opensource/cocos
1
0
Fork 0
mirror of https://github.com/ultravioletrs/cocos.git synced 2026-06-23 04:10:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

COCOS-577 - Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts. (#578)
CI / lint (push) Has been cancelled
Details
CI / test (agent) (push) Has been cancelled
Details
CI / test (cli) (push) Has been cancelled
Details
CI / test (cmd) (push) Has been cancelled
Details
CI / test (internal) (push) Has been cancelled
Details
CI / test (manager, true) (push) Has been cancelled
Details
CI / test (pkg) (push) Has been cancelled
Details
CI / upload-coverage (push) Has been cancelled
Details

Browse Source 
* feat: Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Update dependencies and refactor attestation policy handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* refactor: Migrate attestation verification to use CoRIM and remove deprecated policy handling and EAT verification tests.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* Removed the `tdx` and `sev-snp` attestation policy scripts and their build configurations, along with related build and installation steps from the main Makefile.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* chore: Remove Rust CI workflow and Cargo Dependabot configuration, and enhance Go test setup for attestation policy paths.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* refactor: Use WriteString instead of Write([]byte) for writing policy file content in test.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Refactor `ca-bundle` command to fetch bundles by product string using a configurable HTTP getter with improved error handling, and simplify `attestation_policy` command usage.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: ignore return value of cmd.Help()

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Implement CoRIM generation for Azure and GCP attestation policies and add a CLI command to download and verify GCP OVMF files.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Upgrade Python virtual environment setup to include setuptools and wheel, append computation ID to Docker container names, and improve test robustness with error assertions and conditional skips for runtime tests.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* test: Enhance attestation verification tests, including CoRIM integration and specific platform types like Azure SNP, vTPM, TDX, and IGVM.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add comprehensive test cases for `VerifyWithCoRIM` including success and measurement mismatch, and refine reference value validation.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add Azure and TDX attestation verification tests and abstract external service dependencies for improved testability.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add new test cases for Azure measurement extraction, EAT platform types, IGVM measurement stopping, vTPM CoRIM verification, and GCP OVMF download CLI.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* test: enhance CLI CoRIM generation and ATLS certificate verification tests, and refactor the Azure MAA client to use an interface.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
This commit is contained in:
Sammy Kerata Oina
2026-03-19 19:01:24 +03:00
committed by GitHub
parent da31d76c94
commit c1cbcec851
74 changed files with 3662 additions and 8288 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/cli/main.go
+7 -7
View File
@@ -136,7 +136,7 @@ func main() {
rootCmd.AddCommand(cliSVC.NewFileHashCmd())
rootCmd.AddCommand(attestationPolicyCmd)
rootCmd.AddCommand(keysCmd)
rootCmd.AddCommand(cliSVC.NewCABundleCmd(directoryCachePath))
rootCmd.AddCommand(cliSVC.NewCABundleCmd(directoryCachePath, nil))
rootCmd.AddCommand(cliSVC.NewCreateVMCmd())
rootCmd.AddCommand(cliSVC.NewRemoveVMCmd())
rootCmd.AddCommand(cliSVC.NewIMAMeasurementsCmd())
@@ -159,13 +159,13 @@ func main() {
)
// Attestation Policy commands
attestationPolicyCmd.AddCommand(cliSVC.NewAddMeasurementCmd())
attestationPolicyCmd.AddCommand(cliSVC.NewAddHostDataCmd())
attestationPolicyCmd.AddCommand(cliSVC.NewGCPAttestationPolicy())
// Legacy JSON policy commands removed in favor of CoRIM.
// attestationPolicyCmd.AddCommand(cliSVC.NewAddMeasurementCmd())
// attestationPolicyCmd.AddCommand(cliSVC.NewAddHostDataCmd())
// attestationPolicyCmd.AddCommand(cliSVC.NewGCPAttestationPolicy())
attestationPolicyCmd.AddCommand(cliSVC.NewDownloadGCPOvmfFile())
attestationPolicyCmd.AddCommand(cliSVC.NewAzureAttestationPolicy())
attestationPolicyCmd.AddCommand(cliSVC.NewTDXAttestationPolicy())
attestationPolicyCmd.AddCommand(cliSVC.NewExtendWithManifestCmd())
// attestationPolicyCmd.AddCommand(cliSVC.NewAzureAttestationPolicy())
// attestationPolicyCmd.AddCommand(cliSVC.NewExtendWithManifestCmd())
if err := rootCmd.Execute(); err != nil {
logErrorCmd(*rootCmd, err)
cmd/manager/main.go
+12 -12
View File
@@ -43,15 +43,15 @@ const (
)
type config struct {
LogLevel string `env:"MANAGER_LOG_LEVEL" envDefault:"info"`
JaegerURL url.URL `env:"COCOS_JAEGER_URL" envDefault:"http://localhost:4318"`
TraceRatio float64 `env:"COCOS_JAEGER_TRACE_RATIO" envDefault:"1.0"`
InstanceID string `env:"MANAGER_INSTANCE_ID" envDefault:""`
AttestationPolicyBinary string `env:"MANAGER_ATTESTATION_POLICY_BINARY" envDefault:"../../build/attestation_policy"`
IgvmMeasureBinary string `env:"MANAGER_IGVMMEASURE_BINARY" envDefault:"../../build/igvmmeasure"`
PcrValues string `env:"MANAGER_PCR_VALUES" envDefault:""`
EosVersion string `env:"MANAGER_EOS_VERSION" envDefault:""`
MaxVMs int `env:"MANAGER_MAX_VMS" envDefault:"10"`
LogLevel string `env:"MANAGER_LOG_LEVEL" envDefault:"info"`
JaegerURL url.URL `env:"COCOS_JAEGER_URL" envDefault:"http://localhost:4318"`
TraceRatio float64 `env:"COCOS_JAEGER_TRACE_RATIO" envDefault:"1.0"`
InstanceID string `env:"MANAGER_INSTANCE_ID" envDefault:""`
AttestationPolicyBinaryPath string `env:"MANAGER_ATTESTATION_POLICY_BINARY_PATH" envDefault:"../../build"`
PcrValues string `env:"MANAGER_PCR_VALUES" envDefault:""`
EosVersion string `env:"MANAGER_EOS_VERSION" envDefault:""`
MaxVMs int `env:"MANAGER_MAX_VMS" envDefault:"10"`
SigningKeyPath string `env:"MANAGER_CORIM_SIGNING_KEY" envDefault:""`
}
func main() {
@@ -125,7 +125,7 @@ func main() {
logger.Error(fmt.Sprintf("failed to load %s gRPC server configuration : %s", svcName, err))
}
svc, err := newService(logger, tracer, *qemuCfg, cfg.AttestationPolicyBinary, cfg.IgvmMeasureBinary, cfg.PcrValues, cfg.EosVersion, cfg.MaxVMs)
svc, err := newService(logger, tracer, *qemuCfg, cfg.AttestationPolicyBinaryPath, cfg.PcrValues, cfg.SigningKeyPath, cfg.EosVersion, cfg.MaxVMs)
if err != nil {
logger.Error(err.Error())
exitCode = 1
@@ -166,8 +166,8 @@ func main() {
}
}
func newService(logger *slog.Logger, tracer trace.Tracer, qemuCfg qemu.Config, attestationPolicyPath string, igvmMeasurementBinaryPath string, pcrValuesFilePath string, eosVersion string, maxVMs int) (manager.Service, error) {
svc, err := manager.New(qemuCfg, attestationPolicyPath, igvmMeasurementBinaryPath, pcrValuesFilePath, logger, qemu.NewVM, eosVersion, maxVMs)
func newService(logger *slog.Logger, tracer trace.Tracer, qemuCfg qemu.Config, attestationPolicyBinaryPath string, pcrValuesFilePath string, signingKeyPath string, eosVersion string, maxVMs int) (manager.Service, error) {
svc, err := manager.New(qemuCfg, attestationPolicyBinaryPath, pcrValuesFilePath, signingKeyPath, logger, qemu.NewVM, eosVersion, maxVMs)
if err != nil {
return nil, err
}