COCOS-577 - Introduce Go-based CoRIM generation and deprecate Rust attestation policy scripts. #578
Merged
…ion policy scripts. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…precated policy handling and EAT verification tests. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…build configurations, along with related build and installation steps from the main Makefile. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…d enhance Go test setup for attestation policy paths. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
… file content in test. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
… using a configurable HTTP getter with improved error handling, and simplify `attestation_policy` command usage. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Codecov Report
❌ Patch coverage is
@@ Coverage Diff @@
## main #578 +/- ##
==========================================
+ Coverage 71.85% 73.49% +1.64%
==========================================
Files 96 99 +3
Lines 7110 6358 -752
==========================================
- Hits 5109 4673 -436
+ Misses 1545 1265 -280
+ Partials 456 420 -36
…es and add a CLI command to download and verify GCP OVMF files. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…and wheel, append computation ID to Docker container names, and improve test robustness with error assertions and conditional skips for runtime tests. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…tion and specific platform types like Azure SNP, vTPM, TDX, and IGVM. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…ccess and measurement mismatch, and refine reference value validation. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
jovan-djukic approved these changes Mar 18, 2026
…xternal service dependencies for improved testability. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…rm types, IGVM measurement stopping, vTPM CoRIM verification, and GCP OVMF download CLI. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
…tests, and refactor the Azure MAA client to use an interface. Signed-off-by: Sammy Oina <sammyoina@gmail.com>
What type of PR is this?
What does this do?
New Features
`create-corim` with subcommands for generating attestation policies across Azure, GCP, SNP, and TDX platforms.
Deprecated
Documentation
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Did you document any new/modified feature?
Notes
```mermaid
sequenceDiagram
    participant User
    participant CLI as CLI<br/>(create-corim)
    participant CorimGen as CorimGen<br/>Package
    participant IGVM as IGVM<br/>Measurement
    participant SigningKey as Signing Key<br/>Loader
    participant Manager as Manager<br/>Service
    participant CertVerifier as Certificate<br/>Verifier
    participant Attestation as Attestation<br/>Verifier

    User->>CLI: Invoke create-corim<br/>(SNP/TDX/Azure/GCP)
    CLI->>CorimGen: GenerateCoRIM(platform,<br/>config)
    alt SNP Platform
        CorimGen->>IGVM: Compute IGVM<br/>Measurements
        IGVM-->>CorimGen: Measurements
    else TDX Platform
        CorimGen->>CorimGen: Apply TDX<br/>Defaults
    end
    CorimGen->>SigningKey: LoadSigningKey()
    SigningKey-->>CorimGen: Signing Key
    CorimGen->>CorimGen: Construct CoRIM<br/>Structure
    CorimGen->>CorimGen: Sign with<br/>COSE Sign1
    CorimGen-->>CLI: UnsignedCoRIM<br/>(signed)
    CLI-->>User: CoRIM File

    Manager->>Manager: Load AttestationPolicy<br/>via CoRIM Path
    Note over Manager: Manager now uses<br/>CoRIM instead of<br/>separate binary paths

    User->>CertVerifier: Verify Certificate<br/>with Attestation
    CertVerifier->>CertVerifier: Load CoRIM<br/>from File
    CertVerifier->>CertVerifier: Parse COSE Sign1<br/>or Unsigned CoRIM
    CertVerifier->>Attestation: VerifyWithCoRIM<br/>(attestationData,<br/>corimManifest)
    Note over Attestation: New unified interface<br/>replaces:<br/>- VerifyAttestation<br/>- VerifyEAT<br/>- JSONToPolicy
    Attestation->>Attestation: Validate Attestation<br/>against CoRIM
    Attestation-->>CertVerifier: Verification Result
    CertVerifier-->>User: Certificate Valid/Invalid

    rect rgba(100, 200, 100, 0.5)
        Note over CLI,Attestation: Legacy JSON Policy Flow DEPRECATED<br/>✗ Old CLI attestation commands<br/>✗ Policy JSON files<br/>✗ Rust attestation_policy scripts
    end
    rect rgba(100, 150, 200, 0.5)
        Note over CLI,Attestation: New CoRIM-Based Flow ACTIVE<br/>✓ create-corim CLI commands<br/>✓ CoRIM manifests<br/>✓ IGVM measurements integration<br/>✓ Signing key support
    end
```

To be merged after #575
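
The "Parse COSE Sign1 or Unsigned CoRIM" step in the diagram is where a verifier decides whether a manifest carries a signature at all. The following is an added example, not code from this PR: it classifies a CoRIM by its leading CBOR tag and refuses an unsigned manifest when the caller requires a signed one. `ClassifyCoRIM`, `leadingTag`, the error names and the sample bytes are hypothetical, and it assumes the file begins directly with tag 18 or tag 501.

```go
package main

import (
	"errors"
	"fmt"
)

// Tag 18 is COSE_Sign1 (RFC 9052); 501 is the unsigned CoRIM map (IETF CoRIM draft).
const tagCOSESign1, tagUnsignedCoRIM = 18, 501

var ErrNotCoRIM = errors.New("corim: input does not open with CBOR tag 18 or 501")
var ErrUnsigned = errors.New("corim: unsigned manifest where a signature is required")

// leadingTag decodes the CBOR tag (major type 6) that opens buf.
func leadingTag(buf []byte) (tag uint64, ok bool) {
	if len(buf) == 0 || buf[0]>>5 != 6 {
		return 0, false
	}
	info := int(buf[0] & 0x1f)
	if info < 24 {
		return uint64(info), true // tag number sits in the initial byte
	}
	n := 1 << (info - 24) // info 24..27 -> 1, 2, 4 or 8 argument bytes
	if info > 27 || len(buf) < 1+n {
		return 0, false // reserved encoding or truncated input
	}
	for _, b := range buf[1 : 1+n] {
		tag = tag<<8 | uint64(b)
	}
	return tag, true
}

// ClassifyCoRIM (hypothetical) reports whether raw is signed; unsigned input fails if requireSigned.
func ClassifyCoRIM(raw []byte, requireSigned bool) (bool, error) {
	switch tag, ok := leadingTag(raw); {
	case ok && tag == tagCOSESign1:
		return true, nil // the COSE signature itself must still be verified
	case !ok || tag != tagUnsignedCoRIM:
		return false, ErrNotCoRIM
	case requireSigned:
		return false, ErrUnsigned
	}
	return false, nil
}

func main() {
	// Constructed sample: tag 501 followed by an empty CBOR map.
	fmt.Println(ClassifyCoRIM([]byte{0xd9, 0x01, 0xf5, 0xa0}, true))
}
```

A `true` result only identifies the envelope; the reference values are trustworthy only after the COSE_Sign1 signature is checked against the expected signing key.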