attester: add TSM REPORT module and move TDX to use it #434
Conversation
|
The CI error does not seem to be related to this PR (I can see it locally with |
Linux 6.7 is available so TSM reports exist. I updated the commit message with the link to the ABI spec. There's no immediate additional changes needed on the Kata side other than just to get 6.7 used. I'm collaborating with @fidencio on that. |
|
Upstream CI issue is fixed btw. Please rebase at some point. |
done. |
|
(rebased to trigger CI but no code changes at this time) |
mythi
force-pushed
the
tsm_report
branch
2 times, most recently
from
b4e3780
to
4e190ae
Compare
mythi
force-pushed
the
tsm_report
branch
5 times, most recently
from
daa4d92
to
0c9a88c
Compare
mythi
force-pushed
the
tsm_report
branch
3 times, most recently
from
c03ac3c
to
df22dfc
Compare
|
This is looking good @mythi. I left a couple more comments. |
mythi
force-pushed
the
tsm_report
branch
2 times, most recently
from
72530e3
to
1bf0fcf
Compare
| .with_context(|| format!("TDX Attester: get_quote_ioctl() fallback failed after a TSM report error ({notsm})")) | ||
| }, | ||
| |tsm| { | ||
| tsm.attestation_report(TsmReportData::Tdx(report_data.clone())) |
There was a problem hiding this comment.
the short answer is 'yes' but I'm open to brainstorm how this gets passed to attestation_report()
mythi
force-pushed
the
tsm_report
branch
2 times, most recently
from
8874143
to
e93788a
Compare
|
Added some tests too. |
Linux 6.7 added a common ABI for CVMs to provide their attestation reports. It's based on configfs and the quotes can be generated using the 'TSM reports'. Documentation: https://www.kernel.org/doc/Documentation/ABI/testing/configfs-tsm Add a tsm_report module that CoCo attesters can use to generate quotes to be included in their attestation evidence. Signed-off-by: Mikko Ylinen <[email protected]>
Move tdx attester to primarily use TSM reports to get the quotes generated. The ioctl() based get-quote mechanisms have never been upstreamed so they can be considered 'deprecated'. However, a feature switch is added to keep the old functionality available for now. Signed-off-by: Mikko Ylinen <[email protected]>
|
rebased to get CI green |
|
Ok, sorry for the delays on this. Took a while since it touches some important things. We may need some follow-up work (for other platforms, for instance), but this seems like a good start. Thanks @mythi |
Agree that follow-up work is needed. Do you think it would be good to have an issue about it? I'm counting at least 4 future work items depending on how they land upstream: SEV, SEV SVSM, RTMR writes, maybe TDX get-report and ioctl deprecation. |
No description provided.