-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In production, generate TDX quote using configfs-tsm #1041
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine. I took a quick look through the crate and it does look simple, so maybe worth rolling into tdx-quote
until we feel like it needs to be its own thing
@@ -72,6 +72,7 @@ sha2 ="0.10.8" | |||
hkdf ="0.12.4" | |||
project-root ={ version="0.2.2", optional=true } | |||
tdx-quote ={ git="https://github.com/entropyxyz/tdx-quote", optional=true, features=["mock"] } | |||
configfs-tsm ={ git="https://github.com/entropyxyz/configfs-tsm" } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would pin this to a specific commit hash or tag
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good but can we make a new flag and put all the tdx stuff behind it?
Personally, i think the default build should be a production build, and if you want unsafe testing features, such as making mock quotes, you should have to specify that, which is currently the case. I'm willing to do it the other way around - meaning default build makes mock quotes and production build needs a |
Until we get a good testing and release pipeline with TDX hardware we should have the default be non-TDX. |
Ok i will make a |
I have added a |
This adds TDX quote generation using configfs-tsm, a linux filesystem interface to generate TDX quotes in production.
If we want to run the TS server on non-production hardware, we have to use either test mode or enable the
unsafe
feature flag, or attestation will fail.This uses the
configfs-tsm
crate which is only a few lines and has no dependencies. There is still some work to be done on it but the api used here should stay the same. I am considering moving that code into thetdx-quote
crate, to avoid needing to manage yet another crate.