From e5a4b88143b98a632f7715620b8417cb2cca5ff9 Mon Sep 17 00:00:00 2001
From: Ruoyu Ying
Date: Tue, 11 Jun 2024 10:13:02 +0800
Subject: [PATCH] eventlog: platform priority change and fix event log cli
* make tpm as the first priority while doing platform check
* fix event log issue and provide the sorted output
* fix test case issues
Signed-off-by: Ruoyu Ying
---
 src/python/cc_event_log_cli.py | 13 ++++++++++---
 src/python/cctrusted_vm/cvm.py | 7 ++++---
 src/python/cctrusted_vm/sdk.py | 2 +-
 src/python/tests/tdx_check.py | 8 ++++----
 4 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/src/python/cc_event_log_cli.py b/src/python/cc_event_log_cli.py
index a95a625..242c48d 100644
--- a/src/python/cc_event_log_cli.py
+++ b/src/python/cc_event_log_cli.py
@@ -7,6 +7,7 @@
 from cctrusted_base.api import CCTrustedApi
 from cctrusted_base.eventlog import TcgEventLog
 from cctrusted_base.tcgcel import TcgTpmsCelEvent
+from cctrusted_base.tcg import TcgAlgorithmRegistry
 from cctrusted_vm.cvm import ConfidentialVM
 from cctrusted_vm.sdk import CCTrustedVmSdk
 
@@ -41,11 +42,17 @@ def main():
 LOG.info("Total %d of event logs fetched.", len(event_logs))
 res = CCTrustedApi.replay_cc_eventlog(event_logs)
+ # pylint: disable-next=C0301
+ LOG.info("Note: If the underlying platform is TDX, the IMR index showing is cc measurement register instead of TDX measurement register.")
+ # pylint: disable-next=C0301
+ LOG.info("Please refer to the spec https://www.intel.com/content/www/us/en/content-details/726790/guest-host-communication-interface-ghci-for-intel-trust-domain-extensions-intel-tdx.html")
 LOG.info("Replayed result of collected event logs:")
 # pylint: disable-next=C0201
- for key in res.keys():
- LOG.info("IMR[%d]: ", key)
- LOG.info(" %s", res.get(key).get(12).hex())
+ for k in sorted(res.keys()):
+ LOG.info("IMR[%d]: ", k)
+ for alg, h in res.get(k).items():
+ LOG.info(" %s: ", TcgAlgorithmRegistry.get_algorithm_string(alg))
+ LOG.info(" %s", h.hex())
 LOG.info("Dump collected event logs:")
 for event in event_logs:
diff --git a/src/python/cctrusted_vm/cvm.py b/src/python/cctrusted_vm/cvm.py
index ca948e2..f5145ae 100644
--- a/src/python/cctrusted_vm/cvm.py
+++ b/src/python/cctrusted_vm/cvm.py
@@ -97,12 +97,13 @@ def init(self) -> bool:
 @staticmethod
 def detect_cc_type():
 """Detect the type of current confidential VM"""
- # TODO: refine the justification
+ #TODO: refine the justification
+ # support TPM as the first priority for now
+ if os.path.exists(TpmVM.DEFAULT_TPM_DEVICE_NODE):
+ return CCTrustedApi.TYPE_CC_TPM
 for devpath in TdxVM.DEVICE_NODE_PATH.values():
 if os.path.exists(devpath):
 return CCTrustedApi.TYPE_CC_TDX
- if os.path.exists(TpmVM.DEFAULT_TPM_DEVICE_NODE):
- return CCTrustedApi.TYPE_CC_TPM
 return CCTrustedApi.TYPE_CC_NONE
 @abstractmethod
diff --git a/src/python/cctrusted_vm/sdk.py b/src/python/cctrusted_vm/sdk.py
index 1a715ff..99f5523 100644
--- a/src/python/cctrusted_vm/sdk.py
+++ b/src/python/cctrusted_vm/sdk.py
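Review bot: The two new LOG.info notes about TDX register numbering are emitted unconditionally, so on a TPM-only platform (which the cvm.py hunk of this same commit now detects first) the operator is told about an index mapping that does not apply to the registers being printed. The CLI already imports ConfidentialVM and CCTrustedApi, so the pair of calls could be gated with `if ConfidentialVM.detect_cc_type() == CCTrustedApi.TYPE_CC_TDX:`, unless the SDK instance exposes the detected type more directly (not visible here). Separately, `for k in sorted(res):` iterates the same keys and would let the kept `# pylint: disable-next=C0201` go. main() starts and ends outside the hunk.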
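Review bot: detect_cc_type now returns TYPE_CC_TPM as soon as TpmVM.DEFAULT_TPM_DEVICE_NODE exists, before any TdxVM device node is checked, so a guest that exposes both (presumably a TDX VM with a vTPM attached) is silently reported as a TPM platform, which appears to decide which attester the SDK uses; nothing in the hunk records that this is intended, and the `#TODO: refine the justification` is carried over. The docstring should state the precedence, e.g. `"""Detect the type of current confidential VM. A TPM device node takes precedence over TDX device nodes."""`, and since a bare existence check cannot distinguish a platform TPM from a vTPM, a caller that specifically needs TDX evidence has no way to ask for it. Also restore the space in `# TODO:` to match the surrounding comment style.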
@@ -135,7 +135,7 @@ def get_cc_eventlog(self, start:int = None, count:int = None) -> list:
 self._cvm.process_eventlog()
 event_logs = EventLogs(self._cvm.boot_time_event_log,
 self._cvm.runtime_event_log,
- TcgEventLog.TCG_FORMAT_PCCLIENT)
+ self._cvm.cc_type, TcgEventLog.TCG_FORMAT_PCCLIENT)
 event_logs.select(start, count)
diff --git a/src/python/tests/tdx_check.py b/src/python/tests/tdx_check.py
index 491bef0..bcbff4a 100644
--- a/src/python/tests/tdx_check.py
+++ b/src/python/tests/tdx_check.py
@@ -34,10 +34,10 @@ def _check_imr(imr_index: int, alg_id: int, rtmr: bytes):
 alg_id: an integer specified the hash algorithm.
 rtmr: bytes of RTMR data for comparison.
 """
- assert 0 <= imr_index < TdxRTMR.RTMR_COUNT
+ assert 0 < imr_index <= TdxRTMR.RTMR_COUNT
 assert rtmr is not None
 assert alg_id == TcgAlgorithmRegistry.TPM_ALG_SHA384
- imr = CCTrustedVmSdk.inst().get_cc_measurement([imr_index, alg_id])
+ imr = CCTrustedVmSdk.inst().get_cc_measurement([imr_index - 1, alg_id])
 assert imr is not None
 digest_obj = imr.digest(alg_id)
 assert digest_obj is not None
@@ -128,8 +128,8 @@ def _check_quote_rtmrs(quote):
 # Compare all the RTMR values which are used by the event log.
 # Please note that some RTMR may not be used.
 for imr_idx, digests in rtmrs.items():
- assert quote_rtmrs[imr_idx] == digests[alg.alg_id], \ f"RTMR{imr_idx} doesn't equal the replay from event log!"
+ assert quote_rtmrs[imr_idx - 1] == digests[alg.alg_id], \ f"RTMR{imr_idx - 1} doesn't equal the replay from event log!"
 def _check_quote_reportdata(quote, nonce=None, userdata=None):
 """Check the userdata in quote result."""
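Review bot: `self._cvm.cc_type` is inserted positionally between the runtime log and the format constant, so this call only works against a cctrusted_base whose EventLogs signature takes the type in exactly that slot; that signature is not part of this patch, and a mismatch would surface only at runtime as an argument error or, worse, as a silently swapped type and format. Passing both values by keyword using EventLogs' actual parameter names (not visible here) would make the call self-describing, and the matching cctrusted_base version should be recorded wherever the project pins that dependency. get_cc_eventlog starts and ends outside the hunk.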
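Review bot: The `imr_index - 1` offset (here and again in `_check_quote_rtmrs`, the next hunk) encodes the mapping between the index the event-log replay reports and the RTMR number without saying so, and the Args block above the assert still describes imr_index under the old 0-based range. Someone verifying measurements against a quote needs that convention spelled out, e.g. `imr_index: register index as reported by the event-log replay (1..RTMR_COUNT); RTMR<n> corresponds to imr_index n + 1.`, provided that is indeed the mapping the new bounds check assumes. _check_imr starts outside the hunk.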
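Review bot: `quote_rtmrs[imr_idx - 1]` becomes -1 when rtmrs carries key 0, and if quote_rtmrs is a list or tuple Python wraps that to the last element, so the assertion compares the replayed digest against the wrong RTMR instead of failing; the replaced code never produced a negative index. Guard the key before indexing, `assert 1 <= imr_idx <= TdxRTMR.RTMR_COUNT, f"unexpected IMR index {imr_idx}"`, or skip entries outside the RTMR range explicitly if index 0 is expected in rtmrs. Whether rtmrs can contain 0 depends on the replay code, which is outside the hunk, as is the start of _check_quote_rtmrs.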