Attester: remove libtdx feature for TDX attester #1470
Conversation
Thanks! Just one quick comment: I know at least OpenShift does not have RTMRs available, so could this PR be about dropping
@mythi Thanks for the information. Do you mean that
Yes. mrconfigid for initdata is read from the report0 ioctl, which is available without the DCAP wrapper in the default configuration. Another clarification: the RTMR ABI is not related to the configfs reports ABI.
Branch force-pushed from 5d91279 to 0397f03.
This patch adds the initdata (mr_configid) reading and RTMR reads/writes via sysfs on TDX platforms. This is a feature of kernel versions >= 6.16.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Branch force-pushed from c2e5040 to dccb63e.
Intel's DCAP internally has a compiler switch called V3_DRIVER that controls the type of ioctl writes for RTMR. I've implemented support for this in my PR. For IOR scenarios, the iocuddle crate can only make read requests with the req parameter using
Test with all configfs/sysfs/ioctl scenarios.
There are no kernels with ioctl RTMR extend, so I don't think we need to add that here. RTMR extend is only available via sysfs. Upstream kernels have only the report0 ioctl (no get quote nor RTMR extend).
The Alibaba Cloud kernel is using a version with ioctl RTMR, which might be out-of-tree code. This is what the DCAP lib is doing, and with this PR we can get rid of DCAP but still keep the functionality working. I am not sure how other CSPs support RTMR extending if they do not have the 6.16 sysfs patch. Let me add a comment in the code to show that this is for out-of-tree code and that the TODO is to use sysfs when all projects are ready.
Now with the new version of the guest kernel it is practical to use TSM for quote generation and sysfs for initdata reading and RTMR read/write. This patch deprecates the legacy libtdx-related features for getting quotes. Also, natively use ioctl to get reports for initdata/RTMR reading on kernel versions < 6.16, and use sysfs for initdata reading and RTMR read/write on kernel versions >= 6.16.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
The tests are ignored because they need to be run inside a TDX guest.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
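A small Rust model of the sysfs measurement path these commits describe, added here as an example; it is not code from this PR or from the guest-components attester. It assumes a directory holding `mrconfigid` and `rtmr0:sha384` .. `rtmr3:sha384` as raw 48-byte SHA-384 values (the 6.16 tree is expected under /sys/devices/virtual/misc/tdx_guest/measurements) and a `root` parameter so a constructed directory can stand in for sysfs when the code runs outside a TD.

```rust
// Added example, not PR code. ASSUMED layout: `root` holds `mrconfigid` and
// `rtmr{0..3}:sha384`, each a raw 48-byte SHA-384 value, as in the 6.16 sysfs ABI.
use std::fs;
use std::io::{self, Read, Write};
use std::path::{Path, PathBuf};

/// SHA-384 digest length: the size of MRCONFIGID and of each RTMR.
pub const SHA384_LEN: usize = 48;
pub const RTMR_COUNT: usize = 4;

/// Accessor for the measurement files; `root` may be a constructed directory.
pub struct Measurements { root: PathBuf }

impl Measurements {
    pub fn new(root: impl AsRef<Path>) -> Self {
        Measurements { root: root.as_ref().to_path_buf() }
    }
    /// True when the sysfs ABI is present; an older kernel lacks these files
    /// and needs the report0 ioctl path discussed in the thread instead.
    pub fn available(&self) -> bool {
        self.root.join("mrconfigid").is_file()
    }
    fn read_mr(&self, name: &str) -> io::Result<[u8; SHA384_LEN]> {
        let mut buf = [0u8; SHA384_LEN];
        fs::File::open(self.root.join(name))?.read_exact(&mut buf)?;
        Ok(buf)
    }
    /// MRCONFIGID, the register that carries the init-data digest.
    pub fn mrconfigid(&self) -> io::Result<[u8; SHA384_LEN]> {
        self.read_mr("mrconfigid")
    }
    /// Current value of RTMR `index` (0..=3).
    pub fn rtmr(&self, index: usize) -> io::Result<[u8; SHA384_LEN]> {
        Self::check_index(index)?;
        self.read_mr(&format!("rtmr{index}:sha384"))
    }
    /// Extend RTMR `index` by writing exactly one SHA-384 digest to its file;
    /// the kernel computes the extend, a plain directory merely stores the bytes.
    pub fn extend_rtmr(&self, index: usize, digest: &[u8]) -> io::Result<()> {
        Self::check_index(index)?;
        if digest.len() != SHA384_LEN {
            return Err(io::Error::new(io::ErrorKind::InvalidInput, "digest must be 48 bytes"));
        }
        let path = self.root.join(format!("rtmr{index}:sha384"));
        fs::OpenOptions::new().write(true).open(path)?.write_all(digest)
    }
    fn check_index(index: usize) -> io::Result<()> {
        if index < RTMR_COUNT { return Ok(()); }
        Err(io::Error::new(io::ErrorKind::InvalidInput, "rtmr index out of range"))
    }
}
```

On a kernel without the sysfs files `available()` returns false and the caller falls back to the report0 ioctl path mentioned in the thread.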
Branch force-pushed from dccb63e to fe9e11c.
Are you saying you moved to configfs-tsm reports for quotes but kept ioctl RTMR?
Yes. configfs for quotes; ioctl/sysfs for RTMR.
If both are available, we can drop ioctl RTMR extend. I'm not OK with supporting out-of-tree functionality unconditionally and/or enabled by default.
@mythi OK. Another choice is to have a feature flag to cover the ioctl code and an explicit roadmap to delete it once the main CSPs/distros support sysfs. But this seems the same as keeping DCAP here. So this work can be pending, as the upstream 6.16 kernel is not widely used yet and we can wait for the main CSPs/distros to support sysfs. At the same time, the DCAP dependency can be fully removed. Before that, as the runtime measurement is still in use, DCAP is still required (if we do not allow the ioctl MVP code to get into this repo).
One optimization we could do already today is to try to get
Let me implement it in another PR. |
OK. This PR can be closed? |
Let's keep it a draft and then we can track the thread. |