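--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,5 @@
 BUILD_DIR = build
 SERVICES = manager agent cli attestation-service log-forwarder computation-runner egress-proxy ingress-proxy
-ATTESTATION_POLICY = attestation_policy
 CGO_ENABLED ?= 0
 GOARCH ?= amd64
 VERSION ?= $(shell git describe --abbrev=0 --tags --always)
@@ -24,17 +23,14 @@ define compile_service
 -o ${BUILD_DIR}/cocos-$(1) cmd/$(1)/main.go
 endef
 
-.PHONY: all $(SERVICES) $(ATTESTATION_POLICY) install clean
+.PHONY: all $(SERVICES) install clean
 
-all: $(SERVICES) $(ATTESTATION_POLICY)
+all: $(SERVICES)
 
 $(SERVICES):
 $(call compile_service,$@)
 @if [ "$@" = "cli" ] || [ "$@" = "manager" ]; then $(MAKE) build-igvm; fi
 
-$(ATTESTATION_POLICY):
-$(MAKE) -C ./scripts/attestation_policy OUTPUT_DIR=../../$(BUILD_DIR)
-
 protoc:
 protoc -I. --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative agent/agent.proto
 protoc -I. --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative manager/manager.proto
@@ -47,18 +43,15 @@ protoc:
 mocks:
 mockery --config ./.mockery.yml
 
-install: $(SERVICES) $(ATTESTATION_POLICY)
+install: $(SERVICES)
 install -d $(INSTALL_DIR)
 install $(BUILD_DIR)/cocos-cli $(INSTALL_DIR)/cocos-cli
 install $(BUILD_DIR)/cocos-manager $(INSTALL_DIR)/cocos-manager
-install $(BUILD_DIR)/attestation_policy $(INSTALL_DIR)/attestation_policy
-install $(BUILD_DIR)/attestation_policy_tdx $(INSTALL_DIR)/attestation_policy_tdx
 install -d $(CONFIG_DIR)
 install cocos-manager.env $(CONFIG_DIR)/cocos-manager.env
 
 clean:
 rm -rf $(BUILD_DIR)
-$(MAKE) -C ./scripts/attestation_policy OUTPUT_DIR=../../$(BUILD_DIR) clean
 
 run: install_service
 sudo systemctl start $(SERVICE_NAME).service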
94 changes: 82 additions & 12 deletions cmd/manager/main.go
Expand Up @@ -5,6 +5,7 @@ package main

import (
"context"
"encoding/hex"
"fmt"
"log"
"log/slog"
Expand All @@ -26,6 +27,7 @@ import (
"github.com/ultravioletrs/cocos/manager/api/http"
"github.com/ultravioletrs/cocos/manager/qemu"
"github.com/ultravioletrs/cocos/manager/tracing"
"github.com/ultravioletrs/cocos/pkg/attestation/policy"
"github.com/ultravioletrs/cocos/pkg/server"
grpcserver "github.com/ultravioletrs/cocos/pkg/server/grpc"
"go.opentelemetry.io/otel/trace"
Expand All @@ -43,15 +45,25 @@ const (
)

type config struct {
LogLevel string `env:"MANAGER_LOG_LEVEL" envDefault:"info"`
JaegerURL url.URL `env:"COCOS_JAEGER_URL" envDefault:"http://localhost:4318"`
TraceRatio float64 `env:"COCOS_JAEGER_TRACE_RATIO" envDefault:"1.0"`
InstanceID string `env:"MANAGER_INSTANCE_ID" envDefault:""`
AttestationPolicyBinary string `env:"MANAGER_ATTESTATION_POLICY_BINARY" envDefault:"../../build/attestation_policy"`
IgvmMeasureBinary string `env:"MANAGER_IGVMMEASURE_BINARY" envDefault:"../../build/igvmmeasure"`
PcrValues string `env:"MANAGER_PCR_VALUES" envDefault:""`
EosVersion string `env:"MANAGER_EOS_VERSION" envDefault:""`
MaxVMs int `env:"MANAGER_MAX_VMS" envDefault:"10"`
LogLevel string `env:"MANAGER_LOG_LEVEL" envDefault:"info"`
JaegerURL url.URL `env:"COCOS_JAEGER_URL" envDefault:"http://localhost:4318"`
TraceRatio float64 `env:"COCOS_JAEGER_TRACE_RATIO" envDefault:"1.0"`
InstanceID string `env:"MANAGER_INSTANCE_ID" envDefault:""`
IgvmMeasureBinary string `env:"MANAGER_IGVMMEASURE_BINARY" envDefault:"../../build/igvmmeasure"`
SEVSNPPolicy uint64 `env:"MANAGER_SEV_SNP_POLICY" envDefault:"196608"`
PcrValues string `env:"MANAGER_PCR_VALUES" envDefault:""`
EosVersion string `env:"MANAGER_EOS_VERSION" envDefault:""`
MaxVMs int `env:"MANAGER_MAX_VMS" envDefault:"10"`
SGXVendorIDHex string `env:"MANAGER_SGX_VENDOR_ID" envDefault:""`
MinTdxSvnHex string `env:"MANAGER_MIN_TDX_SVN" envDefault:""`
MrSeamHex string `env:"MANAGER_MRSEAM" envDefault:""`
TdAttributesHex string `env:"MANAGER_TD_ATTRIBUTES" envDefault:""`
XfamHex string `env:"MANAGER_XFAM" envDefault:""`
MrTdHex string `env:"MANAGER_MRTD" envDefault:""`
RTMR0Hex string `env:"MANAGER_RTMR0" envDefault:""`
RTMR1Hex string `env:"MANAGER_RTMR1" envDefault:""`
RTMR2Hex string `env:"MANAGER_RTMR2" envDefault:""`
RTMR3Hex string `env:"MANAGER_RTMR3" envDefault:""`
}

func main() {
Expand Down Expand Up @@ -125,7 +137,14 @@ func main() {
logger.Error(fmt.Sprintf("failed to load %s gRPC server configuration : %s", svcName, err))
}

svc, err := newService(logger, tracer, *qemuCfg, cfg.AttestationPolicyBinary, cfg.IgvmMeasureBinary, cfg.PcrValues, cfg.EosVersion, cfg.MaxVMs)
tdxPolicy, err := parseTDXPolicyConfig(&cfg)
if err != nil {
logger.Error(fmt.Sprintf("failed to parse TDX policy configuration: %s", err))
exitCode = 1
return
}

svc, err := newService(logger, tracer, *qemuCfg, cfg.IgvmMeasureBinary, cfg.PcrValues, cfg.SEVSNPPolicy, tdxPolicy, cfg.EosVersion, cfg.MaxVMs)
if err != nil {
logger.Error(err.Error())
exitCode = 1
Expand Down Expand Up @@ -166,8 +185,8 @@ func main() {
}
}

func newService(logger *slog.Logger, tracer trace.Tracer, qemuCfg qemu.Config, attestationPolicyPath string, igvmMeasurementBinaryPath string, pcrValuesFilePath string, eosVersion string, maxVMs int) (manager.Service, error) {
svc, err := manager.New(qemuCfg, attestationPolicyPath, igvmMeasurementBinaryPath, pcrValuesFilePath, logger, qemu.NewVM, eosVersion, maxVMs)
func newService(logger *slog.Logger, tracer trace.Tracer, qemuCfg qemu.Config, igvmMeasurementBinaryPath string, pcrValuesFilePath string, sevsnpPolicy uint64, tdxPolicy *policy.TDXConfig, eosVersion string, maxVMs int) (manager.Service, error) {
svc, err := manager.New(qemuCfg, igvmMeasurementBinaryPath, pcrValuesFilePath, sevsnpPolicy, tdxPolicy, logger, qemu.NewVM, eosVersion, maxVMs)
if err != nil {
return nil, err
}
Expand All @@ -178,3 +197,54 @@ func newService(logger *slog.Logger, tracer trace.Tracer, qemuCfg qemu.Config, a

return svc, nil
}

func parseTDXPolicyConfig(cfg *config) (*policy.TDXConfig, error) {
decodeFixed := func(dst []byte, hexStr string) error {
b, err := hex.DecodeString(strings.TrimSpace(hexStr))
if err != nil {
return err
}
if len(b) != len(dst) {
return fmt.Errorf("expected %d bytes, got %d", len(dst), len(b))
}
copy(dst, b)
return nil
}

var policy policy.TDXConfig

if err := decodeFixed(policy.SGXVendorID[:], cfg.SGXVendorIDHex); err != nil {
return nil, fmt.Errorf("SGXVendorID: %w", err)
}
if err := decodeFixed(policy.MinTdxSvn[:], cfg.MinTdxSvnHex); err != nil {
return nil, fmt.Errorf("MinTdxSvn: %w", err)
}
if err := decodeFixed(policy.TdAttributes[:], cfg.TdAttributesHex); err != nil {
return nil, fmt.Errorf("TdAttributes: %w", err)
}
if err := decodeFixed(policy.Xfam[:], cfg.XfamHex); err != nil {
return nil, fmt.Errorf("Xfam: %w", err)
}

mrSeam, err := hex.DecodeString(strings.TrimSpace(cfg.MrSeamHex))
if err != nil {
return nil, fmt.Errorf("MrSeam: %w", err)
}
policy.MrSeam = mrSeam

mrTd, err := hex.DecodeString(strings.TrimSpace(cfg.MrTdHex))
if err != nil {
return nil, fmt.Errorf("MrTd: %w", err)
}
policy.MrTd = mrTd

for i, s := range []string{cfg.RTMR0Hex, cfg.RTMR1Hex, cfg.RTMR2Hex, cfg.RTMR3Hex} {
b, err := hex.DecodeString(strings.TrimSpace(s))
if err != nil {
return nil, fmt.Errorf("RTMR%d: %w", i, err)
}
policy.RTMR[i] = b
}

return &policy, nil
}
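Review bot: parseTDXPolicyConfig is strict for the four fixed-size fields but not for the measurements: `MrSeam`, `MrTd` and each `RTMR[i]` accept a hex string of any length, including the empty `envDefault`, so an unset or truncated `MANAGER_MRTD` produces a zero-length expected measurement instead of a startup error, and whether the policy package then treats that as a wildcard or a mismatch is decided outside this diff. The sample values in cocos-manager.env are 48-byte (SHA-384) digests, so the same exact-length check that the `decodeFixed` closure applies can be applied to them, as sketched below. Conversely, if `SGXVendorID` and `MinTdxSvn` are fixed-size arrays in `policy.TDXConfig`, the `envDefault:""` on `SGXVendorIDHex` and `MinTdxSvnHex` means the manager refuses to start unless both are set, which deserves a comment on the struct since neither appears in the cocos-manager.env or README hunks. As a point of style, `var policy policy.TDXConfig` shadows the imported package for the rest of the function; a local name such as `tdx` avoids that. The `SEVSNPPolicy` default `196608` (0x30000) is a bare magic number and would benefit from a comment naming which policy bits it sets.
```go
// measurementLen is the byte length of MRSEAM, MRTD and RTMR values
// (SHA-384 digests, matching the sample values shipped in cocos-manager.env).
const measurementLen = 48

// decodeMeasurement decodes a hex-encoded measurement and rejects anything
// other than exactly measurementLen bytes, so an unset or truncated value
// fails at startup instead of weakening the expected policy.
decodeMeasurement := func(name, hexStr string) ([]byte, error) {
	b, err := hex.DecodeString(strings.TrimSpace(hexStr))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", name, err)
	}
	if len(b) != measurementLen {
		return nil, fmt.Errorf("%s: expected %d bytes, got %d", name, measurementLen, len(b))
	}
	return b, nil
}

// … unchanged: decodeFixed closure and the four fixed-size fields …

mrSeam, err := decodeMeasurement("MrSeam", cfg.MrSeamHex)
if err != nil {
	return nil, err
}
tdx.MrSeam = mrSeam
// … unchanged: MrTd and the RTMR loop, each switched to decodeMeasurement in the same way …
```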
14 changes: 13 additions & 1 deletion cocos-manager.env
Expand Up @@ -6,7 +6,6 @@ COCOS_JAEGER_TRACE_RATIO=1.0

# Manager Service Configuration
MANAGER_INSTANCE_ID=
MANAGER_ATTESTATION_POLICY_BINARY=../../build
MANAGER_IGVMMEASURE_BINARY=../../build
MANAGER_PCR_VALUES=/etc/cocos/pcr_values.json
MANAGER_GRPC_SERVER_CERT=
Expand All @@ -25,6 +24,19 @@ MANAGER_GRPC_TIMEOUT=60s
MANAGER_EOS_VERSION=""
MANAGER_MAX_VMS=10

# Manager TDX Policy Configuration
MANAGER_MRSEAM=5b38e33a6487958b72c3c12a938eaa5e3fd4510c51aeeab58c7d5ecee41d7c436489d6c8e4f92f160b7cad34207b00c1
MANAGER_TD_ATTRIBUTES=0000001000000000
MANAGER_XFAM=e702060000000000
MANAGER_MRTD=91eb2b44d141d4ece09f0c75c2c53d247a3c68edd7fafe8a3520c942a604a407de03ae6dc5f87f27428b2538873118b7
MANAGER_RTMR0=ce0891f46a18db93e7691f1cf73ed76593f7dec1b58f0927ccb56a99242bf63bc9551561f9ee7833d40395fae59547ab
MANAGER_RTMR1=062ac322e26b10874a84977a09735408a856aec77ff62b4975b1e90e33c18f05220ea522cdbffc3b2cf4451cc209e418
MANAGER_RTMR2=5fd86e8c3d5e45386f1ed0852de7e83ae1b774ee4366bd5213c9890e8e3ac8fad3f7e690891d37f7c81ac20a445cc0ff
MANAGER_RTMR3=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

# Manager SEV-SNP Policy Configuration
MANAGER_SEV_SNP_POLICY=196608

# QEMU Configuration
MANAGER_QEMU_MEMORY_SIZE=25G
MANAGER_QEMU_MEMORY_SLOTS=5
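Review bot: MANAGER_SGX_VENDOR_ID and MANAGER_MIN_TDX_SVN are absent from the new "Manager TDX Policy Configuration" block, yet cmd/manager/main.go in this same change decodes them through a fixed-length check; if those two fields are fixed-size arrays in the policy config (not visible here), a manager started from this file as shipped exits at parseTDXPolicyConfig with an "expected N bytes, got 0" error. Adding `MANAGER_SGX_VENDOR_ID=` and `MANAGER_MIN_TDX_SVN=` with a comment giving the expected byte length keeps the file complete and makes the failure mode obvious; the README hunk in this change omits them as well. MANAGER_RTMR3 is set to an all-zero digest, so a one-line comment stating that this is the intended expected value for an unextended register would stop a reader from mistaking it for a placeholder.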
10 changes: 9 additions & 1 deletion manager/README.md
Expand Up @@ -11,7 +11,6 @@ The service is configured using the environment variables from the following tab
| COCOS_JAEGER_URL | The URL for the Jaeger tracing endpoint. | http://localhost:4318 |
| COCOS_JAEGER_TRACE_RATIO | The ratio of traces to sample. | 1.0 |
| MANAGER_INSTANCE_ID | The instance ID for the manager service. | |
| MANAGER_ATTESTATION_POLICY_BINARY | The file path for the attestation policy binarie. | ../../build/attestation_policy |
| MANAGER_IGVMMEASURE_BINARY | The file path for the igvmmeasure binarie. | ../../build/igvmmeasure |
| MANAGER_PCR_VALUES | The file path for the file with the expected PCR values. | |
| MANAGER_HTTP_HOST | Manager service HTTP host | "" |
Expand Down Expand Up @@ -74,6 +73,15 @@ The service is configured using the environment variables from the following tab
| MANAGER_QEMU_MONITOR | The type of monitor to use. | pty |
| MANAGER_QEMU_HOST_FWD_RANGE | The range of host ports to forward. | 6100-6200 |
| MANAGER_MAX_VMS | The maximum number of vms running concurrently on manager. | 10 |
| MANAGER_MRSEAM | Expected **MRSEAM** measurement (hex). | |
| MANAGER_TD_ATTRIBUTES | Expected **TD Attributes** (hex, 8 bytes). | |
| MANAGER_XFAM | Expected **XFAM** (Extended Features Available Mask) (hex, 8 bytes). | |
| MANAGER_MRTD | Expected **MRTD** measurement (hex). | |
| MANAGER_RTMR0 | Expected **RTMR[0]** (runtime measurement register 0) (hex). | |
| MANAGER_RTMR1 | Expected **RTMR[1]** (runtime measurement register 1) (hex). | |
| MANAGER_RTMR2 | Expected **RTMR[2]** (runtime measurement register 2) (hex). | |
| MANAGER_RTMR3 | Expected **RTMR[3]** (runtime measurement register 3) (hex). | |
| MANAGER_SEV_SNP_POLICY | Expected **SEV SNP CVM launch policy**. | 196608 |

## Setup
