ruomengh
commented
4 months ago The DCAP released by this repo is still v1.20. The maintainer mentioned they will update to v1.21 which supports configfs-tsm. See the discussion in issue #89.
Closed fidencio closed 1 month ago
ruomengh
commented
4 months ago The DCAP released by this repo is still v1.20. The maintainer mentioned they will update to v1.21 which supports configfs-tsm. See the discussion in issue #89.
syncronize-issues-to-jira[bot]
commented
4 months ago Thank you for reporting us your feedback!
The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-654.
This message was autogenerated
mmisono
commented
2 months ago Hi,
Does Ubuntu 24.04 (noble) support this? I booted a TD with the qemu option mentioned in the first comment, and run
report=/sys/kernel/config/tsm/report/report0
mkdir $report
dd if=/dev/urandom bs=64 count=1 > $report/inblob
hexdump -C $report/outblobbut I found empty results in outblob.
(cat /sys/kernel/config/tsm/report/report0/provider shows tdx_guest)
Guest: Linux tdx-guest 6.8.0-36-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 10 10:49:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
ruomengh
commented
2 months ago @mmisono It needs to work with DCAP 1.21 to make configfs-tsm work. I have an environment with DCAP 1.21 and configfs-tsm works. I remember @hector-cao mentioned DCAP will be upgraded to 1.21 later.
mmisono
commented
2 months ago Thanks for the info. I found that the host kernel (Ubuntu noble) still has DCAP 1.20.
Also, I was wondering if we need to have vsock for it. In my understanding, the kernel uses TDVMCALL_GET_QUOTE, so don't we need to have vsock?
https://github.com/torvalds/linux/blob/4376e966ecb78c520b0faf239d118ecfab42a119/drivers/virt/coco/tdx-guest/tdx-guest.c#L218
hector-cao
commented
2 months ago We are packaging the new version of ITA (intel trust authority) 1.5, we will release DCAP 1.21 with ITA 1.5 ASAP
hector-cao
commented
2 months ago @mmisono What do you mean by host jernel still has DCAP 1.20 ?
mmisono
commented
2 months ago @hector-cao
I mean this shows 1.20 on the host (I think this should be 1.21 to use configfs-tsm?)
$ dpkg -l | grep -i dcap
ii libsgx-dcap-default-qpl 1.20-0ubuntu1 amd64 Intel(R) Software Guard Extensions Default Quote Provider Library
ii libsgx-dcap-default-qpl-dev 1.20-0ubuntu1 amd64 Intel(R) SGX Default Quote Provider Library development files
ii libsgx-dcap-quoteverify-dev 1.20-0ubuntu1 amd64 Intel(R) SGX DCAP quote verification development files
ii libsgx-dcap-quoteverify1 1.20-0ubuntu1 amd64 Intel(R) Software Guard Extensions DCAP Quote Verification Library
ii sgx-dcap-pccs 1.20-0ubuntu1 amd64 Intel(R) Software Guard Extensions PCK Caching ServiceHello, we are going to do a new release in the next days, it should fix this issue, please give ot a try by using this branch from a fresh Ubuntu 24.04 installation : https://github.com/canonical/tdx/tree/noble-24.04-beta-release
configfs-tsm made its way upstream as part of kernel v6.7, is now fully available on Ubuntu, and can be used with very little tweaks, such as:
-object {"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type": "vsock", "cid":"2","port":"4050"}}Once that's done we can easily verify attestation works using the google's https://github.com/google/go-tdx-guest project (with one small change, as noted here: https://github.com/google/go-tdx-guest/issues/41)