islet-project / islet

An on-device confidential computing platform
Apache License 2.0

realm measurement using veraison #350

Closed darshanp4 closed 1 month ago

darshanp4 commented 1 month ago

Hello,

I am trying to do attestation using Veraison with Islet, following the given steps at: veraison example run

While doing attest using ./bin/rsictl attest -o token.bin, I am facing the below error:

rsi: device rsi open
rsi: ioctl: unknown ioctl cmd: 3494148290
rsi: device rsi released
Error: EINVAL

dmesg:

[ 0.000000] RME: Using RSI version 1.0
[ 0.345241] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 1.911383] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
[ 12.149515] VFIO - User Level meta-driver version: 0.3
[ 12.516895] registered taskstats version 1
[ 747.676207] rsi: loading out-of-tree module taints kernel.
[ 747.691658] rsi: Initializing
[ 747.699933] rsi: Chardev registered with major 245
[ 747.712592] rsi: Device created on /dev/rsi
[ 747.723240] rsi: Is realm: true
[ 747.731454] rsi: RSI version, ret: RSI_SUCCESS, lower: 1.0, higher: 1.0
[ 747.747861] rsi: RSI config, ret: RSI_SUCCESS, ipa_width_in_bits: 33
[ 884.258661] rsi: device rsi open
[ 884.267063] rsi: ioctl: unknown ioctl cmd
[ 884.281800] rsi: device rsi released

And while doing realm measurement, I am not able to find the below files mentioned at realm measurement:

Image.realm & realm.s

Can someone help with it?

p-sawicki2 commented 1 month ago

@darshanp4 As to the measurements of the realm image: it looks like the documentation is outdated. Currently, the script for launching the realm is called launch-realm.sh, the kernel file is linux.realm and the rootfs image is rootfs-realm.cpio.gz.

There is another issue that you may encounter. Currently, Islet on the main branch supports the 1.0-EAC5 RMM specification, which differs from the previous version in the way measurements are calculated. So, if you run the current version of kvmtool-rim-measurer, you'll get different RIMs than those calculated by Islet. Anyway, in the scope of this year's project we plan to prepare the kvmtool-rim-measurer tool for version 1.0-EAC5, but this will take some time.

As a workaround, you can just print the content of the attestation token and read the RIM value from there. And then use it to prepare the realm.json file.

Havner commented 1 month ago

@darshanp4 Regarding the rsictl tool, there was a moment where the islet main branch was updated for the EAC5 specification while the remote-attestation was not (it was on the eac5 branch). It was updated a week or two ago. From what I can see, you must've caught this moment. Please make sure you have both repositories on the latest versions now. I've just tested it and it seems to work fine.
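An added example, not part of the thread or of the Islet code: decoding the rejected request number from the first log (3494148290) shows which ioctl the tool issued and how large an argument it expected, which is what drifts when the tool and the kernel module are built from different revisions. It assumes the standard asm-generic ioctl encoding used by arm64 Linux; the "accepted" command table is hypothetical, since the module's real command list is not on this page.

```python
# Linux ioctl request numbers pack four fields (asm-generic layout, arm64):
# bits 0-7 nr, bits 8-15 type, bits 16-29 argument size, bits 30-31 direction.
DIRS = {0: "none", 1: "write", 2: "read", 3: "read|write"}

def decode(cmd):
    """Split a request number into the fields the _IO* macros packed into it."""
    return {
        "nr": cmd & 0xFF,
        "type": chr((cmd >> 8) & 0xFF),
        "size": (cmd >> 16) & 0x3FFF,
        "dir": DIRS[(cmd >> 30) & 0x3],
    }

def encode(direction, type_char, nr, size):
    """Inverse of decode(); direction is the raw 2-bit value."""
    return (direction << 30) | (size << 16) | (ord(type_char) << 8) | nr

def diagnose(cmd, accepted):
    """Explain why a driver that accepts `accepted` would reject `cmd`."""
    got = decode(cmd)
    for name, known in accepted.items():
        if cmd == known:
            return f"{name}: match"
    for name, known in accepted.items():
        want = decode(known)
        if (got["type"], got["nr"]) == (want["type"], want["nr"]):
            diff = [f for f in ("dir", "size") if got[f] != want[f]]
            return (f"{name}: same call, different {'/'.join(diff)} "
                    f"(tool {got['size']} bytes, module {want['size']} bytes)")
    return f"no accepted command has type {got['type']!r} nr {got['nr']}"

REJECTED = 3494148290  # value from the "unknown ioctl cmd" line in the thread

# HYPOTHETICAL module build: same call number, argument struct of another size.
# The size 4100 is made up for illustration only.
HYPOTHETICAL_ACCEPTED = {"attestation_token": encode(3, "x", 194, 4100)}

if __name__ == "__main__":
    print(decode(REJECTED))
    print(diagnose(REJECTED, HYPOTHETICAL_ACCEPTED))
```

Because the argument size is part of the number, a struct layout change on either side yields a command the other side does not recognise, and the driver answers with EINVAL as in the log above.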

darshanp4 commented 1 month ago

Hi @Havner,
Thank you for your input. Now I am able to run the rsictl tool, but it is giving an incomplete status:

# ./bin/rsictl attest -o token.bin
[  588.404460] rsi: device rsi open
[  588.413131] rsi: ioctl: attestation_token
[  588.413173] rsi: RSI attestation init, ret: RSI_SUCCESS, max_token_len: 4096
[  588.441144] rsi: More space is needed for the token, got: 64, need: 4096
[  588.459458] rsi: ioctl: attestation_token
[  588.459501] rsi: RSI attestation init, ret: RSI_SUCCESS, max_token_len: 4096
[  588.648110] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 0
[  588.825123] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 0
[  589.002314] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 0

It just goes on and on with read: 0.

RMM shows this error:

[ERROR]islet_rmm::rsi -- IRQ is pending while fetching token

Can you help me understand?

Havner commented 1 month ago

@darshanp4 I personally can't help you as I don't know the code responsible for this issue. What I can tell you:

  1. I experience the same, so it's not an issue with your environment, the issue is there.
  2. As a workaround, if you don't need islet-rmm per se, you can launch the fvp with --rmm=tf-rmm; this will allow you to fetch the token.
  3. This seems to be related to https://github.com/islet-project/islet/issues/352 and https://github.com/islet-project/islet/commit/2e0f9ffa672f526c91b5a6128cb70df082f33fd4, the latest code written by @L0czek so I'm passing the issue.

L0czek commented 1 month ago

It looks like an IRQ is pending and is not being handled by someone. As a result, the token is constantly interrupted by this code: rmm/src/rsi/mod.rs:218

            if is_irq_pending() {
                error!("IRQ is pending while fetching token");
                set_reg(rec, 0, INCOMPLETE)?;
                set_reg(rec, 1, 0)?;
                ret[0] = rmi::SUCCESS_REC_ENTER;
                return Ok(());
            }

When I was creating the #342 PR I tested it using the CCA-RMM-ACS tests and reading the attestation token was working just fine. For a quick solution you can comment this fragment out. For the long-term one, we can either investigate why some IRQ is not being handled or just revert this patch and keep in mind that the attestation_rec_exit_irq test will fail.
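An added example, not part of the thread or of the Islet code: a small dmesg triage script that separates a token fetch that is making progress from the stuck state reported above, where every continue call returns RSI_INCOMPLETE with read: 0. The first six sample lines are taken from the log quoted in this thread; the last three are constructed to show a healthy fetch, and the stall threshold of three calls is an assumption.

```python
import re

# First six lines: from the dmesg output in the thread.
# Last three lines: CONSTRUCTED sample of a fetch that completes.
SAMPLE = """\
[  588.413173] rsi: RSI attestation init, ret: RSI_SUCCESS, max_token_len: 4096
[  588.441144] rsi: More space is needed for the token, got: 64, need: 4096
[  588.459501] rsi: RSI attestation init, ret: RSI_SUCCESS, max_token_len: 4096
[  588.648110] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 0
[  588.825123] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 0
[  589.002314] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 0
[  900.000000] rsi: RSI attestation init, ret: RSI_SUCCESS, max_token_len: 4096
[  900.100000] rsi: RSI attestation continue, ret: RSI_INCOMPLETE, read: 2048
[  900.200000] rsi: RSI attestation continue, ret: RSI_SUCCESS, read: 1100
"""

LINE = re.compile(
    r"\[\s*(\d+\.\d+)\] rsi: RSI attestation (init|continue), "
    r"ret: (\w+)(?:, read: (\d+))?"
)

def find_sessions(log, stall_after=3):
    """Group init/continue lines into fetch sessions and classify each one."""
    sessions, cur = [], None
    for m in LINE.finditer(log):
        ts, kind, ret = float(m.group(1)), m.group(2), m.group(3)
        if kind == "init":  # every init starts a new token fetch
            cur = {"start": ts, "last": ts, "bytes": 0,
                   "zero_run": 0, "state": "open"}
            sessions.append(cur)
            continue
        if cur is None:  # continue without a preceding init: ignore
            continue
        read = int(m.group(4) or 0)
        cur["last"] = ts
        cur["bytes"] += read
        if ret == "RSI_INCOMPLETE" and read == 0:
            cur["zero_run"] += 1  # interrupted before any bytes were copied
            if cur["zero_run"] >= stall_after:
                cur["state"] = "stalled"
        else:
            cur["zero_run"] = 0
            cur["state"] = "done" if ret == "RSI_SUCCESS" else "open"
    return sessions

if __name__ == "__main__":
    for s in find_sessions(SAMPLE):
        print(f"{s['start']:.3f}s {s['state']:8} bytes={s['bytes']}")
```

A single RSI_INCOMPLETE is normal when the token is delivered in pieces; it is the unbroken run with zero bytes read that matches the pending-IRQ early return shown in the snippet above.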

L0czek commented 1 month ago

I reverted the one patch from #342 and confirmed that it fixes this issue. @darshanp4 please try for yourself https://github.com/islet-project/islet/pull/354 and merge if it works for you. Naturally, this means that IRQ handling in islet requires more fixing, so if you merge this a proper issue should be opened.

darshanp4 commented 1 month ago

@L0czek Thank you for the confirmation and the fix for IRQ. As a workaround mentioned by @Havner, I tried with tf-rmm and am not seeing this issue. As of now I don't require islet-rmm. So, for the future, you can create an issue to fix IRQ handling in islet.

And for realm attestation, I have yet to try the workaround mentioned by @p-sawicki2, so you can pass this issue related to the kvmtool-rim-measurer tool.

Havner commented 1 month ago

The token fetching issue is fixed by #354.

@p-sawicki2 transferring to you for the rim extractor documentation issue.

p-sawicki2 commented 1 month ago

The documentation has been fixed by #355.