From 4b210ff8513017e24682bff5b0adb1196ebb65eb Mon Sep 17 00:00:00 2001
From: augustuswm
Date: Tue, 21 Apr 2026 09:43:00 -0500
Subject: [PATCH 1/4] Add project and silo ids to vm instance data
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 bin/propolis-server/src/lib/initializer.rs | 4 +++-
 lib/propolis/src/attestation/server.rs | 11 ++++++++---
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index c6320d360..b090f08fa 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -10090,7 +10090,7 @@ dependencies = [
 [[package]]
 name = "vm-attest"
 version = "0.1.0"
-source = "git+https://github.com/oxidecomputer/vm-attest?rev=2cdd17580a4fc6c871d24797016af8dbaac9421d#2cdd17580a4fc6c871d24797016af8dbaac9421d"
+source = "git+https://github.com/oxidecomputer/vm-attest?rev=acd6ca808d3b081d89b713d64dbce14ba7a50aec#acd6ca808d3b081d89b713d64dbce14ba7a50aec"
 dependencies = [
 "anyhow",
 "attest-data",
diff --git a/Cargo.toml b/Cargo.toml
index 83c87705c..ed005ed8f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -97,7 +97,7 @@ crucible-client-types = { git = "https://github.com/oxidecomputer/crucible", rev
 # Attestation
 dice-verifier = { git = "https://github.com/oxidecomputer/dice-util", rev = "1d3084b514389847e8e0f5d966d2be4f18d02d32", features = ["sled-agent"] }
-vm-attest = { git = "https://github.com/oxidecomputer/vm-attest", rev = "2cdd17580a4fc6c871d24797016af8dbaac9421d", default-features = false }
+vm-attest = { git = "https://github.com/oxidecomputer/vm-attest", rev = "acd6ca808d3b081d89b713d64dbce14ba7a50aec", default-features = false }
 # External dependencies
 anyhow = "1.0"
diff --git a/bin/propolis-server/src/lib/initializer.rs b/bin/propolis-server/src/lib/initializer.rs
index 89658c840..cd6088deb 100644
--- a/bin/propolis-server/src/lib/initializer.rs
+++ b/bin/propolis-server/src/lib/initializer.rs
@@ -700,6 +700,8 @@ impl MachineInitializer<'_> {
 vm_rot: &mut AttestationSock,
 ) -> Result<(), MachineInitError> {
 let uuid = self.properties.id;
+ let project = self.properties.metadata.project_id;
+ let silo = self.properties.metadata.silo_id;
 // The first boot entry is a key into `self.spec.disks`, which is how
 // we'll get to a Crucible volume backing this boot option.
@@ -781,7 +783,7 @@ impl MachineInitializer<'_> {
 None
 };
- vm_rot.prepare_instance_conf(uuid, boot_backend);
+ vm_rot.prepare_instance_conf(uuid, project, silo, boot_backend);
 Ok(())
 }
diff --git a/lib/propolis/src/attestation/server.rs b/lib/propolis/src/attestation/server.rs
index fb47e0c3f..1bfbc11e2 100644
--- a/lib/propolis/src/attestation/server.rs
+++ b/lib/propolis/src/attestation/server.rs
@@ -58,6 +58,8 @@ pub struct AttestationSockInit {
 log: slog::Logger,
 vm_conf_send: oneshot::Sender,
 uuid: uuid::Uuid,
+ project: uuid::Uuid,
+ silo: uuid::Uuid,
 boot_backend_ref: Option,
 }
@@ -65,10 +67,9 @@ impl AttestationSockInit {
 /// Do any any remaining work of collecting VM RoT measurements in support
 /// of this VM's attestation server.
 pub async fn run(self) {
- let AttestationSockInit { log, vm_conf_send, uuid, boot_backend_ref } =
- self;
+ let AttestationSockInit { log, vm_conf_send, uuid, project, silo, boot_backend_ref } = self;
- let mut vm_conf = vm_attest::VmInstanceConf { uuid, boot_digest: None };
+ let mut vm_conf = vm_attest::VmInstanceConf { uuid, project, silo, boot_digest: None };
 if let Some(digest_backend) = boot_backend_ref {
 let boot_digest = match crate::attestation::boot_digest::compute(
@@ -274,6 +275,8 @@ impl AttestationSock {
 pub fn prepare_instance_conf(
 &mut self,
 uuid: uuid::Uuid,
+ project: uuid::Uuid,
+ silo: uuid::Uuid,
 boot_backend_ref: Option,
 ) {
 let init_state = std::mem::replace(
@@ -292,6 +295,8 @@ impl AttestationSock {
 let init = AttestationSockInit {
 log: self.log.clone(),
 uuid,
+ project,
+ silo,
 boot_backend_ref,
 vm_conf_send,
 };
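Review bot: The two new bindings in the `@@ -700,6 +700,8 @@` hunk, `project` from `self.properties.metadata.project_id` and `silo` from `self.properties.metadata.silo_id`, end up in the attested `vm_attest::VmInstanceConf` (see the server.rs hunks of this patch), but nothing at the read site says where those ids come from or how far a verifier may rely on them. No validation of either value is visible in this hunk, so they look to be taken as supplied in the instance metadata. A comment above the two lines, for example `// project/silo ids are bound into the attestation data exactly as given in the instance metadata; they are not checked here`, would keep that trust assumption visible. The enclosing function starts and ends outside the hunk.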
From 0a676d1ebcf896049b848dc1ef48273a04341313 Mon Sep 17 00:00:00 2001
From: augustuswm
Date: Tue, 21 Apr 2026 09:44:31 -0500
Subject: [PATCH 2/4] Fmt
---
 lib/propolis/src/attestation/server.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/propolis/src/attestation/server.rs b/lib/propolis/src/attestation/server.rs
index 1bfbc11e2..fbc3d1847 100644
--- a/lib/propolis/src/attestation/server.rs
+++ b/lib/propolis/src/attestation/server.rs
@@ -69,7 +69,12 @@ impl AttestationSockInit {
 pub async fn run(self) {
 let AttestationSockInit { log, vm_conf_send, uuid, project, silo, boot_backend_ref } = self;
- let mut vm_conf = vm_attest::VmInstanceConf { uuid, project, silo, boot_digest: None };
+ let mut vm_conf = vm_attest::VmInstanceConf {
+ uuid,
+ project,
+ silo,
+ boot_digest: None,
+ };
 if let Some(digest_backend) = boot_backend_ref {
 let boot_digest = match crate::attestation::boot_digest::compute(
From 23ce88146b1b91706b81cbaf0af13b858354ca7e Mon Sep 17 00:00:00 2001
From: augustuswm
Date: Tue, 21 Apr 2026 09:44:49 -0500
Subject: [PATCH 3/4] Format
---
 lib/propolis/src/attestation/server.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/propolis/src/attestation/server.rs b/lib/propolis/src/attestation/server.rs
index fbc3d1847..150797c62 100644
--- a/lib/propolis/src/attestation/server.rs
+++ b/lib/propolis/src/attestation/server.rs
@@ -67,7 +67,14 @@ impl AttestationSockInit {
 /// Do any any remaining work of collecting VM RoT measurements in support
 /// of this VM's attestation server.
 pub async fn run(self) {
- let AttestationSockInit { log, vm_conf_send, uuid, project, silo, boot_backend_ref } = self;
+ let AttestationSockInit {
+ log,
+ vm_conf_send,
+ uuid,
+ project,
+ silo,
+ boot_backend_ref,
+ } = self;
 let mut vm_conf = vm_attest::VmInstanceConf {
 uuid,
From a6df494aed8ea442d789c7407b9a2193a1486ccf Mon Sep 17 00:00:00 2001
From: augustuswm
Date: Tue, 21 Apr 2026 10:06:34 -0500
Subject: [PATCH 4/4] Refactor vm attestation property passing
---
 bin/propolis-server/src/lib/initializer.rs | 9 ++++++-
 lib/propolis/src/attestation/server.rs | 29 ++++++----------------
 2 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/bin/propolis-server/src/lib/initializer.rs b/bin/propolis-server/src/lib/initializer.rs
index cd6088deb..f0eb195cf 100644
--- a/bin/propolis-server/src/lib/initializer.rs
+++ b/bin/propolis-server/src/lib/initializer.rs
@@ -703,6 +703,13 @@ impl MachineInitializer<'_> {
 let project = self.properties.metadata.project_id;
 let silo = self.properties.metadata.silo_id;
+ let vm_attestation_conf = vm_attest::VmInstanceConf {
+ uuid,
+ project,
+ silo,
+ boot_digest: None,
+ };
+
 // The first boot entry is a key into `self.spec.disks`, which is how
 // we'll get to a Crucible volume backing this boot option.
 let boot_disk_entry =
@@ -783,7 +790,7 @@ impl MachineInitializer<'_> {
 None
 };
- vm_rot.prepare_instance_conf(uuid, project, silo, boot_backend);
+ vm_rot.prepare_init_state(vm_attestation_conf, boot_backend);
 Ok(())
 }
diff --git a/lib/propolis/src/attestation/server.rs b/lib/propolis/src/attestation/server.rs
index 150797c62..e326b60e1 100644
--- a/lib/propolis/src/attestation/server.rs
+++ b/lib/propolis/src/attestation/server.rs
@@ -57,9 +57,7 @@ enum AttestationInitState {
 pub struct AttestationSockInit {
 log: slog::Logger,
 vm_conf_send: oneshot::Sender,
- uuid: uuid::Uuid,
- project: uuid::Uuid,
- silo: uuid::Uuid,
+ vm_instance_conf: vm_attest::VmInstanceConf,
 boot_backend_ref: Option,
 }
@@ -70,19 +68,10 @@ impl AttestationSockInit {
 let AttestationSockInit {
 log,
 vm_conf_send,
- uuid,
- project,
- silo,
+ mut vm_instance_conf,
 boot_backend_ref,
 } = self;
- let mut vm_conf = vm_attest::VmInstanceConf {
- uuid,
- project,
- silo,
- boot_digest: None,
- };
-
 if let Some(digest_backend) = boot_backend_ref {
 let boot_digest = match crate::attestation::boot_digest::compute(
 digest_backend,
@@ -102,12 +91,12 @@ impl AttestationSockInit {
 }
 };
- vm_conf.boot_digest = Some(boot_digest);
+ vm_instance_conf.boot_digest = Some(boot_digest);
 } else {
 slog::warn!(log, "not computing boot disk digest");
 }
- let send_res = vm_conf_send.send(vm_conf);
+ let send_res = vm_conf_send.send(vm_instance_conf);
 if let Err(_) = send_res {
 slog::error!(
 log,
@@ -284,11 +273,9 @@ impl AttestationSock {
 Ok(())
 }
- pub fn prepare_instance_conf(
+ pub fn prepare_init_state(
 &mut self,
- uuid: uuid::Uuid,
- project: uuid::Uuid,
- silo: uuid::Uuid,
+ vm_instance_conf: vm_attest::VmInstanceConf,
 boot_backend_ref: Option,
 ) {
 let init_state = std::mem::replace(
@@ -306,11 +293,9 @@ impl AttestationSock {
 };
 let init = AttestationSockInit {
 log: self.log.clone(),
- uuid,
- project,
- silo,
 boot_backend_ref,
 vm_conf_send,
+ vm_instance_conf,
 };
 let init_task = tokio::spawn(init.run());
 self.init_state = AttestationInitState::Running { init_task };
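Review bot: With the local `VmInstanceConf { …, boot_digest: None }` removed from `run` in the `@@ -70,19 +68,10 @@` hunk, the `boot_digest` that is sent is whatever the caller placed in `vm_instance_conf` whenever `boot_backend_ref` is `None`; the `else` arm in the following hunk only logs "not computing boot disk digest". The one caller visible in this series passes `boot_digest: None`, but `prepare_init_state` (hunk at -284) is `pub` and no longer enforces that, so a digest that was never measured here could reach the attestation data. Resetting the field right after the destructuring, `vm_instance_conf.boot_digest = None;`, restores the earlier guarantee that it only ever holds a value computed in `run`. The body of `run` continues outside the hunk, so the error arm of the `match` on `boot_digest::compute` should be checked against the same assumption.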
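Review bot: `prepare_init_state` in the `@@ -284,11 +273,9 @@` hunk is a public method with no doc comment, and after the rename its name no longer says that it receives the instance identity to be attested. A `///` comment such as `/// Stores the instance configuration to attest and starts the task that measures the boot disk; boot_digest is filled in by that task, not by the caller.` would state the contract callers have to follow. The method body runs past this hunk; the `tokio::spawn(init.run())` in the hunk at -306 appears to be its tail.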