Draft
Conversation
This adds Intel TDX (Trust Domain Extensions) support for secure attestation of the recording oracle running in a confidential computing environment. Features: - GitHub Action workflow to measure recording oracle on real TDX hardware - Reproducible Docker image for recording oracle (Dockerfile.tdx) - TDX attestation module for recording oracle to generate quotes - TDX verification module for reputation oracle to verify attestations - Measurements baked into build at compile time (not dynamically fetched) - Consolidated deployment script (deploy-to-tdx.sh) with commands: deploy, measure, start, stop, restart, status, quote The workflow: 1. Build reproducible Docker image with pinned versions 2. Deploy to TDX guest VM and get MRTD/RTMR measurements 3. Bake measurements into reputation oracle at build time 4. Reputation oracle verifies recording oracle attestations against known measurements Co-authored-by: openhands <openhands@all-hands.dev>
- Remove TDX attestation module from recording oracle (handled by sidecar) - Consolidate all shell scripts into single tdx.py Python script - Extract cloud-init embedded files to tdx-tools/ directory: - tdx-attestation-proxy.py: HTTP proxy for TDX quotes - tdx_quote_gen.c: C program to generate TDX quotes - tdx-attestation-proxy.service: Systemd service for proxy - recording-oracle.service: Systemd service for oracle - docker-compose.yml: Full stack deployment - setup.sh: VM setup script (fails if TDX libs not found) - Update GitHub workflow to use tdx.py - Update README documentation
- Recording Oracle attestation module with /attestation/quote endpoint - Intel DCAP service for certificate chain validation against Intel Root CA - TSM configfs-based full quote generation (5006 bytes) - Fix AppArmor blocking QEMU access to QGS socket - Add seclabel type='none' to VM XML for TDX compatibility - E2E tests and manual test script for verification - Ansible README with deployment instructions 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Create qgs_host role to automate TDX host configuration: - Install tdx-qgs package - Create runtime directory with proper permissions - Configure AppArmor for libvirt QGS socket access - Enable and start QGS daemon Add setup-host.yml playbook for standalone host setup. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create reputation-oracle/docker-compose.yml with postgres, minio, and app - Add src/server.ts HTTP server entry point for TDX verification endpoints - Add Docker installation to qgs_host Ansible role Tested: DCAP signature verification working against live TDX quote. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse QE Report Certification Data (type 6/7) to extract nested certs - Add Intel PCS API fallback for fetching PCK certificates - Use TDX-specific endpoint for TCB info (/tdx/certification/v4) - Fix FMSPC extraction from PCK certificate OID - Add @nestjs/platform-express for HTTP server support DCAP now verifies: - Quote signature validity - Certificate chain to Intel Root CA - TCB status from Intel's TDX API 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Regenerated lockfile using Yarn 4.12.0 (via corepack in Docker) to fix CI "lockfile would have been modified" error. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Apply prettier formatting to reputation-oracle files - Rename unused VerificationResult interface to _VerificationResult 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Run TDX measurements on pull requests to main - Only tag with :latest on push events (not PRs) - Releases still only created on push to main 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds ansible-sev/ with roles and playbooks for deploying recording oracle in AMD SEV-SNP protected VMs on OVH Scale-a1 servers (AMD EPYC 9004). Includes: - sev_vm role: VM provisioning with SEV-SNP launchSecurity - sev_attestation role: SEV attestation report generation - SEV attestation proxy (Python) for /dev/sev-guest and TSM interfaces - Playbooks: deploy, destroy, measure, status 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use Canonical's TDX setup script instead of manual Intel repo - Install TDX kernel, Docker, libvirt automatically via qgs_host role - Update README with BIOS prerequisites and reboot requirement - Fix SSH key handling in workflow (write to file, not stdin) - Add error validation for measurements.json - Fix release conditional operator precedence - Add timeouts and cleanup step to workflow - Generate ephemeral VM credentials at runtime for confidentiality
- Add tmpfiles.d config for QGS runtime directory (survives reboots) - Remove stale QGS socket before starting service - Configure PCCS UserTokenHash for non-interactive PCKIDRetrievalTool - Add user_token parameter to PCKIDRetrievalTool command - Update README with SGX Auto MP Registration requirement - Add troubleshooting for "No certificate data for this platform" error 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker registry requires lowercase repository names. Convert github.repository to lowercase before using in image tags. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Dockerfile for reputation-oracle with TDX measurement build args - Create build-reputation-oracle.yml workflow that automatically builds reputation oracle with baked-in measurements from recording oracle releases - Modify tdx-measure-recording-oracle.yml to trigger reputation oracle build via repository_dispatch after creating a release
posix4e
force-pushed
the
fix/reputation-oracle-server-startup
branch
2 times, most recently
from
bb1f56a to
19b38d7
Compare
- Add required environment variables (WEB3_PRIVATE_KEY, S3_ACCESS_KEY, S3_SECRET_KEY, RPC_URL_ETHEREUM) for container startup - Improve wait loop with container health check and failure logging - Container was failing silently; now properly detects crashes and outputs logs for debugging qgs vsock based
posix4e
force-pushed
the
fix/reputation-oracle-server-startup
branch
from
19b38d7 to
6ee8ee9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue tracking
Context behind the change
How has this been tested?
Release plan
Potential risks; What to monitor; Rollback plan