COCOS-395 - Cloud Provider Firmware Integration#415
Codecov Report
Attention: Patch coverage is

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #415      +/-   ##
==========================================
- Coverage   50.42%   47.98%   -2.45%
==========================================
  Files          61       63       +2
  Lines        5600     5912     +312
==========================================
+ Hits         2824     2837      +13
- Misses       2469     2769     +300
+ Partials      307      306       -1
ef6e103 to 8e501f2
| func (as *agentService) Attestation(ctx context.Context, reportData [quoteprovider.Nonce]byte, nonce [vtpm.Nonce]byte, attType attestations.PlatformType) ([]byte, error) { | ||
| switch attType { | ||
| case config.SNP: | ||
| case attestations.SNP: |
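Review bot: the switch on attType handles only the SNP case; now that it is typed as attestations.PlatformType there is still no Azure case and no default branch, so a guest reporting any other platform falls through without an error. Add an Azure case and a default that returns an explicit unsupported-platform error, so that Attestation fails closed instead of continuing with no platform-specific evidence.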
Is there a distinction between attestation type and platform? For example, here the Azure case is not handled.
There is not. I will add the Azure type.
| cmd := &cobra.Command{ | ||
| Use: "azure", | ||
| Short: "Get attestation policy for Azure CVM", | ||
| Example: `azure <azure_maa_token_file> <product_name>`, |
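Review bot: the Example string introduces two positional arguments, <azure_maa_token_file> and <product_name>, but nothing in the command text says what they are, how the MAA token file is obtained, or which product names are accepted; add a Long description covering this, and make sure the command validates that exactly two arguments are present before it tries to read the token file.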
We'll need this token file on the cloud as well, so we need to send it similarly to the attestation when the agent boots up.
Lines 178 to 192 in dffefc4
Understood.
| vtpmAttest := vtpm.Attest | ||
|
|
||
| if !sevGuesDeviceExists() { | ||
| if !attestations.SevGuesDeviceExists() { |
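Review bot: the identifier SevGuesDeviceExists looks misspelled (SevGuest), and the rename moves it into the exported surface of the attestations package, so fix the name now rather than after callers depend on it. The larger issue is that presence of the SEV guest device is used here to decide how to attest, which conflates device detection with platform selection: an Azure CVM that does not expose that device takes the other branch and ends up with the mocked quote provider, as the thread below confirms. Branch on the detected platform type instead, and treat an unrecognised platform as an error rather than a reason to fall back to the mock.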
Will this work for Azure, or will it result in a mocked quote provider?
This will result in a mocked quote provider. I will change it to CCPlatform().
| } | ||
|
|
||
| // CCPlatform returns the type of the confidential computing platform. | ||
| func CCPlatform() PlatformType { |
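Review bot: the doc comment on CCPlatform says what the function returns but not what it returns when no supported platform is detected; document that fallback value and the fact that callers must treat it as an error outside test builds, since cmd/agent/main.go is expected to switch on this result. A sentence on how detection is performed (which devices or firmware interfaces are probed, and in which order) would also let reviewers check the logic without reading the body.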
Should be used in main.go.
I presume cmd/agent/main.go
@danko-miladinovic Is this ready?

45386c6 to 01513d6
| "github.com/ultravioletrs/cocos/agent" | ||
| "github.com/ultravioletrs/cocos/agent/mocks" | ||
| config "github.com/ultravioletrs/cocos/pkg/attestation" | ||
| attestations "github.com/ultravioletrs/cocos/pkg/attestation" |
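Review bot: the import alias attestations does not match the package name attestation at github.com/ultravioletrs/cocos/pkg/attestation, and it replaces an equally misleading alias (config) rather than removing the indirection; either drop the alias and use the package's own name, or rename the package itself, but do not leave the two spellings side by side in the code base.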
Why is this called in the plural, when the library is in the singular? Also, do we have to rename this package, or can we simply use its name attestation, i.e. without renaming? And if we have to rename it, maybe we use something shorter, like att?
The name is attestations because the directory attestation (I can rename it to attestations) contains packages for attestation for different cloud providers and bare metal providers.
Yes, but it is confusing: the package name is attestation, and then you are importing it with the rename to attestations. Either call the package attestations, or do not rename it in the import and just use its original name attestation (I think this might be more appropriate here).
* add CC platform identification capability
* add token verification
* add snp azure
* add azure snp report verification
* fix linter errors
* fix agent tests
* expand the CC provider
* fix azure atls
* rebase branch
* add nonce check for azure token
* rename package attestations
* remove alias attestations

---------

Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
* Add token measurement command
  Add Azure cloud attestation fetching
  Add ability to fetch azure attestation token
  Remove gcp changes
  Remove gcp changes
  Add Azure attestation support
  Modify pipeline proto checks
  Update protoc version
  Fix failing CI
  fetch token as a file
  Convert jwt to json
  Small bug fix -- correct file name for attestation token
  Fix failing CI
  Modify protoc version
  Update protoc version
  Update protoc version
  Update protoc version
  Add changes to allow passing vtpm nonce
  Add PR review changes to refactor the code
  Refactor name change to AttestationResult
  Refactor name change to AttestationResult
  Return report as json
  Format files properly
  Fix attestation changes
  Modify changes based on PR review
  Add more test coverage
  Correct bug in Server test
  Rename "FetchAttestationResult" to "AttestationResult"
  Send token as part of stream
  Fix CI

  NOISSUE - Add DisconnectReq message and TTL support for VM creation (#428)

  * feat: Add DisconnectReq message and TTL support for VM creation
    - Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
    - Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
    - Updated CLI to accept TTL as a command-line flag during VM creation.
    - Modified manager service to remove VMs after the specified TTL duration.
    - Adjusted gRPC client connection handling in agent main.go to support new client structure.
    - Added mock implementation for gRPC client to facilitate testing.

    Signed-off-by: Sammy Oina <sammyoina@gmail.com>

  * fix: Mark server URL flag as required with error handling

    Signed-off-by: Sammy Oina <sammyoina@gmail.com>

  ---------

  Signed-off-by: Sammy Oina <sammyoina@gmail.com>

  COCOS-407 - Add support for Linux IMA (#429)

  * Added a feature which enables users to fetch IMA measurements and verify them
  * Added a feature which enables users to fetch IMA measurements and verify them
  * fixed lint error
  * fixed according to comments
  * fixed according to comments
  * fixed according to comments
  * fixed according to comments
  * final bug fix

  Add token measurement command
  Add Azure cloud attestation fetching
  Add ability to fetch azure attestation token
  Remove gcp changes
  Remove gcp changes
  Add Azure attestation support
  Modify pipeline proto checks
  Update protoc version
  Fix failing CI
  fetch token as a file
  Convert jwt to json
  Small bug fix -- correct file name for attestation token
  Fix failing CI
  Modify protoc version
  Update protoc version
  Update protoc version
  Update protoc version
  Add changes to allow passing vtpm nonce
  Add PR review changes to refactor the code
  Refactor name change to AttestationResult
  Refactor name change to AttestationResult
  Return report as json
  Format files properly
  Fix attestation changes
  Modify changes based on PR review
  Add more test coverage
  Correct bug in Server test
  Rename "FetchAttestationResult" to "AttestationResult"
  Send token as part of stream
  Fix CI
  Rebase changes to main
  Refactor after rebase

* Add Azure attestation

* COCOS-395 - Cloud Provider Firmware Integration (#415)

  * add CC platform identification capability
  * add token verification
  * add snp azure
  * add azure snp report verification
  * fix linter errors
  * fix agent tests
  * expand the CC provider
  * fix azure atls
  * rebase branch
  * add nonce check for azure token
  * rename package attestations
  * remove alias attestations

  ---------

  Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>

* Add token measurement command
  Add Azure cloud attestation fetching
  Add ability to fetch azure attestation token
  Remove gcp changes
  Remove gcp changes
  Add Azure attestation support
  Modify pipeline proto checks
  Update protoc version
  Fix failing CI
  fetch token as a file
  Convert jwt to json
  Small bug fix -- correct file name for attestation token
  Fix failing CI
  Modify protoc version
  Update protoc version
  Update protoc version
  Update protoc version
  Add changes to allow passing vtpm nonce
  Add PR review changes to refactor the code
  Refactor name change to AttestationResult
  Refactor name change to AttestationResult
  Return report as json
  Format files properly
  Fix attestation changes
  Modify changes based on PR review
  Add more test coverage
  Correct bug in Server test
  Rename "FetchAttestationResult" to "AttestationResult"
  Send token as part of stream
  Fix CI

  NOISSUE - Add DisconnectReq message and TTL support for VM creation (#428)

  * feat: Add DisconnectReq message and TTL support for VM creation
    - Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
    - Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
    - Updated CLI to accept TTL as a command-line flag during VM creation.
    - Modified manager service to remove VMs after the specified TTL duration.
    - Adjusted gRPC client connection handling in agent main.go to support new client structure.
    - Added mock implementation for gRPC client to facilitate testing.

    Signed-off-by: Sammy Oina <sammyoina@gmail.com>

  * fix: Mark server URL flag as required with error handling

    Signed-off-by: Sammy Oina <sammyoina@gmail.com>

  ---------

  Signed-off-by: Sammy Oina <sammyoina@gmail.com>

  COCOS-407 - Add support for Linux IMA (#429)

  * Added a feature which enables users to fetch IMA measurements and verify them
  * Added a feature which enables users to fetch IMA measurements and verify them
  * fixed lint error
  * fixed according to comments
  * fixed according to comments
  * fixed according to comments
  * fixed according to comments
  * final bug fix

  Add token measurement command
  Add Azure cloud attestation fetching
  Add ability to fetch azure attestation token
  Remove gcp changes
  Remove gcp changes
  Add Azure attestation support
  Modify pipeline proto checks
  Update protoc version
  Fix failing CI
  fetch token as a file
  Convert jwt to json
  Small bug fix -- correct file name for attestation token
  Fix failing CI
  Modify protoc version
  Update protoc version
  Update protoc version
  Update protoc version
  Add changes to allow passing vtpm nonce
  Add PR review changes to refactor the code
  Refactor name change to AttestationResult
  Refactor name change to AttestationResult
  Return report as json
  Format files properly
  Fix attestation changes
  Modify changes based on PR review
  Add more test coverage
  Correct bug in Server test
  Rename "FetchAttestationResult" to "AttestationResult"
  Send token as part of stream
  Fix CI
  Rebase changes to main
  Refactor after rebase

* Rebase with main
* Modify tests to accommodate changes
* Use env vars appropriately
* Use env vars appropriately
* Use caps in err name

---------

Co-authored-by: Danko Miladinovic <72250944+danko-miladinovic@users.noreply.github.com>
Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
What type of PR is this?
This is a feature because it adds the following functionality:
What does this do?
This PR is intended to verify the Azure attestation token and attestation report.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Tests will be included.
Did you document any new/modified feature?
Documentation will be updated.
Notes