Log TDX measurements on boot

[ameba23]

This logs TDX measurement values on OS boot.

The idea is to make it easy to check that deployments have the expected measurement values without needing remote access to the image in order to generate an attestation.

The problem

On production images remote access via ssh / serial console should be disabled. But this makes it hard to check that the measurements match our released image. mripper requires ssh to do this. When trying to reproduce measurements computed by attest, it was annoying to require remote access.

Testing

Tested on GCP - in the serial logs i see this:

RTMR0: e1d0235496f93f9475bf0b26d33da5c15831cfc94104d6bea7ab82db027c5f1e917d47dda6953eefae7dcb20ab6f75c4
RTMR1: 45289e4b56460d93b8f59cd449eb8ecc894d051889743399354d5995a1a8145f784fdc5663b9d8befa1be24f11b2e361
RTMR2: 6776a1798bae697ef457b79d9258594146c3fbc713276a477c03f14a0eb7af3806acdd69b919e2072c1e94a6e9ab8fb3
RTMR3: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

If started on a non-CVM i see:

Measurements not available on this platform

Notes

As for the actual format of the measurements, we probably want to use JSON or something. But i first wanted to check whether people want this at all.

This is not intended to act as a proof that the measurements are correct, since we don't log the whole attestation with signatures. This is for internal testing of measurement computation only.

[alexhulbert]

I think we should try to keep as much binary artifact out of shared/as possible. is there any way we could do this cleanly without compiled code?

if it's hard, maybe we should consider adding to devtools instead

[ameba23]

is there any way we could do this cleanly without compiled code?

We can generate the quote and dump the whole thing as base64 with a script. But if we want to just print the measurement values, im not sure how we would parse the quote to extract them.

[alexhulbert]

We can generate the quote and dump the whole thing as base64 with a script. But if we want to just print the measurement values, im not sure how we would parse the quote to extract them.

@ameba23 Is this too hacky? 5 lines of perl does the job

$b = "\0" x 1088;
sysopen F, "/dev/tdx_guest", 2 or die $!;
ioctl F, 0xc4405401, $b or die $!;
@r = unpack "(H96)4", substr $b, 784, 192;
print "RTMR$_: $r[$_]\n" for 0..3;

[ameba23]

@ameba23 Is this too hacky? 5 lines of perl does the job

Fine by me, if that counts as not using a binary. Im guessing we would have to add perl to Packages to do this.

Also on non-TDX hardware this prints:
No such file or directory at script.pl line 2.

Maybe we can make it print something like 'Measurements not available on this platform'.

[alexhulbert]

lots of core Linux packages depend on Perl (e.g. debconf/dpkg, git, udev, etc) so we def already have it in the image, but adding it as an explicit dependency wouldn't hurt

For the error message, this should do the trick:

my $errmsg = "Measurements not available on this platform\n";
my $b = "\0" x 1088;
sysopen F, "/dev/tdx_guest", 2 or warn $errmsg and exit 0;
ioctl F, 0xc4405401, $b or die $!;
my @r = unpack "(H96)4", substr $b, 784, 192;
print "RTMR$_: $r[$_]\n" for 0..3;

[ameba23]

I have switched to using a perl script, and confirmed working on GCP:

RTMR0: e1d0235496f93f9475bf0b26d33da5c15831cfc94104d6bea7ab82db027c5f1e917d47dda6953eefae7dcb20ab6f75c4
RTMR1: 45289e4b56460d93b8f59cd449eb8ecc894d051889743399354d5995a1a8145f784fdc5663b9d8befa1be24f11b2e361
RTMR2: 6776a1798bae697ef457b79d9258594146c3fbc713276a477c03f14a0eb7af3806acdd69b919e2072c1e94a6e9ab8fb3
RTMR3: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

One thing worth noting, on Azure this presumably wont print the PCR values. Im not sure if we really care about that though.

[alexhulbert]

let's do this with systemd. Systemd expects to be PID1, and this change pushes it to PID2

[ameba23]

From GCP:

[    5.365707] print-measurements[520]: RTMR0: e1d0235496f93f9475bf0b26d33da5c15831cfc94104d6bea7ab82db027c5f1e917d47dda6953eefae7dcb20ab6f75c4
[�[0;32m  OK  �[0m] Finished �[0;1;39mprint-measurements.service�[0m - Log TDX measurements.

[    5.376145] print-measurements[520]: RTMR1: 2ef9cad36d2349fbcf508e289051e29a5f0ad262b95c9c26ec6bf58a2cef80750a78262b85d461858a5eed192595edfa
[    5.380921] print-measurements[520]: RTMR2: 27e39cd9e8cd4d5c18ddb4f492a1eff49594c32788296673874daa0eeea9b00c6f5855e79e93903c9c6e82120b4ace86
[    5.384202] print-measurements[520]: RTMR3: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

[alexhulbert]

LGTM!