RHEL-110112

[rhel10] Sgx-dcap: qgs service will fail with tdx guest attestation if not rebooting host


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • rhel-10.1
    • linux-sgx
    • linux-sgx-2.26-1.el10
    • Moderate
    • rhel-virt-confidential-virt
    • ConfVirt Sprint 1
    • Bug Fix
    • Cause: Upon installing the SGX packages, the /dev/sgx_provision device node will not have correct ownership until rebooting.
      Consequence: If manually starting the 'qgs.service' systemd unit after installation without first rebooting, it will be unable to access the /dev/sgx_provision device.
      Fix: The updated package attempts to apply the new udev rules at time of installation.
      Result: The qgs.service daemon can be started and used without requiring a reboot after installation.
    • Proposed
    • x86_64

      What were you trying to do that didn't work?

      qgs service won't work properly if not rebooting the host after linux-sgx packages installation.

      What is the impact of this issue to you?

      It doesn't block the function, but should work without rebooting.

      Please provide the package NVR for which the bug is seen:

      linux-sgx-2.25-6.el10

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Install linux-sgx packages.
      2. Boot a tdx guest, and start to do attestation inside the guest.
      3. Attestation fails, and the host dmesg shows:

      qgs[6085][error_driver2api sgx_enclave_common.cpp:281] Enclave not authorized to run, .e.g. provisioning enclave hosted in app without access rights to /dev/sgx_provision. You need add the user id to group sgx_prv or run the app as root.

      Expected results

      Attestation works.

      Actual results

      Attestation failed due to qgs.service issue.

              rhn-engineering-berrange Daniel Berrangé
              zixchen Zixi Chen
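A host-side check for the condition this report describes, added here as an example and not taken from the linux-sgx package or from the issue: it compares the owner, group and mode of /dev/sgx_provision with the account that qgs.service runs as. Assumptions: read access is treated as sufficient unless a stricter mask is passed, SELinux and ACLs are ignored, and the udevadm lines it prints are the generic way to re-apply udev rules, not necessarily what the package scriptlet runs.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of linux-sgx. Run on the host as:
#   sh check-sgx-prov.sh --check
DEV=/dev/sgx_provision

# can_open OWNER GROUP MODE USER "USER_GROUPS" [NEED]
# Classic Unix DAC check: succeeds if USER gets the NEED bits (octal,
# default 4 = read) on a node with that owner, group and octal mode.
# SELinux and ACLs are not modelled.
can_open() {
    owner=$1; group=$2; m=$((0$3)); user=$4; ugroups=$5; need=${6:-4}
    [ "$user" = root ] && return 0            # root bypasses DAC
    if [ "$user" = "$owner" ]; then
        bits=$(( (m >> 6) & 7 ))
    else
        case " $ugroups " in
            *" $group "*) bits=$(( (m >> 3) & 7 )) ;;
            *)            bits=$(( m & 7 )) ;;
        esac
    fi
    [ $(( bits & need )) -eq "$need" ]
}

# Compare the live device node with the account qgs.service runs as.
check_qgs_access() {
    [ -c "$DEV" ] || { echo "$DEV not present"; return 2; }
    svc_user=$(systemctl show -p User --value qgs.service)
    svc_user=${svc_user:-root}                # empty User= means root
    set -- $(stat -c '%U %G %a' "$DEV")
    if can_open "$1" "$2" "$3" "$svc_user" "$(id -nG "$svc_user")"; then
        echo "ok: $svc_user can open $DEV ($1:$2 mode $3)"
    else
        echo "denied: $DEV is $1:$2 mode $3, $svc_user cannot open it"
        echo "re-apply udev rules without a reboot (generic udev steps):"
        echo "  udevadm control --reload"
        echo "  udevadm trigger --action=change --sysname-match=sgx_provision"
        return 1
    fi
}

if [ "${1:-}" = --check ]; then check_qgs_access; fi
```

A "denied" result right after package installation matches the state in the Cause field; the same check passing after the udev rules are re-applied matches the Result field.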