* feat: Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Update dependencies and refactor attestation policy handling
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Migrate attestation verification to use CoRIM and remove deprecated policy handling and EAT verification tests.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* Removed the `tdx` and `sev-snp` attestation policy scripts and their build configurations, along with related build and installation steps from the main Makefile.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* chore: Remove Rust CI workflow and Cargo Dependabot configuration, and enhance Go test setup for attestation policy paths.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* refactor: Use WriteString instead of Write([]byte) for writing policy file content in test.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Refactor `ca-bundle` command to fetch bundles by product string using a configurable HTTP getter with improved error handling, and simplify `attestation_policy` command usage.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* fix: ignore return value of cmd.Help()
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Implement CoRIM generation for Azure and GCP attestation policies and add a CLI command to download and verify GCP OVMF files.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Upgrade Python virtual environment setup to include setuptools and wheel, append computation ID to Docker container names, and improve test robustness with error assertions and conditional skips for runtime tests.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: Enhance attestation verification tests, including CoRIM integration and specific platform types like Azure SNP, vTPM, TDX, and IGVM.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add comprehensive test cases for `VerifyWithCoRIM` including success and measurement mismatch, and refine reference value validation.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add Azure and TDX attestation verification tests and abstract external service dependencies for improved testability.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* feat: Add new test cases for Azure measurement extraction, EAT platform types, IGVM measurement stopping, vTPM CoRIM verification, and GCP OVMF download CLI.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>
* test: enhance CLI CoRIM generation and ATLS certificate verification tests, and refactor the Azure MAA client to use an interface.
  Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
IGVM Measure Package
The igvmmeasure package provides a Go wrapper for the igvmmeasure binary, which calculates measurements for IGVM (Isolated Guest Virtual Machine) files used in AMD SEV-SNP environments.
Overview
This package executes the igvmmeasure binary to compute cryptographic measurements of IGVM files, which are essential for SEV-SNP attestation and policy generation.
Features
- Binary Wrapper: Executes the igvmmeasure binary with proper arguments
- Measurement Calculation: Computes IGVM file measurements for SEV-SNP
- Flexible I/O: Supports custom stdout/stderr writers for output capture
- Testable: Allows injection of mock exec commands for testing
Usage
Basic Example
```go
package main

import (
	"bytes"
	"fmt"
	"log"

	"github.com/ultravioletrs/cocos/pkg/attestation/igvmmeasure"
)

func main() {
	var stdout, stderr bytes.Buffer

	// Create measurement provider (argument order: stderr first, then stdout)
	measurer, err := igvmmeasure.NewIgvmMeasurement(
		"/path/to/igvmmeasure",
		&stderr,
		&stdout,
	)
	if err != nil {
		log.Fatalf("create measurer: %v", err)
	}

	// Calculate measurement
	if err := measurer.Run("/path/to/file.igvm"); err != nil {
		log.Fatalf("run igvmmeasure: %v (stderr: %s)", err, stderr.String())
	}

	// Get measurement (hex string)
	measurement := stdout.String()
	fmt.Println(measurement)
}
```
Manager Integration
The manager uses this package to calculate IGVM measurements dynamically:
```go
igvmMeasurementBinaryPath := fmt.Sprintf("%s/igvmmeasure", ms.attestationPolicyBinaryPath)

var stdoutBuffer bytes.Buffer
var stderrBuffer bytes.Buffer
stdout := bufio.NewWriter(&stdoutBuffer)
stderr := bufio.NewWriter(&stderrBuffer)

igvmMeasurement, err := igvmmeasure.NewIgvmMeasurement(
	igvmMeasurementBinaryPath,
	stderr,
	stdout,
)
if err != nil {
	return nil, fmt.Errorf("failed to create IGVM measurement: %w", err)
}

err = igvmMeasurement.Run(ms.qemuCfg.IGVMConfig.File)
if err != nil {
	return nil, fmt.Errorf("failed to run IGVM measurement: %w", err)
}

// Flush so that any output still held in the bufio.Writer reaches stdoutBuffer.
if err := stdout.Flush(); err != nil {
	return nil, fmt.Errorf("failed to flush IGVM measurement output: %w", err)
}

measurement := fmt.Sprintf("%x", stdoutBuffer.Bytes())
```
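A sanity check for the captured output before it is written into an attestation policy, as an added example that is not code from the cocos project. It assumes the tool prints a single hex string and relies on the SEV-SNP launch measurement being a 48-byte SHA-384 digest; `ParseMeasurement`, `MatchesReport` and the sample value are hypothetical names and constructed data.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// snpMeasurementLen is the size of the launch MEASUREMENT field in an
// SEV-SNP attestation report (a SHA-384 digest).
const snpMeasurementLen = 48

var ErrBadMeasurement = errors.New("igvmmeasure output is not a 48-byte hex digest")

// ParseMeasurement turns captured tool output into raw digest bytes.
// Assumption: the output is one hex string, possibly surrounded by whitespace.
func ParseMeasurement(out string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.TrimSpace(out))
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrBadMeasurement, err)
	}
	if len(raw) != snpMeasurementLen {
		return nil, fmt.Errorf("%w: got %d bytes", ErrBadMeasurement, len(raw))
	}
	return raw, nil
}

// MatchesReport compares the expected digest with the one taken from an
// attestation report, in constant time.
func MatchesReport(expected, reported []byte) bool {
	return subtle.ConstantTimeCompare(expected, reported) == 1
}

func main() {
	good := strings.Repeat("ab", snpMeasurementLen) // constructed sample digest
	raw, err := ParseMeasurement(good + "\n")
	fmt.Println(len(raw), err)

	// Hex-encoding text that is already hex doubles its length; the length
	// check rejects it instead of letting a 96-byte value into the policy.
	_, err = ParseMeasurement(fmt.Sprintf("%x", good))
	fmt.Println(err)
}
```
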
Binary Requirements
The igvmmeasure binary must be available at the specified path. This binary is typically built from the COCONUT-SVSM project.
Building igvmmeasure
```bash
# Clone COCONUT-SVSM repository
git clone https://github.com/coconut-svsm/svsm
cd svsm

# Build igvmmeasure
cd tools/igvmmeasure
cargo build --release

# Binary will be at: target/release/igvmmeasure
```
Configuration
The manager expects the binary path to be configured via an environment variable:

```bash
export MANAGER_ATTESTATION_POLICY_BINARY_PATH=/path/to/binaries
```
The manager will look for igvmmeasure in ${MANAGER_ATTESTATION_POLICY_BINARY_PATH}/igvmmeasure.
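Because the output of this binary becomes the reference measurement, a pre-flight check on the configured location is useful. The following is an added example, not code from the cocos project; `CheckMeasureBinary` is a hypothetical helper and the permission policy (no group or world write on the binary or its directory) is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// CheckMeasureBinary resolves <dir>/igvmmeasure and refuses a binary that a
// different local account could replace. dir stands in for the value of
// MANAGER_ATTESTATION_POLICY_BINARY_PATH. (Hypothetical helper.)
func CheckMeasureBinary(dir string) (string, error) {
	if !filepath.IsAbs(dir) {
		return "", errors.New("binary directory must be an absolute path")
	}
	// Resolve symlinks so the checks apply to the file that would really run.
	bin, err := filepath.EvalSymlinks(filepath.Join(dir, "igvmmeasure"))
	if err != nil {
		return "", fmt.Errorf("resolve igvmmeasure: %w", err)
	}
	fi, err := os.Stat(bin)
	if err != nil {
		return "", err
	}
	if !fi.Mode().IsRegular() || fi.Mode().Perm()&0o111 == 0 {
		return "", fmt.Errorf("%s is not an executable regular file", bin)
	}
	// Neither the binary nor its directory may be group- or world-writable.
	for _, p := range []string{bin, filepath.Dir(bin)} {
		st, err := os.Stat(p)
		if err != nil {
			return "", err
		}
		if st.Mode().Perm()&0o022 != 0 {
			return "", fmt.Errorf("%s is writable by group or others", p)
		}
	}
	return bin, nil
}

func main() {
	bin, err := CheckMeasureBinary(os.Getenv("MANAGER_ATTESTATION_POLICY_BINARY_PATH"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to measure:", err)
		os.Exit(1)
	}
	fmt.Println("using", bin)
}
```
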
Interface
MeasurementProvider
```go
type MeasurementProvider interface {
	Run(igvmBinaryPath string) error
	Stop() error
}
```
IgvmMeasurement
```go
type IgvmMeasurement struct {
	// Contains binary path, options, and I/O writers
}

func NewIgvmMeasurement(binPath string, stderr, stdout io.Writer) (*IgvmMeasurement, error)
func (m *IgvmMeasurement) Run(pathToFile string) error
func (m *IgvmMeasurement) Stop() error
func (m *IgvmMeasurement) SetExecCommand(cmdFunc func(name string, arg ...string) *exec.Cmd)
```
Testing
The package supports test mocking via SetExecCommand:
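```go
measurer.SetExecCommand(func(name string, arg ...string) *exec.Cmd {
	// Return a mock command instead of running the real binary;
	// the echoed string is a placeholder, not real tool output.
	return exec.Command("echo", "mock-measurement")
})
```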