aa/attester: add IBM Secure Execution driver framework #492
Conversation
|
Thanks @huoqifeng for the contribution! I'd love to review this if it is ok : D |
huoqifeng
force-pushed
the
s390x-attester
branch
4 times, most recently
from
c6a4fad to
f82d20b
Compare
huoqifeng
changed the title
huoqifeng
force-pushed
the
s390x-attester
branch
from
f82d20b to
addfe37
Compare
|
@Xynnn007 this is not fully ready for review, but I think we can start discuss the potential changes both on guest-components side and on trustee side, trustee change is tracked by confidential-containers/trustee#345. We want to move the The reason is: for IBM Secure Execution (SE), |
huoqifeng
changed the title
huoqifeng
changed the title
huoqifeng
force-pushed
the
s390x-attester
branch
11 times, most recently
from
8cc2716 to
718c63c
Compare
huoqifeng
force-pushed
the
s390x-attester
branch
from
cca0fcb to
334a0dc
Compare
huoqifeng
changed the title
huoqifeng
changed the title
We are encountering an issue on s390x when compiling AS with `all-verifier`. The error message is as follows: ``` error: failed to run custom build command for `tss-esapi-sys v0.5.0` ``` A platform-specific verifier (e.g., `se-verifier`) is used here. (confidential-containers/guest-components#492) Although we can easily configure the verifier using `--features`, this approach lacks flexibility when the crate is selectively called from outside (e.g., kbs) based on `target_arch`. The optimal solution would be to open up room for configuring the verifier at a `dependencies` level rather than a `features` level. This commit aims to remove `all-verifier` from the default feature set and configure it differently for s390x. Signed-off-by: Hyounggyu Choi <[email protected]>
huoqifeng
force-pushed
the
s390x-attester
branch
2 times, most recently
from
c7b4d93 to
ebfbab8
Compare
|
@Xynnn007 I guess the failure in https://github.com/confidential-containers/guest-components/actions/runs/9358373555/job/25760080271?pr=492 is caused by network connection? |
* aa/attester: add IBM Secure Execution evidence driver framework Signed-off-by: Qi Feng Huo <[email protected]> * aa/attester: IBM SE use nonce to pass attestation request Signed-off-by: Qi Feng Huo <[email protected]> --------- Signed-off-by: Qi Feng Huo <[email protected]>
|
Squashed commits. |
Signed-off-by: Qi Feng Huo <[email protected]>
|
@huoqifeng I noticed the CI will not alert about code that doesn't compile in the se-attester module. I suppose due to the target-toggle. Do you plan to add CI for s390? If not, maybe we should revisit that toggle, otherwise the code will break unnoticed w/ future refactorings. |
Signed-off-by: Qi Feng Huo <[email protected]>
I know @BbolroC is working on this, maybe, we bring back the change in lib.rs to enable CI for se? I just noticed it also. |
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option for attestor is not configured here, but a new attester for s390x will be added by confidential-containers#492.
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option for attestor is not configured here, but a new attester for s390x will be added by confidential-containers#492. Signed-off-by: Hyounggyu Choi <[email protected]>
|
For reviewers, you can find CI enablement for s390x at #576 . Thanks! 😉 |
This is the initial draft to fix: #485 and the draft PR provides the API framework without a real pvattest crate yet.
Try it after adding the new Tee type
Tee::Sein https://github.com/virtee/kbs-types/blob/main/src/lib.rs#L24, run:Depends on: