Conversation

@csegarragonz (Contributor)

No description provided.

@gemini-code-assist (Contributor)

Summary of Changes

Hello @csegarragonz, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refines the AMD SEV-SNP attestation process within the system, particularly for experimental setups and Azure Confidential VMs. It introduces mechanisms for clients to provide VCEK collateral directly, reducing reliance on external KDS lookups and improving efficiency. Furthermore, it automates the configuration of attestation policies and reference values for the Key Broker Service during experiments, ensuring more accurate and reproducible baseline measurements. These changes collectively enhance the robustness and performance of the attestation pipeline and streamline experimental workflows.

Highlights

  • Enhanced AMD SNP Attestation: Introduced client-provided VCEK collateral handling in the attestation service, allowing for more flexible and potentially faster VCEK verification, especially for Azure CVMs.
  • Automated Attestation Policy Setup: Added functionality in accli experiments to automatically compute and set reference values and attestation policies for the Key Broker Service (KBS) based on the current vTPM's attestation report.
  • VCEK Caching in C++ Library: Implemented a process-wide VCEK cache in the C++ attestation library, fetching VCEK and certificate chain from Azure's THIM layer to optimize attestation requests.
  • Experiment Baseline Fixes: Updated escrow experiment plotting parameters and refined the ubench logic to correctly set up attestation policies and reference values, addressing issues implied by 'Fix Escrow Baselines'.
  • JWKS Configuration for Trustee: Modified Ansible playbook to generate and configure JSON Web Key Sets (JWKS) for the Key Broker Service, improving token key management.

@gemini-code-assist gemini-code-assist bot (Contributor) left a comment
Code Review

This pull request introduces a VCEK cache to optimize attestation by reducing calls to AMD's KDS and allowing clients to provide their own collateral. The changes also include significant updates to the escrow baseline experiments. My review focuses on improving the robustness, maintainability, and security of the new code, with specific suggestions for error handling, documentation, and code structure.
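The two bot comments above describe a process-wide VCEK cache plus client-provided collateral, but not the mechanics. The following is an added example, written for this page and not code from the PR or the project's C++ attestation library, of the cache shape a reviewer would expect: the key is the pair (CHIP_ID, REPORTED_TCB) from the attestation report, because a VCEK is issued per chip and per TCB version, so caching on chip id alone would hand back a certificate that cannot verify a report taken after a firmware update. Client-supplied collateral is only accepted when it is consistent with the report being verified; otherwise the verifier falls back to the cache and then to a remote fetch (a stand-in for THIM or the AMD KDS). All struct and function names, the `Fetcher` callback, and the identity-equality check are assumptions; a real verifier must additionally chain the VCEK to the AMD ARK and check the report signature with a crypto library, which this example leaves out so it runs offline.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <mutex>
#include <optional>
#include <string>
#include <tuple>
#include <utility>

// Constructed model of the report fields that select a VCEK (hypothetical names).
struct ReportIdentity {
    std::string chip_id;        // hex-encoded CHIP_ID from the SNP report
    std::uint64_t reported_tcb; // REPORTED_TCB from the SNP report
    bool operator<(const ReportIdentity& o) const {
        return std::tie(chip_id, reported_tcb) < std::tie(o.chip_id, o.reported_tcb);
    }
    bool operator==(const ReportIdentity& o) const {
        return chip_id == o.chip_id && reported_tcb == o.reported_tcb;
    }
};

// VCEK leaf plus ASK/ARK chain, tagged with the identity it was issued for.
struct VcekCollateral {
    ReportIdentity issued_for;
    std::string vcek_pem;
    std::string chain_pem;
};

// Process-wide cache keyed on (chip_id, reported_tcb). Assumption: chain
// verification against the AMD root happens elsewhere; here "consistent" means
// the collateral's identity equals the report's identity.
class VcekCache {
public:
    using Fetcher = std::function<std::optional<VcekCollateral>(const ReportIdentity&)>;
    explicit VcekCache(Fetcher fetcher) : fetcher_(std::move(fetcher)) {}

    // Resolution order: client-provided collateral (if consistent with the
    // report), then the cache, then a remote fetch. Inconsistent client
    // collateral is counted and ignored rather than trusted.
    std::optional<VcekCollateral> lookup(const ReportIdentity& id,
                                         const std::optional<VcekCollateral>& client_provided) {
        std::lock_guard<std::mutex> guard(mutex_);
        if (client_provided) {
            if (client_provided->issued_for == id) {
                cache_[id] = *client_provided;
                return *client_provided;
            }
            ++client_rejected_;
        }
        auto it = cache_.find(id);
        if (it != cache_.end()) {
            ++hits_;
            return it->second;
        }
        std::optional<VcekCollateral> fetched = fetcher_(id);
        if (fetched && fetched->issued_for == id) {
            cache_[id] = *fetched;
            return fetched;
        }
        return std::nullopt;
    }

    int hits() const { return hits_; }
    int client_rejected() const { return client_rejected_; }
    std::size_t size() const { return cache_.size(); }

private:
    Fetcher fetcher_;
    std::map<ReportIdentity, VcekCollateral> cache_;
    std::mutex mutex_;
    int hits_ = 0;
    int client_rejected_ = 0;
};

struct DemoResult {
    int fetches;          // remote fetches performed
    int hits;             // cache hits
    int client_rejected;  // client collateral ignored as inconsistent
    std::size_t cached;   // distinct (chip, tcb) entries held
    bool all_resolved;    // every lookup produced collateral
};

// Drives the cache through the cases a reviewer cares about with constructed data.
DemoResult run_demo() {
    int fetches = 0;
    VcekCache cache([&fetches](const ReportIdentity& id) -> std::optional<VcekCollateral> {
        ++fetches; // stand-in for a THIM/KDS round trip
        return VcekCollateral{id, "(constructed VCEK for " + id.chip_id + ")", "(constructed ASK/ARK chain)"};
    });
    ReportIdentity a1{"aa11", 1}, a2{"aa11", 2}, b1{"bb22", 1}, c1{"cc33", 1};
    bool ok = true;
    ok = ok && cache.lookup(a1, std::nullopt).has_value();  // miss: fetch 1
    ok = ok && cache.lookup(a1, std::nullopt).has_value();  // hit
    ok = ok && cache.lookup(a2, std::nullopt).has_value();  // same chip, new TCB: fetch 2
    VcekCollateral wrong_chip{a1, "(constructed)", "(constructed)"};
    ok = ok && cache.lookup(b1, wrong_chip).has_value();    // rejected, then fetch 3
    VcekCollateral matching{c1, "(constructed)", "(constructed)"};
    ok = ok && cache.lookup(c1, matching).has_value();      // accepted, no fetch
    ok = ok && cache.lookup(c1, std::nullopt).has_value();  // hit from client-seeded entry
    return DemoResult{fetches, cache.hits(), cache.client_rejected(), cache.size(), ok};
}
```

The design point for review: every cache entry is bound to the report identity it was issued for, so a cached or client-seeded certificate can only be returned for the exact chip and TCB it belongs to, and a client cannot substitute collateral for a different machine by presenting it alongside its own report.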

csegarragonz and others added 5 commits December 7, 2025 20:51
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@csegarragonz csegarragonz self-assigned this Dec 7, 2025
@csegarragonz csegarragonz merged commit 82492ad into main Dec 7, 2025
3 of 4 checks passed
@csegarragonz csegarragonz deleted the enhancement-trustee branch December 7, 2025 22:01