canonical/tdx

Having issues enabling TDX on Supermicro server

Closed this issue · 10 comments

Hello, I'm reporting an issue, originally reported by our customer, about the TDX/SGX feature not being detected on Ubuntu 24.04 kernel 6.8 with EMU on SMCI hardware X13DEG-QT motherboard using Emerald Rapids 8570. Both our customer and our technical support team were using the guide from this link https://github.com/canonical/tdx, and yet they were not successful in enabling TDX. I have attached the steps to reproduce the issue. Refer to the attached file below:
INTEL TDX Testing on EMR CPU.pdf

Here is a summary of the steps that were performed.

  1. TDX Initialized in BIOS and DMESG indicates that the TDX module has been initialized
  2. However, when verified using BIT (BIOS Information Tool), it shows TDX feature is not being supported

With these findings, the TDX/SGX feature seems to be supported by the hardware and BIOS, but kernel 6.8 from Ubuntu 24.04 does not support it. Could you advise how to resolve this issue?

I appreciate any recommendation.
Alec

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-754.

This message was autogenerated

@acduroy Thanks for this valuable feedback. Even if BIT reports TDX not being enabled, can you run a TD Guest following the README's instructions?

Hi, thanks for the quick response. We will try to create a TD and will let you know how it goes.

@acduroy - what is the version of the BIT tool that you are using?

Closing since we do not have any feedback, feel free to re-open the issue if it is still relevant

Hi @hector-cao, we are facing the same issue in our Supermicro server. The TDX feature in our server's BIOS stays greyed out and could not be enabled after following the instructions as suggested.
The hardware and BIOS definitely support it. Here are the links to specs - Intel Xeon Gold 5512u and Server Specsheet.

Based on @hector-cao's suggestion to @acduroy, I proceeded with creating a TD image and running it regardless. Creating a TD image is a success, however running it results in an error.

```
user@server:~/tdx/tdx/guest-tools$ ./run_td.sh
Error: Failed to create TD VM. Please check logfile "/tmp/tdx-guest-td.log" for more information.
user@server:~/tdx/tdx/guest-tools$ cat /tmp/tdx-guest-td.log
qemu-system-x86_64: -accel kvm: vm-type tdx not supported by KVM
```

The error message basically points to TDX not being enabled/supported.

Hope you can help with this.

Hello, could you run the system-report.sh script (located in the root folder of this repo) on the system and then paste the results as a comment on this issue? That may provide some clues.

Hi,
Here's the output from system-report.sh

### Git ref

14579e7


### Operating system details

Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble


### Kernel version

6.8.0-1010-intel #17-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 9 10:21:48 UTC 2024 x86_64 x86_64 GNU/Linux


### TDX kernel logs


### TDX CPU instruction support

No TDX support in CPU according to /proc/cpuinfo


### Model specific registers (MSRs)

MK_TME_ENABLED bit: 1 (expected value: 1)
SEAM_RR bit: 0 (expected value: 1)
NUM_TDX_PRIV_KEYS: 0
SGX_AND_MCHECK_STATUS: 0 (expected value: 0)
Production platform: Production (expected value: Production)


### CPU details

INTEL(R) XEON(R) GOLD 5512U


### QEMU package details

Status: Installed
Package: qemu-system-x86
Version: 1:8.2.2+ds-0ubuntu2+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages


### Libvirt package details

Status: Installed
Package: libvirt-clients
Version: 10.0.0-2ubuntu8.3+tdx1.1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages


### OVMF package details

Status: Installed
Package: ovmf
Version: 2024.02-3+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages


### sgx-dcap-pccs package details

Status: Installed
Package: sgx-dcap-pccs
Version: 1.21-0ubuntu1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages


### tdx-qgs package details

Status: Installed
Package: tdx-qgs
Version: 1.21-0ubuntu2.1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages


### sgx-ra-service package details

Status: Installed
Package: sgx-ra-service
Version: 1.21-0ubuntu2.1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages
Description: Intel(R) Software Guard Extensions Multi-Package Registration Agent Service


### sgx-pck-id-retrieval-tool package details

Status: Installed
Package: sgx-pck-id-retrieval-tool
Version: 1.21-0ubuntu2.1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages


### QGSD service status

● qgsd.service - Intel(R) TD Quoting Generation Service
Loaded: loaded (/usr/lib/systemd/system/qgsd.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-09-19 20:34:08 UTC; 1 day 1h ago
Process: 1514 ExecStartPre=/bin/chown -R qgsd:qgsd /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
Process: 1573 ExecStartPre=/bin/chmod 0750 /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
Process: 1586 ExecStartPre=/usr/share/qgs/linksgx.sh (code=exited, status=0/SUCCESS)
Process: 1702 ExecStart=/usr/bin/qgs (code=exited, status=0/SUCCESS)
Main PID: 1733 (qgs)
Tasks: 5 (limit: 618331)
Memory: 2.9M (peak: 3.9M)
CPU: 60ms
CGroup: /system.slice/qgsd.service
└─1733 /usr/bin/qgs

Sep 19 20:34:07 shs2 systemd[1]: Starting qgsd.service - Intel(R) TD Quoting Generation Service...
Sep 19 20:34:08 shs2 systemd[1]: Started qgsd.service - Intel(R) TD Quoting Generation Service.
Sep 19 20:34:08 shs2 qgsd[1733]: Added signal handler
Sep 19 20:34:08 shs2 qgsd[1733]: About to create QgsServer with num_thread = 4
Sep 19 20:34:08 shs2 qgsd[1733]: About to start main loop


### PCCS service status

● pccs.service - Provisioning Certificate Caching Service (PCCS)
Loaded: loaded (/usr/lib/systemd/system/pccs.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-09-19 20:34:07 UTC; 1 day 1h ago
Docs: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
Main PID: 1510 (node)
Tasks: 15 (limit: 618331)
Memory: 114.1M (peak: 120.1M)
CPU: 3.453s
CGroup: /system.slice/pccs.service
└─1510 /usr/bin/node /opt/intel/sgx-dcap-pccs/pccs_server.js

Sep 20 01:00:00 shs2 node[1510]: 2024-09-20 01:00:00.746 [info]: Request-ID is : 3eb9ad0314784d9dbd3033167dd240c7
Sep 20 01:00:00 shs2 node[1510]: 2024-09-20 01:00:00.846 [info]: Request-ID is : c7ca7e558abd44158a790fa1ac1e954a
Sep 20 01:00:00 shs2 node[1510]: 2024-09-20 01:00:00.946 [info]: Request-ID is : aabce696ab284960b1b34634c7da521e
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.029 [info]: Request-ID is : 005d04a966eb44b58dc88038968c067e
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.197 [info]: Request-ID is : 205f54e183414397a2a7591ba2ed3a81
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.287 [info]: Request-ID is : c744fd2a1c21403c94136ca0852040e3
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.378 [info]: Request-ID is : 4f9e3588e97147f9b75cc98d7b423f09
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.470 [info]: Request-ID is : e7572ebe530549cab8460c8d95da849f
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.545 [info]: Request-ID is : a35a583bdfa54432b16a923d39a5c2b8
Sep 20 01:00:01 shs2 node[1510]: 2024-09-20 01:00:01.948 [info]: Scheduled cache refresh is completed successfully.


### MPA registration logs (last 30 lines)

[19-09-2024 06:55:38] INFO: SGX Registration Agent version: 1.21.100.3
[19-09-2024 06:55:38] INFO: Starts Registration Agent Flow.
[19-09-2024 06:55:38] INFO: SGX MP Server configuration flag indicates that Registration Server won't save encrypted platform keys.
[19-09-2024 06:55:38] INFO: Platform registration request (PLATFORM_MANIFEST) won't be send to Registration Server.
[19-09-2024 06:55:38] INFO: Please use management tool or PCKCertIDRetrievalTool to read PLATFORM_MANIFEST.
[19-09-2024 06:55:38] INFO: Finished Registration Agent Flow.
[19-09-2024 07:08:41] INFO: SGX Registration Agent version: 1.21.100.3
[19-09-2024 07:08:41] INFO: Starts Registration Agent Flow.
[19-09-2024 07:08:41] INFO: SGX MP Server configuration flag indicates that Registration Server won't save encrypted platform keys.
[19-09-2024 07:08:41] INFO: Platform registration request (PLATFORM_MANIFEST) won't be send to Registration Server.
[19-09-2024 07:08:41] INFO: Please use management tool or PCKCertIDRetrievalTool to read PLATFORM_MANIFEST.
[19-09-2024 07:08:41] INFO: Finished Registration Agent Flow.
[19-09-2024 08:34:07] INFO: SGX Registration Agent version: 1.21.100.3
[19-09-2024 08:34:07] INFO: Starts Registration Agent Flow.
[19-09-2024 08:34:07] INFO: SGX MP Server configuration flag indicates that Registration Server won't save encrypted platform keys.
[19-09-2024 08:34:07] INFO: Platform registration request (PLATFORM_MANIFEST) won't be send to Registration Server.
[19-09-2024 08:34:07] INFO: Please use management tool or PCKCertIDRetrievalTool to read PLATFORM_MANIFEST.
[19-09-2024 08:34:07] INFO: Finished Registration Agent Flow.
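
One way to triage a report like the one above, added here as an example (not part of the thread and not code from the canonical/tdx repository): a small filter that reads `system-report.sh` output and prints only the lines whose value differs from the expected value the report itself states. The function name `tdx_report_failures` and the embedded sample are constructed for illustration, and treating `NUM_TDX_PRIV_KEYS: 0` as a failure is an assumption, since the report prints no expected value for it.

```shell
#!/bin/sh
# Added example: flag failed TDX prerequisites in system-report.sh output.

# Constructed sample: the CPU-flag and MSR lines copied from the report above.
SAMPLE_REPORT='No TDX support in CPU according to /proc/cpuinfo
MK_TME_ENABLED bit: 1 (expected value: 1)
SEAM_RR bit: 0 (expected value: 1)
NUM_TDX_PRIV_KEYS: 0
SGX_AND_MCHECK_STATUS: 0 (expected value: 0)
Production platform: Production (expected value: Production)'

# Reads a report on stdin and prints one line per failed prerequisite.
# Prints nothing when every check matches its expected value.
tdx_report_failures() {
    awk '
    /^No TDX support in CPU/ { print "cpuinfo: tdx flag absent" }

    # Lines of the form "NAME: actual (expected value: want)".
    /\(expected value: / {
        name = $0;   sub(/:.*/, "", name)
        actual = $0; sub(/^[^:]*: */, "", actual)
                     sub(/ *\(expected value:.*/, "", actual)
        want = $0;   sub(/.*\(expected value: */, "", want)
                     sub(/\).*/, "", want)
        if (actual != want)
            print name ": got " actual ", expected " want
    }

    # Assumption: zero private KeyIDs means none were set aside for TDX.
    /^NUM_TDX_PRIV_KEYS:/ {
        if ($2 + 0 == 0)
            print "NUM_TDX_PRIV_KEYS: 0 (no private KeyIDs assigned to TDX)"
    }
    '
}

# Run on a saved report if a path is given, else on the constructed sample.
if [ -n "${1:-}" ]; then
    tdx_report_failures < "$1"
else
    printf '%s\n' "$SAMPLE_REPORT" | tdx_report_failures
fi
```

On the sample this prints three lines: the missing CPU flag, `SEAM_RR`, and the zero private KeyID count, while `MK_TME_ENABLED`, `SGX_AND_MCHECK_STATUS` and the production-platform check pass.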


Hi @npankaj365 - Can you try going into the BIOS and loading default settings? If TDX settings are grayed out, then this needs to be resolved with SuperMicro.

Thank you for your prompt responses. I do not have access to the servers currently. I can try loading default settings and report back as soon as I get access to the server terminals.

I will also try to get to SuperMicro about this.