attester: tdx-attester: extend RTMRs #1025
Conversation
|
Nice to see that we are using the new feature of kernel. One thing not clear to me is whether we have a plan to update the kernel version of kata-side? https://github.com/kata-containers/kata-containers/blob/main/versions.yaml#L199 |
|
I'm going to make the version bump once 6.16 is released |
| fn runtime_measurement_extend_available() -> bool { | ||
| if Path::new("/sys/kernel/config/tsm/report").exists() { | ||
| if Path::new(TDX_RTMR_PATH).exists() { |
There was a problem hiding this comment.
Will this influence scenarios where we are using ioctl?
There was a problem hiding this comment.
right, I was not thinking the logic here very clearly. will re-work a bit.
| #[cfg(not(feature = "tdx-attest-dcap-ioctls"))] | ||
| std::fs::write( | ||
| Path::new(TDX_RTMR_PATH).join(format!("rtmr{rtmr_index}:sha384")), | ||
| extend_data, | ||
| ) | ||
| .context("TDX Attester: failed to extend RTMR")?; | ||
|
|
There was a problem hiding this comment.
I found that we have multiple cfg conditions here for ioctl/non-ioctl. Could you help to make two separate same-name functions and just call it here but enable one of them with feature flag?
There was a problem hiding this comment.
I'll re-think this along with the updated runtime_measurement_extend_available() logic.
There was a problem hiding this comment.
@Xynnn007 do you think it's OK as it is now?
Linux 6.16 adds the RTMR ABI that lets userspace to extend TEE RTMRs. Initially the support is added for TDX and follows https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/sysfs-devices-virtual-misc-tdx_guest Change tdx-attester to use the ABI defined by the spec to do RTMR extend. Signed-off-by: Mikko Ylinen <[email protected]>
|
I think we should also provide an option for people to use this for |
I might wait with that a bit but yeah it's in the plans to move away from the TDREPORT ioctl to just read |
| let rtmr_path = Path::new(TDX_RTMR_PATH); | ||
| if rtmr_path.exists() { | ||
| std::fs::write( | ||
| rtmr_path.join(format!("rtmr{rtmr_index}:sha384")), | ||
| extend_data, | ||
| ) | ||
| .context("TDX Attester: failed to extend RTMR")?; | ||
| } | ||
|
|
There was a problem hiding this comment.
If we are using tdx-attest-dcap-ioctls this code will also be executed, which is not expected?
There was a problem hiding this comment.
It is expected: I think it's harmless to check the path exists (kinda what we do with TSM reports too)
There was a problem hiding this comment.
We'd better use also feature flag for this. A corner case is with io-ctl but coincidently the path exists.
There was a problem hiding this comment.
okay, I thought about that corner base but that's almost impossible. Anyway, I'll rework on this further after my break...
Linux 6.16 adds the RTMR ABI that lets userspace to extend TEE RTMRs. Initially the support is added for TDX and follows https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/sysfs-devices-virtual-misc-tdx_guest
Change tdx-attester to use the ABI defined by the spec to do RTMR extend.
TODO: