fix(attestation): differentiate retriable errors from non-retriable ones

Classify tdvmcall_get_quote and buffer status errors into 2 categories:

- Busy: VMCALL_RETRY, GET_QUOTE_IN_FLIGHT, GET_QUOTE_ERROR, GET_QUOTE_SERVICE_UNAVAILABLE
  Retried with exponential backoff (1s initial), up to 5 attempts.
- Non-retriable: VMCALL_OPERAND_INVALID and other errors cause immediate failure.

Propagate error categories through attest.rs and igvmattest.rs.

Update mock quote emulation to return Ok with error status in buffer
(matching real VMM behavior) instead of returning Err, and trigger
the notification interrupt so ghci.rs wakes from wait_for_vmm_notification.
Add igvm-attest feature to mock-quote-retry CI test since retry
differentiation only applies to the igvm-attest path.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>

Author: 2 people

.github/workflows/integration-emu.yml

@@ -89,7 +89,7 @@ jobs:
             test-type: "mock-quote-retry"
             install-jq: 'false'
             timeout-seconds: 900
-            test-command: "./migtdemu.sh --mock-report --mock-quote-retry --both --no-sudo --log-level info"
+            test-command: "./migtdemu.sh --mock-report --mock-quote-retry --features igvm-attest --both --no-sudo --log-level info"
             artifact-name: "mock-quote-retry-test-logs"
 
     steps:

deps/td-shim-AzCVMEmu/tdx-tdcall/src/tdx_emu.rs

@@ -1454,9 +1454,16 @@ fn handle_quote_request(
         Ok(quote) => quote,
         Err(e) => {
             error!("Failed to generate quote in AzCVMEmu mode: {:?}", e);
+            // Set error status in buffer. Return Ok so ghci.rs proceeds to
+            // check the buffer status and classifies it as a retriable error.
             let error_status = 0x8000000000000000u64;
             buffer[8..16].copy_from_slice(&error_status.to_le_bytes());
-            return Err(TdVmcallError::Other);
+            // Trigger event notification so ghci.rs wakes from wait_for_vmm_notification
+            if let Some(vector) = *EVENT_NOTIFY_VECTOR.lock() {
+                log::info!("AzCVMEmu: Triggering interrupt vector {} (error path)", vector);
+                intr::trigger(vector as u8);
+            }
+            return Ok(());
         }
     };
 

migtdemu.sh

@@ -62,7 +62,7 @@ show_usage() {
     echo "  --skip-ra                    Skip remote attestation (uses mock TD reports/quotes for non-TDX environments)"
     echo "  --mock-report                Use mock report data for RA and policy v2 (non-TDX, but full attestation flow)"
     echo "  --mock-quote-file FILE       Path to mock quote file (used with --mock-report, defaults to output_data_v4.bin)"
-    echo "  --mock-quote-retry           Enable mock_quote_retry feature (get_quote fails first 8 times to test retry logic)"
+    echo "  --mock-quote-retry           Enable mock_quote_retry feature (get_quote fails first 5 times to test retry logic)"
     echo "  --both                       Start destination first, then source (same host)"
     echo "  --no-sudo                    Run without sudo (useful for local testing)"
     echo "  --features FEATURES          Add extra cargo features (comma-separated, e.g., 'spdm_attestation,feature2')"

src/attestation/src/attest.rs

@@ -9,7 +9,7 @@ use crate::binding::verify_quote_integrity_ex;
 use crate::binding::get_quote as get_quote_inner;
 
 use crate::{
-    binding::{init_heap, verify_quote_integrity, QveCollateral},
+    binding::{init_heap, verify_quote_integrity, AttestLibError, QveCollateral},
     root_ca::ROOT_CA_PUBLIC_KEY,
     Error, TD_VERIFIED_REPORT_SIZE,
 };
@@ -133,7 +133,10 @@ pub fn get_quote(td_report: &[u8]) -> Result<Vec<u8>, Error> {
             );
             if result != 0 {
                 log::error!("get_quote_inner failed with error: {:#x}\n", result);
-                return Err(Error::GetQuote);
+                return Err(match result {
+                    x if x == AttestLibError::Busy as i32 => Error::Busy,
+                    _ => Error::GetQuote,
+                });
             }
         }
         quote.truncate(quote_size as usize);

src/attestation/src/ghci.rs

@@ -9,6 +9,7 @@ use td_payload::arch::apic::{disable, enable_and_hlt};
 use td_payload::arch::idt::{register_interrupt_callback, InterruptCallback, InterruptStack};
 use td_payload::mm::shared::SharedMemory;
 use tdx_tdcall::tdx::tdvmcall_get_quote;
+use tdx_tdcall::TdVmcallError;
 
 use crate::binding::AttestLibError;
 
@@ -18,6 +19,9 @@ const GET_QUOTE_MAX_SIZE: u64 = 32 * 0x1000;
 const GET_QUOTE_STATUS_FIELD: Range<usize> = 8..16;
 const GET_QUOTE_STATUS_SUCCESS: u64 = 0;
 const GET_QUOTE_STATUS_IN_FLIGHT: u64 = 0xFFFFFFFF_FFFFFFFF;
+// Any quote error: e.g., impactless update causing report verification failure, upper layer should retry.
+const GET_QUOTE_STATUS_ERROR: u64 = 0x80000000_00000000;
+const GET_QUOTE_STATUS_SERVICE_UNAVAILABLE: u64 = 0x80000000_00000001;
 
 pub static NOTIFIER: AtomicU8 = AtomicU8::new(0);
 
@@ -44,9 +48,16 @@ pub extern "C" fn servtd_get_quote(tdquote_req_buf: *mut c_void, len: u64) -> i3
 
     let notify_registered = set_vmm_notification();
 
-    if let Err(e) = tdvmcall_get_quote(shared.as_mut_bytes()) {
-        log::error!("tdvmcall_get_quote failed with error: {:?}\n", e);
-        return AttestLibError::QuoteFailure as i32;
+    match tdvmcall_get_quote(shared.as_mut_bytes()) {
+        Ok(()) => {}
+        Err(TdVmcallError::VmcallRetry) => {
+            log::error!("tdvmcall_get_quote returned RETRY\n");
+            return AttestLibError::Busy as i32;
+        }
+        Err(e) => {
+            log::error!("tdvmcall_get_quote failed with error: {:?}\n", e);
+            return AttestLibError::QuoteFailure as i32;
+        }
     }
 
     let wait_result = wait_for_quote_completion(notify_registered, shared.as_bytes());
@@ -116,11 +127,21 @@ fn wait_for_quote_completion(notify_registered: bool, buffer: &[u8]) -> Result<(
         }
     };
 
-    if status_code == GET_QUOTE_STATUS_SUCCESS {
-        Ok(())
-    } else {
-        log::error!("Quote status indicates failure: {:#x}\n", status_code);
-        Err(AttestLibError::QuoteFailure)
+    match status_code {
+        GET_QUOTE_STATUS_SUCCESS => Ok(()),
+        GET_QUOTE_STATUS_SERVICE_UNAVAILABLE
+        | GET_QUOTE_STATUS_ERROR
+        | GET_QUOTE_STATUS_IN_FLIGHT => {
+            log::error!(
+                "Quote status indicates service unavailable or other retriable error: {:#x}\n",
+                status_code
+            );
+            Err(AttestLibError::Busy)
+        }
+        _ => {
+            log::error!("Quote status indicates failure: {:#x}\n", status_code);
+            Err(AttestLibError::QuoteFailure)
+        }
     }
 }
 

src/attestation/src/igvmattest.rs

@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 
-use crate::{attest::TD_QUOTE_SIZE, Error};
+use crate::{attest::TD_QUOTE_SIZE, binding::AttestLibError, Error};
 #[cfg(feature = "igvm-attest")]
 use alloc::{vec, vec::Vec};
 use core::ffi::c_void;
@@ -92,7 +92,11 @@ pub fn get_quote_igvm(td_report: &[u8]) -> Result<Vec<u8>, Error> {
                 (*hdr)
             );
         }
-        return Err(Error::GetQuote);
+        const BUSY: i32 = AttestLibError::Busy as i32;
+        return Err(match servtd_get_quote_ret {
+            BUSY => Error::Busy,
+            _ => Error::GetQuote,
+        });
     }
 
     let hdr = get_quote_blob_ptr as *mut ServtdTdxQuoteHdr;

src/attestation/src/lib.rs

@@ -89,4 +89,6 @@ pub enum Error {
     InvalidOutput,
     InvalidQuote,
     OutOfMemory,
+    /// Service busy/unavailable/transient error, caller should retry
+    Busy,
 }

src/migtd/src/quote.rs

@@ -36,9 +36,10 @@ pub enum QuoteError {
     QuoteGenerationFailed,
 }
 
-/// Get a quote with retry logic to handle potential security updates
+/// Get a quote with retry logic to handle transient and retriable errors
 ///
-/// On quote failure, fetches a new TD REPORT and retries with exponential backoff.
+/// On retriable errors, retries with exponential backoff starting at 1s.
+/// Non-retriable errors cause immediate failure.
 ///
 /// # Arguments
 /// * `additional_data` - The 64-byte additional data to include in the TD REPORT
@@ -63,21 +64,25 @@ pub fn get_quote_with_retry(additional_data: &[u8; 64]) -> Result<(Vec<u8>, Vec<
                 log::info!("Quote generated successfully\n");
                 return Ok((quote, report_bytes.to_vec()));
             }
-            _ => {
+            Err(attestation::Error::Busy) => {
                 attempt += 1;
                 if attempt > MAX_RETRIES {
                     log::error!("GetQuote failed after {} attempts\n", attempt);
                     return Err(QuoteError::QuoteGenerationFailed);
                 }
                 log::warn!(
-                    "GetQuote failed (attempt {}/{}), retrying in {}ms\n",
+                    "GetQuote returned Busy (attempt {}/{}), retrying in {}ms\n",
                     attempt,
                     MAX_RETRIES + 1,
                     busy_delay_ms
                 );
                 delay_milliseconds(busy_delay_ms);
                 busy_delay_ms *= 2;
             }
+            Err(e) => {
+                log::error!("GetQuote failed with non-retriable error: {:?}\n", e);
+                return Err(QuoteError::QuoteGenerationFailed);
+            }
         }
     }
 }

src/migtd/src/ratls/server_client.rs

@@ -220,14 +220,19 @@ pub fn client_rebinding<T: AsyncRead + AsyncWrite + Unpin>(
     })
 }
 
-fn gen_quote(public_key: &[u8]) -> Result<Vec<u8>> {
+fn prepare_report_data(public_key: &[u8]) -> Result<[u8; 64]> {
     let hash = digest_sha384(public_key).map_err(|e| {
         log::error!("Failed to compute SHA384 digest: {:?}\n", e);
         e
     })?;
 
     let mut additional_data = [0u8; 64];
     additional_data[..hash.len()].copy_from_slice(hash.as_ref());
+    Ok(additional_data)
+}
+
+fn gen_quote(public_key: &[u8]) -> Result<Vec<u8>> {
+    let additional_data = prepare_report_data(public_key)?;
 
     let (quote, _report) = crate::quote::get_quote_with_retry(&additional_data).map_err(|e| {
         log::error!("get_quote_with_retry failed: {:?}\n", e);
@@ -238,15 +243,9 @@ fn gen_quote(public_key: &[u8]) -> Result<Vec<u8>> {
 }
 
 pub fn gen_tdreport(public_key: &[u8]) -> Result<TdxReport> {
-    let hash = digest_sha384(public_key).map_err(|e| {
-        log::error!("Failed to compute SHA384 digest: {:?}\n", e);
-        e
-    })?;
+    let additional_data = prepare_report_data(public_key)?;
 
     // Generate the TD Report that contains the public key hash as nonce
-    let mut additional_data = [0u8; 64];
-    additional_data[..hash.len()].copy_from_slice(hash.as_ref());
-
     tdx_tdcall::tdreport::tdcall_report(&additional_data).map_err(|e| {
         log::error!("Failed to get TD report via tdcall. Error: {:?}\n", e);
         e.into()