Skip to content

COCOS-577 - Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts.#578

Merged
drasko merged 15 commits into
ultravioletrs:mainfrom
SammyOina:corim
Mar 19, 2026
Merged

COCOS-577 - Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts.#578
drasko merged 15 commits into
ultravioletrs:mainfrom
SammyOina:corim

Conversation

@SammyOina

@SammyOina SammyOina commented Feb 5, 2026

Copy link
Copy Markdown
Contributor

What type of PR is this?

What does this do?

  • New Features

    • Added CLI command create-corim with subcommands for generating attestation policies across Azure, GCP, SNP, and TDX platforms.
    • Added support for signing generated CoRIM policies with cryptographic keys.
    • Introduced IGVM measurement capabilities for SEV-SNP environments.
  • Deprecated

    • Legacy attestation policy commands deprecated in favor of new CoRIM-based generation workflow.
  • Documentation

    • Added comprehensive guides for CoRIM generation and manager integration.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified feature?

Notes

sequenceDiagram
    participant User
    participant CLI as CLI<br/>(create-corim)
    participant CorimGen as CorimGen<br/>Package
    participant IGVM as IGVM<br/>Measurement
    participant SigningKey as Signing Key<br/>Loader
    participant Manager as Manager<br/>Service
    participant CertVerifier as Certificate<br/>Verifier
    participant Attestation as Attestation<br/>Verifier

    User->>CLI: Invoke create-corim<br/>(SNP/TDX/Azure/GCP)
    
    CLI->>CorimGen: GenerateCoRIM(platform,<br/>config)
    
    alt SNP Platform
        CorimGen->>IGVM: Compute IGVM<br/>Measurements
        IGVM-->>CorimGen: Measurements
    else TDX Platform
        CorimGen->>CorimGen: Apply TDX<br/>Defaults
    end
    
    CorimGen->>SigningKey: LoadSigningKey()
    SigningKey-->>CorimGen: Signing Key
    
    CorimGen->>CorimGen: Construct CoRIM<br/>Structure
    CorimGen->>CorimGen: Sign with<br/>COSE Sign1
    
    CorimGen-->>CLI: UnsignedCoRIM<br/>(signed)
    
    CLI-->>User: CoRIM File
    
    Manager->>Manager: Load AttestationPolicy<br/>via CoRIM Path
    
    Note over Manager: Manager now uses<br/>CoRIM instead of<br/>separate binary paths
    
    User->>CertVerifier: Verify Certificate<br/>with Attestation
    
    CertVerifier->>CertVerifier: Load CoRIM<br/>from File
    CertVerifier->>CertVerifier: Parse COSE Sign1<br/>or Unsigned CoRIM
    
    CertVerifier->>Attestation: VerifyWithCoRIM<br/>(attestationData,<br/>corimManifest)
    
    Note over Attestation: New unified interface<br/>replaces:<br/>- VerifyAttestation<br/>- VerifyEAT<br/>- JSONToPolicy
    
    Attestation->>Attestation: Validate Attestation<br/>against CoRIM
    Attestation-->>CertVerifier: Verification Result
    
    CertVerifier-->>User: Certificate Valid/Invalid

    rect rgba(100, 200, 100, 0.5)
        Note over CLI,Attestation: Legacy JSON Policy Flow DEPRECATED<br/>✗ Old CLI attestation commands<br/>✗ Policy JSON files<br/>✗ Rust attestation_policy scripts
    end

    rect rgba(100, 150, 200, 0.5)
        Note over CLI,Attestation: New CoRIM-Based Flow ACTIVE<br/>✓ create-corim CLI commands<br/>✓ CoRIM manifests<br/>✓ IGVM measurements integration<br/>✓ Signing key support
    end
Loading

To be merged after #575

…ion policy scripts.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…precated policy handling and EAT verification tests.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…build configurations, along with related build and installation steps from the main Makefile.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…d enhance Go test setup for attestation policy paths.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
… file content in test.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
… using a configurable HTTP getter with improved error handling, and simplify `attestation_policy` command usage.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
@codecov

codecov Bot commented Mar 17, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 77.02206% with 125 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.49%. Comparing base (da31d76) to head (1d8138a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
cli/attestation_policy_corim.go 84.57% 16 Missing and 13 partials ⚠️
pkg/attestation/azure/snp.go 66.03% 11 Missing and 7 partials ⚠️
pkg/attestation/corimgen/generator.go 80.23% 13 Missing and 4 partials ⚠️
pkg/attestation/vtpm/vtpm.go 65.51% 10 Missing ⚠️
pkg/atls/certificate_verifier.go 43.75% 4 Missing and 5 partials ⚠️
pkg/attestation/gcp/gcp.go 64.00% 9 Missing ⚠️
manager/attestation_policy.go 75.86% 6 Missing and 1 partial ⚠️
pkg/attestation/tdx/tdx.go 65.00% 7 Missing ⚠️
cli/cache.go 50.00% 4 Missing and 1 partial ⚠️
manager/service.go 44.44% 4 Missing and 1 partial ⚠️
... and 5 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #578      +/-   ##
==========================================
+ Coverage   71.85%   73.49%   +1.64%     
==========================================
  Files          96       99       +3     
  Lines        7110     6358     -752     
==========================================
- Hits         5109     4673     -436     
+ Misses       1545     1265     -280     
+ Partials      456      420      -36     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

…es and add a CLI command to download and verify GCP OVMF files.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…and wheel, append computation ID to Docker container names, and improve test robustness with error assertions and conditional skips for runtime tests.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…tion and specific platform types like Azure SNP, vTPM, TDX, and IGVM.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…ccess and measurement mismatch, and refine reference value validation.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…xternal service dependencies for improved testability.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…rm types, IGVM measurement stopping, vTPM CoRIM verification, and GCP OVMF download CLI.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…tests, and refactor the Azure MAA client to use an interface.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
@drasko drasko merged commit c1cbcec into ultravioletrs:main Mar 19, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: CoRIM Integration

3 participants