agent

package module
v0.0.0-...-f1c346c

This package is not in the latest version of its module.
Published: Apr 29, 2026 License: Apache-2.0, BSD-2-Clause Imports: 29 Imported by: 0

Documentation

Overview

Package agent coordinates the communication between the TPM and the remote attestation service. It handles:

  • All TPM-related functionality (quotes, logs, certs, etc...)
  • Fetching the relevant principal ID tokens
  • Calling VerifyAttestation on the remote service

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AttestAgentOpts

type AttestAgentOpts struct {
	TokenOptions *models.TokenOptions
	*DeviceReportOpts
}

AttestAgentOpts contains the user-supplied options for a VerifyAttestation call (token options for the principal ID tokens, plus the embedded DeviceReportOpts).

type AttestationAgent

type AttestationAgent interface {
	MeasureEvent(gecel.Content) error
	Attest(context.Context, AttestAgentOpts) ([]byte, error)
	AttestWithClient(ctx context.Context, opts AttestAgentOpts, client verifier.Client) ([]byte, error)
	AttestationEvidence(ctx context.Context, challenge []byte, extraData []byte, opts AttestAgentOpts) (*attestationpb.VmAttestation, error)
	Refresh(context.Context) error
	Close() error
}

AttestationAgent is an agent that interacts with GCE's Attestation Service to verify an attestation message. It is an interface rather than a concrete struct so that callers can substitute a fake implementation in tests.

func CreateAttestationAgent

func CreateAttestationAgent(tpm io.ReadWriteCloser, akFetcher util.TpmKeyFetcher, verifierClient verifier.Client, principalFetcher principalIDTokenFetcher, sigsFetcher SignatureFetcher, exps Experiments, logger Logger, deviceROTs []DeviceROT, signedImageRepos []string) (AttestationAgent, error)

CreateAttestationAgent returns an agent capable of performing remote attestation using the machine's (v)TPM to GCE's Attestation Service.

  • tpm is a handle to the TPM on the instance.
  • akFetcher is a func to fetch an attestation key: see go-tpm-tools/client.
  • verifierClient is the verifier.Client used to call VerifyAttestation (AttestWithClient lets a caller pass a different client for a single call).
  • principalFetcher is a func to fetch GCE principal tokens for a given audience.
  • sigsFetcher is a func to fetch container image signatures associated with the running workload (the upstream doc comment calls this parameter signaturesFetcher).
  • exps holds the Experiments flags.
  • logger will log any partial errors returned by VerifyAttestation.
  • deviceROTs are the attached devices from which attestations are collected (see DeviceROT).
  • signedImageRepos lists the repositories whose image signatures are fetched through sigsFetcher.

type DeviceROT

type DeviceROT interface {
	// Attest fetches an attestation from the attached device detected by launcher.
	Attest(nonce []byte) (any, error)
}

DeviceROT defines an interface for all attached devices to collect attestation.
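The DeviceROT contract only says that a device takes a nonce and returns some attestation. The security-relevant part of that contract is that the nonce binds the report to this attestation run, so a report captured earlier cannot be replayed, and that one unresponsive device should not discard evidence from the others (the agent's Logger exists to record such partial errors). The program below is an added illustration of that pattern and is not code from go-tpm-tools: the DeviceROT and Logger interfaces are copied from this page, while fakeDevice, DeviceReport, CollectDeviceReports and VerifyDeviceReport are hypothetical names, and the HMAC-over-nonce report is a constructed stand-in for a real device's signed report.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// DeviceROT mirrors the interface declared on this page: an attached device
// that produces an attestation bound to a caller-supplied nonce.
type DeviceROT interface {
	Attest(nonce []byte) (any, error)
}

// Logger mirrors the page's Logger interface.
type Logger interface {
	Info(msg string, args ...any)
	Error(msg string, args ...any)
}

// DeviceReport is a constructed toy report format (not the project's wire
// format): the echoed nonce plus an HMAC over it under a per-device key.
type DeviceReport struct {
	DeviceID string
	Nonce    []byte
	MAC      []byte
}

// fakeDevice is a hypothetical DeviceROT whose root of trust is a symmetric
// key; a real device would sign with a vendor-certified attestation key.
type fakeDevice struct {
	id   string
	key  []byte
	fail error // non-nil makes Attest fail, to exercise partial failure
}

func (d *fakeDevice) Attest(nonce []byte) (any, error) {
	if d.fail != nil {
		return nil, d.fail
	}
	return &DeviceReport{
		DeviceID: d.id,
		Nonce:    append([]byte(nil), nonce...), // copy, so the caller cannot mutate it later
		MAC:      mac(d.key, nonce),
	}, nil
}

func mac(key, nonce []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(nonce)
	return h.Sum(nil)
}

// CollectDeviceReports asks every attached device for a nonce-bound report.
// A device that fails is logged and skipped so the remaining evidence still
// reaches the verifier; the caller is told how many devices were skipped.
func CollectDeviceReports(nonce []byte, rots []DeviceROT, logger Logger) (reports []any, skipped int) {
	for i, rot := range rots {
		r, err := rot.Attest(nonce)
		if err != nil {
			skipped++
			logger.Error("device attestation failed", "device", i, "err", err)
			continue
		}
		reports = append(reports, r)
	}
	logger.Info("collected device reports", "ok", len(reports), "skipped", skipped)
	return reports, skipped
}

// VerifyDeviceReport is the verifier-side check for the toy format: the report
// must carry exactly this challenge's nonce (freshness, defeats replay of an
// old report) and a valid MAC under the device key (authenticity).
func VerifyDeviceReport(r any, nonce, key []byte) error {
	rep, ok := r.(*DeviceReport)
	if !ok {
		return errors.New("unexpected report type")
	}
	if !bytes.Equal(rep.Nonce, nonce) {
		return fmt.Errorf("nonce mismatch for %s: replayed report?", rep.DeviceID)
	}
	if !hmac.Equal(rep.MAC, mac(key, nonce)) {
		return fmt.Errorf("bad MAC for %s", rep.DeviceID)
	}
	return nil
}

type stdLogger struct{}

func (stdLogger) Info(msg string, args ...any)  { log.Println("INFO", msg, args) }
func (stdLogger) Error(msg string, args ...any) { log.Println("ERROR", msg, args) }

func main() {
	gpuKey := []byte("constructed-gpu-key") // constructed sample key
	rots := []DeviceROT{
		&fakeDevice{id: "gpu0", key: gpuKey},
		&fakeDevice{id: "gpu1", key: []byte("other-key"), fail: errors.New("device not responding")},
	}
	nonce := []byte("challenge-from-verifier-1") // constructed sample nonce
	reports, skipped := CollectDeviceReports(nonce, rots, stdLogger{})
	fmt.Println("reports:", len(reports), "skipped:", skipped)
	fmt.Println("fresh nonce:", VerifyDeviceReport(reports[0], nonce, gpuKey))
	fmt.Println("stale nonce:", VerifyDeviceReport(reports[0], []byte("challenge-from-verifier-2"), gpuKey))
}
```

Note the design choice in CollectDeviceReports: a failing device is reported through the logger and counted, not turned into a hard error, which matches the page's statement that the logger records partial errors; whether missing device evidence is acceptable is then a policy decision for the verifier, not something the agent silently decides.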

type DeviceReportOpts

type DeviceReportOpts struct {
	EnableRuntimeGPUAttestation bool
}

DeviceReportOpts contains options for runtime device attestations.

type Experiments

type Experiments struct {
	// EnableGpuGcaSupport enables the GPU attestation.
	EnableGpuGcaSupport bool
	// EnableAttestationEvidence enables the attestation evidence endpoint.
	EnableAttestationEvidence bool
}

Experiments contains the experiment flags for the AttestationAgent.

type Logger

type Logger interface {
	Info(msg string, args ...any)
	Error(msg string, args ...any)
}

Logger defines the interface for the agent logger.

type SignatureFetcher

type SignatureFetcher interface {
	FetchImageSignatures(ctx context.Context, targetRepository string) ([]oci.Signature, error)
}

SignatureFetcher defines the interface for fetching container image signatures.
