
CUBE-148 - Fix attestation policy doc and bugs#177

Open
WashingtonKK wants to merge 5 commits into ultravioletrs:main from WashingtonKK:cube-148

Conversation

@WashingtonKK

What type of PR is this?

What does this do?

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified features?

Notes

Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Comment on lines 108 to 111
# Method depends on your platform and kernel version
# The SEV-SNP guest device is typically at /dev/sev-guest
# Use a SNP attestation tool or library to produce the report
# For example, using snpguest or configfs-tsm:

Just be specific to Cube HAL and Ubuntu images.

Comment on lines 148 to 151
# The TDX guest device is typically at /dev/tdx_guest
# Use a TDX quote generation tool or library to produce the quote
# For example, using the go-tdx-guest library or configfs-tsm:
cd /sys/kernel/config/tsm/report/report0
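Review bot: `cd /sys/kernel/config/tsm/report/report0` assumes the report directory already exists and the snippet stops there, so no quote is actually produced; with configfs-tsm the directory is created with `mkdir`, the nonce is written to `inblob` and the quote is read from `outblob`. Either show those steps or, since the doc is meant to match Cube's environment, drop the configfs-tsm path in favour of the command Cube actually supports.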

Same as above; examples should be reproducible with our environments.

Comment on lines 172 to 179
- `--mr_config_id <hex>`: Expected MR_CONFIG_ID (48 bytes hex)
- `--mr_owner <hex>`: Expected MR_OWNER (48 bytes hex)
- `--mr_config_owner <hex>`: Expected MR_OWNER_CONFIG (48 bytes hex)
- `--rtmrs <hex,hex,hex,hex>`: Comma-separated RTMR values (4 values, 48 bytes each)
- `--minimum_tee_tcb_svn <hex>`: Minimum TEE_TCB_SVN (16 bytes hex)
- `--minimum_qe_svn <value>`: Minimum QE_SVN
- `--minimum_pce_svn <value>`: Minimum PCE_SVN
- `--minimum_qe_svn <value>`: Minimum QE_SVN (uint32)
- `--minimum_pce_svn <value>`: Minimum PCE_SVN (uint32)
- `--trusted_root <paths>`: Comma-separated paths to PEM CA bundles for Intel TDX root certificates
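Review bot: `--minimum_qe_svn` and `--minimum_pce_svn` are listed twice, once without and once with the `(uint32)` type, so the list as written reads like a pasted help output that was not deduplicated; keep one entry per flag with the type. Also check that `--mr_config_owner`, described as MR_OWNER_CONFIG, is the flag's real name and that the description uses the same field name.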

Is this the command output?

Replace generic Linux commands (configfs-tsm, sev-guest device) with
cocos-cli attestation commands specific to Cube's HAL and ubuntu images.

Signed-off-by: WashingtonKK <washington@ultraviolet.rs>
The deploy workflow calls `make down-cloud` which runs
`restore-cloud-config`, restoring `.env.backup` from a previous
deployment. This overwrites the fresh `.env` pulled from git,
causing any newly added env variables (like CUBE_AI_ATTESTATION_URL)
to be permanently lost.

Fix by removing stale backup files before `make down-cloud` so
`restore-cloud-config` is a no-op and the fresh `.env` is preserved.

Signed-off-by: WashingtonKK <washington@ultraviolet.rs>
```bash
# Inside the CVM
sudo cat /sys/kernel/security/tpm0/binary_bios_measurements > attestation.bin
cocos-cli attestation get snp-vtpm --tee <512-bit-hex-nonce> --vtpm <256-bit-hex-nonce>
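Review bot: the first command saves the TPM event log (`binary_bios_measurements`) under the name `attestation.bin`, which is not an attestation report, and the `cocos-cli` line never reads that file; rename it (for example `event_log.bin`) or state how it feeds into the next step. Also give the nonce placeholders in the unit the flags take: a 512-bit value is 128 hex characters and a 256-bit value is 64, so readers do not paste a value of the wrong length.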

cocos-cli cannot connect to Cube; use working examples that are actually reproducible.

Replace cocos-cli attestation get commands with Cube Proxy API
curl examples. cocos-cli cannot connect directly to Cube's CVM;
the proxy API (POST /<domain_id>/attestation) is the correct
way to retrieve attestation reports in Cube's environment.

Signed-off-by: WashingtonKK <washington@ultraviolet.rs>
```bash
# Inside the CVM
sudo cat /sys/kernel/security/tpm0/binary_bios_measurements > attestation.bin
curl -X POST http://<proxy-host>:<proxy-port>/<domain_id>/attestation \

If curl is to be used, make sure it is configured correctly and you give proper restart info. Otherwise you have a chicken-and-egg problem: aTLS needs the attestation policy, which is what you're trying to find here.

curl -X POST http://<proxy-host>:<proxy-port>/<domain_id>/attestation \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{"report_data": "", "nonce": "", "attestation_type": "snp", "to_json": true}' \
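Review bot: `report_data` and `nonce` are empty strings, so the report a reader gets back is not bound to any challenge and the tutorial teaches the form that cannot be checked for freshness; show generating a random hex value and passing it in both fields. The `attestation_type` key should also go, since the follow-up commit states the agent auto-detects the TEE and rejects that field.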

This will not return the Azure token; go through the code and test in this environment. Some of the options in this request are no longer supported. This is supposed to be a working tutorial.

- Remove invalid attestation_type field from all curl examples (agent
  auto-detects TEE platform at startup, field is not accepted)
- Add upfront section about aTLS chicken-and-egg problem: proxy must
  have aTLS disabled for initial attestation report retrieval
- Add API reference table documenting request/response format
- Fix Azure section: API returns vTPM protobuf, not MAA token. Document
  that cocos-cli policy azure requires the MAA JWT token obtained
  directly from the CVM
- Consolidate proxy configuration section (remove duplicate aTLS steps)
- All curl examples tested and verified on TDX deployment

Signed-off-by: WashingtonKK <washington@ultraviolet.rs>
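The request shape the last commit settles on (`report_data`, `nonce`, `to_json`, no `attestation_type`) with a freshly generated nonce instead of the empty strings in the earlier curl example, as an added script that is not part of this PR or of Cube's own tooling. Assumed, not documented on the page: the proxy runs with aTLS disabled for this first retrieval, report_data is 64 bytes and nonce 32 bytes, and the proxy URL, domain id and token are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from this PR or Cube's own code). Fetches an attestation
# report through the Cube Proxy API with a freshly generated nonce, using the
# request fields the last commit settles on (report_data, nonce, to_json) and
# omitting attestation_type, which the agent does not accept.
# Assumptions: proxy aTLS is disabled for this first retrieval; report_data is
# 64 bytes and nonce 32 bytes (sizes are assumed, not documented on the page).

# Print N random bytes as lowercase hex (2*N characters), no trailing newline.
gen_nonce() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Build the JSON body. $1 = report_data hex, $2 = nonce hex.
# Empty or non-hex values are rejected: an empty nonce yields a report that is
# not bound to any challenge, and only hex is safe to embed without escaping.
build_body() {
    for v in "$1" "$2"; do
        case "$v" in
            "")              echo "empty nonce/report_data" >&2; return 1 ;;
            *[!0-9a-fA-F]*)  echo "non-hex value: $v" >&2; return 1 ;;
        esac
    done
    printf '{"report_data":"%s","nonce":"%s","to_json":true}' "$1" "$2"
}

# POST the request and save the response next to the challenge it was made
# with, so the report can later be checked against that nonce.
# Usage: fetch_report http://<proxy-host>:<proxy-port> <domain_id> <access_token> [out-file]
fetch_report() {
    proxy_url=$1; domain_id=$2; token=$3; out=${4:-attestation.json}
    report_data=$(gen_nonce 64)   # 512-bit -> 128 hex chars
    nonce=$(gen_nonce 32)         # 256-bit -> 64 hex chars
    body=$(build_body "$report_data" "$nonce") || return 1
    printf 'report_data=%s\nnonce=%s\n' "$report_data" "$nonce" > "$out.challenge"
    curl -sS --fail -X POST "$proxy_url/$domain_id/attestation" \
        -H "Authorization: Bearer $token" \
        -H "Content-Type: application/json" \
        -d "$body" -o "$out"
}
```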
WashingtonKK deleted the cube-148 branch on February 11, 2026 16:21
WashingtonKK restored the cube-148 branch on February 11, 2026 16:22
WashingtonKK reopened this on Feb 11, 2026
# Use Azure's attestation client to get the MAA token
# Save the token to a file
echo "<maa_token>" > maa_token.txt
cocos-cli attestation get --maa-token -o maa_token.txt
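Review bot: `echo "<maa_token>" > maa_token.txt` writes a placeholder rather than calling the Azure attestation client the comment above promises, and the next line passes that same file as `-o`, which reads as an output path; say which flag takes the MAA JWT, which is the output, and show the actual client invocation (or where inside the CVM the token is obtained) so the step is reproducible.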

This will not work.

Development

Successfully merging this pull request may close these issues.

Validate and update attestation policy doc

2 participants