-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tdx-attester: log error on empty TSM report #825
Conversation
@@ -87,6 +87,7 @@ impl Attester for TdxAttester { | |||
}, | |||
|tsm| { | |||
tsm.attestation_report(TsmReportData::Tdx(report_data.clone())) | |||
.inspect(|outblob| {if outblob.is_empty() {log::error!("TSM provider returned an empty quote without an error")}}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the quote here is empty, the attester side error
info cannot be exposed to users when using CoCo. The verifier side will face error "base64 decode failed". If we can ensure the behavior here is only caused by misconfiguration of host side we can also raise an error to indicate "TSM provider returned an empty quote, please ensure the host side QGS is configured correctly".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we can ensure the behavior here is only caused by misconfiguration
I'm currently checking if Qemu is just handling this case wrong. I'd think the same could also happen due to other reasons too where Qemu only sees qemu-system-x86_64: Failed to connect to '2:4050': Connection reset by peer
(which is what I get in my test setup with no QGS running).
In the mean time, perhaps we could also look to the verifier side to return meaningful error if the evidence is missing mandatory fields.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. Anyway, both attester and verifier side should raise error if no quote is included. For attester the error would be finally exposed to kata-agent and thus host side containerd making the deployer know something wrong with host side stack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a bit of research and it looks the kernel has an issue of not handling the errors correctly. There's even a dedicated error code for TDX_VP_GET_QUOTE_QGS_UNAVAILABLE
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How this error can be caught by AA?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm looking to submit the kernel fix which is something like:
diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index abe3076f965e..de71a430a4b9 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -268,6 +268,13 @@ static int tdx_report_new(struct tsm_report *report, void *data)
goto done;
}
+ /* Quote data is included only when the status is OK */
+ if (quote_buf->status != GET_QUOTE_SUCCESS) {
+ pr_err("GetQuote failed, status:%llx\n", quote_buf->status);
+ ret = -EIO;
+ goto done;
+ }
+
Which then shows up as an error normally, like in my test case with evidence_getter
:
get evidence failed: quote generation using TSM reports failed
Caused by:
0: Failed to access TSM Report attribute: outblob (Input/output error (os error 5))
1: Input/output error (os error 5)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
Updated 2nd: please take a rebase. Now the CI is fixed. |
tdx_guest TSM provider covers a wide range of errors which trigger an errno on outblob read but can also return empty reports without error. One such scenario seems to be when Qemu isn't connecting to TDX QGS properly (likely due to misconfiguration) but returns back with an empty buffer. Notify users about this scenario and log an error on empty TSM report but don't turn it into a new error because there isn't any. Signed-off-by: Mikko Ylinen <[email protected]>
dbdd376
to
7787164
Compare
I'm closing this one but keeping #823 open to track the kernel/qemu fixes. |
Fixes: #823
tdx_guest TSM provider covers a wide range of errors which trigger an errno on outblob read but can also return empty reports without error.
One such scenario seems to be when Qemu isn't connecting to TDX QGS properly (likely due to misconfiguration) but returns back with an empty buffer.
Notify users about this scenario and log an error on empty TSM report but don't turn it into a new error because there isn't any.
Note: when used with
evidence_getter
, a logger must be enabled to get the logs visible.