Merge pull request #55 from SammyOina/pd-49

PD-49 - Validate and document aTLS
ultravioletrs · Nov 27, 2024 · 502cb32 · 502cb32
2 parents 935711f + 17838d9
commit 502cb32
Show file tree

Hide file tree

Showing 10 changed files with 65 additions and 47 deletions.
diff --git a/docs/backends.md b/docs/backends.md
@@ -107,52 +107,6 @@ Content-Length: 129
 {"id":"ca219243-0dd4-4e6e-94ad-54fbf3dd8b32","name":"my dell server","description":"some description","address":"192.168.100.4"}
 ```
 
-## View Backend Information
-
-For a SEV enabled backend, the backend information can be viewed using prism. This information is measured by a Rust script found [here](https://github.com/ultravioletrs/cocos/blob/main/scripts/backend_info/src/main.rs). Once compiled and the binary is stored in `/build`, the backend information can be measured by Prism as shown below.
-
-On the backend page, click the Backend Information button:
-![backend_page](img/backend_page.png)
-
-If the measurement binary is absent and no measurement is found, an empty measurement file is displayed:
-
-![empty_info](img/empty_backend_info.png)
-
-If the measurement is present or measurement is found in the db, the measurement file will be available for download.
-
-![backend_info](img/backend_info.png)
-
-The backend_info.json file is useful in cocos for [attested TLS](https://docs.cocos.ultraviolet.rs/attestation/#attested-tls), and can be used to verify [attestation report](https://docs.cocos.ultraviolet.rs/cli/#fetch-and-validate-attestation-report). The file is provided to [cocos-cli](https://docs.cocos.ultraviolet.rs/cli/#backend-info) which can add measurement data or host data. The file contains the SnpPolicy and RootOfTrust as shown:
-
-```json
-{
-  "snp_policy": {
-    "policy": 1966081,
-    "family_id": "AA==",
-    "image_id": "AA==",
-    "vmpl": {
-      "value": 0
-    },
-    "minimum_tcb": 1506397780360888800,
-    "minimum_launch_tcb": 1506397780360888800,
-    "require_author_key": false,
-    "measurement": "AA==",
-    "host_data": "AA==",
-    "report_id_ma": "AA==",
-    "chip_id": "GrFqQtRklrsjBslu9pcQ6X4rkftFW1Ar1oT+I4guQ1sVC6qakgSvEtE4P/SLSJ6mHNp0kY0mHnGpvz1Ov+k/w==",
-    "minimum_build": 7,
-    "minimum_version": "1.55",
-    "permit_provisional_firmware": false,
-    "require_id_block": false
-  },
-  "root_of_trust": {
-    "product": "Milan",
-    "check_crl": true,
-    "disallow_network": false
-  }
-}
-```
-
 ## Terminate Backend
 
 This is used to disconnect and close the associated backend connection. This is usually triggered when a certificate is revoked while the backend is connected using this certificate or user initiated for any reason.

diff --git a/docs/computations.md b/docs/computations.md
@@ -172,6 +172,70 @@ Common issues and solutions:
 - Check CA trust chain
 - Confirm client/server certificate compatibility
 
+#### Example: Attestated TLS configuration
+
+Agent can be configured to run with [attested TLS](https://docs.cocos.ultraviolet.rs/attestation/#attested-tls).
+
+1. Set agent tls configuration to aTLS. ![atls config](./img/ui/setatlsconfig.png)
+Click on close to save config and click the update/create button to save the computation.
+2. To confirm aTLS was configured, click on the update computation button.
+![atls config](./img/ui/confirmatls.png)
+3. Next Run the computation and wait for the virtual machine provisioning to be complete.
+![vm provision](./img/ui/provisioncomplete.png)
+4. Download the attestation policy. This file is used to set the expected values in the attestation report and is required for validation.
+![attestation-policy-download-list](./img/ui/attestation-policy-download-list.png)
+![download-attestation-list](./img/ui/download-policy-download.png)
+
+5. Finally to connect to agent, we need to configure the env variables on cli.
+
+```shell
+export AGENT_GRPC_URL=<backend_host>:<agent_port>
+export AGENT_GRPC_ATTESTED_TLS=true
+export AGENT_GRPC_ATTESTATION_POLICY=<path_to_attestation_policy_file>
+```
+
+after this configuration you can connect to agent normally using cli and perform [operations](https://docs.cocos.ultraviolet.rs/cli/) on cli such as algo/data upload etc.
+
+##### Calculating measurement manually (optional)
+
+Optionally, you can calculate and confirm the measurement in the attestation report. You'll need the kernel and rootfs file which can be downloaded from cocos releases based on versions.
+
+![svm info](./img/ui/svminfo.png)
+
+to calculate the expected measurement:
+
+```shell
+OVMF_CODE=/home/cocosai/danko/test/ovmf/OVMF.fd
+INITRD="/home/sammy/rootfs.cpio.gz"
+KERNEL="/home/sammy/bzImage"
+LINE='"quiet console=null rootfstype=ramfs"'
+./build/cocos-cli sevsnpmeasure --mode snp --vcpus 4 --vcpu-type EPYC-v4 --ovmf $OVMF_CODE --kernel $KERNEL --initrd $INITRD --append "$LINE"
+```
+
+Once caluated this can be replaced on the attestation policy file using:
+
+```shell
+./build/cocos-cli backend measurement <base64-string-of-measurement> <attestation_policy.json file>
+```
+
+##### Calculating the host-data (Optional)
+
+The host data set on the virtual machine is based on the computation mmanifest. The manifest should be downloaded from the computation page. Click on preview manifest and then download the manifest for the specific computation run.
+
+![download-manifest](./img/ui/hostdata.png)
+
+The host data value us calculated using the cli as below:
+
+```shell
+./build/cocos-cli checksum <path-to-manifest-json-file> --manifest -b
+```
+
+This can also be edited into the downloaded attestation policy as below:
+
+```shell
+./build/cocos-cli backend hostdata <base64-string-of-measurement> <attestation_policy.json file>
+```
+
 ## Retrieve Computations
 
 In order to get all computations:

diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -239,7 +239,7 @@ We'll then run manager to connect the backend.
 example:
 
 ```bash
-MANAGER_GRPC_URL=192.168.100.4:7011 MANAGER_LOG_LEVEL=debug MANAGER_QEMU_USE_SUDO=false  MANAGER_QEMU_ENABLE_SEV=false MANAGER_QEMU_SEV_CBITPOS=51 MANAGER_QEMU_OVMF_CODE_FILE=/usr/share/edk2/x64/OVMF_CODE.fd MANAGER_QEMU_OVMF_VARS_FILE=/usr/share/edk2/x64/OVMF_VARS.fd MANAGER_QEMU_ENABLE_SEV_SNP=false MANAGER_GRPC_CLIENT_CERT=cert.pem MANAGER_GRPC_CLIENT_KEY=key.pem MANAGER_GRPC_SERVER_CA_CERTS=ca.pem go run main.go
+MANAGER_GRPC_URL=prism.ultraviolet.rs:7011 MANAGER_LOG_LEVEL=debug MANAGER_QEMU_USE_SUDO=false  MANAGER_QEMU_ENABLE_SEV=false MANAGER_QEMU_SEV_CBITPOS=51 MANAGER_QEMU_OVMF_CODE_FILE=/usr/share/edk2/x64/OVMF_CODE.fd MANAGER_QEMU_OVMF_VARS_FILE=/usr/share/edk2/x64/OVMF_VARS.fd MANAGER_QEMU_ENABLE_SEV_SNP=false MANAGER_GRPC_CLIENT_CERT=cert.pem MANAGER_GRPC_CLIENT_KEY=key.pem MANAGER_GRPC_SERVER_CA_CERTS=ca.pem go run main.go
 ```
 
 Once manager is connected we should notice the associated backend marked as active:

diff --git a/docs/img/ui/attestation-policy-download-list.png b/docs/img/ui/attestation-policy-download-list.png
diff --git a/docs/img/ui/confirmatls.png b/docs/img/ui/confirmatls.png
diff --git a/docs/img/ui/download-policy-download.png b/docs/img/ui/download-policy-download.png
diff --git a/docs/img/ui/hostdata.png b/docs/img/ui/hostdata.png
diff --git a/docs/img/ui/provisioncomplete.png b/docs/img/ui/provisioncomplete.png
diff --git a/docs/img/ui/setatlsconfig.png b/docs/img/ui/setatlsconfig.png
diff --git a/docs/img/ui/svminfo.png b/docs/img/ui/svminfo.png