contrast: remove default SVNs for TDX #916
Conversation
|
I think we need documentation to instruct users how to fill these values if we don't have defaults, right? |
We don't ship minimum default SVNs for bare metal, so we shouldn't have a default for minimumTeeTcbSvn. Having a default for mrSeam is problematic because it legitimately can change as a customer updates their firmware.
Freax13
force-pushed
the
tom/remove-tdx-defaults
branch
from
4d82a4e
to
ac32c35
Compare
|
docs/docs/deployment.md
Outdated
| :::note[Missing TCB values] | ||
| On bare metal SEV-SNP, `contrast generate` is unable to fill in the `MinimumTCB` values as they can vary between platforms. | ||
| They will have to be filled in manually. | ||
| If you don't know the correct values use `{"BootloaderVersion":255,"TEEVersion":255,"SNPVersion":255,"MicrocodeVersion":255}` and observe the correct values in the error messages in the following steps. Note that the values will differ between CPU models. |
There was a problem hiding this comment.
Nit: I feel the word "correct" needs some explanation around trust-on-first-use. Even better would be some instructions for deriving the values directly on the host.
There was a problem hiding this comment.
Nit: I feel the word "correct" needs some explanation around trust-on-first-use.
Will do.
Even better would be some instructions for deriving the values directly on the host.
AFAICT there's no interface to ask the host kernel about the active values and I don't think the TDX module even exposes that. AFAICT the only way to get the values is to launch a virtual machine and create a quote. While this is technically feasible, as of right now, I don't think there's existing tooling for users to do this, though I'd be more than happy to write some.
There was a problem hiding this comment.
It would sure be great to have something like snphost for TDX.
There was a problem hiding this comment.
There's tdxhost, but it only implements this ok subcommand.
We could implement a tool to launch a minimal VM and request an attestation report for it. This could work on TDX and SNP.
@katexochen what are your thoughts?
| // The generate command doesn't fill in all required fields when | ||
| // generating a manifest for baremetal TDX. Do that now. |
There was a problem hiding this comment.
Why do we need to inject the reference values both here and in the justfile? I'd prefer if we always configured them externally, because they depend only on the runtime environment.
There was a problem hiding this comment.
This code isn't executed when running the default just target and the code in the justfile isn't executed when running the e2e tests. In both cases, this only affects our development workflows and so we don't expect this to change unless we upgrade the firmware on our server.
There was a problem hiding this comment.
I was thinking along the lines of an e2e test command line argument, but we don't need to do that right now.
Freax13
force-pushed
the
tom/remove-tdx-defaults
branch
from
ac32c35
to
1b8849b
Compare
We don't ship minimum default SVNs for bare metal, so we shouldn't have a default for minimumTeeTcbSvn. Having a default for mrSeam is problematic because it legitimately can change as a customer updates their firmware.