standalone: add simple instance attestation server#1076

Draft
jordanhendricks wants to merge 1 commit into master from jhendricks/standalone-attestation-server

jordanhendricks commented Mar 10, 2026

addresses #1068

TODO:

  • clean up how we get the attestation port
  • test on a gimlet
  • test with more up-to-date vm-attest-proto bits in the guest image

Example TOML Configurations

"Mock" RoT (mock data)

```toml
[attestation]
backend = "mock"
port = 3000
pki_path = "/home/jordan/src/vm-attest-proto/target/debug/build/vm-attest-trait-19b74ae95e889c80/out/test-alias.certlist.pem"
log_path = "/home/jordan/src/vm-attest-proto/target/debug/build/vm-attest-trait-19b74ae95e889c80/out/log.bin"
alias_key_path = "/home/jordan/src/vm-attest-proto/target/debug/build/vm-attest-trait-19b74ae95e889c80/out/test-alias.key.pem"
instance_uuid = "db5bf54c-48c5-4455-a1e1-6c7dfc26e351"
boot_digest = "be4df4e085175f3de0c8ac4837e1c2c9a34e8983209dac6b549e94154f7cdd9c"
```

Real RoT

```toml
# IPCC backend (communicates with real RoT)
[attestation]
backend = "ipcc"
port = 3000
instance_uuid = "db5bf54c-48c5-4455-a1e1-6c7dfc26e351"
boot_digest = "be4df4e085175f3de0c8ac4837e1c2c9a34e8983209dac6b549e94154f7cdd9c"
```

Co-authored-by: Philip Tricca <flihp@oxide.computer>
jordanhendricks force-pushed the jhendricks/standalone-attestation-server branch from cb2d4b2 to 89adcdf, March 10, 2026 04:51

flihp commented Mar 10, 2026

I've added to this to get it working w/ the latest vm-attest. Branch is here: https://github.com/flihp/propolis/tree/standalone-new-vm-attest. With these changes I've tested both the IPCC & mock backends successfully using the image at /staff/flihp/vm-instance.raw.gz

),
};

Ok(VmInstanceRotMock::new(ox_attest, vm_conf))

Not a problem w/ this code, but the VmInstanceRotMock type has a confusing name. The type it wraps may be a mock impl, but VmInstanceRotMock itself isn't. I'll try to come up w/ a better name to make this less inaccurate.

uuid::Uuid::parse_str(&cfg.instance_uuid).expect("Invalid UUID");
let measurement: Measurement = serde_json::from_value(
serde_json::json!({"sha-256": cfg.boot_digest}),
)
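
Review bot: the `.expect("Invalid UUID")` on the `uuid::Uuid::parse_str(&cfg.instance_uuid)` line turns a malformed `instance_uuid` in the TOML into a panic. This value is operator-supplied config, so if the enclosing function returns a `Result`, propagate the parse error instead and name the field and the offending value in the message, so a typo in the config is reported as a startup error rather than a crash.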

This type shouldn't be so hard to construct. We should probably include the digest identifier (sha-256 in this case) in the string from the config, and provide a from_something constructor for the Measurement type.


PR adding a FromStr impl to Measurement type is here: oxidecomputer/vm-attest#49. A commit that uses this to parse the boot_digest from a propolis-standalone TOML config is here: flihp@6fe8547. This commit was tested on atrium. NOTE: this requires that the boot_digest field in the TOML be updated to include the IANA NIH hash algorithm prefix string like: sha-256;{hex}
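
The `sha-256;{hex}` form of `boot_digest` described in the comment above, as an added example that is not code from this PR or from vm-attest: a std-only Rust parser that rejects the older un-prefixed value with an error instead of panicking. `BootDigest`, `DigestError` and `parse_boot_digest` are hypothetical names, and requiring exactly 64 hex digits and the exact `sha-256` prefix are assumptions.

```rust
// Added illustration, not vm-attest code. Only the `sha-256;{hex}` string
// form comes from the thread; every name below is hypothetical.
#[derive(Debug, PartialEq)]
pub enum DigestError {
    MissingPrefix,
    UnsupportedAlgorithm(String),
    BadLength(usize),
    NonHex(char),
}

#[derive(Debug, PartialEq)]
pub struct BootDigest {
    pub algorithm: &'static str,
    pub bytes: [u8; 32],
}

pub fn parse_boot_digest(s: &str) -> Result<BootDigest, DigestError> {
    // A bare hex string (the older config form) has no ';' and is rejected.
    let (alg, hex) = s.split_once(';').ok_or(DigestError::MissingPrefix)?;
    if alg != "sha-256" {
        return Err(DigestError::UnsupportedAlgorithm(alg.to_string()));
    }
    // Check every character first so the byte slicing below only sees ASCII.
    if let Some(c) = hex.chars().find(|c| !c.is_ascii_hexdigit()) {
        return Err(DigestError::NonHex(c));
    }
    // SHA-256 is 32 bytes, so a truncated or padded digest is an error.
    if hex.len() != 64 {
        return Err(DigestError::BadLength(hex.len()));
    }
    let mut bytes = [0u8; 32];
    for (i, b) in bytes.iter_mut().enumerate() {
        *b = u8::from_str_radix(&hex[2 * i..2 * i + 2], 16).expect("validated hex");
    }
    Ok(BootDigest { algorithm: "sha-256", bytes })
}

fn main() {
    // Digest value from the example TOML on this page, with the prefix added.
    let cfg = "sha-256;be4df4e085175f3de0c8ac4837e1c2c9a34e8983209dac6b549e94154f7cdd9c";
    println!("{:?}", parse_boot_digest(cfg));
    // The un-prefixed form is reported as an error, not panicked on.
    println!("{:?}", parse_boot_digest(&cfg[8..]));
}
```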

Linked issue that merging this pull request may close: standalone: want ability to run attestation server backed by real or mock RoT
