Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #592 +/- ##
==========================================
+ Coverage 68.36% 68.54% +0.17%
==========================================
Files 116 123 +7
Lines 7344 7865 +521
==========================================
+ Hits 5021 5391 +370
- Misses 1746 1853 +107
- Partials 577 621 +44 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
…port for S3, GCS, and OCI sources (#590) * feat: implement extensible resource downloader framework with support for S3, GCS, and OCI sources Signed-off-by: SammyOina <sammyoina@gmail.com> * refactor: improve resource URL parsing and add support for bare OCI image references Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: add empty string check and slash requirement for OCI image inference, and update python unit tests with event mock expectations Signed-off-by: Sammy Oina <sammyoina@gmail.com> * refactor: introduce OCIClient interface, add test coverage for decryption, and improve resource download error handling Signed-off-by: Sammy Oina <sammyoina@gmail.com> * chore: remove trailing whitespace in OCI downloader and HTTP tests Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: SammyOina <sammyoina@gmail.com> Signed-off-by: Sammy Oina <sammyoina@gmail.com>
| s.logger.Info(fmt.Sprintf("[ATTESTATION-SERVICE] Collected GPU evidence: format=%s bytes=%d", | ||
| evidence.EvidenceFormat, len(evidence.RawEvidence))) | ||
|
|
||
| opts = append(opts, eat.WithGPU(&eat.GPUExtensions{ |
There was a problem hiding this comment.
pkg/atls/evidence_verifier.go recomputes the expected GPU nonce from the session nonce, so persisting evidence.Nonce here makes the claim depend on the collector/helper echoing that value back correctly. If that round-trip ever diverges, the service will mint claims that can never verify. Use the gpuNonce you derived locally instead of trusting the helper response for this field.
| NVIDIA_ATTESTATION_HELPER_RUSTFLAGS = $(strip $(RUSTFLAGS) $(if $(filter 1,$(NVAT_USE_SYSTEM_LIB)),,-C link-arg=-Wl,-rpath,$$ORIGIN/lib)) | ||
|
|
||
| all: $(SERVICES) | ||
| .PHONY: all $(SERVICES) $(NVIDIA_ATTESTATION_HELPER) nvidia-attestation-helper-prereqs install clean |
There was a problem hiding this comment.
make all now hard-requires NVAT setup, which is a build regression.
Default builds will fail on environments without NVAT headers/checkout, even when GPU attestation is not needed.
| return fmt.Errorf("atls: gpu evidence is empty") | ||
| } | ||
|
|
||
| expectedNonce := sha256.Sum256(append(append([]byte(nil), claims.Nonce...), []byte(":gpu")...)) |
There was a problem hiding this comment.
Right now the session binding check only covers claims.GPUExtensions.Nonce. The raw GPU evidence is then verified using the nonce embedded in claims.GPUExtensions.EvidenceJSON, and those two values are never compared. That leaves a replay gap: a stale but self-consistent GPU evidence blob can be paired with a rewritten outer nonce and still pass helper verification. Reject the claim unless the nonce inside EvidenceJSON matches expectedNonce.
| return nil, err | ||
| } | ||
|
|
||
| for _, opt := range opts { |
There was a problem hiding this comment.
Guard nil ClaimsOption values to prevent panic. A call like NewEATClaims(..., nil) will panic at option invocation.
| return fmt.Errorf("gpu verifier response did not contain claims_json") | ||
| } | ||
|
|
||
| // NVIDIA attestation currently performs its own evidence-policy appraisal |
There was a problem hiding this comment.
pkg/atls/evidence_verifier.go now passes the deployment policy into VerifyWithCoRIM, but this implementation discards it and accepts whatever the helper’s built-in NVIDIA checks allow. That makes GPU appraisal independent of the configured CoRIM and can admit hardware that the operator policy did not authorize. Please either appraise the returned GPU claims against manifest here or fail closed until manifest enforcement exists.
|
|
||
| [dependencies] | ||
| anyhow = "1" | ||
| nv-attestation-sdk = { git = "https://github.com/NVIDIA/attestation-sdk", branch = "main" } |
There was a problem hiding this comment.
Using branch = "main" makes builds non-deterministic and can break unexpectedly as upstream changes. Without a Cargo.lock file, this dependency will pull the latest main branch commit on every build.
This reverts commit d81d67e.
This reverts commit 5e566d5.
This reverts commit 47d13fe.
This reverts commit 3fb1b79.
…r is" This reverts commit f9f11ed.
This reverts commit 5dcf7a5.
This reverts commit d81d67e.
This reverts commit 5e566d5.
This reverts commit 47d13fe.
This reverts commit 3fb1b79.
…r is" This reverts commit f9f11ed.
This reverts commit 5dcf7a5.
What type of PR is this?
This is a feature because it adds the following functionality: GPU CC attestation. Its related to #591. In order for this feature to work the following conditions need to be met:
coconut-svsm/linuxbranchsvsmcoconut-svsm/linuxbranchsvsm-planes-v6.17coconut-svsm/qemubranchsvsm-igvmcoconut-svsm/svsmcoconut-svsm/edk2branchsvsm, built with-D TPM2_ENABLEmicrosoft/igvm~/igvminstppa:ubuntu-toolchain-r/testThe attestion service uses a rust helper to retrieve and verify the attestation report. The path to the helper is passed through an environment variable
ATTESTATION_GPU_HELPER_PATH.