Previously we would return a valid signature containing the empty
outblob, which is undesirable. In other cases where we cannot query a
report because the guest doesn't support it we currently return an
empty response so the signature aggregator in systemd-report silently
skips it. In this case, we have everything we need to actually get a
report on the guest side, but the host isn't providing us with the
quote, so we fail.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>

if (r < 0)
return log_debug_errno(r, "Failed to read 'provider' attribute: %m");
+ /* A zero-length outblob is never a valid attestation report, e.g. under Intel TDX the kernel
+ * yields an empty quote when the GetQuote round-trip to the host's Quote Generation Service
+ * produced nothing. */
+ if (!iovec_is_set(&report->outblob))
+ return log_debug_errno(SYNTHETIC_ERRNO(ENODATA),
+ "TSM provider '%s' returned an empty 'outblob'; no attestation report available.",
+ report->provider);
+
r = read_full_file_at(entry_fd, "auxblob",
(char**) &report->auxblob.iov_base, &report->auxblob.iov_len);
if (r < 0 && r != -ENOENT) /* auxblob is optional */
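Review bot: The new `if (!iovec_is_set(&report->outblob))` branch reports the failure only through `log_debug_errno()`, so a host that does not deliver a quote is invisible at default log levels unless the caller logs the returned ENODATA itself. Since the commit message distinguishes this case from the "guest doesn't support it" path that returns an empty response and is silently skipped, please document the ENODATA return on this function and confirm that the caller treats it as a hard failure rather than folding it into the skip path. The code comment could also state explicitly that the check applies to every TSM provider and that TDX is only the example, because the log message is already provider-generic via `report->provider`.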