canonical / tdx

Intel confidential computing - TDX
GNU General Public License v3.0

Upgrade to version 2.1 #207

Closed diegoara96 closed 2 months ago

diegoara96 commented 2 months ago

Describe the support request

I currently have several VMs launched with version 2.0. I have seen interesting changes in version 2.1 that I would like to try, but I am not sure what the procedure would be to update the versions of both the host and the VMs without everything stopping working.

Can you give me a hand? I understand that this may happen to more people from now on, so maybe it would be a good idea to also add this to the readme.

System report

Please run the system-report.sh script (located in the root directory of this repo) on your host system and copy the output below.

syncronize-issues-to-jira[bot] commented 2 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-1062.

This message was autogenerated

hector-cao commented 2 months ago

@diegoara96 You could just check out the new release (or download its tarball) and run the setup as usual.

diegoara96 commented 2 months ago

@hector-cao And with the VMs that are already created? I think you have changed things in the xml and added/removed packages.

hector-cao commented 2 months ago

@diegoara96 you can ssh into it, clone the release, modify 'setup-tdx-config' if needed and run the 'setup-tdx-guest' script.

diegoara96 commented 2 months ago

perfect thank you

diegoara96 commented 2 months ago

@hector-cao Everything seems to be fine except the attestation; I have this error in the qgsd service. Could it be that some step is missing?

```
tee_att_get_quote_size return 0x1100f
sep 02 12:30:59 tee-fhaas qgsd[6478]: call tee_att_init_quote
sep 02 12:31:00 tee-fhaas qgsd[6478]: [QCNL] Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK
sep 02 12:31:00 tee-fhaas qgsd[6478]: [QPL] Failed to get quote config. Error code is 0xb033
sep 02 12:31:00 tee-fhaas qgsd[6478]: [get_platform_quote_cert_data ../td_ql_logic.cpp:302] Error returned from the p_sgx_get_quote_config API. 0xe065
sep 02 12:31:00 tee-fhaas qgsd[6478]: tee_att_init_quote return 0x11001
sep 02 12:31:00 tee-fhaas qgsd[6478]: tee_att_get_quote_size return 0x1100f
sep 02 12:31:00 tee-fhaas qgsd[6478]: resp_size is 0
sep 02 12:31:00 tee-fhaas qgsd[6478]: About to shutdown and close socket
sep 02 12:31:00 tee-fhaas qgsd[6478]: erased a connection, now [0]
```

hector-cao commented 2 months ago

Did you properly configure the pccs by invoking the pccs-configure script ?

diegoara96 commented 2 months ago

The attestation was already configured and was working fine; it was after updating that it failed. I have tried to re-launch the script, but the problem is the same.

Git ref

Operating system details

Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:    24.04
Codename:   noble

Kernel version

6.8.0-1010-intel #17-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug  9 10:21:48 UTC 2024 x86_64 x86_64 GNU/Linux

TDX kernel logs

[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.8.0-1010-intel root=/dev/mapper/ubuntu--vg-ubuntu--lv ro kvm_intel.tdx=1 nohibernate
[    0.869062] Kernel command line: BOOT_IMAGE=/vmlinuz-6.8.0-1010-intel root=/dev/mapper/ubuntu--vg-ubuntu--lv ro kvm_intel.tdx=1 nohibernate
[    1.872259] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[    1.872262] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[    8.180290] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20240129, build_num 698
[    8.180294] virt/tdx: CMR: [0x100000, 0x77800000)
[    8.180295] virt/tdx: CMR: [0x100000000, 0x3ffe000000)
[    8.180297] virt/tdx: CMR: [0x4080000000, 0x8000000000)
[    9.661180] virt/tdx: 2084844 KB allocated for PAMT
[    9.661186] virt/tdx: module initialized

TDX CPU instruction support

CPU supports TDX according to /proc/cpuinfo

Model specific registers (MSRs)

MK_TME_ENABLED bit: 1 (expected value: 1)
SEAM_RR bit: 1 (expected value: 1)
NUM_TDX_PRIV_KEYS: 20
SGX_AND_MCHECK_STATUS: 0 (expected value: 0)
Production platform: Production (expected value: Production)

CPU details

 INTEL(R) XEON(R) GOLD 6548Y+

QEMU package details

Status: Installed
Package: qemu-system-x86
Version: 1:8.2.2+ds-0ubuntu2+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

Libvirt package details

Status: Installed
Package: libvirt-clients
Version: 10.0.0-2ubuntu8.3+tdx1.1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

OVMF package details

Status: Installed
Package: ovmf
Version: 2024.02-3+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

sgx-dcap-pccs package details

Status: Installed
Package: sgx-dcap-pccs
Version: 1.21-0ubuntu1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

tdx-qgs package details

Status: Installed
Package: tdx-qgs
Version: 1.21-0ubuntu2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

sgx-ra-service package details

Status: Installed
Package: sgx-ra-service
Version: 1.21-0ubuntu2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages
Description: Intel(R) Software Guard Extensions Multi-Package Registration Agent Service

sgx-pck-id-retrieval-tool package details

Status: Installed
Package: sgx-pck-id-retrieval-tool
Version: 1.21-0ubuntu2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

QGSD service status

● qgsd.service - Intel(R) TD Quoting Generation Service
     Loaded: loaded (/usr/lib/systemd/system/qgsd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-09-02 13:28:39 UTC; 19min ago
    Process: 7414 ExecStartPre=/bin/chown -R qgsd:qgsd /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
    Process: 7417 ExecStartPre=/bin/chmod 0750 /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
    Process: 7420 ExecStartPre=/usr/share/qgs/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 7438 ExecStart=/usr/bin/qgs (code=exited, status=0/SUCCESS)
   Main PID: 7440 (qgs)
      Tasks: 5 (limit: 613428)
     Memory: 3.8M (peak: 4.2M)
        CPU: 212ms
     CGroup: /system.slice/qgsd.service
             └─7440 /usr/bin/qgs

sep 02 13:28:53 tee-fhaas qgsd[7440]: tee_att_get_quote_size return 0x1100f
sep 02 13:28:53 tee-fhaas qgsd[7440]: call tee_att_init_quote
sep 02 13:28:53 tee-fhaas qgsd[7440]: [QCNL] Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK
sep 02 13:28:53 tee-fhaas qgsd[7440]: [QPL] Failed to get quote config. Error code is 0xb033
sep 02 13:28:53 tee-fhaas qgsd[7440]: [get_platform_quote_cert_data ../td_ql_logic.cpp:302] Error returned from the p_sgx_get_quote_config API. 0xe065
sep 02 13:28:53 tee-fhaas qgsd[7440]: tee_att_init_quote return 0x11001
sep 02 13:28:53 tee-fhaas qgsd[7440]: tee_att_get_quote_size return 0x1100f
sep 02 13:28:53 tee-fhaas qgsd[7440]: resp_size is 0
sep 02 13:28:53 tee-fhaas qgsd[7440]: About to shutdown and close socket
sep 02 13:28:53 tee-fhaas qgsd[7440]: erased a connection, now [0]

PCCS service status

● pccs.service - Provisioning Certificate Caching Service (PCCS)
     Loaded: loaded (/usr/lib/systemd/system/pccs.service; disabled; preset: enabled)
     Active: active (running) since Mon 2024-09-02 13:28:44 UTC; 19min ago
       Docs: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
   Main PID: 7452 (node)
      Tasks: 15 (limit: 613428)
     Memory: 44.3M (peak: 59.2M)
        CPU: 2.121s
     CGroup: /system.slice/pccs.service
             └─7452 /usr/bin/node /opt/intel/sgx-dcap-pccs/pccs_server.js

sep 02 13:28:44 tee-fhaas systemd[1]: Started pccs.service - Provisioning Certificate Caching Service (PCCS).
sep 02 13:28:45 tee-fhaas node[7452]: 2024-09-02 13:28:45.291 [info]: HTTPS Server is running on: https://localhost:8081

MPA registration logs (last 30 lines)

[24-06-2024 10:39:00] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[24-06-2024 10:39:00] INFO: Finished Registration Agent Flow.
[24-06-2024 11:43:44] INFO: SGX Registration Agent version: 1.20.100.2
[24-06-2024 11:43:44] INFO: Starts Registration Agent Flow.
[24-06-2024 11:43:44] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[24-06-2024 11:43:44] INFO: Finished Registration Agent Flow.
[24-06-2024 01:05:57] INFO: SGX Registration Agent version: 1.20.100.2
[24-06-2024 01:05:57] INFO: Starts Registration Agent Flow.
[24-06-2024 01:05:57] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[24-06-2024 01:05:57] INFO: Finished Registration Agent Flow.
[11-07-2024 07:02:06] INFO: SGX Registration Agent version: 1.20.100.2
[11-07-2024 07:02:06] INFO: Starts Registration Agent Flow.
[11-07-2024 07:02:06] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[11-07-2024 07:02:06] INFO: Finished Registration Agent Flow.
[11-07-2024 02:05:02] INFO: SGX Registration Agent version: 1.20.100.2
[11-07-2024 02:05:02] INFO: Starts Registration Agent Flow.
[11-07-2024 02:05:02] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[11-07-2024 02:05:02] INFO: Finished Registration Agent Flow.
[29-08-2024 09:44:06] INFO: SGX Registration Agent version: 1.20.100.2
[29-08-2024 09:44:06] INFO: Starts Registration Agent Flow.
[29-08-2024 09:44:06] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[29-08-2024 09:44:06] INFO: Finished Registration Agent Flow.
[02-09-2024 11:13:42] INFO: SGX Registration Agent version: 1.20.100.2
[02-09-2024 11:13:42] INFO: Starts Registration Agent Flow.
[02-09-2024 11:13:42] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[02-09-2024 11:13:42] INFO: Finished Registration Agent Flow.
[02-09-2024 12:19:14] INFO: SGX Registration Agent version: 1.21.100.3
[02-09-2024 12:19:14] INFO: Starts Registration Agent Flow.
[02-09-2024 12:19:14] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[02-09-2024 12:19:14] INFO: Finished Registration Agent Flow.
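
The qgsd journal in the report above fails in the QCNL layer with curl error 60 before the quote provider ever gets a quote config, which is why re-running the PCCS setup alone did not change anything: the quoting side could not validate the TLS certificate the PCCS presents. The script below is an added triage helper written for this page, not code from canonical/tdx or from Intel's DCAP packages. It classifies qgsd log lines by the first layer that failed, reads the PCCS URL and certificate-verification setting from the QCNL config, and (under --live, on a real host) shows the certificate the PCCS serves and repeats the verified fetch curl would do. Assumptions not stated in the thread: QCNL reads /etc/sgx_default_qcnl.conf, a JSON file with "pccs_url" and "use_secure_cert" keys (the latter controlling whether the PCCS certificate is verified), and the CA file pccs-configure installed is passed in through PCCS_CA because its path is not given here.

```shell
#!/bin/sh
# Triage helper for the qgsd failure pasted above. Added example for this page,
# not code from canonical/tdx or from Intel's DCAP packages.
# Assumptions not stated in the thread: QCNL (the quote provider's network
# layer) reads /etc/sgx_default_qcnl.conf, a JSON file with "pccs_url" and
# "use_secure_cert" keys, and the PCCS it talks to is the local one the
# pccs.service log shows on https://localhost:8081.

# classify_qgs_log: read qgsd journal text on stdin and print one token naming
# the first layer that failed, from the transport up.
classify_qgs_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'CURL error: (60)'; then
        # curl 60: the PCCS TLS certificate did not verify against the trust
        # store QCNL uses. Typical after the PCCS cert was regenerated or the
        # CA file QCNL trusts was replaced during an upgrade.
        echo pccs_tls_untrusted
    elif printf '%s\n' "$log" | grep -q 'CURL error: (7)'; then
        # curl 7: no TCP connection at all (PCCS not running or wrong pccs_url).
        echo pccs_unreachable
    elif printf '%s\n' "$log" | grep -q 'CURL error'; then
        echo pccs_transport_error
    elif printf '%s\n' "$log" | grep -q 'Failed to get quote config'; then
        # QPL failed although transport worked, e.g. PCCS has no collateral
        # cached for this platform's PCK identity.
        echo quote_config_failed
    else
        echo no_known_failure
    fi
}

# qcnl_value FILE KEY: read one scalar from the QCNL JSON config without jq.
qcnl_value() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# check_pccs_tls URL [CA_FILE]: do by hand what QCNL does, so the failing
# certificate is visible: show the cert PCCS presents, then fetch a public
# PCCS endpoint with strict verification. Needs a reachable PCCS, so it is
# only called under --live.
check_pccs_tls() {
    url=$1
    ca=$2
    host=$(printf '%s' "$url" | sed 's,^https\{0,1\}://,,; s,/.*,,')
    printf 'Certificate presented by %s:\n' "$host"
    openssl s_client -connect "$host" -servername "${host%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
    if [ -n "$ca" ]; then
        curl -sS --fail --cacert "$ca" "${url%/}/rootcacrl" >/dev/null \
            && echo "verify OK with CA file $ca"
    else
        curl -sS --fail "${url%/}/rootcacrl" >/dev/null \
            && echo "verify OK with the system trust store"
    fi
}

# Constructed sample, shaped like the journal lines in the issue.
SAMPLE_LOG='sep 02 13:28:53 tee-fhaas qgsd[7440]: call tee_att_init_quote
sep 02 13:28:53 tee-fhaas qgsd[7440]: [QCNL] Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK
sep 02 13:28:53 tee-fhaas qgsd[7440]: [QPL] Failed to get quote config. Error code is 0xb033
sep 02 13:28:53 tee-fhaas qgsd[7440]: tee_att_init_quote return 0x11001'

if [ "$1" = "--live" ]; then
    # On a real host: classify the recent qgsd journal, then check the PCCS
    # URL and trust setting QCNL is configured with. PCCS_CA is the CA file
    # pccs-configure installed; its path is not given in the thread.
    conf=/etc/sgx_default_qcnl.conf
    journalctl -u qgsd --no-pager -n 50 | classify_qgs_log
    pccs_url=$(qcnl_value "$conf" pccs_url)
    echo "pccs_url=$pccs_url use_secure_cert=$(qcnl_value "$conf" use_secure_cert)"
    check_pccs_tls "$pccs_url" "${PCCS_CA:-}"
else
    printf '%s\n' "$SAMPLE_LOG" | classify_qgs_log
fi
```

Run without arguments it classifies the embedded sample (pccs_tls_untrusted); with --live it runs against the host's own journal and config. If the live check fails only with a CA file and passes without one, or the other way round, the trust store QCNL uses and the certificate PCCS serves have drifted apart, which is the situation curl 60 reports. Flipping use_secure_cert to false makes the error disappear but leaves the quoting path talking to an unauthenticated PCCS, so it is a diagnostic step, not a fix.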

diegoara96 commented 2 months ago

I will proceed to activate the SGX Factory Reset and redo the whole process although I don't think the problem is there.

hector-cao commented 2 months ago

@diegoara96 No need to do it for now, let me take a look

hector-cao commented 2 months ago

@diegoara96 I reproduced the issue and released a fix. Could you please run the script setup-tdx-host.sh to retrieve the fix and let me know if that fixes the issue?

diegoara96 commented 2 months ago

Perfect, now it works well. Thanks @hector-cao