Skip to content

Commit

Permalink
attester: tdx: use TSM reports to generate quotes
Browse files Browse the repository at this point in the history 
Move tdx attester to primarily use TSM reports to get
the quotes generated.

The ioctl() based get-quote mechanisms have never been
upstreamed so they can be considered 'deprecated'. However,
a feature switch is added to keep the old functionality available
for now.

Signed-off-by: Mikko Ylinen <[email protected]>
  • Loading branch information
@mythi
mythi committed Jan 18, 2024
1 parent f9a20d6 commit da97958
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 14 deletions.
3 changes: 2 additions & 1 deletion attestation-agent/attester/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,8 @@ required-features = [ "bin" ]
default = ["all-attesters"]
all-attesters = ["tdx-attester", "sgx-attester", "az-snp-vtpm-attester", "az-tdx-vtpm-attester", "snp-attester", "csv-attester", "cca-attester"]

tdx-attester = ["tdx-attest-rs"]
tdx-attester = ["tsm-report", "tdx-getquote-ioctl"]
tdx-getquote-ioctl = ["tdx-attest-rs"]
sgx-attester = ["occlum_dcap"]
az-snp-vtpm-attester = ["az-snp-vtpm"]
az-tdx-vtpm-attester = ["az-tdx-vtpm"]
Expand Down
51 changes: 38 additions & 13 deletions attestation-agent/attester/src/tdx/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,23 @@
// SPDX-License-Identifier: Apache-2.0
//

use super::tsm_report::{provider_is, TsmReportPath, TsmReportProvider, TSM_REPORT_PROVIDER_TDX};
use super::Attester;
use anyhow::*;
use base64::Engine;
use serde::{Deserialize, Serialize};
use std::path::Path;
use std::result::Result::Ok;

#[cfg(feature = "tdx-getquote-ioctl")]
use tdx_attest_rs;

const CCEL_PATH: &str = "/sys/firmware/acpi/tables/data/CCEL";

pub fn detect_platform() -> bool {
Path::new("/dev/tdx-attest").exists() || Path::new("/dev/tdx-guest").exists()
provider_is(TSM_REPORT_PROVIDER_TDX)
|| (cfg!(feature = "tdx-legacy-getquote-ioctl")
&& (Path::new("/dev/tdx-attest").exists() || Path::new("/dev/tdx-guest").exists()))
}

#[derive(Serialize, Deserialize)]
Expand All @@ -37,20 +43,38 @@ impl Attester for TdxAttester {

report_data.resize(64, 0);

let tdx_report_data = tdx_attest_rs::tdx_report_data_t {
d: report_data.as_slice().try_into()?,
};

let engine = base64::engine::general_purpose::STANDARD;
let quote = match tdx_attest_rs::tdx_att_get_quote(Some(&tdx_report_data), None, None, 0) {
(tdx_attest_rs::tdx_attest_error_t::TDX_ATTEST_SUCCESS, Some(q)) => engine.encode(q),
(error_code, _) => {
return Err(anyhow!(
"TDX Attester: Failed to get TD quote. Error code: {:?}",
error_code
));
let quote_bytes = match TsmReportPath::open() {
Ok(tsm) => match tsm.attestation_report(TsmReportProvider::Tdx(report_data)) {
Ok(bytes) => {
tsm.close();
bytes
}
Err(e) => {
tsm.close();
bail!("TDX Attester: {}", e);
}
},
#[cfg(feature = "tdx-getquote-ioctl")]
Err(_) => {
let tdx_report_data = tdx_attest_rs::tdx_report_data_t {
d: report_data.as_slice().try_into().unwrap(),
};

match tdx_attest_rs::tdx_att_get_quote(Some(&tdx_report_data), None, None, 0) {
(tdx_attest_rs::tdx_attest_error_t::TDX_ATTEST_SUCCESS, Some(q)) => q,
(error_code, _) => {
bail!(
"TDX Attester: Failed to get TD quote using ioctl. Error code: {:?}",
error_code
);
}
}
}
#[cfg(not(feature = "tdx-getquote-ioctl"))]
Err(e) => bail!("TDX Attester: {}", e),
};
let engine = base64::engine::general_purpose::STANDARD;
let quote = engine.encode(quote_bytes);

let cc_eventlog = match std::fs::read(CCEL_PATH) {
Result::Ok(el) => Some(engine.encode(el)),
Expand All @@ -66,6 +90,7 @@ impl Attester for TdxAttester {
.map_err(|e| anyhow!("Serialize TDX evidence failed: {:?}", e))
}

#[cfg(feature = "tdx-getquote-ioctl")]
async fn extend_runtime_measurement(
&self,
events: Vec<Vec<u8>>,
Expand Down

0 comments on commit da97958

Please sign in to comment.