* feat: Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update dependencies and refactor attestation policy handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Migrate attestation verification to use CoRIM and remove deprecated policy handling and EAT verification tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Removed the `tdx` and `sev-snp` attestation policy scripts and their build configurations, along with related build and installation steps from the main Makefile.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Remove Rust CI workflow and Cargo Dependabot configuration, and enhance Go test setup for attestation policy paths.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Use WriteString instead of Write([]byte) for writing policy file content in test.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Refactor `ca-bundle` command to fetch bundles by product string using a configurable HTTP getter with improved error handling, and simplify `attestation_policy` command usage.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: ignore return value of cmd.Help()
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement CoRIM generation for Azure and GCP attestation policies and add a CLI command to download and verify GCP OVMF files.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Upgrade Python virtual environment setup to include setuptools and wheel, append computation ID to Docker container names, and improve test robustness with error assertions and conditional skips for runtime tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: Enhance attestation verification tests, including CoRIM integration and specific platform types like Azure SNP, vTPM, TDX, and IGVM.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add comprehensive test cases for `VerifyWithCoRIM` including success and measurement mismatch, and refine reference value validation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add Azure and TDX attestation verification tests and abstract external service dependencies for improved testability.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add new test cases for Azure measurement extraction, EAT platform types, IGVM measurement stopping, vTPM CoRIM verification, and GCP OVMF download CLI.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: enhance CLI CoRIM generation and ATLS certificate verification tests, and refactor the Azure MAA client to use an interface.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat(kbs): implement KBS client for attestation and resource retrieval
- Added KBS client implementation in pkg/kbs/client.go with methods for attestation and resource retrieval.
- Introduced necessary data structures for requests and responses.
- Implemented error handling for various scenarios.
test(kbs): add unit tests for KBS client
- Created comprehensive tests for the KBS client in pkg/kbs/client_test.go.
- Included tests for attestation success and failure cases, as well as resource retrieval.
feat(registry): introduce HTTP and S3 registry implementations
- Added HTTPRegistry for downloading resources over HTTP/HTTPS with retry logic in pkg/registry/http.go.
- Implemented S3Registry for downloading resources from AWS S3 and S3-compatible services in pkg/registry/s3.go.
- Included error handling and configuration options for both registries.
chore(registry): define registry interface and configuration
- Created registry interface and configuration struct in pkg/registry/registry.go.
- Added default configuration settings for registry clients.
docs(cvms): update README for CVMS server configuration and usage
- Enhanced documentation for CVMS server with detailed command-line flags and usage examples.
- Clarified direct upload and remote resource modes, including KBS integration.
fix(cvms): integrate KBS for remote resource handling in main.go
- Updated main.go to support remote datasets and algorithms using KBS.
- Added validation for command-line flags to ensure proper configuration.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Move ifeq conditional outside define block in attestation-service.mk
Make conditionals cannot be evaluated inside define...endef blocks
when used as recipe bodies. Restructured to define the
ATTESTATION_SERVICE_INSTALL_INIT_SYSTEMD block conditionally based
on BR2_PACKAGE_CC_ATTESTATION_AGENT configuration.
* feat: Implement remote resource downloading for algorithms and datasets using AWS S3/MinIO credentials.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add comprehensive documentation and agent support for testing remote resource download with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Improve agent logging for remote resource configuration and KBS status, and add a testing guide for remote resource downloads with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add a comprehensive guide for testing remote resource download with KBS attestation and update multiple package versions to a specific commit.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add failure transitions for resource reception states and a comprehensive guide for testing remote resource downloads with KBS attestation.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement remote resource download with KBS attestation in the agent and add a comprehensive testing guide.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: Add comprehensive guide for testing remote resource download with KBS attestation and include a debug log in the attestation client.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Delegate KBS attestation and token retrieval to a new attestation-agent service and document remote resource testing.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* client fixes
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* raw evidence
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Build all Go files in cmd directories, not just main.go
This fixes the issue where fetch_raw_evidence.go wasn't being included
in the attestation-service build.
* fix: Wrap binary evidence in JSON for KBS compatibility
Fixes 'invalid character' error by wrapping raw binary evidence
in a JSON structure with base64 encoding, as expected by KBS.
* chore: Update buildroot packages to c28cefae
Includes fixes for:
1. attestation-service build (including fetch_raw_evidence.go)
2. Agent KBS evidence format (wrapping binary in JSON)
* fix: Implement KBS RCAR handshake with cookies
Fixes 'cookie not found' error (401) from KBS by:
1. Adding CookieJar support to KBS client
2. Implementing GetChallenge() to perform /auth handshake and capture session cookie
3. Updating Agent to get challenge, decode nonce, and use it for evidence generation
4. Regenerating mocks
* chore: Update buildroot packages to f6981ac5
Includes KBS RCAR handshake fix (cookie support + GetChallenge loop)
* fix: Update KBS client JSON tags to kebab-case
Fixes deserialization error (401) from KBS by:
1. Using kebab-case (e.g. extra-params) for JSON tags as per protocol.
2. Initializing ExtraParams as empty object {} instead of null/omitted.
* fix: Wrap attestation evidence in primary_evidence format
Updates Agent to construct 'tee-evidence' payload with:
- primary_evidence: containing the actual quote/data
- additional_evidence: empty JSON object
This matches the Confidential Containers KBS Attestation Protocol requirements.
* fix: Update KBS protocol version to 0.4.0
KBS rejected 0.1.0 with a version mismatch error. Bumping to 0.4.0 to match server expectation.
* fix: Generate ephemeral key for KBS RuntimeData
Updates RuntimeData to include a valid ephemeral EC P-256 public key in JWK format, as required by the KBS RCAR protocol.
Also fixes the KBS client struct to support TEEPubKey as an object.
* fix: Update sample attestation quote to valid JSON
The default attestation.bin was binary, but the KBS Sample Verifier expects a valid JSON quote containing 'svn' and 'report_data'.
Updated the embedded bin file to contain this JSON structure.
* fix: Generate dynamic JSON quote for Sample TEE in FetchRawEvidence
The KBS Sample Verifier expects a JSON object with 'svn' and 'report_data'.
Previously, we were returning raw binary data (reportData+nonce).
This commit updates FetchRawEvidence to return a marshaled JSON structure with:
- svn: "1"
- report_data: base64(req.ReportData)
* refactor: Delegate Sample Attestation to Provider
Refactored sample attestation logic:
- Moved JSON Quote generation into EmptyProvider (standalone mode).
- Updated FetchRawEvidence to call provider.TeeAttestation instead of manual generation.
This enables using the real CC Attestation Agent for UNSPECIFIED platform if configured.
* feat: Add comprehensive debug logging and enforce CC AA usage
Changes:
- Updated EmptyProvider to return error instead of generating mock data
This forces proper use of CC Attestation Agent's sample attester
- Added detailed logging to attestation-service FetchRawEvidence:
* Hex dump of evidence (first 200 bytes)
* String preview of evidence
* Total evidence length
- Added detailed logging to agent service:
* Raw evidence hex and string previews
* KBS evidence JSON preview (first 500 bytes)
* Evidence lengths at each transformation step
This logging will help diagnose why KBS Sample Verifier is rejecting evidence.
* fix: Enable CC AA by default and add attestation-service log forwarding
Changes:
- Set USE_CC_ATTESTATION_AGENT=true by default in systemd service
- Added StandardOutput/StandardError to forward logs to /var/log/cocos/
- Updated HAL makefile to handle new default value
- This ensures attestation-service uses CC AA's sample attester
- Logs will now be visible in CVMS output for debugging
* feat: Add gRPC log forwarding to attestation-service
Implemented the same log forwarding mechanism used by the agent:
- Added ProtoHandler to write logs to both stdout and logQueue
- Connected to log client (/run/cocos/log.sock) for gRPC forwarding
- Added goroutine to forward logs to CVMS via log client
- Logs will now appear in CVMS output during computation runs
This enables visibility into attestation-service debug output including:
- CC AA connection status
- Evidence generation details (hex dumps, string previews)
- Any errors from providers
* fix: Parse sample evidence JSON instead of base64-encoding it
The attestation-service returns sample evidence as JSON:
{"svn":"1","report_data":"base64..."}
The agent was incorrectly base64-encoding this JSON string again.
KBS Sample Verifier expects the parsed JSON object directly.
Fixed by:
- Parsing the JSON evidence from attestation-service
- Passing the parsed object directly in primary_evidence.evidence
- This matches what KBS Sample Verifier expects
* debug: Increase KBS evidence logging preview to 1000 bytes
Show the complete JSON structure being sent to KBS to debug
the attestation failure.
* debug: Add comprehensive CC AA configuration logging
Added debug logs to show:
- Whether CC AA is enabled in config
- CC AA address being used
- Connection success/failure
- Which provider is ultimately selected
- Warning when falling back to EmptyProvider
This will help diagnose why EmptyProvider is being used
instead of CC Attestation Agent.
* debug: Add startup logging for log client connection
Added log message to show if log client connection succeeds
at attestation-service startup. This will help diagnose why
logs aren't appearing in CVMS output.
* feat: Add retry logic with exponential backoff to log client
Added simple retry mechanism to handle concurrent log requests:
- 3 retry attempts with exponential backoff (10ms, 20ms, 40ms)
- Applies to both SendLog and SendEvent methods
- Centralized in log client so all services benefit
- Should eliminate 'failed to send log' errors from concurrent requests
This fixes the issue where attestation-service logs weren't
appearing in CVMS output due to dropped messages.
* fix: Flatten sample evidence fields in primary_evidence for KBS
KBS Sample Verifier expects svn and report_data at the top level
of primary_evidence, not nested under an 'evidence' key.
Changed structure from:
{"primary_evidence": {"tee": "sample", "evidence": {"svn": "1", ...}}}
To:
{"primary_evidence": {"tee": "sample", "svn": "1", "report_data": "...", ...}}
This matches what KBS expects when deserializing the Quote structure.
* fix: Use sample quote directly as primary_evidence per KBS protocol
According to KBS attestation protocol spec, for sample TEE type,
primary_evidence should be the sample quote JSON directly:
{"svn": "1", "report_data": "..."}
Removed extra 'tee' and 'platform' fields that were causing KBS
to fail deserializing the Quote structure. The 'tee' field is
already sent in the Request payload during RCAR handshake.
Refs:
- https://github.com/confidential-containers/trustee/blob/main/kbs/docs/kbs_attestation_protocol.md
- https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/sample/mod.rs
* fix: Make CC AA required for sample attestation when configured
When USE_CC_ATTESTATION_AGENT=true, attestation-service now
requires AA to be available for NoCC/sample platform. This ensures
sample evidence always comes from AA with the correct KBS format.
Changes:
- Error out if AA connection fails for NoCC platform when AA is configured
- Only use EmptyProvider if AA is explicitly NOT configured
- Prevents incorrect sample evidence format from EmptyProvider
This ensures attestation-service delegates to AA for sample evidence
generation instead of creating it itself.
* fix: Implement proper RCAR protocol with tee-pubkey and runtime-data hash
Fixed KBS attestation error 'REPORT_DATA is different from that in Sample Quote'
Changes:
1. Generate ephemeral EC key pair BEFORE getting evidence from AA
2. Create runtime-data with nonce + tee-pubkey (JWK format)
3. Hash runtime-data (SHA-256) and use as report_data for AA
4. This binds the tee-pubkey to the TEE evidence per RCAR protocol
The report_data in the evidence now matches what KBS expects:
hash(runtime-data) instead of computation ID.
This completes the full RCAR protocol implementation:
- Request → Challenge → Attestation (with bound tee-pubkey) → Response
* fix(agent): use simple nonce for Sample attestation report_data
For Sample/NoCC attestation, use the raw nonce bytes directly as
report_data instead of hashing runtime-data. This avoids JSON
serialization mismatches with the KBS Sample verifier.
Real TEEs (TDX/SNP) still use runtime-data hash binding to
cryptographically bind the ephemeral tee-pubkey to the evidence.
* fix(agent): use RFC 8785 canonical JSON for runtime-data hashing
The KBS Sample attestation verifier (and likely others) expects the
report_data to be the SHA-256 hash of the *canonical* JSON serialization
(RFC 8785) of the runtime-data. Standard Go JSON marshaling does not
guarantee key ordering, leading to hash mismatches.
This change uses github.com/gowebpki/jcs to canonicalize the runtime-data
before hashing, ensuring compatibility with the KBS RCAR implementation.
Also reverted the temporary 'simple nonce' workaround.
* feat(hal): add CoCo Keyprovider and Skopeo packages
- Add coco-keyprovider buildroot package with systemd service
- Add skopeo buildroot package for OCI image handling
- Add ocicrypt_keyprovider.conf for encrypted image decryption
- Update Config.in to include new packages
This enables standard CoCo ecosystem integration for encrypted
OCI images instead of custom S3/HTTP registry clients.
* feat(oci): add OCI image handling package with Skopeo integration
- Add pkg/oci/types.go with ResourceSource and ImageManifest types
- Add pkg/oci/skopeo.go with Skopeo wrapper for pull/decrypt
- Add pkg/oci/extract.go for extracting algorithms and datasets from layers
This package provides OCI image handling using Skopeo and CoCo
Keyprovider for encrypted image decryption, replacing custom
S3/HTTP registry clients.
* chore: regenerate protobuf files for updated cvms.proto
* refactor(agent): replace S3/HTTP/KBS with OCI package
- Remove pkg/kbs and pkg/registry imports
- Add pkg/oci import for OCI image handling
- Replace downloadAndDecryptResource with OCI-based implementation
- Use Skopeo + CoCo Keyprovider for automatic decryption
- Reduce code from ~240 lines to ~70 lines
This eliminates custom KBS RCAR handshake, S3/HTTP registry clients,
and manual decryption logic. CoCo Keyprovider handles all decryption
automatically via ocicrypt protocol.
* chore: remove obsolete pkg/kbs and pkg/registry packages
- Delete pkg/kbs/ (custom KBS client, ~300 lines)
- Delete pkg/registry/ (S3/HTTP registry clients, ~400 lines)
- Remove unused imports from agent/service.go
- Run go mod tidy to clean up dependencies
These packages have been replaced by pkg/oci with Skopeo and
CoCo Keyprovider for standard CoCo ecosystem integration.
* fix(agent): update ResourceSource struct to include type and encryption fields
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix(hal): update CoCo Keyprovider to v0.16.0 and fix build path
- Update version from v0.11.0 to v0.16.0 (matches attestation agent)
- Fix install path: target is at repo root, not in coco_keyprovider subdir
- This fixes the build error where coco_keyprovider binary wasn't found
The cargo workspace in guest-components builds to a shared target/
directory at the repository root, not within each crate's subdirectory.
* feat: Update remote resources testing guide to use kbs-client and coco-keyprovider for key management and encryption, enable insecure TLS for Skopeo, and enhance CVMS with
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update component versions, revise image encryption documentation, and sanitize OCI image paths for Skopeo compatibility.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add `decompress` option to Dataset and `algo_type`/`algo_args` to Algorithm protobuf messages, updating client, test, and build configurations.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update multiple package versions and enhance OCI image extraction error reporting for missing algorithm files.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Bump package versions, improve OCI image extraction debugging by returning seen files, and remove unused dataset type parsing from test code.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Migrate OCI extraction to use structured logging with `slog` and `context`, and update package versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Bump multiple component versions, add encrypted status for computation inputs and algorithms, and refine OCI layer extraction warnings.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* logging
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add `Encrypted` field to algorithm and dataset resource sources and update all component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update component versions, integrate coco-keyprovider service, and configure ocicrypt key provider.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add support for KBS parameters and dataset/algorithm hash calculations in CVMS
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update resource download and extraction logic to support requirements.txt and improve hash verification
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Update dependencies, improve code style, and add GetRawEvidence to attestation client mocks.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor code structure for improved readability and maintainability
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: update golangci configuration to include errcheck for build path and remove unnecessary exclusions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: streamline kernel command line handling in QEMU args construction
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add attestation binary and update checksum tests and policy structure
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add unit tests for attestation agent, attestation, log, crypto, OCI, and Skopeo clients
- Implement tests for the attestation agent client including Unix socket and TCP address handling, token retrieval, and error scenarios.
- Enhance attestation client tests to cover fetching raw evidence for various platforms (SNP, TDX, VTPM, SNPvTPM) and validate error handling.
- Introduce log client tests to verify retry behavior for sending logs and events.
- Create comprehensive tests for crypto package focusing on AES-GCM decryption, encrypted resource parsing, and key unwrapping.
- Add tests for OCI package to validate algorithm and dataset extraction, including JSON serialization of OCILayout.
- Implement Skopeo client tests to ensure proper functionality for image pulling, inspecting, and resource source handling.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: handle JSON marshal errors in test cases for decrypt and extract functions
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add comprehensive tests for algorithm and dataset extraction with various scenarios
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: replace hardcoded Python script content with constant variable
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: remove redundant mock expectation for SendAgentConfig in TestCreateVMWithAaKbsParams
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add tests for event sending failure, dataset extraction with path traversal, and Skopeo client behavior
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add tests for download and decryption of resources with various URL formats
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Introduce OCIClient interface for agent service to improve testability of OCI image operations and enhance related tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Change `get_uint64_from_tcb` to accept `TcbVersion` by value and use `u64::from` for type conversions.
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add Confidential Containers attestation agent as an alternative attestation backend with new proto definitions and build system integration.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Update protoc-gen-go and protoc-gen-go-grpc versions in CI workflow
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add mock implementation for AttestationAgentServiceClient and corresponding tests
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Add missing periods to test function comments in provider_test.go
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor attestation handling to remove quoteprovider dependency
- Removed references to quoteprovider in various files, replacing them with vtpm where necessary.
- Updated function signatures and implementations to use SEVNonce instead of quoteprovider.Nonce.
- Introduced new vtpm package to handle SEV-related attestation logic, including fetching and verifying attestation reports.
- Adjusted tests to reflect changes in the attestation logic and ensure compatibility with the new structure.
- Deleted the now redundant quoteprovider/sev_test.go file.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Add veraison/go-cose dependency to go.mod
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce TLS package for enhanced security configuration and refactor client code to utilize new TLS utilities
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement EAT (Evidence Attestation Token) generation and verification for attestation responses, replacing raw quotes with EAT tokens in the attestation service and protobuf.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* style: standardize comment formatting and fix a debug log format specifier.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix pkg test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce named constants for OEM IDs and use them in attestation claim extraction.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Implement and test minimum length validation for EAT nonce in `NewEATClaims`.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Add EATClaims.Sanitize method and integrate it into the validator to enforce claim dependencies.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Add Signature field to SNPExtensions and TDXExtensions for enhanced claim validation
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update dependencies and improve code structure in attestation package
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Introduce comprehensive test suites for EAT, ATLS, TDX, Azure SNP, and vTPM attestation, and improve EAT decoder robustness.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add encryption and admin keys, an encrypted algorithm file, and update go.mod to use go-jose/v4.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add new encryption and KBS admin keys while improving TDX attestation test error handling.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add new KBS admin and encryption keys, an encrypted linear regression algorithm, and refactor TDX test error message checks.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement Azure SNP attestation policy, update certificate verification, and add key management.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: replace hardcoded string literals with variables in Azure SNP attestation tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Refactor TDX EAT claims to use individual RTMR fields with `tdx_` prefixes and add an `IntUse` field.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: SammyOina <sammyoina@gmail.com>
* feat: Introduce computation runner, log forwarder, ingress, and egress proxy services.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update Go environment variable parsing and build system to use new architecture and repository.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update package sources to `sammyoina/cocos-ai` at a specific commit, add log-forwarder pre-start hook, and rename proxy binaries.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Update build system references to a specific commit and enhance logging for service connections and message processing.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* build: Update package source repositories and versions, migrate client logging to slog, and adjust ingress/egress proxy build and install steps.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* debug stuck
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* debug
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* debug
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add HTTP/2 support to egress proxy and update build system to use specific commit hashes
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: enhance egress proxy CONNECT handling, update package sources, and add gRPC test utility
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update build system for various services to a specific commit from a new repository, change agent gRPC port to 7001, and add a gRPC test client.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Migrate agent-internal gRPC communication to Unix sockets, set ingress proxy to port 7002, and update build hashes.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Remove standalone ingress-proxy systemd service and update component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: Prevent computation re-initialization in agent and update component versions across several packages.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: update package versions and enable h2c support in ingress proxy.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: refactor ingress proxy to support HTTP/2 over Unix sockets and update component versions.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update build system package sources to `ultravioletrs/cocos` and reduce agent logging verbosity.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: improve error handling in proxy commands and remove unused gRPC test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add mock service state return value in handleRunReqChunks test
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: add comprehensive tests for service and proxy components
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix linter
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* improve coverage
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: add gRPC client and ingress adapter tests, and update egress proxy tests.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* improve coverage
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update dependencies and refactor certificate generation to include context
- Updated `cloud.google.com/go/compute/metadata` from v0.8.0 to v0.9.0.
- Updated `github.com/absmach/certs` from v0.18.0 to v0.18.2.
- Updated `github.com/absmach/supermq` from v0.18.1 to v0.18.2.
- Updated `github.com/go-logfmt/logfmt` from v0.6.0 to v0.6.1.
- Updated `github.com/grpc-ecosystem/grpc-gateway/v2` from v2.27.2 to v2.27.3.
- Updated `github.com/prometheus/common` from v0.66.1 to v0.67.1.
- Updated `github.com/rogpeppe/go-internal` from v1.13.1 to v1.14.1.
- Updated `github.com/segmentio/asm` from v1.2.0 to v1.2.1.
- Updated `go.opentelemetry.io/auto/sdk` from v1.1.0 to v1.2.1.
- Updated `go.opentelemetry.io/proto/otlp` from v1.7.1 to v1.8.0.
- Updated `golang.org/x/net` from v0.45.0 to v0.46.0.
- Updated `golang.org/x/oauth2` from v0.30.0 to v0.32.0.
- Updated `google.golang.org/genproto/googleapis/api` and `google.golang.org/genproto/googleapis/rpc` to the latest versions.
- Refactored `generateCASignedCertificate` method in `certificate_provider.go` to accept a context parameter.
- Updated calls to `generateCASignedCertificate` in `GetCertificate` and `TestCASignedCertificateErrors` to pass the context.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update mockSDK method signatures in certificate error tests to include additional parameters
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor ATLS and gRPC server to use CertificateProvider interface
- Removed unused test cases and mock dependencies in atls_test.go.
- Updated TestGetPlatformVerifier to use CertificateVerifier struct.
- Introduced CertificateProvider interface for better abstraction in TLS handling.
- Refactored gRPC server to accept CertificateProvider and configure TLS accordingly.
- Simplified TLS configuration logic in both gRPC and HTTP servers.
- Removed unnecessary parameters from server initialization in tests and main function.
- Enhanced logging for TLS configurations.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix comments for consistency and clarity in atls.go
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update expected error messages in VM command tests for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Enhance tests by integrating mock providers and improving error messages for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for certificate generation and attestation providers
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Implement certificate and attestation providers with unified generation logic
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor certificate and attestation provider structures for consistency; implement CertificateVerifier interface and related methods
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor attestation and certificate provider methods for consistency; rename methods and update related logic
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Implement gRPC server with TLS and mTLS support
- Added gRPC server implementation in pkg/server/grpc.
- Introduced server configuration options for TLS and mTLS.
- Implemented health check service for gRPC.
- Created tests for server initialization, startup, and shutdown scenarios.
- Added mock server for testing purposes.
- Implemented graceful shutdown handling for the server.
- Included documentation for the server package.
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add TLS and ATLS support to gRPC and HTTP clients; refactor security handling
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor server configuration structure to use Config instead of BaseConfig
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Fix comments for consistency and clarity in TLS-related code
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Add comprehensive tests for TLS and ATLS configurations in clients package
Signed-off-by: SammyOina <sammyoina@gmail.com>
* Refactor file permission constants in client tests to use octal notation
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add tests for HTTP server's TLS configuration and lifecycle management
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for TLS certificate handling and configuration
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add comprehensive tests for HTTP client configuration and transport
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor AttestationReportSize constant declaration for clarity
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor client configuration structure and update gRPC client implementations
- Consolidated client configuration types into a unified structure with BaseConfig.
- Introduced AttestedClientConfig and StandardClientConfig for specific use cases.
- Updated gRPC client creation functions to utilize new configuration types.
- Refactored tests to align with the new configuration structure.
- Removed redundant ClientConfiguration interface and related methods.
- Simplified TLS configuration loading logic for both standard and attested clients.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor client configuration structure and TLS handling
- Introduced StandardClientConfig to replace BaseConfig, simplifying client configuration.
- Updated AttestedClientConfig to embed StandardClientConfig instead of BaseConfig.
- Modified ClientConfiguration interface to use Config() method instead of GetBaseConfig().
- Refactored various client tests to accommodate changes in configuration structure.
- Added new TLS handling functions to support basic and attested TLS configurations.
- Implemented comprehensive tests for TLS loading and configuration validation.
- Removed deprecated methods and unnecessary code related to BaseConfig.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: SammyOina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Refactor mock interfaces to use 'any' instead of 'interface{}' for improved type safety and readability across multiple files in the manager and pkg directories.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update Go version to 1.25.x in CI workflows and remove obsolete Go package files
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Add mock implementations for various components in the attestation and SDK packages
- Created mock for MeasurementProvider in pkg/attestation/cmdconfig/mocks/mocks_test.go
- Created mock for Provider in pkg/attestation/mocks/mocks_test.go
- Created mock for Client in pkg/clients/grpc/mocks/mocks_test.go
- Created mock for SDK in pkg/sdk/mocks/mocks_test.go
These mocks are generated using mockery and are intended for unit testing purposes.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Remove autogenerated mock files and update mock usage in tests
- Deleted mocks for gRPC clients in pkg/clients/grpc/mocks/mocks_test.go and pkg/sdk/mocks/mocks_test.go.
- Updated test files in pkg/progressbar/progress_test.go to use the new mock structure without type parameters for gRPC client interfaces.
- Refactored mock generation in pkg/sdk/mocks/sdk.go to streamline the mock creation process and ensure consistency across mock methods.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update protobuf generated files for events and manager
- Bump protoc-gen-go version from v1.36.5 to v1.36.8 in events.pb.go and manager.pb.go.
- Refactor raw descriptor definitions in events.pb.go and manager.pb.go to use string concatenation for better readability and maintainability.
- Ensure compatibility with the latest protobuf specifications and improve code generation consistency.
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Update test commands to use GOTOOLCHAIN for consistent Go version handling
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Fix GOTOOLCHAIN usage in test command for consistency
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---------
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Sammy Kerata Oina
dusan
dependabot[bot]
Danko Miladinovic
Jovan Djukic
Washington Kigani Kamadi