemu cannot connect to it (e.g., the vsock_loopback module is missing).
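As an added example (not code from the attester or from anyone in this thread), here is how a configfs-TSM report read can keep the kernel's read error (the EINVAL from bad reportdata) separate from the successful-but-empty outblob discussed above, so that neither is reported as a quote. The report root is a parameter so the logic can be exercised against a scratch directory; the report name coco-example and the zeroed 64-byte report data in main are assumptions.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Two distinct failure modes the caller must tell apart:
/// - Io: the kernel refused the read (e.g. EINVAL for malformed reportdata)
/// - EmptyOutblob: the read succeeded but returned zero bytes (e.g. QGS
///   unreachable or too old); `generation` is captured for diagnostics
#[derive(Debug)]
pub enum TsmError {
    Io(io::Error),
    EmptyOutblob { generation: String },
}

impl From<io::Error> for TsmError {
    fn from(e: io::Error) -> Self {
        TsmError::Io(e)
    }
}

/// Request a report under `tsm_root` (normally /sys/kernel/config/tsm/report).
/// Creating the directory instantiates the report object on configfs, writing
/// `inblob` supplies the report data, and reading `outblob` yields the quote.
/// An empty outblob is rejected instead of being passed on as evidence.
pub fn get_tsm_report(tsm_root: &Path, name: &str, report_data: &[u8; 64]) -> Result<Vec<u8>, TsmError> {
    let report_dir: PathBuf = tsm_root.join(name);
    fs::create_dir_all(&report_dir)?;
    fs::write(report_dir.join("inblob"), report_data)?;
    let outblob = fs::read(report_dir.join("outblob"))?; // EINVAL surfaces here as Err
    if outblob.is_empty() {
        let generation = fs::read_to_string(report_dir.join("generation"))
            .map(|s| s.trim().to_string())
            .unwrap_or_default();
        return Err(TsmError::EmptyOutblob { generation });
    }
    Ok(outblob)
}

fn main() {
    // Assumed caller: real configfs path, zeroed report data, assumed report name.
    let root = Path::new("/sys/kernel/config/tsm/report");
    match get_tsm_report(root, "coco-example", &[0u8; 64]) {
        Ok(quote) => println!("quote: {} bytes", quote.len()),
        Err(e) => eprintln!("no usable quote: {:?}", e),
    }
}
```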
