Skip to content

attested-get: add support for dcap-tdx, and use auto detection mode by default #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+34 −15
Open

attested-get: add support for dcap-tdx, and use auto detection mode by default #45

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8f9b092
attested-get dcap-tdx support
metachris Nov 12, 2025
1e7aa92
simplify (thx copilot)
metachris Nov 12, 2025
71ff6bd
also allow 'auto' attestation mode
metachris Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 34 additions & 15 deletions cmd/attested-get/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ package main
// Make a HTTP GET request over a TEE-attested connection (to a server with aTLS support),
// and print the verified measurements and the response payload.
//
// Currently only works for Azure TDX but is straight-forward to expand.
// Currently supports Azure TDX and DCAP TDX attestation.
//
// Usage:
//
Expand Down Expand Up @@ -37,6 +37,7 @@ import (
"fmt"
"io"
"log"
"log/slog"
"net/http"
"os"
"strings"
Expand All @@ -50,6 +51,7 @@ import (
"github.com/flashbots/cvm-reverse-proxy/internal/config"
"github.com/flashbots/cvm-reverse-proxy/multimeasurements"
"github.com/flashbots/cvm-reverse-proxy/proxy"
dcap_tdx "github.com/flashbots/cvm-reverse-proxy/tdx"
"github.com/urfave/cli/v2" // imports as package "cli"
)

Expand All @@ -70,9 +72,9 @@ var flags []cli.Flag = []cli.Flag{
Usage: "Output file for the response payload",
},
&cli.StringFlag{
Name: "attestation-type", // TODO: Add support for other attestation types
Value: string(proxy.AttestationAzureTDX),
Usage: "type of attestation to present (currently only azure-tdx)",
Name: "attestation-type",
Value: string(proxy.AttestationAuto),
Usage: "type of attestation to present (auto, azure-tdx, or dcap-tdx)",
},
&cli.StringFlag{
Name: "expected-measurements",
Expand Down Expand Up @@ -105,6 +107,23 @@ func main() {
}
}

// createAzureTDXValidator creates an Azure TDX validator without required measurements
func createAzureTDXValidator(log *slog.Logger, overrideAzurev6Tcbinfo bool) atls.Validator {
attConfig := config.DefaultForAzureTDX()
attConfig.SetMeasurements(measurements.M{})
Comment on lines +112 to +113
Copy link
Member

@MoeMahhouk MoeMahhouk Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would this also work as you did below for QEMUTDX? something like config.AzureTDX{Measurements: measurements.M{}}

validator := azure_tdx.NewValidator(attConfig, proxy.AttestationLogger{Log: log})
if overrideAzurev6Tcbinfo {
azure_tcbinfo_override.OverrideAzureValidatorsForV6SEAMLoader(log, []atls.Validator{validator})
}
return validator
}

// createDCAPTDXValidator creates a DCAP TDX validator without required measurements
func createDCAPTDXValidator(log *slog.Logger) atls.Validator {
attConfig := &config.QEMUTDX{Measurements: measurements.M{}}
return dcap_tdx.NewValidator(attConfig, proxy.AttestationLogger{Log: log})
}

func runClient(cCtx *cli.Context) (err error) {
logDebug := cCtx.Bool("log-debug")
addr := cCtx.String("addr")
Expand Down Expand Up @@ -137,17 +156,17 @@ func runClient(cCtx *cli.Context) (err error) {
var validators []atls.Validator
switch attestationType {
case proxy.AttestationAzureTDX:
// Prepare an azure-tdx validator without any required measurements
attConfig := config.DefaultForAzureTDX()
attConfig.SetMeasurements(measurements.M{})
validator := azure_tdx.NewValidator(attConfig, proxy.AttestationLogger{Log: log})
if overrideAzurev6Tcbinfo {
azure_tcbinfo_override.OverrideAzureValidatorsForV6SEAMLoader(log, []atls.Validator{validator})
}
validators = append(validators, validator)
validators = append(validators, createAzureTDXValidator(log, overrideAzurev6Tcbinfo))
case proxy.AttestationDCAPTDX:
validators = append(validators, createDCAPTDXValidator(log))
case proxy.AttestationAuto:
// In auto mode, add all validators to support any attestation type
log.Info("Auto mode: creating validators for all supported attestation types")
validators = append(validators, createAzureTDXValidator(log, overrideAzurev6Tcbinfo))
validators = append(validators, createDCAPTDXValidator(log))
Comment on lines +162 to +166
Copy link
Member

@MoeMahhouk MoeMahhouk Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would this mean that it would try to verify with all validators and see which ones passes?
Would it errors if any of the validators returns an error? or would it just continue with the next one until one passes?
Just checking in case it would result in the same error one would encounter when it is not validating for the correct platform

default:
log.Error("currently only azure-tdx attestation is supported")
return errors.New("currently only azure-tdx attestation is supported")
log.Error("unsupported attestation type, see --help for available options")
return errors.New("unsupported attestation type")
}

// Load expected measurements from file or URL (if provided)
Expand Down Expand Up @@ -188,7 +207,7 @@ func runClient(cCtx *cli.Context) (err error) {
}

// Extract the aTLS variant and measurements from the TLS connection
atlsVariant, extractedMeasurements, err := proxy.GetMeasurementsFromTLS(resp.TLS.PeerCertificates, []asn1.ObjectIdentifier{variant.AzureTDX{}.OID()})
atlsVariant, extractedMeasurements, err := proxy.GetMeasurementsFromTLS(resp.TLS.PeerCertificates, []asn1.ObjectIdentifier{variant.AzureTDX{}.OID(), variant.QEMUTDX{}.OID()})
if err != nil {
log.Error("Error in getMeasurementsFromTLS", "err", err)
return err
Expand Down