
Conversation

SammyOina
Contributor

@SammyOina SammyOina commented Mar 13, 2025

What type of PR is this?

This is a feature that adds generation of a GCP attestation policy.

What does this do?

  • New Features

    • Introduced new CLI commands that let users retrieve attestation policies for GCP and download OVMF files.
    • Enabled explicit configuration of the gRPC host for improved connectivity.
    • Expanded attestation capabilities by supporting an additional hash value.
  • Chores

    • Updated various underlying dependencies to enhance overall system stability and performance.

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified feature?

Notes

sequenceDiagram
    participant User as User
    participant CLI as CLI Command (NewGCPAttestationPolicy)
    participant FS as File System
    participant GCP as GCP Package

    User->>CLI: Execute GCP Attestation Policy Command with report file path
    CLI->>FS: Read attestation report file
    FS-->>CLI: Return binary attestation data
    CLI->>GCP: Extract384BitMeasurement(data)
    GCP-->>CLI: 384-bit measurement
    CLI->>GCP: GetLaunchEndorsement(measurement)
    GCP-->>CLI: Launch endorsement data
    CLI->>GCP: GenerateAttestationPolicy(endorsement)
    GCP-->>CLI: Attestation policy data
    CLI->>FS: Write attestation_policy.json
    CLI-->>User: Output success result
sequenceDiagram
    participant User as User
    participant CLI as CLI Command (NewDownloadGCPOvmfFile)
    participant FS as File System
    participant GCP as GCP Package

    User->>CLI: Execute Download GCPOVMF command with report file path
    CLI->>FS: Read attestation report file
    FS-->>CLI: Return binary attestation data
    CLI->>GCP: Extract384BitMeasurement(data)
    GCP-->>CLI: 384-bit measurement
    CLI->>GCP: GetLaunchEndorsement(measurement)
    GCP-->>CLI: Launch endorsement data
    CLI->>GCP: DownloadOvmfFile(endorsement.digest)
    GCP-->>CLI: OVMF file bytes
    CLI->>FS: Write ovmf.fd
    CLI-->>User: Signal download success
sequenceDiagram
    participant Main as Main Function (cmd/agent/main.go)
    participant Server as Agent Server (agent/cvms/server/cvm.go)
    participant gRPC as gRPC Server

    Main->>Server: Call NewServer(logger, service, host)
    Server-->>Main: Return AgentServer instance
    Main->>Server: Call Start()
    Server->>gRPC: Initialize gRPC server using host from field
    gRPC-->>Server: gRPC server starts


codecov bot commented Mar 13, 2025

Codecov Report

Attention: Patch coverage is 0% with 177 lines in your changes missing coverage. Please review.

Project coverage is 54.94%. Comparing base (293c65a) to head (85a51f0).
Report is 2 commits behind head on main.

Files with missing lines        Patch %   Lines
cli/attestation_policy.go       0.00%     97 Missing ⚠️
pkg/attestation/gcp/gcp.go      0.00%     63 Missing ⚠️
pkg/attestation/vtpm/vtpm.go    0.00%     14 Missing ⚠️
agent/cvms/server/cvm.go        0.00%     3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #405      +/-   ##
==========================================
- Coverage   56.77%   54.94%   -1.84%     
==========================================
  Files          59       60       +1     
  Lines        5099     5262     +163     
==========================================
- Hits         2895     2891       -4     
- Misses       1903     2070     +167     
  Partials      301      301              


@SammyOina SammyOina changed the title Cocos 391- GCP Attestation policy COCOS-391- GCP Attestation policy Mar 13, 2025

// Snippet under review (the function continues beyond what is shown here)
func GenerateAttestationPolicy(endorsement *endorsement.VMGoldenMeasurement) (*config.Config, error) {
	attestationPolicy := config.Config{PcrConfig: &config.PcrConfig{}, SnpCheck: &check.Config{RootOfTrust: &check.RootOfTrust{}, Policy: &check.Policy{}}}
	attestationPolicy.SnpCheck.Policy.Policy = endorsement.SevSnp.Policy
	attestationPolicy.SnpCheck.Policy.Measurement = endorsement.SevSnp.Measurements[2]

Can we make this configurable? We can the CVM is launched with more than 2 vCPUs. Also, it will be good to set fields family_id and image_id here.
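An added example, not cocos project code, tying the flow in the sequence diagrams above to the reviewer's point about Measurements[2]: the policy takes its vCPU count from whichever golden measurement equals the one extracted from the report, and carries family_id and image_id along. The Endorsement and Policy types, the report layout and the function bodies are hypothetical stand-ins for the project's endorsement.VMGoldenMeasurement, config.Config and GCP package functions.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
)

// Added example, not cocos project code: the types below are hypothetical
// stand-ins for endorsement.VMGoldenMeasurement and config.Config.
const measurementLen = 48 // 384-bit SEV-SNP launch measurement

// Endorsement holds golden measurements keyed by the vCPU count the CVM was
// launched with, plus the identity fields the reviewer asked to carry over.
type Endorsement struct {
	FamilyID, ImageID string
	Policy            uint64
	Measurements      map[uint32][]byte
}

// Policy is the SNP part of what the CLI writes to attestation_policy.json.
type Policy struct {
	Policy      uint64 `json:"policy"`
	VCPUs       uint32 `json:"vcpus"`
	Measurement string `json:"measurement"`
	FamilyID    string `json:"family_id"`
	ImageID     string `json:"image_id"`
}

// Extract384BitMeasurement returns the 48-byte measurement stored at offset
// in a report blob (constructed layout; a real SNP report fixes the offset).
func Extract384BitMeasurement(report []byte, offset int) ([]byte, error) {
	if offset < 0 || offset+measurementLen > len(report) {
		return nil, fmt.Errorf("report too short for a %d-byte measurement at offset %d", measurementLen, offset)
	}
	return report[offset : offset+measurementLen], nil
}

// GenerateAttestationPolicy picks the golden measurement that equals the one
// extracted from the report, so the vCPU count comes from the endorsement
// instead of hard-coding Measurements[2]; no match means no policy is written.
func GenerateAttestationPolicy(e *Endorsement, reported []byte) (*Policy, error) {
	for vcpus, golden := range e.Measurements {
		if len(golden) == measurementLen && bytes.Equal(golden, reported) {
			return &Policy{Policy: e.Policy, VCPUs: vcpus, Measurement: hex.EncodeToString(golden),
				FamilyID: e.FamilyID, ImageID: e.ImageID}, nil
		}
	}
	return nil, fmt.Errorf("measurement %x matches no golden measurement in the endorsement", reported)
}
```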

@danko-miladinovic danko-miladinovic left a comment


LGTM

@drasko drasko left a comment


LGTM

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
@dborovcanin dborovcanin merged commit c14f1d7 into ultravioletrs:main Mar 19, 2025
2 of 4 checks passed