TDX: Ensure quote-generation-service is added to the QEMU command line #9497

fidencio · 2024-04-17T07:40:24Z

In order to use QEMU + TDX, and get the quote for the attestation, we need to make sure that QEMU is correctly started using the following command line -object tdx-guest,id=tdx,quote-generation-service=vsock:2:$qgs_port (default qgs_port is 4050).

From a quick look at the code, this is something that should be passed to

kata-containers/src/runtime/virtcontainers/qemu_amd64.go

Lines 278 to 290 in af3b19e

    
           case tdxProtection: 
        
           	id := q.devLoadersCount 
        
           	q.devLoadersCount += 1 
        
           	return append(devices, 
        
           		govmmQemu.Object{ 
        
           			Driver:         govmmQemu.Loader, 
        
           			Type:           govmmQemu.TDXGuest, 
        
           			ID:             "tdx", 
        
           			DeviceID:       fmt.Sprintf("fd%d", id), 
        
           			Debug:          false, 
        
           			File:           firmware, 
        
           			FirmwareVolume: firmwareVolume, 
        
           		}), "", nil

, and then https://github.com/kata-containers/kata-containers/blob/main/src/runtime/pkg/govmm/qemu/qemu.go should be adjusted accordingly to be able to build the correct command line for QEMU.

The port, unfortunately, will have to be exposed to the user, and I see this as an user experience problem, as the user deploying Kata Containers may not be the same user who'd set up QGS, but the best we can do is hope for some clear documentation on the CSPs side, to make sure that this information is available.

For this, we'd also need to:

Add a new tdx_quote_generation_service_port option as part of the config file, and this should only be used by the qemu-tdx configuration
We need to test that passing a quote-generation-service won't break QEMU to start when there's no QGS installed in the host, but rather only the attestation would fail

Jakub will be done working on this, so we may need a few more discussions to happen here before actually seeing a patch.

The text was updated successfully, but these errors were encountered:

For the TD attestation to work the connection to QGS on the host is needed. By default QGS runs on vsock port 4050, but can be modified by the host owner. Format of the qemu object follows the SocketAddress structure, so it needs to be provided in the JSON format, as in the example below: -object '{"qom-type":"tdx-guest","id":"tdx0","quote-generation-socket":{"type":"vsock","cid":"2","port":"4050"}}' Fixes: kata-containers#9497 Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>

For the TD attestation to work the connection to QGS on the host is needed. By default QGS runs on vsock port 4050, but can be modified by the host owner. Format of the qemu object follows the SocketAddress structure, so it needs to be provided in the JSON format, as in the example below: -object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type":"vsock","cid":"2","port":"4050"}}' Fixes: kata-containers#9497 Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>

Fix formatting. Fixes: kata-containers#9497 Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>

Bring back debug option to TdxQomObject. Fixes: kata-containers#9497 Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>

For the TD attestation to work the connection to QGS on the host is needed. By default QGS runs on vsock port 4050, but can be modified by the host owner. Format of the qemu object follows the SocketAddress structure, so it needs to be provided in the JSON format, as in the example below: -object '{"qom-type":"tdx-guest","id":"tdx","quote-generation-socket":{"type":"vsock","cid":"2","port":"4050"}}' Fixes: kata-containers#9497 Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>

fidencio added enhancement Improvement to an existing feature needs-review Needs to be assessed by the team. labels Apr 17, 2024

katacontainersbot added this to To do in Issue backlog Apr 17, 2024

JakubLedworowski added a commit to JakubLedworowski/kata-containers that referenced this issue May 15, 2024

runtime: Enable connection to Quote Generation Service (QGS)

4d5b163

Fix formatting. Fixes: kata-containers#9497 Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>

This was referenced May 17, 2024

runtime: Enable connection to Quote Generation Service (QGS) JakubLedworowski/kata-containers#2

Closed

runtime: Enable connection to Quote Generation Service (QGS) #9653

Merged

katacontainersbot moved this from To do to In progress in Issue backlog May 17, 2024

fidencio closed this as completed in #9653 May 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TDX: Ensure quote-generation-service is added to the QEMU command line #9497

TDX: Ensure quote-generation-service is added to the QEMU command line #9497

fidencio commented Apr 17, 2024

TDX: Ensure quote-generation-service is added to the QEMU command line #9497

TDX: Ensure quote-generation-service is added to the QEMU command line #9497

Comments

fidencio commented Apr 17, 2024