VMSDK/rust: add support for container mounted file path (#94)

* this commit adds support for container mounted CCEL and IMA file path Signed-off-by: Hairong Chen hairong.chen@intel.com * remove empty line --------- Signed-off-by: Hairong Chen hairong.chen@intel.com
cc-api · Jan 31, 2024 · 06c47f5 · 06c47f5
1 parent 199bf83
commit 06c47f5
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 16 deletions.
diff --git a/common/rust/cctrusted_base/src/tdx/common.rs b/common/rust/cctrusted_base/src/tdx/common.rs
@@ -74,6 +74,11 @@ pub enum QeCertDataType {
 pub const TDX_QUOTE_VERSION_4: u16 = 4;
 pub const TDX_QUOTE_VERSION_5: u16 = 5;
 
-pub const ACPI_TABLE_FILE: &str = "/sys/firmware/acpi/tables/CCEL";
-pub const ACPI_TABLE_DATA_FILE: &str = "/sys/firmware/acpi/tables/data/CCEL";
-pub const IMA_DATA_FILE: &str = "/sys/kernel/security/integrity/ima/ascii_runtime_measurements";
+pub const ACPI_TABLE_FILE_VM: &str = "/sys/firmware/acpi/tables/CCEL";
+pub const ACPI_TABLE_DATA_FILE_VM: &str = "/sys/firmware/acpi/tables/data/CCEL";
+pub const IMA_DATA_FILE_VM: &str = "/sys/kernel/security/integrity/ima/ascii_runtime_measurements";
+
+pub const ACPI_TABLE_FILE_CONTAINER: &str = "/run/firmware/acpi/tables/CCEL";
+pub const ACPI_TABLE_DATA_FILE_CONTAINER: &str = "/run/firmware/acpi/tables/data/CCEL";
+pub const IMA_DATA_FILE_CONTAINER: &str =
+    "/run/kernel/security/integrity/ima/ascii_runtime_measurements";
diff --git a/vmsdk/rust/cctrusted_vm/src/tdvm.rs b/vmsdk/rust/cctrusted_vm/src/tdvm.rs
@@ -379,22 +379,38 @@ impl CVM for TdxVM {
         start: Option<u32>,
         count: Option<u32>,
     ) -> Result<Vec<EventLogEntry>, anyhow::Error> {
-        if !Path::new(ACPI_TABLE_FILE).exists() {
-            return Err(anyhow!(
-                "[process_cc_eventlog] Failed to find TDX CCEL table at {:?}",
-                ACPI_TABLE_FILE
-            ));
+        let (acpi_table_file, acpi_table_data_file, ima_data_file);
+
+        if !Path::new(ACPI_TABLE_FILE_VM).exists() {
+            if !Path::new(ACPI_TABLE_FILE_CONTAINER).exists() {
+                return Err(anyhow!(
+                    "[process_cc_eventlog] Failed to find TDX CCEL table file at {:?} or {:?}",
+                    ACPI_TABLE_FILE_VM,
+                    ACPI_TABLE_FILE_CONTAINER
+                ));
+            } else {
+                acpi_table_file = ACPI_TABLE_FILE_CONTAINER.to_string();
+            }
+        } else {
+            acpi_table_file = ACPI_TABLE_FILE_VM.to_string();
         }
 
-        if !Path::new(ACPI_TABLE_DATA_FILE).exists() {
-            return Err(anyhow!(
-                "[process_cc_eventlog] Failed to find TDX CCEL data file at {:?}",
-                ACPI_TABLE_DATA_FILE
-            ));
+        if !Path::new(ACPI_TABLE_DATA_FILE_VM).exists() {
+            if !Path::new(ACPI_TABLE_DATA_FILE_CONTAINER).exists() {
+                return Err(anyhow!(
+                    "[process_cc_eventlog] Failed to find TDX CCEL table data at {:?} or {:?}",
+                    ACPI_TABLE_DATA_FILE_VM,
+                    ACPI_TABLE_DATA_FILE_CONTAINER
+                ));
+            } else {
+                acpi_table_data_file = ACPI_TABLE_DATA_FILE_CONTAINER.to_string();
+            }
+        } else {
+            acpi_table_data_file = ACPI_TABLE_DATA_FILE_VM.to_string();
         }
 
         // read ACPI data
-        let ccel_file = File::open(ACPI_TABLE_FILE)?;
+        let ccel_file = File::open(acpi_table_file)?;
         let mut ccel_reader = BufReader::new(ccel_file);
         let mut ccel = Vec::new();
         ccel_reader.read_to_end(&mut ccel)?;
@@ -404,7 +420,7 @@ impl CVM for TdxVM {
             return Err(anyhow!("[process_cc_eventlog] Invalid CCEL table"));
         }
 
-        let boot_time_data_file = File::open(ACPI_TABLE_DATA_FILE)?;
+        let boot_time_data_file = File::open(acpi_table_data_file)?;
         let mut boot_time_data_reader = BufReader::new(boot_time_data_file);
         let mut boot_time_data = Vec::new();
         boot_time_data_reader.read_to_end(&mut boot_time_data)?;
@@ -416,14 +432,29 @@ impl CVM for TdxVM {
           https://github.com/intel/tdx-tools/blob/tdx-1.5/build/common/patches-tdx-kernel-MVP-KERNEL-6.2.16-v5.0.tar.gz)
           If not, suppose IMA over RTMR not enabled in kernel
         */
+
+        if !Path::new(IMA_DATA_FILE_VM).exists() {
+            if !Path::new(IMA_DATA_FILE_CONTAINER).exists() {
+                return Err(anyhow!(
+                    "[process_cc_eventlog] Failed to find TDX CCEL table data at {:?} or {:?}",
+                    IMA_DATA_FILE_VM,
+                    IMA_DATA_FILE_CONTAINER
+                ));
+            } else {
+                ima_data_file = IMA_DATA_FILE_CONTAINER.to_string();
+            }
+        } else {
+            ima_data_file = IMA_DATA_FILE_VM.to_string();
+        }
+
         let mut run_time_data = Vec::new();
 
         let cmdline_file = File::open("/proc/cmdline")?;
         let mut cmdline_reader = BufReader::new(cmdline_file);
         let mut cmdline_string = String::new();
         let _ = cmdline_reader.read_to_string(&mut cmdline_string);
         if cmdline_string.contains("ima_hash=sha384") {
-            run_time_data = read_to_string(IMA_DATA_FILE)
+            run_time_data = read_to_string(ima_data_file)
                 .unwrap()
                 .lines()
                 .map(String::from)