[experiments] Fix Escrow Baselines

.github/workflows/azure.yml

@@ -0,0 +1,23 @@
+name: "SNP End-to-End Tests"
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+# Cancel previous running actions for the same PR
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  snp-vtpm-test:
+    runs-on: [self-hosted]
+    steps:
+      - name: "Check out the code"
+        uses: actions/checkout@v4
+

.github/workflows/snp.yml

@@ -44,7 +44,7 @@ jobs:
 
       # Build SNP applications and embed the attestation service's certificate.
       - name: "Build SNP applications"
-        run: ./scripts/accli_wrapper.sh applications build --clean --as-cert-path ./certs/cert.pem --in-cvm
+        run: ./scripts/accli_wrapper.sh applications build --clean --as-cert-dir ./certs/cert.pem --in-cvm
 
       - name: "Run supported SNP applications"
         run: |

accless/libs/attestation/CMakeLists.txt

@@ -25,6 +25,7 @@ add_library(${CMAKE_PROJECT_TARGET}
     mock_snp.cpp
     utils.cpp
     snp.cpp
+    vcek_cache.cpp
 )
 target_link_libraries(${CMAKE_PROJECT_TARGET} PUBLIC
     azguestattestation

accless/libs/attestation/http_client.cpp

@@ -1,4 +1,5 @@
 #include "attestation.h"
+#include "vcek_cache.h"
 
 #include <cstring>
 #include <curl/curl.h>
@@ -19,6 +20,11 @@ static size_t curlWriteCallback(char *ptr, size_t size, size_t nmemb,
 }
 
 HttpClient::HttpClient(const std::string &certPath) : certPath_(certPath) {
+    // Initialize process-wide VCEK cache once. This is only populated if
+    // we are deployed inside an Azure cVM, otherwise will return empty
+    // strings.
+    accless::attestation::snp::getVcekPemBundle();
+
     curl_ = curl_easy_init();
     if (!curl_) {
         throw std::runtime_error("accless(att): failed to init curl");

accless/libs/attestation/utils.cpp

@@ -1,4 +1,5 @@
 #include "attestation.h"
+#include "vcek_cache.h"
 
 #include <nlohmann/json.hpp>
 
@@ -49,6 +50,15 @@ std::string buildRequestBody(const std::string &quoteB64,
     body["quote"] = quoteB64;
     body["runtimeData"]["data"] = runtimeB64;
     body["runtimeData"]["dataType"] = "Binary";
+
+    const auto &vcekPem = accless::attestation::snp::getVcekCertPem();
+    const auto &chainPem = accless::attestation::snp::getVcekChainPem();
+
+    if (!vcekPem.empty()) {
+        body["collateral"]["vcekCertPem"] = vcekPem;
+        body["collateral"]["certificateChainPem"] = chainPem;
+    }
+
     return body.dump();
 }
 } // namespace accless::attestation::utils

accless/libs/attestation/vcek_cache.cpp

@@ -0,0 +1,123 @@
+#include "vcek_cache.h"
+
+#include <curl/curl.h>
+#include <nlohmann/json.hpp>
+
+#include <stdexcept>
+#include <string>
+
+namespace accless::attestation::snp {
+namespace {
+
+constexpr const char *THIM_URL =
+    "http://169.254.169.254/metadata/THIM/amd/certification";
+constexpr const char *THIM_METADATA_HEADER = "Metadata:true";
+
+struct VcekCache {
+    std::once_flag once;
+    std::string vcekCert;
+    std::string certChain;
+    std::string bundle;
+    std::string error;
+};
+
+VcekCache g_cache;
+
+size_t curlWriteCallback(char *ptr, size_t size, size_t nmemb, void *userdata) {
+    auto *out = static_cast<std::string *>(userdata);
+    if (!out)
+        return 0;
+    const size_t total = size * nmemb;
+    out->append(ptr, total);
+    return total;
+}
+
+// Perform one-time VCEK fetch, but *never throw*. If unavailable, returns empty
+// PEM strings.
+void initVcekCache() {
+    CURL *curl = curl_easy_init();
+    if (!curl) {
+        g_cache.error = "failed to init curl for VCEK fetch";
+        return;
+    }
+
+    std::string response;
+    char errbuf[CURL_ERROR_SIZE] = {0};
+
+    curl_easy_setopt(curl, CURLOPT_URL, THIM_URL);
+    curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curlWriteCallback);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
+    curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
+    curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 500L); // do not block
+    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT_MS, 300L);
+
+    // Add Metadata:true header
+    struct curl_slist *headers = nullptr;
+    headers = curl_slist_append(headers, THIM_METADATA_HEADER);
+    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
+
+    CURLcode res = curl_easy_perform(curl);
+    long status = 0;
+    curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &status);
+
+    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, nullptr);
+    curl_slist_free_all(headers);
+    curl_easy_cleanup(curl);
+
+    // IMDS unreachable → not a CVM → silently return empty values
+    if (res != CURLE_OK) {
+        g_cache.error = std::string("VCEK fetch failed: curl error: ") +
+                        (errbuf[0] ? errbuf : curl_easy_strerror(res));
+        return;
+    }
+
+    if (status != 200) {
+        g_cache.error =
+            "VCEK fetch failed: HTTP status " + std::to_string(status);
+        return;
+    }
+
+    // Parse JSON.
+    try {
+        auto json = nlohmann::json::parse(response);
+
+        g_cache.vcekCert = json.value("vcekCert", "");
+        g_cache.certChain = json.value("certificateChain", "");
+
+        // Normalize newlines
+        if (!g_cache.vcekCert.empty() && g_cache.vcekCert.back() != '\n')
+            g_cache.vcekCert.push_back('\n');
+
+        if (!g_cache.certChain.empty() && g_cache.certChain.back() != '\n')
+            g_cache.certChain.push_back('\n');
+
+        g_cache.bundle = g_cache.vcekCert + g_cache.certChain;
+    } catch (const std::exception &e) {
+        g_cache.error = std::string("VCEK fetch JSON parse error: ") + e.what();
+        // Leave empty certs
+        return;
+    }
+}
+
+void ensureInitialized() { std::call_once(g_cache.once, initVcekCache); }
+
+} // namespace
+
+// --- Public API ---
+
+const std::string &getVcekPemBundle() {
+    ensureInitialized();
+    return g_cache.bundle;
+}
+
+const std::string &getVcekCertPem() {
+    ensureInitialized();
+    return g_cache.vcekCert;
+}
+
+const std::string &getVcekChainPem() {
+    ensureInitialized();
+    return g_cache.certChain;
+}
+} // namespace accless::attestation::snp

accless/libs/attestation/vcek_cache.h

@@ -0,0 +1,14 @@
+#pragma once
+
+#include <mutex>
+#include <string>
+
+namespace accless::attestation::snp {
+
+// Returns concatenated PEM (VCEK + chain) or an empty string on failure.
+const std::string &getVcekPemBundle();
+
+// If you prefer separate pieces:
+const std::string &getVcekCertPem();
+const std::string &getVcekChainPem();
+} // namespace accless::attestation::snp

accli/Cargo.toml

@@ -17,6 +17,7 @@ path = "src/lib.rs"
 
 [dependencies]
 anyhow.workspace = true
+az-snp-vtpm.workspace = true
 base64.workspace = true
 bytes.workspace = true
 chrono.workspace = true