docs: add debug flag for CoCo initdata #918
Conversation
For CoCo, initdata will have a new field to control debugging mode. This will not influence the original overall initdata spec for it will only appear in `[data]` field. Signed-off-by: Xynnn007 <[email protected]>
For all-in-one KBS, the code changes upon the attestation-service, rvps and deps/verifier, deps/eventlog will also impact the logic of the KBS. This patch enables KBS Rust test suites when changes are added upon those paths. Signed-off-by: Xynnn007 <[email protected]>
The build error might be related to #902, where KBS Rust test suites were not triggered. The new version of az-vtpm uses an underlying sev build (SEV) version 6.2.1, which contains the arch-specific statements shown in the error message. Previously, the SEV 6.2.1 crate was located in the Now, az-vtpm is referenced by the ITA feature. Therefore, when the ITA feature is enabled, both az-vtpm and SEV 6.2.1 will be built, resulting in an error on the Arm platform. For CI coverage, Let me add a commit to update KBS Rust CI to be triggered whenever changes introduced in For this issue, probably introducing a |
Sorry for that. How about disabling the ITA feature on aarch64 since it's not meaningful for aarch64 platforms? |
I think you meant to say it's not a very likely setup people would use and I cannot disagree with that. However we need a sustainable solution. Hiding errors may make things worse in the long run. |
fitzthum
left a comment
fitzthum
left a comment
There was a problem hiding this comment.
I'm fine with this.
This will not influence the original overall initdata spec for it will only appear in [data] field.
This is what I was saying in confidential-containers/confidential-containers#303. The init-data spec allows for anything to be written into the data section, but we do not follow this in kata.
In my understanding, to support SNP attestation reports newer than v2 on azure CVM, that commit is required. |
OK, sounds like we cannot support that until the sev crate is fixed. |
Just to confirm, do you mean building intel-trust-authority-as on aarch64 failed here? |
I mean my opinion is we should revert rather than disable ITA on aarch64. |
Since sev is intended for x86_64, it's also not suitable to fix in sev crate. Do you have any ideas to fix the issue? |
One idea for the fix to make |
But I think |
I think I'd agree with @mythi that the culprit is probably in the sev crate (or how we use it. but I think there is no way to import SNP types without that cpuid code path being compiled currently). It should be ok in principle to have a verifier on ARM verify evidence from x86_64 TEEs. |
|
sth like: // Determine SEV-SNP CPU generation in order to parse platform status accordingly.
// On non-x86_64 targets, bail out with an Unknown error so the crate still compiles.
#[cfg(target_arch = "x86_64")]
let raw_cpuid = unsafe { std::arch::x86_64::__cpuid(0x8000_0001) }
.eax
.to_le_bytes();
#[cfg(not(target_arch = "x86_64"))]
{
return Err(crate::error::UserApiError::Unknown);
} |
|
@mythi @mkulke Thanks for the suggestion, and sorry for the late reply — I just got back from holiday. A fix has already been merged in the sev crate by @fitzthum: |
|
@yafu-1 can you rebase this PR |
Oh. Let me do this. But before that, we are involving another discussion about this kata-containers/kata-containers#11587 (comment) some points are raised by @burgerdev |
5 participants
For CoCo, initdata will have a new field to control debugging mode. This will not influence the original overall initdata spec for it will only appear in
[data]field.