canonical / tdx

Intel confidential computing - TDX
GNU General Public License v3.0

Failed to get the quote (the qgsd service is not properly working) #256

Closed jorgealmansa closed 4 weeks ago

jorgealmansa commented 4 weeks ago

The attestation was working a few days ago and now it is not working properly; the main error is due to the qgsd. I also tried the solution proposed in this issue (the error is practically the same) and it didn't work.

Log of the VM:

root@tdx-guest:/usr/share/doc/libtdx-attest-dev/examples# ./test_tdx_attest

                TDX report data

 00000000: d2 12 6b 37 d1 de 7c c7 89 1c 79 7b 11 09 33 fa
 00000010: 2a 76 8a fa 08 3b e7 c1 a4 bf 91 bf 3a ca 72 0c
 00000020: dd dd 43 ae bb bf 75 45 db ef c0 ec f8 f3 e6 23
 00000030: 69 70 1d 71 ab 04 32 4f c4 c4 0e fe 8e 80 0a 6b

Wrote TD Report to report.dat

Failed to get the quote

Git ref

70e06d0ac92eb5191fc69f85cda5e68084ec4ba7

Operating system details

Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

Kernel version

6.8.0-1013-intel #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Oct  3 17:38:00 UTC 2024 x86_64 x86_64 GNU/Linux

TDX kernel logs

[    0.893765] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[    0.893767] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[    6.190258] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20240129, build_num 698
[    6.190261] virt/tdx: CMR: [0x100000, 0x77800000)
[    6.190263] virt/tdx: CMR: [0x100000000, 0x1ffe000000)
[    6.190264] virt/tdx: CMR: [0x2080000000, 0x4000000000)
[    7.045419] virt/tdx: 1034220 KB allocated for PAMT
[    7.045424] virt/tdx: module initialized

TDX CPU instruction support

CPU supports TDX according to /proc/cpuinfo

Model specific registers (MSRs)

MK_TME_ENABLED bit: 1 (expected value: 1)
SEAM_RR bit: 1 (expected value: 1)
NUM_TDX_PRIV_KEYS: 20
SGX_AND_MCHECK_STATUS: 0 (expected value: 0)
Production platform: Production (expected value: Production)

CPU details

 INTEL(R) XEON(R) GOLD 6548N

QEMU package details

Status: Installed
Package: qemu-system-x86
Version: 1:8.2.2+ds-0ubuntu2+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

Libvirt package details

Status: Installed
Package: libvirt-clients
Version: 10.0.0-2ubuntu8.3+tdx1.2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

OVMF package details

Status: Installed
Package: ovmf
Version: 2024.02-3+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

sgx-dcap-pccs package details

Status: Installed
Package: sgx-dcap-pccs
Version: 1.21-0ubuntu1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

tdx-qgs package details

Status: Installed
Package: tdx-qgs
Version: 1.22.100.3-noble1
APT-Sources: https://download.01.org/intel-sgx/sgx_repo/ubuntu noble/main amd64 Packages

sgx-ra-service package details

Status: Installed
Package: sgx-ra-service
Version: 1.22.100.3-noble1
APT-Sources: https://download.01.org/intel-sgx/sgx_repo/ubuntu noble/main amd64 Packages
Description: Intel(R) Software Guard Extensions Multi-Package Registration Agent Service: Enables SGX Remote Attestation for Multi-Package platforms

sgx-pck-id-retrieval-tool package details

Status: Installed
Package: sgx-pck-id-retrieval-tool
Version: 1.22.100.3-noble1
APT-Sources: https://download.01.org/intel-sgx/sgx_repo/ubuntu noble/main amd64 Packages

QGSD service status

● qgsd.service - Intel(R) TD Quoting Generation Service
     Loaded: loaded (/usr/lib/systemd/system/qgsd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-10-28 12:52:41 CET; 21min ago
    Process: 95513 ExecStartPre=/bin/chown -R qgsd:qgsd /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
    Process: 95517 ExecStartPre=/bin/chmod 0750 /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
    Process: 95529 ExecStartPre=/usr/share/qgs/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 95546 ExecStart=/usr/bin/qgs (code=exited, status=0/SUCCESS)
   Main PID: 95549 (qgs)
      Tasks: 5 (limit: 303922)
     Memory: 7.9M (peak: 8.7M)
        CPU: 1.705s
     CGroup: /system.slice/qgsd.service
             └─95549 /usr/bin/qgs

oct 28 13:05:03 pandora-1 qgsd[95549]: call tee_att_init_quote
oct 28 13:05:03 pandora-1 qgsd[95549]: [QCNL] Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK
oct 28 13:05:03 pandora-1 qgsd[95549]: [QPL] Failed to get quote config. Error code is 0xb033
oct 28 13:05:03 pandora-1 qgsd[95549]: [get_platform_quote_cert_data ../td_ql_logic.cpp:302] Error returned from the p_sgx_get_quote_config API. 0xe065
oct 28 13:05:03 pandora-1 qgsd[95549]: tee_att_init_quote return 0x11001
oct 28 13:05:03 pandora-1 qgsd[95549]: tee_att_get_quote_size return 0x1100f
oct 28 13:05:03 pandora-1 qgsd[95549]: Return from get_resp
oct 28 13:05:03 pandora-1 qgsd[95549]: About to write response in thread [709a6da006c0]
oct 28 13:05:03 pandora-1 qgsd[95549]: About to shutdown and close socket
oct 28 13:05:03 pandora-1 qgsd[95549]: erased a connection, now [0]

PCCS service status

● pccs.service - Provisioning Certificate Caching Service (PCCS)
     Loaded: loaded (/usr/lib/systemd/system/pccs.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-10-28 12:52:41 CET; 21min ago
       Docs: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
   Main PID: 95512 (node)
      Tasks: 15 (limit: 303922)
     Memory: 45.5M (peak: 59.0M)
        CPU: 2.200s
     CGroup: /system.slice/pccs.service
             └─95512 /usr/bin/node /opt/intel/sgx-dcap-pccs/pccs_server.js

oct 28 12:52:41 pandora-1 systemd[1]: Started pccs.service - Provisioning Certificate Caching Service (PCCS).
oct 28 12:52:42 pandora-1 node[95512]: 2024-10-28 12:52:42.064 [info]: HTTPS Server is running on: https://localhost:8081

MPA registration logs (last 30 lines)

[24-10-2024 04:37:31] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[24-10-2024 04:37:31] INFO: Finished Registration Agent Flow.
[25-10-2024 08:49:53] INFO: SGX Registration Agent version: 1.21.100.3
[25-10-2024 08:49:53] INFO: Starts Registration Agent Flow.
[25-10-2024 08:49:53] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[25-10-2024 08:49:53] INFO: Finished Registration Agent Flow.
[26-10-2024 12:46:21] INFO: SGX Registration Agent version: 1.21.100.3
[26-10-2024 12:46:21] INFO: Starts Registration Agent Flow.
[26-10-2024 12:46:21] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[26-10-2024 12:46:21] INFO: Finished Registration Agent Flow.
[26-10-2024 12:59:30] INFO: SGX Registration Agent version: 1.21.100.3
[26-10-2024 12:59:30] INFO: Starts Registration Agent Flow.
[26-10-2024 12:59:30] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[26-10-2024 12:59:30] INFO: Finished Registration Agent Flow.
[27-10-2024 11:44:08] INFO: SGX Registration Agent version: 1.21.100.3
[27-10-2024 11:44:08] INFO: Starts Registration Agent Flow.
[27-10-2024 11:44:08] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[27-10-2024 11:44:08] INFO: Finished Registration Agent Flow.
[28-10-2024 08:59:11] INFO: SGX Registration Agent version: 1.21.100.3
[28-10-2024 08:59:11] INFO: Starts Registration Agent Flow.
[28-10-2024 08:59:11] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[28-10-2024 08:59:11] INFO: Finished Registration Agent Flow.
[28-10-2024 09:33:55] INFO: SGX Registration Agent version: 1.21.100.3
[28-10-2024 09:33:55] INFO: Starts Registration Agent Flow.
[28-10-2024 09:33:55] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[28-10-2024 09:33:55] INFO: Finished Registration Agent Flow.
[28-10-2024 11:16:05] INFO: SGX Registration Agent version: 1.21.100.3
[28-10-2024 11:16:05] INFO: Starts Registration Agent Flow.
[28-10-2024 11:16:05] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[28-10-2024 11:16:05] INFO: Finished Registration Agent Flow.

syncronize-issues-to-jira[bot] commented 4 weeks ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-1437.

This message was autogenerated

jorgealmansa commented 4 weeks ago

Now it is doing the attestation right!