veraison · setrofim · Jan 14, 2026 · Jan 27, 2026 · Jan 27, 2026
diff --git a/.gitignore b/.gitignore
@@ -21,6 +21,8 @@ __generated__
 __pycache__
 __debug_bin*
 management/cmd/management-service/management-service
+coserv/cmd/coserv-service/coserv-service
+__build*
 
 # Test binary, built with `go test -c`
 *.test

diff --git a/.golangci.yml b/.golangci.yml
@@ -1,2 +1,21 @@
 run:
-  go: '1.18'
+  go: "1.18"
+linters:
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/Makefile b/Makefile
@@ -1,13 +1,6 @@
-# Copyright 2021-2025 Contributors to the Veraison project.
+# Copyright 2021-2026 Contributors to the Veraison project.
 # SPDX-License-Identifier: Apache-2.0
 
-export TOPDIR := $(dir $(realpath $(lastword $(MAKEFILE_LIST))))
-
-# There will be one plugin built for each scheme. Removing this definition will
-# cause a separate plugin to be built for each handler interface (endorsement,
-# store, and verification), resulting in three plugins per scheme.
-export COMBINED_PLUGINS = 1
-
 SHELL = /bin/bash
 
 SUBDIR += builtin
@@ -55,6 +48,12 @@ IGNORE_COVERAGE += github.com/veraison/services/coserv/cmd/coserv-service
 IGNORE_COVERAGE += github.com/veraison/services/scheme/amd-kds-coserv
 IGNORE_COVERAGE += github.com/veraison/services/scheme/nvidia-coserv
 IGNORE_COVERAGE += github.com/veraison/services/scheme/arm-cca
+IGNORE_COVERAGE += github.com/veraison/services/scheme/parsec-cca
+IGNORE_COVERAGE += github.com/veraison/services/scheme/parsec-tpm
+IGNORE_COVERAGE += github.com/veraison/services/scheme/psa-iot
+IGNORE_COVERAGE += github.com/veraison/services/scheme/riot
+IGNORE_COVERAGE += github.com/veraison/services/scheme/sevsnp
+IGNORE_COVERAGE += github.com/veraison/services/scheme/tpm-enacttrust
 
 include mk/cover.mk
 

diff --git a/auth/keycloak.go b/auth/keycloak.go
@@ -1,10 +1,10 @@
-// Copyright 2023-2024 Contributors to the Veraison project.
+// Copyright 2023-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package auth
 
 import (
-	"crypto/x509"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
@@ -20,11 +20,11 @@ import (
 )
 
 type keycloakCfg struct {
-	Backend   string   `mapstructure:"backend"`
-	Host      string   `mapstructure:"host"`
-	Port      string   `mapstructure:"port"`
-	Realm     string   `mapstructure:"realm"`
-	CACert  string   `mapstructure:"ca-cert"`
+	Backend string `mapstructure:"backend"`
+	Host    string `mapstructure:"host"`
+	Port    string `mapstructure:"port"`
+	Realm   string `mapstructure:"realm"`
+	CACert  string `mapstructure:"ca-cert"`
 }
 
 type KeycloakAuthorizer struct {
@@ -43,9 +43,9 @@ func (o *KeycloakAuthorizer) Init(v *viper.Viper, logger *zap.SugaredLogger) err
 	flag.Parse()
 
 	cfg := keycloakCfg{
-		Host:  "localhost",
-		Port:  "11111",
-		Realm: "veraison",
+		Host:   "localhost",
+		Port:   "11111",
+		Realm:  "veraison",
 		CACert: "[unset]",
 	}
 

diff --git a/builtin/builtin_loader.go b/builtin/builtin_loader.go
@@ -1,4 +1,4 @@
-// Copyright 2023-2025 Contributors to the Veraison project.
+// Copyright 2023-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package builtin
 
@@ -52,6 +52,19 @@ func (o *BuiltinLoader) GetRegisteredMediaTypes() []string {
 	return mediaTypes
 }
 
+func (o *BuiltinLoader) GetRegisteredMediaTypesByCategory(category string) []string {
+	var mediaTypes []string // nolint:prealloc
+
+	for _, pluggable := range o.loadedByMediaType {
+		mts, ok := pluggable.GetSupportedMediaTypes()[category]
+		if ok {
+			mediaTypes = append(mediaTypes, mts...)
+		}
+	}
+
+	return mediaTypes
+}
+
 func DiscoverBuiltin[I plugin.IPluggable]() error {
 	return DiscoverBuiltinUsing[I](defaultBuiltinLoader)
 }
@@ -71,15 +84,17 @@ func DiscoverBuiltinUsing[I plugin.IPluggable](loader *BuiltinLoader) error {
 		loader.logger.Debugw("found plugin", "name", name)
 		loader.loadedByName[name] = p
 
-		for _, mt := range p.GetSupportedMediaTypes() {
-			if existing, ok := loader.loadedByMediaType[mt]; ok {
-				loader.logger.Panicw("media type handled by two plugins",
-					"media-type", mt,
-					"plugin1", existing.GetName(), "plugin2", name)
-			}
+		for _, mts := range p.GetSupportedMediaTypes() {
+			for _, mt := range mts {
+				if existing, ok := loader.loadedByMediaType[mt]; ok {
+					loader.logger.Panicw("media type handled by two plugins",
+						"media-type", mt,
+						"plugin1", existing.GetName(), "plugin2", name)
+				}
 
-			loader.logger.Debugw("media type handled", "media-type", mt, "name", name)
-			loader.loadedByMediaType[mt] = p
+				loader.logger.Debugw("media type handled", "media-type", mt, "name", name)
+				loader.loadedByMediaType[mt] = p
+			}
 		}
 	}
 

diff --git a/builtin/builtin_manager.go b/builtin/builtin_manager.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Contributors to the Veraison project.
+// Copyright 2023-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package builtin
 
@@ -73,15 +73,30 @@ func (o *BuiltinManager[I]) IsRegisteredMediaType(mediaType string) bool {
 func (o *BuiltinManager[I]) GetRegisteredMediaTypes() []string {
 	var registeredMediatTypes []string
 
-	for mtName, mt := range o.loader.loadedByMediaType {
-		if _, ok := mt.(I); ok {
+	for mtName, pc := range o.loader.loadedByMediaType {
+		if _, ok := pc.(I); ok {
 			registeredMediatTypes = append(registeredMediatTypes, mtName)
 		}
 	}
 
 	return registeredMediatTypes
 }
 
+func (o *BuiltinManager[I]) GetRegisteredMediaTypesByCategory(category string) []string {
+	var registeredMediatTypes []string
+
+	for _, pc := range o.loader.loadedByName {
+		if pluggable, ok := pc.(I); ok {
+			mts, ok := pluggable.GetSupportedMediaTypes()[category]
+			if ok {
+				registeredMediatTypes = append(registeredMediatTypes, mts...)
+			}
+		}
+	}
+
+	return registeredMediatTypes
+}
+
 func (o *BuiltinManager[I]) GetRegisteredAttestationSchemes() []string {
 	return GetBuiltinLoadedAttestationSchemes[I](o.loader)
 }

diff --git a/builtin/schemes.go b/builtin/schemes.go
@@ -1,38 +1,30 @@
-// Copyright 2022-2025 Contributors to the Veraison project.
+// Copyright 2022-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package builtin
 
 import (
+	"github.com/veraison/services/handler"
 	"github.com/veraison/services/plugin"
 
-	scheme8 "github.com/veraison/services/scheme/amd-kds-coserv"
+	scheme9 "github.com/veraison/services/scheme/amd-kds-coserv"
 	scheme3 "github.com/veraison/services/scheme/arm-cca"
-	scheme7 "github.com/veraison/services/scheme/nvidia-coserv"
+	scheme8 "github.com/veraison/services/scheme/nvidia-coserv"
 	scheme1 "github.com/veraison/services/scheme/parsec-cca"
 	scheme5 "github.com/veraison/services/scheme/parsec-tpm"
 	scheme6 "github.com/veraison/services/scheme/psa-iot"
 	scheme2 "github.com/veraison/services/scheme/riot"
+	scheme7 "github.com/veraison/services/scheme/sevsnp"
 	scheme4 "github.com/veraison/services/scheme/tpm-enacttrust"
 )
 
 var plugins = []plugin.IPluggable{
-	&scheme1.EvidenceHandler{},
-	&scheme1.EndorsementHandler{},
-	&scheme1.StoreHandler{},
-	&scheme2.EvidenceHandler{},
-	&scheme2.StoreHandler{},
-	&scheme3.EvidenceHandler{},
-	&scheme3.EndorsementHandler{},
-	&scheme3.StoreHandler{},
-	&scheme4.EvidenceHandler{},
-	&scheme4.EndorsementHandler{},
-	&scheme4.StoreHandler{},
-	&scheme5.EvidenceHandler{},
-	&scheme5.EndorsementHandler{},
-	&scheme5.StoreHandler{},
-	&scheme6.EvidenceHandler{},
-	&scheme6.EndorsementHandler{},
-	&scheme6.StoreHandler{},
-	&scheme7.CoservProxyHandler{},
+	handler.MustNewSchemeImplementationWrapper(scheme1.Descriptor, scheme1.NewImplementation()),
+	handler.MustNewSchemeImplementationWrapper(scheme2.Descriptor, scheme2.NewImplementation()),
+	handler.MustNewSchemeImplementationWrapper(scheme3.Descriptor, scheme3.NewImplementation()),
+	handler.MustNewSchemeImplementationWrapper(scheme4.Descriptor, scheme4.NewImplementation()),
+	handler.MustNewSchemeImplementationWrapper(scheme5.Descriptor, scheme5.NewImplementation()),
+	handler.MustNewSchemeImplementationWrapper(scheme6.Descriptor, scheme6.NewImplementation()),
+	handler.MustNewSchemeImplementationWrapper(scheme7.Descriptor, scheme7.NewImplementation()),
 	&scheme8.CoservProxyHandler{},
+	&scheme9.CoservProxyHandler{},
 }
diff --git a/coserv/test-harness/amd.sh b/coserv/test-harness/amd.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+# Copyright 2026 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
 
 set -o pipefail
 set -eu

diff --git a/coserv/test-harness/nvidia.sh b/coserv/test-harness/nvidia.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+# Copyright 2026 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
 
 set -o pipefail
 set -eu

diff --git a/coserv/test-harness/query.sh b/coserv/test-harness/query.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+# Copyright 2026 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
 
 set -o pipefail
 set -eu

diff --git a/deployments/aws/bin/veraison b/deployments/aws/bin/veraison
@@ -1,4 +1,6 @@
 #!/usr/bin/env python
+# Copyright 2026 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
 # pyright: reportOptionalMemberAccess=false
 # pyright: reportOptionalSubscript=false
 # pyright: reportOperatorIssue=false
@@ -18,6 +20,7 @@ import socket
 import stat
 import string
 import sys
+import tempfile
 import time
 from asyncio.subprocess import Process, PIPE
 from collections import defaultdict
@@ -1503,13 +1506,28 @@ class CreateSentinelImageCommand(BaseCommand):
                 '../misc/sentinel-commands',
             )),
         )
+        parser.add_argument(
+            '-P', '--package',
+            default='github.com/veraison/corim-store/cmd/corim-store',
+        )
+        parser.add_argument( '-R', '--rev', default='9e4ba68b')
         parser.add_argument('-T', '--instance-type')
 
     def run(self, args):
-        command_create_image(self, args, 'sentinel',
-                             {
-                                 'command_dispatcher_path': args.dispatcher,
-                             })
+        dir = tempfile.mkdtemp()
+        try: 
+            run_in_shell(f"GOBIN={dir} go install {args.package}@{args.rev}", args.verbose)
+            path = os.path.join(dir, 'corim-store')
+            self.logger.debug(f'installed corim-store: {path}')
+
+            command_create_image(self, args, 'sentinel',
+                                 {
+                                     'corim_store_exe_path': path,
+                                     'command_dispatcher_path': args.dispatcher,
+                                 })
+        finally:
+            self.logger.debug(f'deleting: {dir}')
+            shutil.rmtree(dir)
 
 
 class DeleteImageCommand(BaseCommand):

diff --git a/deployments/aws/deployment.sh b/deployments/aws/deployment.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+# Copyright 2026 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
 set -ueo pipefail
 
 _error='\e[0;31mERROR\e[0m'