From 1d586541dfc565c3bf9136e3e2324051dd22fb18 Mon Sep 17 00:00:00 2001 From: Haitao Huang Date: Thu, 26 Mar 2026 18:51:07 +0000 Subject: [PATCH 1/2] Fix RatlsError to MigrationResult conversion in RATLS setup Use the From for MigrationResult conversion instead of hardcoding SecureSessionError when ratls::client(), ratls::server(), and ratls::server_rebinding() fail. This ensures errors like GetQuote and TdxModule are mapped to MutualAttestationError and TdxModuleError respectively. Also map RatlsError::InvalidPolicy to InvalidPolicyError instead of SecureSessionError. Signed-off-by: Haitao Huang --- src/migtd/src/migration/mod.rs | 2 +- src/migtd/src/migration/rebinding.rs | 9 +++++---- src/migtd/src/migration/session.rs | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/migtd/src/migration/mod.rs b/src/migtd/src/migration/mod.rs index 86636eb5..13a53f4d 100644 --- a/src/migtd/src/migration/mod.rs +++ b/src/migtd/src/migration/mod.rs @@ -233,8 +233,8 @@ impl From for MigrationResult { RatlsError::Crypto(_) | RatlsError::X509(_) | RatlsError::InvalidEventlog - | RatlsError::InvalidPolicy | RatlsError::GenerateCertificate => MigrationResult::SecureSessionError, + RatlsError::InvalidPolicy => MigrationResult::InvalidPolicyError, RatlsError::TdxModule(_) => MigrationResult::TdxModuleError, RatlsError::GetQuote | RatlsError::VerifyQuote => { MigrationResult::MutualAttestationError diff --git a/src/migtd/src/migration/rebinding.rs b/src/migtd/src/migration/rebinding.rs index c9342890..8cf59b9f 100644 --- a/src/migtd/src/migration/rebinding.rs +++ b/src/migtd/src/migration/rebinding.rs 
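Review bot: `RatlsError::InvalidEventlog` stays in the `SecureSessionError` arm while `InvalidPolicy` moves out of it, which looks like the same kind of misclassification this commit fixes. If the event log is checked as part of attestation evidence or policy evaluation (not visible in this hunk), a malformed or mismatching event log would be reported as a plain session failure, hiding an attestation problem from whoever triages the status code. Either move it to the matching arm or add a comment on the arm, such as `// Event log failures are reported as session errors because ...`, stating why it belongs there. The `From` impl begins and ends outside the hunk, so the remaining variants could not be checked.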
@@ -644,7 +644,7 @@ async fn rebinding_new_prepare( pre_session_data: Vec, ) -> Result<(), MigrationResult> { // TLS server - let mut ratls_server = ratls::server_rebinding(transport, pre_session_data).map_err(|_| { + let mut ratls_server = ratls::server_rebinding(transport, pre_session_data).map_err(|e| { #[cfg(feature = "vmcall-raw")] data.extend_from_slice( &format!( @@ -654,10 +654,11 @@ async fn rebinding_new_prepare( .into_bytes(), ); log::error!( - "rebinding_new(): Failed in ratls transport. Migration ID: {}\n", - info.mig_request_id + "rebinding_new(): Failed in ratls transport. Migration ID: {} Error: {:?}\n", + info.mig_request_id, + e ); - MigrationResult::SecureSessionError + e })?; let rebind_token = tls_receive_rebind_token(&mut ratls_server).await?; diff --git a/src/migtd/src/migration/session.rs b/src/migtd/src/migration/session.rs index 676baf73..f430ab5a 100644 --- a/src/migtd/src/migration/session.rs +++ b/src/migtd/src/migration/session.rs @@ -768,7 +768,7 @@ async fn migration_src_exchange_msk( log::error!(migration_request_id = info.mig_info.mig_request_id; "exchange_msk(): Failed in ratls client setup. Error: {:?}\n", e ); - MigrationResult::SecureSessionError + e })?; // MigTD-S send Migration Session Forward key to peer @@ -830,7 +830,7 @@ async fn migration_dst_exchange_msk( log::error!(migration_request_id = info.mig_info.mig_request_id; "exchange_msk(): Failed in ratls server setup. Error: {:?}\n", e ); - MigrationResult::SecureSessionError + e })?; with_timeout( From cd960e274d33e5951688e1ee360492e4c5646078 Mon Sep 17 00:00:00 2001 From: Haitao Huang Date: Thu, 26 Mar 2026 19:55:06 +0000 Subject: [PATCH 2/2] Map quote generation failure to MutualAttestationError in SPDM path Change gen_quote_spdm() to return MutualAttestationError instead of Unsupported when get_quote() fails, consistent with the RATLS path where RatlsError::GetQuote maps to MutualAttestationError. 
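Review bot: The `map_err` closure in `rebinding_new_prepare` now ends with a bare `e`, so the `RatlsError` to `MigrationResult` conversion happens implicitly in the trailing `?` and nothing at the call site shows which status code results. Ending the closure with `MigrationResult::from(e)` keeps the behaviour and makes the error type visible. The same applies to the two `exchange_msk` closures in session.rs. The added `{:?}` also writes the inner `Crypto`/`X509`/`TdxModule` payloads to the log, so confirm their `Debug` output carries nothing sensitive if this log can be read from outside the TD. The part of the closure between the two rebinding.rs hunks, including the `vmcall-raw` message arguments, is not visible here.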
Signed-off-by: Haitao Huang --- src/migtd/src/spdm/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/migtd/src/spdm/mod.rs b/src/migtd/src/spdm/mod.rs index 84c47c6e..018f2d73 100644 --- a/src/migtd/src/spdm/mod.rs +++ b/src/migtd/src/spdm/mod.rs @@ -117,8 +117,8 @@ pub fn gen_quote_spdm(report_data: &[u8]) -> Result, MigrationResult> { additional_data[..hash.len()].copy_from_slice(hash.as_ref()); let td_report = tdx_tdcall::tdreport::tdcall_report(&additional_data)?; - let res = - attestation::get_quote(td_report.as_bytes()).map_err(|_| MigrationResult::Unsupported)?; + let res = attestation::get_quote(td_report.as_bytes()) + .map_err(|_| MigrationResult::MutualAttestationError)?; Ok(res) }
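Review bot: The `map_err(|_| ...)` in `gen_quote_spdm` still drops the underlying `get_quote` error, so a quote-generation failure on the SPDM path leaves no trace of its cause. The RATLS closures in this series, by contrast, log the error with `{:?}`. Logging before mapping would keep the two paths equally diagnosable, e.g. `.map_err(|e| { log::error!("gen_quote_spdm(): get_quote failed: {:?}\n", e); MigrationResult::MutualAttestationError })?;`, assuming the error type implements `Debug`. The function body starts outside the hunk.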