
The guest is enabled with TDX, however the cc-api shows "not in any TEE"

Open wenhuizhang opened this issue 1 year ago • 2 comments

I have a guest enabled with Trusted Domain Extensions (TDX), but when I query the cc-api, it shows "not in any TEE". This indicates that the system is not recognizing the TDX environment properly.

Steps to Reproduce

  • Set up a guest with TDX enabled.
  • Query the cc-api to check the TEE status.
  • Observe that the cc-api response is "not in any TEE".

Expected Behavior

  • The cc-api should recognize the TDX environment and report the guest as running in TDX.

Actual Behavior

  • The cc-api shows "not in any TEE" despite the guest being enabled with TDX.

root@localhost:~/runc_agent# dmesg | grep tdx
[    0.000000] tdx: Guest detected
[    0.000000] Linux version 5.15.120.bsk.0-tdxg.0-amd64 (STE-Kernel@ByteDance) (gcc (Debian 8.3.0-6) 8.3.0, GNU ld (GNU Binutils for Debian) 2.31.1) #tdxg.0 SMP Debian 5.15.120.bsk.0-tdxg.0 Tue May 7 06:25:17 UTC 
[    0.000000] Command line: init=/bin/systemd rootwait rw root=/dev/vda1 rootfstype=ext4 console=ttyS0 console=tty0 systemd.show_status=true systemd.log_level=debug net.ifnames=0 tdx_disable_filter tdx_host=on numa_balancing=disable ima=on ima_policy=tcb ima_hash=sha384 initrd=initrd
[    0.381383] Kernel command line: init=/bin/systemd rootwait rw root=/dev/vda1 rootfstype=ext4 console=ttyS0 console=tty0 systemd.show_status=true systemd.log_level=debug net.ifnames=0 tdx_disable_filter tdx_host=on numa_balancing=disable ima=on ima_policy=tcb ima_hash=sha384 initrd=initrd
[    0.381455] Unknown kernel command line parameters "tdx_disable_filter tdx_host=on ima=on ima_policy=tcb ima_hash=sha384", will be passed to user space.
[    5.933650]     tdx_disable_filter
[    5.933652]     tdx_host=on
root@localhost:~/runc_agent# grep -o tdx_guest /proc/cpuinfo 
tdx_guest
tdx_guest

root@localhost:~/runc_agent/test/target/release# ./cc-sample-eventlog 
[2024-06-13T00:20:27Z ERROR cc_sample_eventlog] error getting TDX report: [get_cc_eventlog] error create cvm: [build_cvm] Error: not in any TEE!


root@localhost:~/runc_agent/test/target/release# ./cc-sample-measurement 
[2024-06-13T00:20:36Z INFO  cc_sample_measurement] call cc trusted API [get_default_algorithm] to get CVM supported algorithm!
[2024-06-13T00:20:36Z ERROR cc_sample_measurement] error get algorithm: [get_default_algorithm] error get algorithm: [build_cvm] Error: not in any TEE!

root@localhost:~/runc_agent/test/target/release# ./cc-sample-quote 
[2024-06-13T00:20:41Z INFO  cc_sample_quote] call cc trusted API [get_cc_report] to retrieve cc report!
[2024-06-13T00:20:41Z ERROR cc_sample_quote] error getting TDX report: [get_cc_report] error create cvm: [build_cvm] Error: not in any TEE!

wenhuizhang, Jun 13 '24 00:06

@wenhuizhang May I know if the /dev/tdx_guest or any other device node exists in your environment?

Ruoyu-y, Jun 13 '24 00:06

@wenhuizhang Any update on the issue?

ruomengh, Jun 20 '24 01:06
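
The device-node question raised in the thread can be answered together with the CPU-flag check from the report in one pass. The script below is an added example, not code from cc-trusted-api or from any commenter. The function names are hypothetical, and the node names other than /dev/tdx_guest are assumptions. It makes no claim about how the library itself decides.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of cc-trusted-api.
# /dev/tdx_guest is the node named in the thread. tdx-guest and tdx-attest are
# assumptions here: names used by some pre-upstream TDX guest kernels.
TDX_NODES="${TDX_NODES:-tdx_guest tdx-guest tdx-attest}"

# tdx_has_flag ROOT: succeed if ROOT/proc/cpuinfo lists the tdx_guest CPU flag.
tdx_has_flag() {
    grep -qw tdx_guest "$1/proc/cpuinfo" 2>/dev/null
}

# tdx_find_node ROOT: print the first candidate device node that exists.
tdx_find_node() {
    for n in $TDX_NODES; do
        if [ -e "$1/dev/$n" ]; then
            printf '/dev/%s\n' "$n"
            return 0
        fi
    done
    return 1
}

# tdx_diag [ROOT]: classify the guest. ROOT defaults to the real filesystem
# root; a different ROOT lets the check run against a copied or mocked tree.
tdx_diag() {
    root="${1:-}"
    if tdx_has_flag "$root"; then flag=yes; else flag=no; fi
    if node=$(tdx_find_node "$root"); then :; else node=; fi
    case "$flag:${node:+node}" in
        yes:node) echo "tdx-ready $node" ;;
        yes:)     echo "flag-without-node" ;;   # kernel sees TDX, no device exposed
        no:node)  echo "node-without-flag $node" ;;
        *)        echo "no-tdx" ;;
    esac
}
```

On the guest, call `tdx_diag` with no argument to inspect the real /proc and /dev. A `flag-without-node` result means the kernel reports TDX but exposes no guest device under the names checked.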