@@ -4,7 +4,7 @@ package main
44// Make a HTTP GET request over a TEE-attested connection (to a server with aTLS support),
55// and print the verified measurements and the response payload.
66//
7- // Currently only works for Azure TDX but is straight-forward to expand .
7+ // Currently supports Azure TDX and DCAP TDX attestation .
88//
99// Usage:
1010//
@@ -37,6 +37,7 @@ import (
3737 "fmt"
3838 "io"
3939 "log"
40+ "log/slog"
4041 "net/http"
4142 "os"
4243 "strings"
@@ -50,6 +51,7 @@ import (
5051 "github.com/flashbots/cvm-reverse-proxy/internal/config"
5152 "github.com/flashbots/cvm-reverse-proxy/multimeasurements"
5253 "github.com/flashbots/cvm-reverse-proxy/proxy"
54+ dcap_tdx "github.com/flashbots/cvm-reverse-proxy/tdx"
5355 "github.com/urfave/cli/v2" // imports as package "cli"
5456)
5557
@@ -70,9 +72,9 @@ var flags []cli.Flag = []cli.Flag{
7072 Usage : "Output file for the response payload" ,
7173 },
7274 & cli.StringFlag {
73- Name : "attestation-type" , // TODO: Add support for other attestation types
74- Value : string (proxy .AttestationAzureTDX ),
75- Usage : "type of attestation to present (currently only azure-tdx)" ,
75+ Name : "attestation-type" ,
76+ Value : string (proxy .AttestationAuto ),
77+ Usage : "type of attestation to present (auto, azure-tdx, or dcap -tdx)" ,
7678 },
7779 & cli.StringFlag {
7880 Name : "expected-measurements" ,
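Review bot: The new default `proxy.AttestationAuto` makes the client accept whichever supported attestation type the server presents, which is the most permissive setting, but the Usage string on the `attestation-type` flag does not say so. The header comment describes this client as verifying a server's aTLS attestation, so "present" also reads as if the client sends one; I would change the line to `Usage: "type of attestation to accept: auto (any supported type), azure-tdx, or dcap-tdx",`. Operators who want to pin a single platform then know they must pass the flag explicitly. The flags slice continues outside the hunk.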
@@ -111,6 +113,24 @@ func main() {
111113 }
112114}
113115
116+ // createAzureTDXValidator creates an Azure TDX validator without required measurements
117+ func createAzureTDXValidator (log * slog.Logger , overrideAzurev6Tcbinfo bool , verifyAKCertificate bool ) atls.Validator {
118+ attConfig := config .DefaultForAzureTDX ()
119+ attConfig .SetMeasurements (measurements.M {})
120+ validator := azure_tdx .NewValidator (attConfig , proxy.AttestationLogger {Log : log })
121+ validator .SetVerifyAKCertificate (verifyAKCertificate )
122+ if overrideAzurev6Tcbinfo {
123+ azure_tcbinfo_override .OverrideAzureValidatorsForV6SEAMLoader (log , []atls.Validator {validator })
124+ }
125+ return validator
126+ }
127+
128+ // createDCAPTDXValidator creates a DCAP TDX validator without required measurements
129+ func createDCAPTDXValidator (log * slog.Logger ) atls.Validator {
130+ attConfig := & config.QEMUTDX {Measurements : measurements.M {}}
131+ return dcap_tdx .NewValidator (attConfig , proxy.AttestationLogger {Log : log })
132+ }
133+
114134func runClient (cCtx * cli.Context ) (err error ) {
115135 logDebug := cCtx .Bool ("log-debug" )
116136 addr := cCtx .String ("addr" )
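Review bot: Both new helpers name their first parameter `log`, which shadows the `log` package this file imports next to `log/slog`; runClient already uses `log` for a local logger, so this follows the file's pattern, but in a fresh signature `logger *slog.Logger` avoids the shadowing at no cost, e.g. `func createDCAPTDXValidator(logger *slog.Logger) atls.Validator {`. Separately, the DCAP config is a bare literal `&config.QEMUTDX{Measurements: measurements.M{}}` while the Azure path starts from `config.DefaultForAzureTDX()`; if a QEMU/DCAP default constructor exists, starting from it would keep any non-measurement defaults instead of zero values — worth confirming. The doc comments could also say that the empty `measurements.M{}` means these validators accept any measurements at handshake time, with enforcement presumably left to the expected-measurements check later in runClient.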
@@ -144,18 +164,17 @@ func runClient(cCtx *cli.Context) (err error) {
144164 var validators []atls.Validator
145165 switch attestationType {
146166 case proxy .AttestationAzureTDX :
147- // Prepare an azure-tdx validator without any required measurements
148- attConfig := config .DefaultForAzureTDX ()
149- attConfig .SetMeasurements (measurements.M {})
150- validator := azure_tdx .NewValidator (attConfig , proxy.AttestationLogger {Log : log })
151- validator .SetVerifyAKCertificate (verifyAKCertificate )
152- if overrideAzurev6Tcbinfo {
153- azure_tcbinfo_override .OverrideAzureValidatorsForV6SEAMLoader (log , []atls.Validator {validator })
154- }
155- validators = append (validators , validator )
167+ validators = append (validators , createAzureTDXValidator (log , overrideAzurev6Tcbinfo , verifyAKCertificate ))
168+ case proxy .AttestationDCAPTDX :
169+ validators = append (validators , createDCAPTDXValidator (log ))
170+ case proxy .AttestationAuto :
171+ // In auto mode, add all validators to support any attestation type
172+ log .Info ("Auto mode: creating validators for all supported attestation types" )
173+ validators = append (validators , createAzureTDXValidator (log , overrideAzurev6Tcbinfo , verifyAKCertificate ))
174+ validators = append (validators , createDCAPTDXValidator (log ))
156175 default :
157- log .Error ("currently only azure-tdx attestation is supported " )
158- return errors .New ("currently only azure-tdx attestation is supported " )
176+ log .Error ("unsupported attestation type, see --help for available options " )
177+ return errors .New ("unsupported attestation type " )
159178 }
160179
161180 // Load expected measurements from file or URL (if provided)
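Review bot: The default branch reports `unsupported attestation type` without the value that was rejected, so an operator with a typo in `--attestation-type` gets no hint of what was read; `fmt` is already imported, so `return fmt.Errorf("unsupported attestation type %q, see --help for available options", attestationType)` would carry it, and the preceding log.Error call can take `"type", attestationType` as well. In auto mode the switch appends both validators; whether the expected-measurements file loaded after the switch must then contain entries for both variants is not visible here and deserves a sentence in the `AttestationAuto` comment. runClient's body continues outside the hunk.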
@@ -196,7 +215,7 @@ func runClient(cCtx *cli.Context) (err error) {
196215 }
197216
198217 // Extract the aTLS variant and measurements from the TLS connection
199- atlsVariant , extractedMeasurements , err := proxy .GetMeasurementsFromTLS (resp .TLS .PeerCertificates , []asn1.ObjectIdentifier {variant.AzureTDX {}.OID ()})
218+ atlsVariant , extractedMeasurements , err := proxy .GetMeasurementsFromTLS (resp .TLS .PeerCertificates , []asn1.ObjectIdentifier {variant.AzureTDX {}.OID (), variant. QEMUTDX {}. OID () })
200219 if err != nil {
201220 log .Error ("Error in getMeasurementsFromTLS" , "err" , err )
202221 return err
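Review bot: The OID list passed to `GetMeasurementsFromTLS` now hard-codes both `variant.AzureTDX` and `variant.QEMUTDX` regardless of the `--attestation-type` chosen earlier in runClient, so the accepted-variant set is maintained in two places (the validator switch and this call). Building the `[]asn1.ObjectIdentifier` in the same switch that builds `validators` would keep the two in step when a third type is added, and would presumably let an explicit `azure-tdx` selection reject a certificate carrying only the QEMU TDX OID at extraction time as well as at handshake time, if that is the intent. runClient's body continues outside the hunk.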