Jinnan-Guo · Jinnan-Guo · Nov 28, 2023 · Aug 2, 2023 · Aug 9, 2023 · Aug 18, 2023
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -81,10 +81,14 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.19
+        go-version: "1.19"
 
     - name: Go Build
       run: go build -v ./...
 
     - name: Go Tests
-      run: go test -v ./...
+      run: |
+        # Can't use `go test -v ./...` because some of the tests depend on SEV-SNP or Confidential ACI features
+        go test -v ./... -tags skip_e2e,skip_snp_required
+
+
diff --git a/.github/workflows/cleanup_registry.yml b/.github/workflows/cleanup_registry.yml
@@ -24,8 +24,8 @@ jobs:
           REGISTRY_NAME: ${{ secrets.REGISTRY_NAME }}
           REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
         run: |
-          repos=("skr" "skr_debug" "encfs")
-          branches=$(git ls-remote --heads origin)
+          repos=("skr" "skr_debug" "encfs" "attestation")
+          branches=$(git ls-remote --heads origin | sed 's/[^a-zA-Z0-9]/-/g')
 
           # Delete any tags which don't have a corresponding branch
           for repo in "${repos[@]}"; do

diff --git a/.github/workflows/push_attestation_image.yml b/.github/workflows/push_attestation_image.yml
@@ -0,0 +1,64 @@
+name: Push Attestation Image
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/push_attestation_image.yml
+      - cmd/attestation-container/**
+      - docker/attestation-container/**
+      - pkg/attest
+      - pkg/common
+      - vendor/**
+      - internal/**
+
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/push_attestation_image.yml
+      - cmd/attestation-container/**
+      - docker/attestation-container/**
+      - pkg/attest
+      - pkg/common
+      - vendor/**
+      - internal/**
+
+jobs:
+  push-attestation-image:
+    name: Push Attestation Image
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Login to Azure Container Registry
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.REGISTRY_NAME }}.${{ secrets.REGISTRY_DOMAIN }}
+          username: ${{ secrets.REGISTRY_NAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Get Image Tag
+        id: get_image_tag
+        run: |
+          if [ ${{ github.event_name }} == "push" ]; then
+            branch_name=main
+          elif [ ${{ github.event_name }} == "workflow_dispatch" ]; then
+            branch_name=${{ github.ref }}
+            branch_name=${branch_name:11}
+          else
+            branch_name=${{ github.head_ref }}
+          fi
+          echo "image_tag=$(echo ${branch_name:0:128} | sed 's/[^a-zA-Z0-9]/-/g')" >> $GITHUB_OUTPUT
+
+      - name: Build and Push Docker Image
+        uses: docker/build-push-action@v3
+        with:
+          file: docker/attestation-container/Dockerfile.run
+          push: true
+          tags: |
+            ${{ secrets.REGISTRY_NAME }}.${{ secrets.REGISTRY_DOMAIN }}/attestation:${{ steps.get_image_tag.outputs.image_tag }}
diff --git a/.github/workflows/push_encfs_image.yml b/.github/workflows/push_encfs_image.yml
@@ -10,8 +10,10 @@ on:
       - cmd/azmount/**
       - cmd/remotefs/**
       - docker/encfs/**
-      - tools/get-snp-report/bin/get-snp-report
-      - tools/get-snp-report/bin/get-fake-snp-report
+      - tools/get-snp-report/**
+      - vendor/**
+      - internal/**
+      - pkg/**
   push:
     branches:
       - main
@@ -20,14 +22,16 @@ on:
       - cmd/azmount/**
       - cmd/remotefs/**
       - docker/encfs/**
-      - tools/get-snp-report/bin/get-snp-report
-      - tools/get-snp-report/bin/get-fake-snp-report
+      - tools/get-snp-report/**
+      - vendor/**
+      - internal/**
+      - pkg/**
 
 jobs:
   push-encfs-image:
     name: Push Encrypted FS Image
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
+    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -46,11 +50,15 @@ jobs:
         run: |
           if [ ${{ github.event_name }} == "push" ]; then
             branch_name=main
+          elif [ ${{ github.event_name }} == "workflow_dispatch" ]; then
+            branch_name=${{ github.ref }}
+            branch_name=${branch_name:11}
           else  
-            branch_name=$(echo ${{ github.head_ref }})
+            branch_name=${{ github.head_ref }}
           fi
+          image_tag=$(echo ${branch_name:0:128} | sed 's/[^a-zA-Z0-9]/-/g')
           docker/encfs/push.sh \
             ${{ secrets.REGISTRY_NAME }} \
             ${{ secrets.REGISTRY_DOMAIN }} \
-            encfs:$branch_name \
+            encfs:$image_tag \
             --skip-login
diff --git a/.github/workflows/push_skr_debug_image.yml b/.github/workflows/push_skr_debug_image.yml
@@ -9,26 +9,28 @@ on:
       - .github/workflows/push_skr_debug_image.yml
       - cmd/skr/**
       - docker/skr/**
-      - tools/get-snp-report/bin/get-snp-report
-      - tools/get-snp-report/bin/get-fake-snp-report
-      - tools/get-snp-report/bin/verbose-report
-
+      - tools/get-snp-report/**
+      - vendor/**
+      - internal/**
+      - pkg/**
+
   push:
     branches:
       - main
     paths:
       - .github/workflows/push_skr_debug_image.yml
       - cmd/skr/**
       - docker/skr/**
-      - tools/get-snp-report/bin/get-snp-report
-      - tools/get-snp-report/bin/get-fake-snp-report
-      - tools/get-snp-report/bin/verbose-report
-
+      - tools/get-snp-report/**
+      - vendor/**
+      - internal/**
+      - pkg/**
+
 jobs:
-  push-skr-debug-image: 
+  push-skr-debug-image:
     name: Push SKR Debug Image
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
+    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -42,16 +44,20 @@ jobs:
 
       - name: Build Image
         run: docker/skr/build-debug.sh
-        
+
       - name: Push Image
         run: |
           if [ ${{ github.event_name }} == "push" ]; then
             branch_name=main
+          elif [ ${{ github.event_name }} == "workflow_dispatch" ]; then
+            branch_name=${{ github.ref }}
+            branch_name=${branch_name:11}
           else  
-            branch_name=$(echo ${{ github.head_ref }})
+            branch_name=${{ github.head_ref }}
           fi
+          image_tag=$(echo ${branch_name:0:128} | sed 's/[^a-zA-Z0-9]/-/g')
           docker/skr/push.sh \
             ${{ secrets.REGISTRY_NAME }} \
             ${{ secrets.REGISTRY_DOMAIN }} \
-            skr_debug:$branch_name \
+            skr_debug:$image_tag \
             --skip-login
diff --git a/.github/workflows/push_skr_image.yml b/.github/workflows/push_skr_image.yml
@@ -9,8 +9,10 @@ on:
       - .github/workflows/push_skr_image.yml
       - cmd/skr/**
       - docker/skr/**
-      - tools/get-snp-report/bin/get-snp-report
-      - tools/get-snp-report/bin/get-fake-snp-report
+      - tools/get-snp-report/**
+      - vendor/**
+      - internal/**
+      - pkg/**
 
   push:
     branches:
@@ -19,14 +21,16 @@ on:
       - .github/workflows/push_skr_image.yml
       - cmd/skr/**
       - docker/skr/**
-      - tools/get-snp-report/bin/get-snp-report
-      - tools/get-snp-report/bin/get-fake-snp-report
+      - tools/get-snp-report/**
+      - vendor/**
+      - internal/**
+      - pkg/**
 
 jobs:
   push-skr-image:
     name: Push SKR Image
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
+    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -45,11 +49,15 @@ jobs:
         run: |
           if [ ${{ github.event_name }} == "push" ]; then
             branch_name=main
+          elif [ ${{ github.event_name }} == "workflow_dispatch" ]; then
+            branch_name=${{ github.ref }}
+            branch_name=${branch_name:11}
           else  
-            branch_name=$(echo ${{ github.head_ref }})
+            branch_name=${{ github.head_ref }}
           fi
+          image_tag=$(echo ${branch_name:0:128} | sed 's/[^a-zA-Z0-9]/-/g')
           docker/skr/push.sh \
             ${{ secrets.REGISTRY_NAME }} \
             ${{ secrets.REGISTRY_DOMAIN }} \
-            skr:$branch_name \
+            skr:$image_tag \
             --skip-login
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,72 @@
+name: Create Release
+
+on:
+  push:
+    branches:
+      - main
+    tags:        
+      - '*'
+    paths:
+      - .github/workflows/release.yml
+      - tools/get-snp-report/**
+      - tools/importkey/**
+      - pkg/common/akv.go
+      - pkg/common/keyblob.go
+
+env:
+  GO_VERSION: "1.19.x"
+
+jobs:
+  build:
+    name: Build Binaries
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Build Linux Executables
+        run: |
+          pushd tools/get-snp-report && make && popd
+          cp -a tools/get-snp-report/bin/* .
+          go build ./tools/importkey
+          go build ./cmd/skr
+
+      - name: Build Windows Executables
+        run: |
+          go build ./tools/importkey
+        env:
+          GOOS: windows
+          GOARCH: amd64
+
+      - name: Upload Executables
+        uses: actions/upload-artifact@v3
+        with:
+          name: binaries
+          path: |
+            get-snp-report
+            verbose-report
+            importkey.exe
+            importkey
+            skr
+
+  create_release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: binaries
+
+      - name: Publish release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          files: |
+            get-snp-report
+            verbose-report
+            importkey.exe
+            importkey
+            skr
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,4 @@
 /docker/skr/bin
 /docker/encfs/bin
 /tools/get-snp-report/bin
+.vscode
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ The skr sidecar can be queried by application containers hosted in the same pod
 The ``examples/skr`` shows an example of how the skr sidecar can be deployed and tested within a confidential container group on ACI.
 
 ## Fetching an attestion report.
-``tools/get-snp-report provides a tool which will return an SNP attestation report from the AMD PSP via linux IOCTLs. it can take a hex encoded report data value on the command line. The output is a hex encoded binary object. If piped through hex2report it can be read by people. There are two implementations inside the one tool to support the different IOCTLs requirements between linux 5.15 and 6.1 and later.
+``tools/get-snp-report`` provides a tool which will return an SNP attestation report from the AMD PSP via linux IOCTLs. it can take a hex encoded report data value on the command line. The output is a hex encoded binary object. If piped through hex2report it can be read by people. There are two implementations inside the one tool to support the different IOCTLs requirements between linux 5.15 and 6.1 and later.
 
 ### Third-party code 
 We modified the [AES unwrap key without padding method](https://github.com/NickBall/go-aes-key-wrap/blob/master/keywrap.go) to implement the aes key unwrap with padding method.
@@ -23,6 +23,7 @@ The ``docker/encfs/build.sh`` script builds all necessary Go tools (for encrypte
 The encrypted filesystem sidecar uses the SKR library to release key material from Azure Key Vault instances required for mounting the encrypted filesystems required by the application.
 
 The ``examples/encfs`` shows an example of how the encrypted filesystem sidecar can be deployed within a confidential container group on ACI.
+
 ## Dependencies:
 - Golang 1.19 or later
 - Docker

diff --git a/buildall.sh b/buildall.sh
@@ -19,7 +19,7 @@ popd
 
 echo building get-snp-report
 pushd tools/get-snp-report
-make 
+make
 popd
 cp tools/get-snp-report/bin/get-snp-report ./bin
 cp tools/get-snp-report/bin/get-fake-snp-report ./bin

diff --git a/cmd/attestation-container/.dockerignore b/cmd/attestation-container/.dockerignore
@@ -0,0 +1 @@
+**/*.test
diff --git a/cmd/attestation-container/.gitignore b/cmd/attestation-container/.gitignore
@@ -0,0 +1,3 @@
+attestation-container
+attestation-container.test
+attest/attest.test