COCOS-390 - Add IGVM measurement on manager (#404)

jovan-djukic · web-flow · commit 33744a12a86e · 2025-03-12T13:43:26.000+01:00
* resolved issue 390

* updated readme.md for issue 390

* resolved issue 390

* updated readme.md for issue 390

* implemented suggested changes

* refactored code so it passes the linter test

* change the Run fn so it prints the meassurement t a buffer

* refactored code so it passes the linter test

* fixed the test Run_-_Failure_Execution

* changed recipe so it builds igvmmeasure binary when building manager
diff --git a/Makefile b/Makefile
@@ -30,7 +30,7 @@ all: $(SERVICES)
 
 $(SERVICES): 
 	$(call compile_service,$@)
-	@if [ "$@" = "cli" ]; then $(MAKE) build-igvm; fi
+	@if [ "$@" = "cli" ] || [ "$@" = "manager" ]; then $(MAKE) build-igvm; fi
 
 $(ATTESTATION_POLICY):
 	$(MAKE) -C ./scripts/attestation_policy
diff --git a/manager/README.md b/manager/README.md
@@ -11,7 +11,7 @@ The service is configured using the environment variables from the following tab
 | COCOS_JAEGER_URL                          | The URL for the Jaeger tracing endpoint.                                                                         | http://localhost:4318        |
 | COCOS_JAEGER_TRACE_RATIO                  | The ratio of traces to sample.                                                                                   | 1.0                          |
 | MANAGER_INSTANCE_ID                       | The instance ID for the manager service.                                                                         |                              |
-| MANAGER_ATTESTATION_POLICY_BINARY         | The file path for the attestation policy binary.                                                                 | ../../build                  |
+| MANAGER_ATTESTATION_POLICY_BINARY         | The file path for the attestation policy and igvmmeassure binaries.                                              | ../../build                  |
 | MANAGER_GRPC_CLIENT_CERT                  | The file path for the client certificate.                                                                        |                              |
 | MANAGER_GRPC_CLIENT_KEY                   | The file path for the client private key.                                                                        |                              |
 | MANAGER_GRPC_SERVER_CA_CERTS              | The file path for the server CA certificate(s).                                                                  |                              |
diff --git a/manager/attestation_policy.go b/manager/attestation_policy.go
@@ -7,6 +7,8 @@
 package manager
 
 import (
+	"bufio"
+	"bytes"
 	"context"
 	"encoding/base64"
 	"fmt"
@@ -16,6 +18,7 @@ import (
 
 	"github.com/google/go-sev-guest/proto/check"
 	"github.com/ultravioletrs/cocos/manager/qemu"
+	"github.com/ultravioletrs/cocos/pkg/attestation/igvmmeasure"
 	"github.com/virtee/sev-snp-measure-go/cpuid"
 	"github.com/virtee/sev-snp-measure-go/guest"
 	"github.com/virtee/sev-snp-measure-go/vmmtypes"
@@ -67,11 +70,27 @@ func (ms *managerService) FetchAttestationPolicy(_ context.Context, computationI
 			return nil, err
 		}
 	case vmi.Config.EnableSEVSNP:
-		measurement, err = guest.CalcLaunchDigest(guest.SEV_SNP, vmi.Config.SMPCount, uint64(cpuid.CpuSigs[vmi.Config.CPU]), vmi.Config.OVMFCodeConfig.File, vmi.Config.KernelFile, vmi.Config.RootFsFile, strconv.Quote(qemu.KernelCommandLine), defGuestFeatures, "", vmmtypes.QEMU, false, "", 0)
+		igvmMeasurementBinaryPath := fmt.Sprintf("%s/igvmmeasure", ms.attestationPolicyBinaryPath)
+
+		var stdoutBuffer bytes.Buffer
+		var stderrBuffer bytes.Buffer
+
+		stdout := bufio.NewWriter(&stdoutBuffer)
+		stderr := bufio.NewWriter(&stderrBuffer)
+
+		igvmMeasurement, err := igvmmeasure.NewIgvmMeasurement(igvmMeasurementBinaryPath, stderr, stdout)
 		if err != nil {
 			return nil, err
 		}
+
+		err = igvmMeasurement.Run(ms.qemuCfg.IGVMConfig.File)
+		if err != nil {
+			return nil, err
+		}
+
+		measurement = stdoutBuffer.Bytes()
 	}
+
 	if measurement != nil {
 		attestationPolicy.Policy.Measurement = measurement
 	}
diff --git a/pkg/attestation/igvmmeasure/igvmmeasure.go b/pkg/attestation/igvmmeasure/igvmmeasure.go
@@ -3,6 +3,7 @@
 package igvmmeasure
 
 import (
+	"bytes"
 	"fmt"
 	"io"
 	"os/exec"
@@ -43,17 +44,24 @@ func (m *IgvmMeasurement) Run(pathToFile string) error {
 	args = append(args, "measure")
 	args = append(args, "-b")
 
-	out, err := m.execCommand(binary, args...).CombinedOutput()
-	if err != nil {
-		fmt.Println("Error:", err)
+	outBuf := &bytes.Buffer{}
+	cmd := m.execCommand(binary, args...)
+	cmd.Stderr = m.stderr
+	cmd.Stdout = outBuf
+
+	if err := cmd.Run(); err != nil {
+		return err
 	}
-	outputString := string(out)
+	outputString := outBuf.String()
 
 	lines := strings.Split(strings.TrimSpace(outputString), "\n")
 
 	if len(lines) == 1 {
 		outputString = strings.ToLower(outputString)
-		fmt.Print(outputString)
+		_, err := m.stdout.Write([]byte(outputString))
+		if err != nil {
+			return err
+		}
 	} else {
 		return fmt.Errorf("error: %s", outputString)
 	}
diff --git a/pkg/attestation/igvmmeasure/igvmmeasure_test.go b/pkg/attestation/igvmmeasure/igvmmeasure_test.go
@@ -51,7 +51,7 @@ func TestIgvmMeasurement(t *testing.T) {
 				return igvm
 			},
 			expectErr:   true,
-			expectedErr: "error: some error occurred\nextra line",
+			expectedErr: "exit status 1",
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func TestIgvmMeasurement(t *testing.T) {`
`51`	`51`	`return igvm`
`52`	`52`	`},`
`53`	`53`	`expectErr: true,`
`54`		`- expectedErr: "error: some error occurred\nextra line",`
	`54`	`+ expectedErr: "exit status 1",`
`55`	`55`	`},`
`56`	`56`	`}`
`57`	`57`