COCOS-391- GCP Attestation policy (#405)

* Add AgentGrpcHost configuration to agent server Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add SHA1 support to PcrValues and implement GCP attestation functions Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add GCP attestation policy and OVMF download commands Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add vTPM attestation support and update protobuf versions Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Remove Host field from AgentConfig and update related references Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Update GCP attestation policy to accept vCPU count as an argument Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add SHA512 digest verification for OVMF file in GCP download command Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Update OVMF object name format in GCP attestation package Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Refactor attestation policy structure to use nested Config field Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com>
2026-06-23 04:10:25 +00:00 · 2025-03-19 11:39:46 +03:00
parent ebc8f1bba4
commit c14f1d7b6c
20 changed files with 630 additions and 168 deletions
@@ -4,6 +4,10 @@ package main

 import (
 	"context"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"log"
@@ -25,6 +29,7 @@ import (
 	"github.com/ultravioletrs/cocos/agent/cvms/server"
 	"github.com/ultravioletrs/cocos/agent/events"
 	agentlogger "github.com/ultravioletrs/cocos/internal/logger"
+	attestationconfig "github.com/ultravioletrs/cocos/pkg/attestation"
 	"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider"
 	"github.com/ultravioletrs/cocos/pkg/attestation/quoteprovider/mocks"
 	pkggrpc "github.com/ultravioletrs/cocos/pkg/clients/grpc"
@@ -41,8 +46,9 @@ const (
 )

 type config struct {
-	LogLevel string `env:"AGENT_LOG_LEVEL" envDefault:"debug"`
-	Vmpl     int    `env:"AGENT_VMPL" envDefault:"2"`
+	LogLevel      string `env:"AGENT_LOG_LEVEL" envDefault:"debug"`
+	Vmpl          int    `env:"AGENT_VMPL"      envDefault:"2"`
+	AgentGrpcHost string `env:"AGENT_GRPC_HOST" envDefault:"0.0.0.0"`
 }

 func main() {
@@ -138,7 +144,7 @@ func main() {
 		return
 	}

-	mc, err := cvmsapi.NewClient(pc, svc, eventsLogsQueue, logger, server.NewServer(logger, svc), storageDir, reconnectFn)
+	mc, err := cvmsapi.NewClient(pc, svc, eventsLogsQueue, logger, server.NewServer(logger, svc, cfg.AgentGrpcHost), storageDir, reconnectFn)
 	if err != nil {
 		logger.Error(err.Error())
 		exitCode = 1
@@ -164,6 +170,22 @@ func main() {
 		return mc.Process(ctx, cancel)
 	})

+	attestation, certSerialNumber, err := attestationFromCert(ctx, cvmGrpcConfig.ClientCert, svc)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to get attestation: %s", err))
+		exitCode = 1
+		return
+	}
+
+	eventsLogsQueue <- &cvms.ClientStreamMessage{
+		Message: &cvms.ClientStreamMessage_VTPMattestationReport{
+			VTPMattestationReport: &cvms.AttestationResponse{
+				File:             attestation,
+				CertSerialNumber: certSerialNumber,
+			},
+		},
+	}
+
 	if err := g.Wait(); err != nil {
 		logger.Error(fmt.Sprintf("%s service terminated: %s", svcName, err))
 	}
@@ -187,3 +209,29 @@ func sevGuesDeviceExists() bool {
 	d.Close()
 	return true
 }
+
+func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Service) ([]byte, string, error) {
+	if certFilePath == "" {
+		return nil, "", nil
+	}
+
+	certFile, err := os.ReadFile(certFilePath)
+	if err != nil {
+		return nil, "", err
+	}
+
+	certPem, _ := pem.Decode(certFile)
+	certx509, err := x509.ParseCertificate(certPem.Bytes)
+	if err != nil {
+		return nil, "", err
+	}
+
+	nonceSNP := sha512.Sum512(certFile)
+	nonceVTPM := sha256.Sum256(certFile)
+	attestation, err := svc.Attestation(ctx, nonceSNP, nonceVTPM, attestationconfig.SNPvTPM)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return attestation, certx509.SerialNumber.String(), nil
+}
@@ -160,6 +160,8 @@ func main() {
 	// Attestation Policy commands
 	attestationPolicyCmd.AddCommand(cliSVC.NewAddMeasurementCmd())
 	attestationPolicyCmd.AddCommand(cliSVC.NewAddHostDataCmd())
+	attestationPolicyCmd.AddCommand(cliSVC.NewGCPAttestationPolicy())
+	attestationPolicyCmd.AddCommand(cliSVC.NewDownloadGCPOvmfFile())

 	if err := rootCmd.Execute(); err != nil {
 		logErrorCmd(*rootCmd, err)