From a846ba461ed591d50b3ae04bd6b34874f06542a5 Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 29 Apr 2026 12:01:18 +0200 Subject: [PATCH] Switch crate used for TDX quote generation from configfs-tsm to tdx-attest --- Cargo.lock | 8 +------- crates/attestation/Cargo.toml | 2 +- crates/attestation/README.md | 4 +++- crates/attestation/src/dcap.rs | 9 ++++----- crates/attestation/src/lib.rs | 6 +++--- 5 files changed, 12 insertions(+), 17 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0b33f69..1fd10ff 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -297,7 +297,6 @@ dependencies = [ "anyhow", "az-tdx-vtpm", "base64 0.22.1", - "configfs-tsm", "dcap-qvl 0.3.12 (git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1)", "hex", "http 1.4.0", @@ -313,6 +312,7 @@ dependencies = [ "serde", "serde-saphyr", "serde_json", + "tdx-attest", "tdx-quote", "tempfile", "thiserror 2.0.18", @@ -835,12 +835,6 @@ version = "3.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" -[[package]] -name = "configfs-tsm" -version = "0.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "187437900921c8172f33316ad51a3267df588e99a2aebfa5ca1a2ed44df9e703" - [[package]] name = "console" version = "0.16.3" diff --git a/crates/attestation/Cargo.toml b/crates/attestation/Cargo.toml index 74b13a3..e855573 100644 --- a/crates/attestation/Cargo.toml +++ b/crates/attestation/Cargo.toml @@ -15,7 +15,7 @@ x509-parser = "0.18.0" thiserror = "2.0.17" anyhow = "1.0.100" pem-rfc7468 = { version = "0.7.0", features = ["std"] } -configfs-tsm = "0.0.2" +tdx-attest = { git = "https://github.com/Dstack-TEE/dstack.git", rev = "4f602dddc0542cd34da031c90ac0b3a560f316ed" } rand_core = { version = "0.6.4", features = ["getrandom"] } dcap-qvl = { workspace = true, features = ["danger-allow-tcb-override"] } hex = "0.4.3" 
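Review bot: The new `tdx-attest` line in crates/attestation/Cargo.toml swaps a checksummed crates.io release for a git source, so integrity now rests only on the pinned commit hash and on the upstream repository staying available. The full 40-character `rev` is the right way to pin it, but nothing on the line records why that commit was chosen. The Cargo.lock hunk adds `tdx-attest` to this crate's dependency list without a new `[[package]]` entry, which suggests the crate is already resolved elsewhere in the workspace. If so, declaring it once under `[workspace.dependencies]` and writing `tdx-attest = { workspace = true }` here, as is already done for `dcap-qvl`, would keep the rev from drifting between crates. A short comment such as `# pinned to a reviewed dstack commit; bump only after re-reviewing the tdx-attest sources` would also help the next person who updates it.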
diff --git a/crates/attestation/README.md b/crates/attestation/README.md index 6e0320c..92ff7f7 100644 --- a/crates/attestation/README.md +++ b/crates/attestation/README.md @@ -58,7 +58,9 @@ Google Cloud metadata API is used to detect whether we are on Google Cloud. In the case of attestation types `dcap-tdx`, `gcp-tdx`, and `qemu-tdx`, a standard DCAP attestation is generated using the `configfs-tsm` linux filesystem interface. This means that the binary must be run with access to -`/sys/kernel/config/tsm/report` which on many systems requires sudo. +`/sys/kernel/config/tsm/report` which on many systems requires sudo. If +configfs-tsm is unavailable, quote generation via vSOCK to the QGS will be +attempted. Alternatively, an external 'attestation provider service' URL can be provided which outsources the attestation generation to another process. diff --git a/crates/attestation/src/dcap.rs b/crates/attestation/src/dcap.rs index 1225820..beb3164 100644 --- a/crates/attestation/src/dcap.rs +++ b/crates/attestation/src/dcap.rs @@ -1,6 +1,5 @@ //! Data Center Attestation Primitives (DCAP) evidence generation and //! verification -use configfs_tsm::QuoteGenerationError; use dcap_qvl::{ QuoteCollateralV3, collateral::get_collateral_for_fmspc, @@ -19,7 +18,7 @@ const AZURE_BAD_FMSPC: &str = "90C06F000000"; /// For fetching collateral directly from Intel, if no PCCS is specified pub const PCS_URL: &str = "https://api.trustedservices.intel.com"; -/// Quote generation using configfs_tsm +/// Quote generation using tdx-attest pub fn create_dcap_attestation(input_data: [u8; 64]) -> Result, AttestationError> { let quote = generate_quote(input_data)?; tracing::info!("Generated TDX quote of {} bytes", quote.len()); 
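Review bot: The updated doc comment on `create_dcap_attestation` in dcap.rs names only the crate and leaves `input_data` undescribed, although the README hunk in this same commit says quote generation now tries configfs-tsm and then falls back to vsock and the QGS. I would expand it to something like `/// Generates a TDX quote over the 64-byte input_data (presumably the quote's report data) using tdx-attest: configfs-tsm first, then vsock to the QGS.` It is also worth stating that a build under `test` or the `mock` feature returns a mock quote instead, since the hunk further down shows `generate_quote` being swapped out under that cfg. The function body continues past the end of this hunk, so the return path is not visible here.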
@@ -234,7 +233,7 @@ pub fn verify_dcap_attestation_sync( /// Create a mock quote for testing on non-confidential hardware #[cfg(any(test, feature = "mock"))] -fn generate_quote(input: [u8; 64]) -> Result, QuoteGenerationError> { +fn generate_quote(input: [u8; 64]) -> Result, tdx_attest::TdxAttestError> { let attestation_key = tdx_quote::SigningKey::random(&mut rand_core::OsRng); let provisioning_certification_key = tdx_quote::SigningKey::random(&mut rand_core::OsRng); Ok(tdx_quote::Quote::mock( @@ -248,8 +247,8 @@ fn generate_quote(input: [u8; 64]) -> Result, QuoteGenerationError> { /// Create a quote #[cfg(not(any(test, feature = "mock")))] -fn generate_quote(input: [u8; 64]) -> Result, QuoteGenerationError> { - configfs_tsm::create_tdx_quote(input) +fn generate_quote(input: [u8; 64]) -> Result, tdx_attest::TdxAttestError> { + tdx_attest::get_quote(&input) } /// Given a [Report] get the input data regardless of report type diff --git a/crates/attestation/src/lib.rs b/crates/attestation/src/lib.rs index cf49ded..3e2461a 100644 --- a/crates/attestation/src/lib.rs +++ b/crates/attestation/src/lib.rs @@ -113,7 +113,7 @@ impl AttestationType { } // Otherwise try DCAP quote - this internally checks that the quote provider // is `tdx_guest` - if configfs_tsm::create_tdx_quote([0; 64]).is_ok() { + if tdx_attest::get_quote(&[0; 64]).is_ok() { if running_on_gcp().await? { return Ok(AttestationType::GcpTdx); } else { @@ -572,8 +572,8 @@ pub enum AttestationError { X509(#[from] x509_parser::error::X509Error), #[error("Configuration mismatch - expected no remote attestation")] AttestationGivenWhenNoneExpected, - #[error("Configfs-tsm quote generation: {0}")] - QuoteGeneration(#[from] configfs_tsm::QuoteGenerationError), + #[error("TDX quote generation: {0}")] + QuoteGeneration(#[from] tdx_attest::TdxAttestError), #[error("DCAP verification: {0}")] DcapVerification(#[from] DcapVerificationError), #[error("Attestation type not supported")]
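Review bot: In the lib.rs detection hunk the retained comment `this internally checks that the quote provider is tdx_guest` described configfs-tsm, and nothing visible shows it still holds for `tdx_attest::get_quote`, which per the README change may also reach the QGS over vsock. The `.is_ok()` call discards the error too, so a TDX guest whose quote generation fails looks the same as a non-TDX host, and detection falls through to whatever follows outside this hunk. I would reword the comment to match the new crate and surface the failure, for example with a `match` on the probe whose error arm is `Err(e) => tracing::debug!("TDX quote probe failed: {e}"),`. The probe requests a full quote over all-zero input just to test availability, so the added fallback path may make detection slower than before; that is inferred and worth measuring. The enclosing function starts and ends outside the hunk.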
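Review bot: `AttestationError::QuoteGeneration` in lib.rs now wraps `tdx_attest::TdxAttestError`, so the payload type of a variant on a `pub enum` changes and the new type comes from a git-pinned dependency. Any downstream code that matches on or constructs this variant will break, and can only name the new type by depending on the same git revision. If this crate has external consumers, the change deserves a changelog entry and a matching version bump. A doc comment on the variant would also help, such as `/// Quote generation via tdx-attest failed (configfs-tsm or vsock/QGS path)`. The rest of the enum lies outside the hunk.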