
COCOS-395 - Cloud Provider Firmware Integration#415

Merged
drasko merged 12 commits into
ultravioletrs:mainfrom
danko-miladinovic:cocos-395
May 19, 2025

Conversation

@danko-miladinovic

@danko-miladinovic danko-miladinovic commented Mar 27, 2025

Contributor

What type of PR is this?

This is a feature because it adds the following functionality:

  • Updates aTLS for Azure.
  • Generates attestation policy for Azure CVM using the CLI (new command was added).
  • Verifies the attestation report for Azure.
  • Develop appropriate handling mechanisms despite Azure VM firmware not being public.

What does this do?

This PR is intended to verify the Azure attestation token and attestation report.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Tests will be included.

Did you document any new/modified feature?

Documentation will be updated.

Notes
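The PR description above lists a nonce check for the Azure attestation token among the added verification steps. The following is an added example, not code from the cocos project or from this PR: it shows the relying-party check such a token needs in self-contained Go, with a stand-in signer so it runs offline. The claim names (`nonce`, `exp`), the RS256 algorithm pin and the hex nonce encoding are assumptions made for the example; the real MAA token schema is not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// attestationClaims is a constructed, minimal stand-in for the claims of an
// attestation token. The claim names are assumptions for this example, not
// the Azure MAA schema, which carries many more fields.
type attestationClaims struct {
	Nonce string `json:"nonce"` // hex of the verifier's nonce, echoed by the attester
	Exp   int64  `json:"exp"`   // expiry, seconds since the Unix epoch
}

const jwtHeader = `{"alg":"RS256","typ":"JWT"}`

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signToken builds an RS256-signed JWT over claims. It plays the role of the
// attestation service so the example needs no network access.
func signToken(priv *rsa.PrivateKey, claims attestationClaims) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(jwtHeader)) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyToken is the relying-party side: it pins the algorithm, checks the
// signature with the trusted key, rejects expired tokens and only then checks
// that the nonce inside the signed claims is the one this verifier issued for
// the current session. A correctly signed token carrying a stale nonce is a
// replay and is refused.
func verifyToken(pub *rsa.PublicKey, token string, expectedNonce []byte, now time.Time) (*attestationClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("decode header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, fmt.Errorf("parse header: %w", err)
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("decode signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims attestationClaims
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	if now.Unix() >= claims.Exp {
		return nil, errors.New("token expired")
	}
	got, err := hex.DecodeString(claims.Nonce)
	if err != nil {
		return nil, fmt.Errorf("decode nonce claim: %w", err)
	}
	if subtle.ConstantTimeCompare(got, expectedNonce) != 1 {
		return nil, errors.New("nonce mismatch: token was not produced for this session")
	}
	return &claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	nonce := make([]byte, 32) // fresh per session; the attester must echo it
	_, _ = rand.Read(nonce)
	now := time.Now()
	tok, _ := signToken(priv, attestationClaims{Nonce: hex.EncodeToString(nonce), Exp: now.Add(5 * time.Minute).Unix()})
	_, err := verifyToken(&priv.PublicKey, tok, nonce, now)
	fmt.Println("fresh token accepted:", err == nil)
	_, err = verifyToken(&priv.PublicKey, tok, make([]byte, 32), now)
	fmt.Println("token with foreign nonce rejected:", err != nil)
}
```

The order of checks matters: the signature is verified before any claim is read, so an attacker cannot steer parsing with unsigned content, and the nonce comparison runs over the signed payload only. Binding the nonce to the session is what turns a valid-looking attestation token into evidence about this VM right now rather than a recording of some earlier attestation.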

@danko-miladinovic danko-miladinovic added the enhancement New feature or request label Mar 27, 2025
@danko-miladinovic danko-miladinovic self-assigned this Mar 27, 2025
@codecov

codecov Bot commented Mar 27, 2025


Codecov Report

Attention: Patch coverage is 11.03203% with 500 lines in your changes missing coverage. Please review.

Project coverage is 47.98%. Comparing base (5c60bc2) to head (e0ad527).
Report is 1 commit behind head on main.

File                                   Patch %   Lines
pkg/attestation/azure/snp.go             0.00%   202 Missing
pkg/attestation/vtpm/vtpm.go             0.00%    86 Missing
cli/attestation.go                      31.25%    55 Missing
pkg/attestation/attestation.go           0.00%    48 Missing
cli/attestation_policy.go                2.50%    38 Missing and 1 partial
pkg/atls/atlsListener.go                 0.00%    39 Missing
pkg/attestation/emptyprovider.go         0.00%    12 Missing
pkg/attestation/quoteprovider/sev.go    58.82%     7 Missing
agent/service.go                        64.70%     6 Missing
agent/cvms/server/cvm.go                 0.00%     2 Missing
... and 3 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #415      +/-   ##
==========================================
- Coverage   50.42%   47.98%   -2.45%     
==========================================
  Files          61       63       +2     
  Lines        5600     5912     +312     
==========================================
+ Hits         2824     2837      +13     
- Misses       2469     2769     +300     
+ Partials      307      306       -1     


Comment thread pkg/attestation/config.go Outdated
@danko-miladinovic danko-miladinovic marked this pull request as ready for review April 23, 2025 16:00
Comment thread agent/service.go Outdated
func (as *agentService) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType attestations.PlatformType) ([]byte, error) {
switch attType {
case config.SNP:
case attestations.SNP:
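Review bot: the switch on `attType` in `Attestation` shows only the `attestations.SNP` case, so a caller passing the Azure platform type falls through to whatever follows the switch. Add an explicit Azure case and a `default` branch that returns an unsupported-platform error, so an unrecognised `PlatformType` fails closed instead of quietly yielding an empty or wrong report.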

Contributor


Is there a distinction between attestation type and platform? For example, here the Azure case is not handled.

Contributor Author


There is not. I will add the Azure type.

Comment thread cli/attestation_policy.go Outdated
cmd := &cobra.Command{
Use: "azure",
Short: "Get attestation policy for Azure CVM",
Example: `azure <azure_maa_token_file> <product_name>`,
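Review bot: the `Example` string documents two positional arguments (`<azure_maa_token_file>` and `<product_name>`) but nothing in the shown lines enforces them; add `Args: cobra.ExactArgs(2)` to the command so a missing argument is rejected by cobra with a usage message rather than reaching the run function as an index out of range. Cobra's convention is also for `Example` to show the full invocation including the parent command path, not just `azure`.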

Contributor


We'll need this token file on the cloud as well, so we need to send it similar to the attestation when the agent boots up.

cocos/cmd/agent/main.go

Lines 178 to 192 in dffefc4

	attestation, certSerialNumber, err := attestationFromCert(ctx, cvmGrpcConfig.ClientCert, svc)
	if err != nil {
		logger.Error(fmt.Sprintf("failed to get attestation: %s", err))
		exitCode = 1
		return
	}
	eventsLogsQueue <- &cvms.ClientStreamMessage{
		Message: &cvms.ClientStreamMessage_VTPMattestationReport{
			VTPMattestationReport: &cvms.AttestationResponse{
				File:             attestation,
				CertSerialNumber: certSerialNumber,
			},
		},
	}

Contributor Author


Understood.

Comment thread cmd/agent/main.go Outdated
vtpmAttest := vtpm.Attest

if !sevGuesDeviceExists() {
if !attestations.SevGuesDeviceExists() {
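Review bot: `SevGuesDeviceExists` reads as a misspelling of `SevGuestDeviceExists`; moving it into the exported API of the `attestations` package fixes the typo into a public name, so rename it before merge. Separately, presence of the SEV guest device only tells the agent the VM is SEV-capable, not which provider it runs on, so a platform-identification call is the right gate at this point.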

Contributor


will this work for azure or will it result in a mocked quote provider?

Contributor Author


This will result in a mocked quote provider. I will change to CCPlatform().

}

// CCPlatform returns the type of the confidential computing platform.
func CCPlatform() PlatformType {
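Review bot: `CCPlatform()` returns a `PlatformType` and no error, so callers cannot distinguish "no confidential-computing platform detected" from a real platform unless `PlatformType` has an explicit unknown value. The doc comment should state what is returned when nothing is detected, and callers (cmd/agent/main.go included) should treat that value as a hard failure rather than falling back to a mocked quote provider.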

Contributor


should be used in main.go

Contributor Author


I presume cmd/agent/main.go

@dborovcanin

Contributor

@danko-miladinovic Is this ready?

@danko-miladinovic

Contributor Author

@danko-miladinovic Is this ready?
I have pushed a new commit. The review process can continue.

Comment thread agent/api/grpc/endpoint_test.go Outdated
"github.com/ultravioletrs/cocos/agent"
"github.com/ultravioletrs/cocos/agent/mocks"
config "github.com/ultravioletrs/cocos/pkg/attestation"
attestations "github.com/ultravioletrs/cocos/pkg/attestation"
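Review bot: the `attestations` alias gives package `attestation` a second name that differs from it by one letter, which invites confusion in code that mixes the two; import it unaliased and refer to `attestation.PlatformType`, or rename the package itself if the plural is wanted. Since the old alias was `config`, also check that no other file still imports the package under that name after this rename.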

Contributor


Why is this called in the plural, when the library is in the singular? Also, do we have to rename this package, or can we simply use its name attestation, i.e. without renaming? And if we have to rename it, maybe we use something shorter, like att?

Contributor Author


The name is attestations because the directory attestation (I can rename it to attestations) contains packages for attestation for different cloud providers and bare metal providers.

Contributor


Yes, but it is confusing: the package name is attestation, and then you are importing it with the rename to attestations. Either call the package attestations, or do not rename it in the import and use just its original name attestation (I think this might be more appropriate here).

@drasko drasko left a comment

Contributor


LGTM

@drasko drasko merged commit 3102114 into ultravioletrs:main May 19, 2025
dorcaslitunya pushed a commit to dorcaslitunya/cocos that referenced this pull request May 21, 2025
* add CC platform identification capability

* add token verification

* add snp azure

* add azure snp report verification

* fix linter errors

* fix agent tests

* expand the CC provider

* fix azure atls

* rebase branch

* add nonce check for azure token

* rename package attestations

* remove alias attestations

---------

Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
drasko pushed a commit that referenced this pull request May 21, 2025
* Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestation changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestation changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase

* Add Azure attestation

* COCOS-395 - Cloud Provider Firmware Integration (#415)

* add CC platform identification capability

* add token verification

* add snp azure

* add azure snp report verification

* fix linter errors

* fix agent tests

* expand the CC provider

* fix azure atls

* rebase branch

* add nonce check for azure token

* rename package attestations

* remove alias attestations

---------

Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>

* Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestation changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestation changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase

* Rebase with main

* Modify tests to accommodate changes

* Use env vars appropriately

* Use env vars appropriately

* Use caps in err name

---------

Co-authored-by: Danko Miladinovic <72250944+danko-miladinovic@users.noreply.github.com>
Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
@danko-miladinovic danko-miladinovic deleted the cocos-395 branch August 8, 2025 15:31

Labels

enhancement New feature or request


Development

Successfully merging this pull request may close these issues.

Feature: Cloud Provider Firmware Integration

4 participants