Add igvm measurement (#379)

Add copyright information to package Add testing to igvm measurements Remove trailing white space Improve testing Resolve PR comments Add measure to cli Add README for feature Fix PR comments Added new line to shell script Add measurement interface Fix ci Refactor code for IgvmMeasurement to become a CLI dependency Refactor code for IgvmMeasurement to become a CLI dependency Refactor based on ci failures Fix error handling Add header Fix ci
2026-06-23 04:10:25 +00:00 · 2025-03-12 12:24:51 +03:00
parent 67f939fc66
commit 4bb732ebf9
9 changed files with 316 additions and 7 deletions
@@ -100,3 +100,22 @@ When defining the manifest dataset and algorithm checksums are required. This ca
 ```bash
 ./build/cocos-cli checksum <path_to_dataset_or_algorithm>
 ```
+
+#### Measure IGVM file
+We assume that our current working directory is the root of the cocos repository, both on the host machine and in the VM.
+
+`igvmmeasure` calculates the launch measurement for an IGVM file and can generate a signed version. It ensures integrity by precomputing the expected launch digest, which can be verified against the attestation report. The tool parses IGVM directives, outputs the measurement as a hex string, or creates a signed file for verification at guest launch.
+
+##### Example
+We measure an IGVM file using our measure command, run:
+
+```bash
+./build/cocos-cli igvmmeasure /path/to/igvm/file
+```
+
+The tool will parse the directives in the IGVM file, calculate the launch measurement, and output the computed digest. If successful, it prints the measurement to standard output.
+
+Here is a sample output
+```
+91c4929bec2d0ecf11a708e09f0a57d7d82208bcba2451564444a4b01c22d047995ca27f9053f86de4e8063e9f810548
+```
@@ -624,6 +624,28 @@ func (cli *CLI) NewValidateAttestationValidationCmd() *cobra.Command {
 	return cmd
 }

+func (cli *CLI) NewMeasureCmd(igvmBinaryPath string) *cobra.Command {
+	igvmmeasureCmd := &cobra.Command{
+		Use:   "igvmmeasure <INPUT>",
+		Short: "Measure an IGVM file",
+		Long: `igvmmeasure measures an IGVM file and outputs the calculated measurement.
+			It ensures integrity verification for the IGVM file.`,
+
+		Args: cobra.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 0 {
+				return fmt.Errorf("error: No input file provided")
+			}
+
+			inputFile := args[0]
+
+			return cli.measurement.Run(inputFile)
+		},
+	}
+
+	return igvmmeasureCmd
+}
+
 func sevsnpverify(cmd *cobra.Command, args []string) error {
 	cmd.Println("Checking attestation")

@@ -34,8 +34,6 @@ func TestNewAttestationCmd(t *testing.T) {
 	var buf bytes.Buffer
 	cmd.SetOut(&buf)

-	cmd.SetOutput(&buf)
-
 	reportData := bytes.Repeat([]byte{0x01}, quoteprovider.Nonce)
 	mockSDK.On("Attestation", mock.Anything, [quoteprovider.Nonce]byte(reportData), mock.Anything).Return(nil)

@@ -159,7 +157,7 @@ func TestNewGetAttestationCmd(t *testing.T) {
 			}
 			cmd := cli.NewGetAttestationCmd()
 			var buf bytes.Buffer
-			cmd.SetOutput(&buf)
+			cmd.SetOut(&buf)

 			mockSDK.On("Attestation", mock.Anything, [quoteprovider.Nonce]byte(bytes.Repeat([]byte{0x00}, quoteprovider.Nonce)), [vtpm.Nonce]byte(bytes.Repeat([]byte{0x00}, vtpm.Nonce)), mock.Anything, mock.Anything).Return(tc.mockError).Run(func(args mock.Arguments) {
 				_, err := args.Get(4).(*os.File).Write(tc.mockResponse)
@@ -285,6 +283,61 @@ func TestNewValidateAttestationValidationCmd(t *testing.T) {
 	})
 }

+type MockMeasurement struct {
+	mock.Mock
+}
+
+func (m *MockMeasurement) Run(igvmBinaryPath string) error {
+	args := m.Called(igvmBinaryPath)
+	return args.Error(0)
+}
+
+func (m *MockMeasurement) Stop() error {
+	args := m.Called()
+	return args.Error(0)
+}
+
+func TestNewMeasureCmd_RunSuccess(t *testing.T) {
+	cliInstance := &CLI{}
+	mockMeasurement := new(MockMeasurement)
+	cliInstance.measurement = mockMeasurement
+
+	mockMeasurement.On("Run", "testfile.igvm").Return(nil)
+
+	cmd := cliInstance.NewMeasureCmd("fake_binary_path")
+	buf := new(bytes.Buffer)
+	cmd.SetOut(buf)
+	cmd.SetErr(buf)
+	cmd.SetArgs([]string{"testfile.igvm"})
+
+	err := cmd.Execute()
+
+	assert.NoError(t, err)
+	mockMeasurement.AssertExpectations(t)
+}
+
+func TestNewMeasureCmd_RunError(t *testing.T) {
+	cliInstance := &CLI{}
+	mockMeasurement := new(MockMeasurement)
+	cliInstance.measurement = mockMeasurement
+	expectedError := errors.New("mocked measurement error")
+
+	mockMeasurement.On("Run", "testfile.igvm").Return(expectedError)
+
+	cmd := cliInstance.NewMeasureCmd("fake_binary_path")
+
+	buf := new(bytes.Buffer)
+	cmd.SetOut(buf)
+	cmd.SetErr(buf)
+	cmd.SetArgs([]string{"testfile.igvm"})
+
+	err := cmd.Execute()
+
+	assert.Error(t, err)
+	assert.Equal(t, expectedError.Error(), err.Error())
+	mockMeasurement.AssertExpectations(t)
+}
+
 func TestParseConfig(t *testing.T) {
 	cfgString = ""
 	err := parseConfig()
@@ -7,6 +7,7 @@ import (

 	"github.com/spf13/cobra"
 	"github.com/ultravioletrs/cocos/manager"
+	"github.com/ultravioletrs/cocos/pkg/attestation/igvmmeasure"
 	"github.com/ultravioletrs/cocos/pkg/clients/grpc"
 	"github.com/ultravioletrs/cocos/pkg/clients/grpc/agent"
 	managergrpc "github.com/ultravioletrs/cocos/pkg/clients/grpc/manager"
@@ -22,12 +23,14 @@ type CLI struct {
 	client        grpc.Client
 	managerClient manager.ManagerServiceClient
 	connectErr    error
+	measurement   igvmmeasure.MeasurementProvider
 }

-func New(agentConfig grpc.AgentClientConfig, managerConfig grpc.ManagerClientConfig) *CLI {
+func New(agentConfig grpc.AgentClientConfig, managerConfig grpc.ManagerClientConfig, measurement igvmmeasure.MeasurementProvider) *CLI {
 	return &CLI{
 		agentConfig:   agentConfig,
 		managerConfig: managerConfig,
+		measurement:   measurement,
 	}
 }