Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add igvm V2 RPC interfaces to propagate igvm error info #665

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add igvm V2 RPC interfaces to propagate igvm error info #665

wants to merge 3 commits into from
+491 −108

Conversation

qiucwang
Copy link

@qiucwang qiucwang commented Jan 14, 2025
edited
Loading

Add igvm V2 RPC request and response headers to propagate igvm attest error info.

HCL and Underhill in Confidential VMs, send requests to IGVM Agent in the host through the VM worker process (VMWP). The HCL/UH sends requests to the VMWP via the GET emulation protocol, while the VMWP communicates with the IGVM Agent via Windows RPC.
The current interface between HCL/UH and VMWP will not change. Currently interface, sends a i32 (-1), 0xFFFFFFFF back if there are any errors with the request to IGVM Agent. VMWP just acts as a proxy.

The proposed changes are to the format of the messages that are sent between UH/HCL and IGVM Agent. The version field of request header is incremented from 1 to 2 and a new struct CapabilityBitmap is added to the header:

pub struct IgvmAttestRequestData {
    pub data_size: u32,
    /// Version number, 1 or 2
    pub version: u32,
    pub report_type: IgvmAttestReportType,
    pub report_data_hash_type: IgvmAttestHashType,
    pub variable_data_size: u32,
    /// Bitmap of additional Igvm request attributes.
    /// [0] error_code: Requesting IGVM Agent Error code
    /// [1] retry: Retry preference
    pub capability_bitmap: IgvmCapabilityBitMap,
}

In case of a version 2 request being sent, IGVM Agent would respond with a version 2 response, whose header include a new field as IgvmErrorInfo that include error code and retry signal. The IGVM Agent attestation error is then propagated to UH and UH can take proper retry strategy as per retry recommendation.

pub struct IgvmErrorInfo {
    /// ErrorCode propogated from IgvmAgent
    pub error_code: u32,
    /// HttpStatusCode propogated from IgvmAgent that enhances the ErrorCode
    pub http_status_code: u32,
    /// Igvm signal bitmap from response, the first bit is retry recommendation
    pub igvm_signal: IgvmSignal,
    /// Reserved
    pub reserved: [u32; 3],
}

pub struct IgvmAttestKeyReleaseResponseHeader {
    pub data_size: u32,
    /// Version number that should match the request version
    pub version: u32,
    /// IgvmErrorInfo that contains RPC result and retry recommendation
    pub error_info: IgvmErrorInfo,
}

@qiucwang qiucwang requested review from a team as code owners January 14, 2025 17:48
@daprilik

This comment was marked as outdated.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@qiucwang @daprilik @mingweishih