Skip to content

COCOS-326 - Cocos vTPM support#376

Merged
dborovcanin merged 29 commits into
ultravioletrs:mainfrom
danko-miladinovic:vtpm
Mar 7, 2025
Merged

COCOS-326 - Cocos vTPM support#376
dborovcanin merged 29 commits into
ultravioletrs:mainfrom
danko-miladinovic:vtpm

Conversation

@danko-miladinovic

@danko-miladinovic danko-miladinovic commented Feb 14, 2025

Copy link
Copy Markdown
Contributor

What type of PR is this?

This is a feature that introduces vTPM support to Cocos. vTPM will allow Cocos to measure:

  • Kernel
  • Initial RAM file system
  • Kernel command line
  • Much more, as vTPM has multiple PCR registers that can be extended with arbitrary

What does this do?

This PR introduces vTPM support for:

  • Manager so it can boot CVMs with vTPM.
  • Agent so it can communicate and fetch the vTPM and SNP attestation report.
  • CLI so the CLI can fetch the vTPM and SNP attestation report.

Also:

  • Rust script has been changed to include default PCR values.
  • aTLS has been changed to include vTPM quotes.
  • verification has been changed to include vTPM verification.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Tests are in progress.

Did you document any new/modified feature?

Documentation is in progress.

Notes

@codecov

codecov Bot commented Feb 28, 2025

Copy link
Copy Markdown

Codecov Report

Attention: Patch coverage is 30.54187% with 282 lines in your changes missing coverage. Please review.

Project coverage is 56.66%. Comparing base (7d063aa) to head (e4e5c0e).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
pkg/attestation/vtpm/vtpm.go 0.00% 204 Missing ⚠️
pkg/atls/atlsListener.go 0.00% 21 Missing ⚠️
cli/attestation.go 77.46% 16 Missing ⚠️
agent/service.go 41.66% 14 Missing ⚠️
internal/server/grpc/grpc.go 25.00% 6 Missing and 3 partials ⚠️
pkg/attestation/quoteprovider/sev.go 46.15% 6 Missing and 1 partial ⚠️
agent/api/grpc/server.go 54.54% 3 Missing and 2 partials ⚠️
agent/api/grpc/requests.go 60.00% 2 Missing ⚠️
manager/attestation_policy.go 0.00% 2 Missing ⚠️
agent/cvms/server/cvm.go 0.00% 1 Missing ⚠️
... and 1 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #376      +/-   ##
==========================================
- Coverage   58.89%   56.66%   -2.23%     
==========================================
  Files          56       58       +2     
  Lines        4695     4998     +303     
==========================================
+ Hits         2765     2832      +67     
- Misses       1635     1868     +233     
- Partials      295      298       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dborovcanin dborovcanin left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add some more tests to increase coverage?

Comment thread agent/api/grpc/requests.go Outdated
Comment thread agent/api/grpc/endpoint_test.go Outdated
Comment thread agent/api/grpc/requests.go
Comment thread agent/api/grpc/server.go Outdated
Comment thread agent/api/grpc/server.go Outdated
Comment thread agent/service.go Outdated
Comment thread agent/service.go Outdated
Comment thread agent/service.go Outdated
Comment thread cli/attestation.go Outdated
Comment thread internal/server/grpc/grpc_test.go Outdated
Comment thread scripts/attestation_policy/src/main.rs
danko-miladinovic and others added 7 commits March 5, 2025 12:57
}

func prepareForTestVerifyAttestationReport(t *testing.T) ([]byte, []byte) {
func prepareForTestVerifyAttestationReport(t *testing.T) (*sevsnp.Attestation, []byte) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename to something shorter like prepVerifyAttReport.

Comment thread pkg/attestation/vtpm/dummyrwc.go Outdated
@@ -0,0 +1,26 @@
// Copyright (c) Ultraviolet

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is only used in gRPC test, you can move it to the gRPC test file.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Done. Thank you.

return derBytes, nil
}

func createTEEAttestationReportNonce(pubKeyTLS []byte, ak []byte, nonce []byte) ([]byte, error) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename to teeAttestReportNonce. Let's use attest as the abbreviation for attestations all over the codebase for the sake of simplicity.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. The rest of the renaming will be done in a separate PR.

}
}
}

No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add an empty line (that is, if it does not mess up unmarshalling).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

"product_line": "Milan"
}
}
} No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ad the empty line.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@dborovcanin dborovcanin merged commit 67f939f into ultravioletrs:main Mar 7, 2025
@danko-miladinovic danko-miladinovic deleted the vtpm branch August 8, 2025 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Explore vTPM and how we can use it with remote attestations

3 participants