feat: auto detect tee env on issuer side

Frieder Paape · Frieder Paape · commit 86f62127902b · 2025-02-03T17:26:21.000+01:00
diff --git a/cmd/proxy-client/main.go b/cmd/proxy-client/main.go
@@ -45,8 +45,8 @@ var flags []cli.Flag = []cli.Flag{
 	},
 	&cli.StringFlag{
 		Name:  "client-attestation-type",
-		Value: string(proxy.AttestationNone),
-		Usage: "type of attestation to present (" + proxy.AvailableAttestationTypes + ")",
+		Value: "auto",
+		Usage: "type of attestation to present (" + proxy.AvailableAttestationTypes + "). If not set, automatically detected.",
 	},
 	&cli.BoolFlag{
 		Name:  "log-json",
diff --git a/cmd/proxy-server/main.go b/cmd/proxy-server/main.go
@@ -40,8 +40,8 @@ var flags []cli.Flag = []cli.Flag{
 	&cli.StringFlag{
 		Name:    "server-attestation-type",
 		EnvVars: []string{"SERVER_ATTESTATION_TYPE"},
-		Value:   string(proxy.AttestationAzureTDX),
-		Usage:   "type of attestation to present (" + proxy.AvailableAttestationTypes + ")",
+		Value:   "auto",
+		Usage:   "type of attestation to present (" + proxy.AvailableAttestationTypes + "). If not set, automatically detected.",
 	},
 	&cli.StringFlag{
 		Name:    "tls-certificate-path",
diff --git a/proxy/atls_config.go b/proxy/atls_config.go
@@ -24,16 +24,19 @@ type AttestationType string
 
 const (
 	AttestationNone     AttestationType = "none"
+	AttestationAuto     AttestationType = "auto"
 	AttestationAzureTDX AttestationType = "azure-tdx"
 	AttestationDCAPTDX  AttestationType = "dcap-tdx"
 )
 
-const AvailableAttestationTypes string = "none, azure-tdx, dcap-tdx"
+const AvailableAttestationTypes string = "none, auto, azure-tdx, dcap-tdx"
 
 func ParseAttestationType(attestationType string) (AttestationType, error) {
 	switch attestationType {
 	case string(AttestationNone):
 		return AttestationNone, nil
+	case string(AttestationAuto):
+		return AttestationAuto, nil
 	case string(AttestationAzureTDX):
 		return AttestationAzureTDX, nil
 	case string(AttestationDCAPTDX):
@@ -56,7 +59,31 @@ func CreateAttestationIssuer(log *slog.Logger, attestationType AttestationType)
 	}
 }
 
+// DetectAttestationType determines the attestation type based on environment
+func DetectAttestationType() AttestationType {
+	// Check for TDX device files - these indicate DCAP TDX
+	_, tdxErr1 := os.Stat("/dev/tdx-guest")
+	_, tdxErr2 := os.Stat("/dev/tdx_guest")
+	if tdxErr1 == nil || tdxErr2 == nil {
+		return AttestationDCAPTDX
+	}
+
+	// Try Azure TDX attestation - if it works, we're in Azure TDX
+	issuer := azure_tdx.NewIssuer(nil) // nil logger for detection
+	_, err := issuer.Issue(context.Background(), []byte("test"), []byte("test"))
+	if err == nil {
+		return AttestationAzureTDX
+	}
+
+	return AttestationNone
+}
+
 func CreateAttestationValidators(log *slog.Logger, attestationType AttestationType, jsonMeasurementsPath string) ([]atls.Validator, error) {
+	if attestationType == AttestationAuto {
+                attestationType = DetectAttestationType()
+		log.With("detected_attestation", attestationType).Info("Auto-detected attestation type")
+        }
+
 	if attestationType == AttestationNone {
 		return nil, nil
 	}
