  1. RHEL
  2. RHEL-127046

[RHEL-9.8] Rebase to latest upstream SGX 2.26 / dcap 1.24 releases


    • Story
    • Resolution: Unresolved
    • Undefined
    • rhel-9.8
    • None
    • linux-sgx
    • None
    • linux-sgx-2.26-1.el9
    • None
    • rhel-virt-confidential-virt
    • None
    • False
    • False
    • Yes
    • None
    • Enhancement
    • Feature, enhancement: Update to SGX 2.26 / DCAP 1.23 releases
      Reason: This update introduces the PCCS service allowing TDX host certificate collateral to be cached on the local network
      Result: When configured to use a local PCCS service, virtualization hosts running TDX virtual machines no longer require a direct connection to the public Intel hosted services.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Late in the development of SGX for RHEL-10.1/9.7, Intel made a new upstream release of linux-sgx, version 2.26. This just missed our dev cutoff so we shipped 2.25.

      This in turn brings in dcap 1.23 release.

      The release notes for each are in

      https://github.com/intel/SGXDataCenterAttestationPrimitives/commit/e880e54c8f35d44a4763e08dff32a046c8ef2230

      https://github.com/intel/linux-sgx/commit/8e9ed532cc9b4dc4f86e6d2e1fef45e411892233

       

      Ignore the comments about "support for RHEL" in the release notes, as that is referring to their own upstream RPM packaging which we do not utilize.

      Aside from misc bugfixes, the main interesting feature is the restoration of the PCCS service. This is a NodeJS server which can be run on the LAN to provide cached certificates for SGX enabled hosts. This avoids the need for individual compute hosts to have a direct connection to Intel's public RPC services (https://api.trustedservices.intel.com/sgx/certification/v4/).  Certs can be pre-loaded into PCCS via an out of band / offline workflow, allowing the entire deployment to be isolated from the Internet (if desired).

      If we think PCCS will be useful to RHEL customers, it is likely worth planning to rebase. 

      In terms of work, we would largely just be importing the latest RPM specfile changes from Fedora which already updated

      https://src.fedoraproject.org/rpms/linux-sgx/c/aac61150a470025e29f7ab3f8e50aa0a86518abb?branch=rawhide

      The downside of PCCS is that it is a NodeJS app which means we get to deal with the dependency pain of the NodeJS ecosystem going forward.

              rhn-engineering-berrange Daniel Berrangé
              rhn-engineering-berrange Daniel Berrangé
              Zixi Chen Zixi Chen