COCOS-238 - Add measurement directly on backend info file (#245)

* add measurement directly on backendinfo

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* add host data

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

cmd/cli/main.go

@@ -16,6 +16,7 @@ import (
 	"github.com/ultravioletrs/cocos/pkg/clients/grpc"
 	"github.com/ultravioletrs/cocos/pkg/clients/grpc/agent"
 	"github.com/ultravioletrs/cocos/pkg/sdk"
+	cmd "github.com/virtee/sev-snp-measure-go/sevsnpmeasure/cmd"
 )
 
 const (
@@ -115,6 +116,9 @@ func main() {
 	attestationCmd.AddCommand(cliSVC.NewGetAttestationCmd())
 	attestationCmd.AddCommand(cliSVC.NewValidateAttestationValidationCmd())
 
+	// measure.
+	rootCmd.AddCommand(cmd.NewRootCmd())
+
 	// Flags
 	keysCmd.PersistentFlags().StringVarP(
 		&cli.KeyType,

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
+	github.com/virtee/sev-snp-measure-go v0.0.0-20240530153610-e6e8dc9b6877
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0
 	go.opentelemetry.io/otel/trace v1.28.0
 	golang.org/x/crypto v0.25.0
@@ -79,3 +80,5 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/virtee/sev-snp-measure-go => github.com/sammyoina/sev-snp-measure-go v0.0.0-20240918192515-70b6b9542aa5

go.sum

@@ -100,6 +100,8 @@ github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43Z
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sammyoina/sev-snp-measure-go v0.0.0-20240918192515-70b6b9542aa5 h1:w5R0cZgvakKxBsIrzboOb0DcHdkzEQ4tcQ6wLEn/FWo=
+github.com/sammyoina/sev-snp-measure-go v0.0.0-20240918192515-70b6b9542aa5/go.mod h1:dEkBe8JnxU5itNjZDEQINFd7f7l4DtjfqRuzPQcit4w=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=

manager/backend_info.go

@@ -7,11 +7,21 @@
 package manager
 
 import (
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
+
+	"github.com/ultravioletrs/cocos/cli"
+	"github.com/ultravioletrs/cocos/manager/qemu"
+	"github.com/virtee/sev-snp-measure-go/cpuid"
+	"github.com/virtee/sev-snp-measure-go/guest"
+	"github.com/virtee/sev-snp-measure-go/vmmtypes"
 )
 
+const defGuestFeatures = 0x1
+
 func (ms *managerService) FetchBackendInfo() ([]byte, error) {
 	cmd := exec.Command("sudo", fmt.Sprintf("%s/backend_info", ms.backendMeasurementBinaryPath), "--policy", "1966081")
 
@@ -25,5 +35,40 @@ func (ms *managerService) FetchBackendInfo() ([]byte, error) {
 		return nil, err
 	}
 
+	var backendInfo cli.AttestationConfiguration
+
+	if err = json.Unmarshal(f, &backendInfo); err != nil {
+		return nil, err
+	}
+
+	var measurement []byte
+	if ms.qemuCfg.EnableSEV {
+		measurement, err = guest.CalcLaunchDigest(guest.SEV, ms.qemuCfg.SMPCount, uint64(cpuid.CpuSigs[ms.qemuCfg.CPU]), ms.qemuCfg.OVMFCodeConfig.File, ms.qemuCfg.KernelFile, ms.qemuCfg.RootFsFile, qemu.KernelCommandLine, defGuestFeatures, "", vmmtypes.QEMU, false, "", 0)
+		if err != nil {
+			return nil, err
+		}
+	} else if ms.qemuCfg.EnableSEVSNP {
+		measurement, err = guest.CalcLaunchDigest(guest.SEV_SNP, ms.qemuCfg.SMPCount, uint64(cpuid.CpuSigs[ms.qemuCfg.CPU]), ms.qemuCfg.OVMFCodeConfig.File, ms.qemuCfg.KernelFile, ms.qemuCfg.RootFsFile, qemu.KernelCommandLine, defGuestFeatures, "", vmmtypes.QEMU, false, "", 0)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if measurement == nil {
+		backendInfo.SNPPolicy.Measurement = measurement
+	}
+
+	if ms.qemuCfg.HostData != "" {
+		hostData, err := base64.StdEncoding.DecodeString(ms.qemuCfg.HostData)
+		if err != nil {
+			return nil, err
+		}
+		backendInfo.SNPPolicy.HostData = hostData
+	}
+
+	f, err = json.Marshal(backendInfo)
+	if err != nil {
+		return nil, err
+	}
+
 	return f, nil
 }

manager/qemu/config.go

@@ -7,7 +7,10 @@ import (
 	"strconv"
 )
 
-const BaseGuestCID = 3
+const (
+	BaseGuestCID      = 3
+	KernelCommandLine = "quiet console=null rootfstype=ramfs"
+)
 
 type MemoryConfig struct {
 	Size  string `env:"MEMORY_SIZE"  envDefault:"2048M"`
@@ -175,7 +178,7 @@ func (config Config) ConstructQemuArgs() []string {
 	}
 
 	args = append(args, "-kernel", config.DiskImgConfig.KernelFile)
-	args = append(args, "-append", strconv.Quote("quiet console=null rootfstype=ramfs"))
+	args = append(args, "-append", strconv.Quote(KernelCommandLine))
 	args = append(args, "-initrd", config.DiskImgConfig.RootFsFile)
 
 	// SEV

test/manual/README.md

@@ -19,7 +19,7 @@ All assets/datasets the algorithm uses are stored in the `datasets` directory. T
 
 Agent is started automatically in the VM when launched but requires configuration and manifest to be passed by manager. Alternatively you can pass configuration using this [simplified script](./agent-config/main.go)
 
-For attested TLS, you will have to calculate the VM's measurement, which can be done using a tool [sev-snp-measure](https://pypi.org/project/sev-snp-measure/).
+For attested TLS, you will have to calculate the VM's measurement, which can be done using cli. This information is also contained in the backend info file.
 
 ```bash
 # Define the path to the OVMF, KERNEL, INITRD and CMD Kernel line arguments.
@@ -29,7 +29,7 @@ KERNEL="/home/cocosai/bzImage"
 LINE="earlyprintk=serial console=ttyS0"
 
 # Call sev-snp-measure
-sev-snp-measure --mode snp --vcpus 4 --vcpu-type EPYC-v4 --ovmf $OVMF_CODE --kernel $KERNEL --initrd $INITRD --append "$LINE" --output-format base64
+./build/cocos-cli sevsnpmeasure --mode snp --vcpus 4 --vcpu-type EPYC-v4 --ovmf $OVMF_CODE --kernel $KERNEL --initrd $INITRD --append "$LINE"
 ```
 
 To speed up the verification process of attested TLS, download the ARK and ASK certificates using the CLI tool. The CLI tool will download the certificates under your home directory in the `.cocos` directory.