Skip to content

Cocos 407 - Linux IMA#429

Merged
dborovcanin merged 9 commits into
ultravioletrs:mainfrom
jovan-djukic:issue-407
May 14, 2025
Merged

Cocos 407 - Linux IMA#429
dborovcanin merged 9 commits into
ultravioletrs:mainfrom
jovan-djukic:issue-407

Conversation

@jovan-djukic

@jovan-djukic jovan-djukic commented May 8, 2025

Copy link
Copy Markdown
Contributor

What type of PR is this?

This is a feature because it adds the option of downloading and verifying the Linux IMA measurements.

What does this do?

This feature enables users to download ascii_runtime_measurements file from the VM. In addition, it also verifies the contents of that file using the SHA1 value of TPMs PCR10.

Which issue(s) does this PR fix/relate to?

Firmware, bootloader and the kernel are already measured, so the only part of the boot process that isn't measured is the part that includes additional OS modules and such. Linux IMA can be used to solve this.

Have you included tests for your changes?

No. However it was tested successfully on the DELL server.

Did you document any new/modified feature?

No.

Notes

Linux IMA is not enabled by default. To enabled it do the following:

  1. Update kernel command line parameters to include ima_policy=tcb
  2. Update grub
  3. Reboot

For this feature to work SHA1 bank of TPM must be enabled. On GCP it is enabled by default. If not, the bank can allocated with the help of tpm2-tools (tpm2_pcrallocate). On Azure it is also enabled by default. However, If it isn't there is not much that can be done since, unlike GCP which uses vTPM, Azure uses HW TPM which can only be modified through firmware which we don't have access to.

On our DELL server we need to use swtpm. SHA1 bank can be enabled through the IGVM file. However, the IGVM must be created with two changes that both impact EDK2:

  1. In file SecuirtyPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf, section [Pcd] needs to be appended with: gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
  2. In file OvmfPkg/OmfPkgX64.dsc, section [PcdsDynamicDefault] needs to be appended with: gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x0000000C

The rest of the compilation process is the same.

@codecov

codecov Bot commented May 8, 2025

Copy link
Copy Markdown

Codecov Report

Attention: Patch coverage is 3.20856% with 181 lines in your changes missing coverage. Please review.

Project coverage is 50.48%. Comparing base (dffefc4) to head (990f32d).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
cli/ima_measurements.go 0.00% 64 Missing ⚠️
agent/api/grpc/server.go 10.86% 41 Missing ⚠️
pkg/sdk/agent.go 0.00% 23 Missing ⚠️
pkg/attestation/vtpm/vtpm.go 0.00% 18 Missing ⚠️
agent/api/grpc/endpoint.go 8.33% 10 Missing and 1 partial ⚠️
pkg/progressbar/progressbar.go 0.00% 11 Missing ⚠️
agent/service.go 0.00% 10 Missing ⚠️
agent/api/grpc/requests.go 0.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #429      +/-   ##
==========================================
- Coverage   52.35%   50.48%   -1.88%     
==========================================
  Files          60       61       +1     
  Lines        5386     5602     +216     
==========================================
+ Hits         2820     2828       +8     
- Misses       2262     2468     +206     
- Partials      304      306       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@drasko

drasko commented May 8, 2025

Copy link
Copy Markdown
Contributor

Please name this PR properly, according to our rules (change title to COCOS-407 <Some Title>)

@jovan-djukic jovan-djukic changed the title Issue 407 Cocos 407 - Measured boot May 9, 2025
@jovan-djukic jovan-djukic changed the title Cocos 407 - Measured boot Cocos 407 - Linux IMA May 9, 2025

@danko-miladinovic danko-miladinovic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread pkg/sdk/agent.go Outdated
Data(ctx context.Context, dataset *os.File, filename string, privKey any) error
Result(ctx context.Context, privKey any, resultFile *os.File) error
Attestation(ctx context.Context, reportData [size64]byte, nonce [size32]byte, attType int, attestationFile *os.File) error
IMAMeasurements(ctx context.Context, privKey any, resultFile *os.File) ([]byte, error)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can leave this unauthenticated as we do in attestation. no need for private key

Comment thread pkg/sdk/agent.go Outdated
func (sdk *agentSDK) IMAMeasurements(ctx context.Context, privKey any, resultFile *os.File) ([]byte, error) {
request := &agent.IMAMeasurementsRequest{}

md, err := generateMetadata(string(auth.ConsumerRole), privKey)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thid consumer role is part of the computation manifest so it should not be included here

Comment thread hal/cloud/qemu.sh Outdated
Comment on lines +114 to +115
# commented so the VM can be rebooted and Linux IMA enabled
# args+=("-no-reboot")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we don't need it erase the commented code

Comment thread hal/cloud/config.yaml
permissions: "0755"

# IMA setup for first boot
- path: /cocos_init/linux_ima_init.sh

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please open a pr on prism as well adding this change here https://github.com/ultravioletrs/prism/blob/main/docker/providers/cloud-init/config.yml

Comment thread agent/api/grpc/server.go Outdated
}
rr := res.(*agent.IMAMeasurementsResponse)

if err := stream.SetHeader(metadata.New(map[string]string{FileSizeKey: fmt.Sprint(len(rr.File))})); err != nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use strconv.Itoa(len(rr.File)) instead of fmt.Sprint for efficiency (to avoid reflection).

Comment thread agent/api/grpc/server.go Outdated
Comment on lines +268 to +293
imaMeasurementsBuffer := bytes.NewBuffer(rr.File)
pcr10Buffer := bytes.NewBuffer(rr.Pcr10)

imaMeasurementsResultBuffer := make([]byte, bufferSize)
pcr10ResultBuffer := make([]byte, bufferSize)

for {
iman, err := imaMeasurementsBuffer.Read(imaMeasurementsResultBuffer)
if err == io.EOF {
break
}
if err != nil {
return status.Error(codes.Internal, err.Error())
}

pcrn, err := pcr10Buffer.Read(pcr10ResultBuffer)
if err == io.EOF {
break
}
if err != nil {
return status.Error(codes.Internal, err.Error())
}

if err := stream.Send(&agent.IMAMeasurementsResponse{File: imaMeasurementsResultBuffer[:iman], Pcr10: pcr10ResultBuffer[:pcrn]}); err != nil {
return status.Error(codes.Internal, err.Error())
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since rr.File and rr.Pcr10 are byte slices, this whole block can be replaced by:

if err := stream.Send(&agent.IMAMeasurementsResponse{File: rr.File, Pcr10: rr.Pcr10}); err != nil {
	return status.Error(codes.Internal, err.Error())
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is to read and send in chunks, but this should only be the case if they exceed 4MB in size, the default gRPC limit

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. In that case, this does make sense but requires some adjustments - 1) shorter, more Go-idiomatic names and 2) proper handling of EOF. If either error is EOF - this code will skip both last chunks.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need some retires to Send if there are no any implicit ones done by the stream.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can add abstractions here for sending chunks from agent

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is the only place we use it, there is no need to abstract anything. I guess it's impractical due to the way we handle gRPC server responses (we're always creating new types).

Comment thread agent/api/grpc/server.go Outdated
Comment on lines +269 to +299
imaMeasurementsBuffer := bytes.NewBuffer(rr.File)
pcr10Buffer := bytes.NewBuffer(rr.Pcr10)

imaMeasurementsResultBuffer := make([]byte, bufferSize)
pcr10ResultBuffer := make([]byte, bufferSize)

for {
iman, imaErr := imaMeasurementsBuffer.Read(imaMeasurementsResultBuffer)
pcrn, pcrErr := pcr10Buffer.Read(pcr10ResultBuffer)

if imaErr != nil && imaErr != io.EOF {
return status.Error(codes.Internal, imaErr.Error())
}

if pcrErr != nil && pcrErr != io.EOF {
return status.Error(codes.Internal, pcrErr.Error())
}

imaEmpty := iman == 0 && imaErr == io.EOF
pcrEmpty := pcrn == 0 && pcrErr == io.EOF

if imaEmpty && pcrEmpty {
break
}

if err := stream.Send(&agent.IMAMeasurementsResponse{File: imaMeasurementsResultBuffer[:iman], Pcr10: pcr10ResultBuffer[:pcrn]}); err != nil {
return status.Error(codes.Internal, err.Error())
}
}

return nil

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic seems correct now. Let's try to make it a little leaner and more Go-idiomatic with something like:

imaBuff := bytes.NewBuffer(rr.File)
pcr10Buff := bytes.NewBuffer(rr.Pcr10)

imaResBuff := make([]byte, bufferSize)
pcr10ResBuff := make([]byte, bufferSize)

for {
	nIma, errIma := imaBuff.Read(imaResBuff)
	if errIma != nil && errIma != io.EOF {
		return status.Error(codes.Internal, errIma.Error())
	}

	nPcr, errPcr := pcr10Buff.Read(pcr10ResBuff)
	if errPcr != nil && errPcr != io.EOF {
		return status.Error(codes.Internal, errPcr.Error())
	}

	if nIma == 0 && errIma == io.EOF &&
		nPcr == 0 && errPcr == io.EOF {
		return nil
	}
	if err := stream.Send(&agent.IMAMeasurementsResponse{File: imaResBuff[:nIma], Pcr10: pcr10ResBuff[:nPcr]}); err != nil {
		return status.Error(codes.Internal, err.Error())
	}
}

We’ll need unit tests - feel free to handle that in a separate PR. For now, please test the changes manually.

@dborovcanin dborovcanin merged commit 5c60bc2 into ultravioletrs:main May 14, 2025
dorcaslitunya pushed a commit to dorcaslitunya/cocos that referenced this pull request May 16, 2025
* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix
dorcaslitunya added a commit to dorcaslitunya/cocos that referenced this pull request May 16, 2025
Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (ultravioletrs#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (ultravioletrs#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase
dorcaslitunya added a commit to dorcaslitunya/cocos that referenced this pull request May 21, 2025
Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (ultravioletrs#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (ultravioletrs#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase
dorcaslitunya added a commit to dorcaslitunya/cocos that referenced this pull request May 21, 2025
Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (ultravioletrs#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (ultravioletrs#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase
dorcaslitunya added a commit to dorcaslitunya/cocos that referenced this pull request May 21, 2025
Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (ultravioletrs#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (ultravioletrs#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase
drasko pushed a commit that referenced this pull request May 21, 2025
* Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase

* Add Azure attestation

* COCOS-395 - Cloud Provider Firmware Integration (#415)

* add CC platform identification capability

* add token verification

* add snp azure

* add azure snp report verification

* fix linter errors

* fix agent tests

* expand the CC provider

* fix azure atls

* rebase branch

* add nonce check for azure token

* rename package attestations

* remove alias attestations

---------

Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>

* Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

NOISSUE -  Add DisconnectReq message and TTL support for VM creation (#428)

* feat: Add DisconnectReq message and TTL support for VM creation

- Introduced DisconnectReq message in cvms.proto to handle disconnection requests.
- Enhanced CreateReq in manager.proto to include a TTL field for virtual machines.
- Updated CLI to accept TTL as a command-line flag during VM creation.
- Modified manager service to remove VMs after the specified TTL duration.
- Adjusted gRPC client connection handling in agent main.go to support new client structure.
- Added mock implementation for gRPC client to facilitate testing.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix: Mark server URL flag as required with error handling

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

COCOS-407 - Add support for Linux IMA (#429)

* Added a feature which enables users to fetch IMA measurements and verify them

* Added a feature which enables users to fetch IMA measurements and verify them

* fixed lint error

* fixed according to comments

* fixed according to comments

* fixed according to comments

* fixed according to comments

* final bug fix

Add token measurement command

Add Azure cloud attestation fetching

Add ability to fetch azure attestation token

Remove gcp changes

Remove gcp changes

Add Azure attestation support

Modify pipeline proto checks

Update protoc version

Fix failing CI

fetch token as a file

Convert jwt to json

Small bug fix -- correct file name for attestation token

Fix failing CI

Modify protoc version

Update protoc version

Update protoc version

Update protoc version

Add changes to allow passing vtpm nonce

Add PR review changes to refactor the code

Refactor name change to AttestationResult

Refactor name change to AttestationResult

Return report as json

Format files properly

Fix attestaton changes

Modify changes based on PR review

Add more test coverage

Correct bug in Server test

Rename "FetchAttestationResult" to "AttestationResult"

Send token as part of stream

Fix CI

Rebase changes to main

Refactor after rebase

* Rebase with main

* Modify tests to accomodate changes

* Use env vars appropriately

* Use env vars appropriately

* Use caps in err name

---------

Co-authored-by: Danko Miladinovic <72250944+danko-miladinovic@users.noreply.github.com>
Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: Bootloader

5 participants