Added Granular claim changes (#100)

- Added the ability to pass `service_key` to the Attestation SDK, Local Verifier, and PPCIE Verifier.
- Introduced granular claims, including individual OCSP status, expiration dates, and revocation reasons for driver and vBIOS certificates.
- Refactored the SDK, Local Verifier, and PPCIE Verifier to support these granular claims.
- Enhanced code structure across the SDK and verifier components to improve maintainability and scalability.
- Various improvements and fixes across the source code to enhance stability and performance.
- Created new unit and end-to-end test files to validate the functionality of claims version 3.0.

Author: thisiskarthikj

.gitignore

@@ -8,3 +8,4 @@
 *.log
 venv
 *.bak
+.coverage

README.md

@@ -24,8 +24,6 @@ For more information, including documentation, white papers, and videos regardin
 
 This repository is licensed under Apache License v2.0 except where otherwise noted.
 
-Users who use NVIDIA Attestation Cloud Services or the NVIDIA Trust software components, without an Enterprise Product license may exercise the software and services solely for the purposes of development of a confidential computing service, not a commercial offering/ redistribution. A commercial Enterprise Product license must be obtained before offering the software within a paid commercial service.
-
 ## Support
 
 For issues or questions, please [file a bug](https://github.com/NVIDIA/nvtrust/issues). For additional support, contact us at [attestation-support@nvidia.com](mailto:attestation-support@nvidia.com)

guest_tools/README.md

@@ -119,8 +119,6 @@ NVIDIA also offers Trust Outpost, a comprehensive GPU attestation solution for e
 ## License
 This repository is licensed under Apache License v2.0 except where otherwise noted.
 
-Users who use NVIDIA Attestation Cloud Services or the NVIDIA Trust software components, without an Enterprise Product license may exercise the software and services solely for the purposes of development of a confidential computing service, not a commercial offering/ redistribution. A commercial Enterprise Product license must be obtained before offering the software within a paid commercial service.
-
 # Support
 For issues or questions, please [file a bug](https://github.com/NVIDIA/nvtrust/issues). For additional support, contact us at [attestation-support@nvidia.com](mailto:attestation-support@nvidia.com)
 

guest_tools/attestation_sdk/README.md

@@ -37,6 +37,7 @@ Before installation, please review the [Compatibility Matrix](#compatibility-mat
 
 ### From Source
 
+Install nv-local-gpu-verifier as a pre-requisite. 
 If you choose to install the Attestation SDK from the source code, use the following commands:
 
     cd attestation_sdk
@@ -75,7 +76,7 @@ Please execute the following commands to clean up packages that were not install
 4. Run the following command and ensure that you have the 'nv-local-gpu-verifier' Python module installed.
     ```
     pip list | grep nv-local-gpu-verifier
-    nv-local-gpu-verifier               1.5.0
+    nv-local-gpu-verifier  <version>
     ```
 
 ### How to do Attestation
@@ -125,40 +126,45 @@ Please note that the Schema/EAT claim information is subject to change in future
 
 ## Compatibility Matrix 
 
-SDK version     | NRAS API Version | Claims Version
---------------- |-----------------|----------------
-v1.1.0          | v1              | N/A
-v1.2.0          | v1              | N/A
-v1.3.0          | v1              | N/A
-v1.4.0          | v1              | N/A
-v1.5.0          | v2              | N/A
-v2.0.0          | v3              | 2.0
-v2.1.0          | v3              | 2.0
-v2.1.1          | v3              | 2.0
-v2.1.2          | v3              | 2.0
-v2.1.3          | v3              | 2.0
-v2.1.4          | v3              | 2.0
-v2.3.0          | v3              | 2.0
+SDK version     | Claims Version
+--------------- |----------------
+v1.1.0          | N/A
+v1.2.0          | N/A
+v1.3.0          | N/A
+v1.4.0          | N/A
+v1.5.0          | N/A
+v2.0.0          | 2.0
+v2.1.0          | 2.0
+v2.1.1          | 2.0
+v2.1.2          | 2.0
+v2.1.3          | 2.0
+v2.1.4          | 2.0
+v2.3.0          | 2.0
+v2.4.0          | 2.0, 3.0
 
 More information on claims can be found [here](https://github.com/NVIDIA/nvtrust/blob/main/guest_tools/attestation_troubleshooting_guide.md)
 
 ## Attestation SDK APIs
 
 **nv_attestation_sdk import attestation**
-| API                                                                                                                             | Description                                                                                                                           |
-|---------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Attestation(<-name->)                                                                                                           | Create a new Attestation Object used to call other Attestation methods.                                                               |
-| set_name(<-name->)                                                                                                              | Set a name for the Attestation SDK client                                                                                             |
-| set_nonce(<-nonce->)                                                                                                            | Set a nonce for Attestation                                                                                                           |
-| set_ocsp_nonce_disabled(<-bool->)                                                                                               | Flag which indicates whether to include a nonce when calling OCSP. Only applicable for local GPU attestation. False by default        |
-| add_verifier(<-attestation-device-type->, <-local/remote->, <-remote-attestation-service-url->, <-attestation-results-policy->) | Add a specific type of verifier for the client object. The verifier will be invoked during the attest operation                       |
-| get_verifiers()                                                                                                                 | Retrieves the list of verifiers added to the client object.                                                                              |
-| get_evidence()                                                                                                                  | Retrieves the list of evidence based on the attestation device (e.g., GPU, switch) and the type of attestation (e.g., local, remote). |
-| attest()                                                                                                                        | Trigger the Attestation for the client object, This uses the Attestation type configured in the add_verifier method                           |
-| get_token()                                                                                                                     | Retrieves the Attestation token that contains claims corresponding to the Attestation result.                                             |
-| get_ocsp_nonce_disabled()                                                                                                       | Retrieves the flag which indicates whether a nonce is included when calling OCSP.                                                     |
-| validate_token(<-attestation-results-policy->)                                                                                  | Validate the Attestation Claims against a policy                                                                                      |
-| decode_token(<-jwt-token->)                                                                                                     | Decodes the JWT token to claims received by the verifier                                                                              |
+
+| API                                                                                                                             | Description                                                                                                                                                                                                      |
+|---------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Attestation(<-name->)                                                                                                           | Create a new Attestation Object used to call other Attestation methods.                                                                                                                                          |
+| set_name(<-name->)                                                                                                              | Set a name for the Attestation SDK client                                                                                                                                                                        |
+| set_nonce(<-nonce->)                                                                                                            | Set a nonce for Attestation                                                                                                                                                                                      |
+| set_ocsp_nonce_disabled(<-bool->)                                                                                               | Flag which indicates whether to include a nonce when calling OCSP. Only applicable for local GPU attestation. False by default                                                                                   |
+| set_service_key(<-key->)                                                                                                        | Service key which is used to auth remote service calls to attestation services. None by default. Note: No valid service keys have been created by admins yet - using any key will result in attestation failure. |                               |
+| set_claims_version(<-version->)                                                                                                 | Set a claims version for Attestation. Please refer to the [Attestation Troubleshooting documentation](../attestation_troubleshooting_guide.md) for the claims. If claims version is not set, it defaults to 2.0. |
+| add_verifier(<-attestation-device-type->, <-local/remote->, <-remote-attestation-service-url->, <-attestation-results-policy->) | Add a specific type of verifier for the client object. The verifier will be invoked during the attest operation                                                                                                  |
+| get_verifiers()                                                                                                                 | Retrieves the list of verifiers added to the client object.                                                                                                                                                      |
+| get_evidence()                                                                                                                  | Retrieves the list of evidence based on the attestation device (e.g., GPU, switch) and the type of attestation (e.g., local, remote).                                                                            |
+| attest()                                                                                                                        | Trigger the Attestation for the client object, This uses the Attestation type configured in the add_verifier method                                                                                              |
+| get_token()                                                                                                                     | Retrieves the Attestation token that contains claims corresponding to the Attestation result.                                                                                                                    |
+| get_ocsp_nonce_disabled()                                                                                                       | Retrieves the flag which indicates whether a nonce is included when calling OCSP.                                                                                                                                |
+| get_claims_version()                                                                                                            | Retrieves the claims version added to the client object.                                                                                                                                                         |
+| validate_token(<-attestation-results-policy->)                                                                                  | Validate the Attestation Claims against a policy                                                                                                                                                                 |
+| decode_token(<-jwt-token->)                                                                                                     | Decodes the JWT token to claims received by the verifier                                                                                                                                                         |
 ## Attestation SDK configuration
 The below configuration can be set using environment variables in the console
 Configuration            | Values           |                                   Explanation                                                                                  |
@@ -171,7 +177,5 @@ Please note that starting from nvTrust v1.5.0, the NRAS v1 API and Relying Party
 ## License
 This repository is licensed under Apache License v2.0 except where otherwise noted.
 
-Users who use NVIDIA Attestation Cloud Services or the NVIDIA Trust software components, without an Enterprise Product license may exercise the software and services solely for the purposes of development of a confidential computing service, not a commercial offering/ redistribution. A commercial Enterprise Product license must be obtained before offering the software within a paid commercial service.
-
 ## Support
 For issues or questions, please [file a bug](https://github.com/NVIDIA/nvtrust/issues). For additional support, contact us at [attestation-support@nvidia.com](mailto:attestation-support@nvidia.com)

guest_tools/attestation_sdk/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "nv-attestation-sdk"
-version = "2.3.0"
+version = "2.4.0"
 description = "The Attestation SDK provides developers with a easy to use APIs for implementing attestation capabilities into their applications."
 authors = ["Karthik Jayaraman <kjayaraman@nvidia.com>"]
 readme = "README.md"
@@ -22,7 +22,7 @@ xmlschema = "==2.2.3"
 pyOpenSSL = "==24.2.1"
 PyJWT = "==2.7.0"
 nvidia-ml-py = ">=12.535.77"
-nv-local-gpu-verifier = "2.3.0"
+nv-local-gpu-verifier = "2.4.0"
 build = ">=0.7.0"
 twine = ">=3.7.1"
 pylint = ">=2.9.6"

guest_tools/attestation_sdk/src/nv_attestation_sdk/attestation.py

@@ -18,6 +18,7 @@
 from .gpu import attest_gpu_local, attest_gpu_remote
 from .nvswitch import attest_nvswitch_local, attest_nvswitch_remote
 from .utils import claim_utils, local_utils, nras_utils
+from .utils.config import REMOTE_GPU_VERIFIER_SERVICE_URL, REMOTE_NVSWITCH_VERIFIER_SERVICE_URL
 from typing import Tuple, List
 
 decorative_logger = setup_logging()
@@ -91,22 +92,43 @@ class Attestation:
 
     _staticNonce = None
     _name = None
+    _serviceKey = None
     _nonceServer = None
     _tokens = None
     _verifiers = []
     _instance = None
     _ocsp_nonce_disabled = False
     _no_gpu_mode = False
+    _claims_version = "2.0"
 
     def __new__(cls, name=None):
         if cls._instance is None:
             cls._instance = super(Attestation, cls).__new__(cls)
             cls._name = name if isinstance(name, str) else ""
+            cls._serviceKey = None
             cls._nonceServer = ""
             cls._staticNonce = ""
             cls._verifiers = []
             cls._tokens = {}
         return cls._instance
+    
+    @classmethod
+    def set_service_key(cls, service_key: str) -> None:
+        """Service key which is used to auth remote service calls to attestation services.
+
+        Args:
+            service_key (str): Service key which is used to auth remote service calls to attestation services
+        """
+        cls._serviceKey = service_key
+
+    @classmethod
+    def get_service_key(cls) -> str:
+        """Service key which is used to auth remote service calls to attestation services.
+
+        Returns:
+            Str: Service key which is used to auth remote service calls to attestation services
+        """
+        return cls._serviceKey
 
     @classmethod
     def set_name(cls, name: str) -> None:
@@ -164,6 +186,23 @@ def get_ocsp_nonce_disabled(cls) -> bool:
         """
         return cls._ocsp_nonce_disabled
 
+    @classmethod
+    def set_claims_version(cls, claims_version: str) -> None:
+        """To set the version of claims to be returned.  v2.0 by default
+
+        Args:
+            claims_version (str): claims version
+        """
+        cls._claims_version = claims_version
+
+    @classmethod
+    def get_claims_version(cls) -> str:
+        """Get the claims version
+
+        Returns:
+            str: claims version
+        """
+        return cls._claims_version
 
     @classmethod
     def add_verifier(
@@ -186,7 +225,12 @@ def add_verifier(
             (Devices.SWITCH, Environment.REMOTE): "REMOTE_SWITCH_CLAIMS",
             (Devices.CPU, Environment.TEST): "TEST_CPU_CLAIMS",
         }
-
+        if env == Environment.REMOTE and not url:
+            if dev == Devices.GPU:
+                url = REMOTE_GPU_VERIFIER_SERVICE_URL
+            elif dev == Devices.SWITCH:
+                url = REMOTE_NVSWITCH_VERIFIER_SERVICE_URL
+            logger.info("Using default Remote verifier URL: %s", url)
         name = verifier_name_mapping.get((dev, env), "UNKNOWN_CLAIMS")
         lst = [name, dev, env, url, evidence, "", ocsp_url, rim_url]
         cls._verifiers.append(lst)
@@ -273,17 +317,19 @@ def attest(cls, evidence_list) -> bool:
             attestation_func = attestation_mapping.get(
                 (device, environment), cls._unknown_verifier
             )
+            attestation_options = {
+                "ocsp_nonce_disabled": cls._ocsp_nonce_disabled,
+                "rim_service_url": verifier[VerifierFields.RIM_URL],
+                "ocsp_url": verifier[VerifierFields.OCSP_URL],
+                "claims_version": cls._claims_version,
+                "verifier_url": verifier_url,
+                "service_key": cls._serviceKey
+            }
             if environment == Environment.REMOTE:
                 this_result, jwt_token = attestation_func(
-                    nonce, evidence_list, verifier_url
+                    nonce, evidence_list, attestation_options
                 )
             else:
-                attestation_options = {
-                    "ocsp_nonce_disabled": cls._ocsp_nonce_disabled,
-                    "rim_service_url": verifier[VerifierFields.RIM_URL],
-                    "ocsp_url": verifier[VerifierFields.OCSP_URL]
-                }
-
                 this_result, jwt_token = attestation_func(
                     nonce, evidence_list, attestation_options
                 )