Remove automatic TEE detection in token command.

Author: yanchengchen7

cmd/token.go

@@ -132,19 +132,38 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 		if err != nil {
 			return fmt.Errorf("failed to get an AK: %w", err)
 		}
-		attestation, err := ak.Attest(client.AttestOpts{Nonce: challenge.Nonce, CertChainFetcher: http.DefaultClient})
+		
+		attestOpts := client.AttestOpts{Nonce: challenge.Nonce, CertChainFetcher: http.DefaultClient}
+
+		// Add logic to open other hardware devices when required.
+		switch teeTechnology {
+		case SevSnp:
+			attestOpts.TEEDevice, err = client.CreateSevSnpQuoteProvider()
+			if err != nil {
+				return fmt.Errorf("failed to open %s device: %v", SevSnp, err)
+			}
+			attestOpts.TEENonce = teeNonce
+		case Tdx:
+			attestOpts.TEEDevice, err = client.CreateTdxQuoteProvider()
+			if err != nil {
+				return fmt.Errorf("failed to create %s quote provider: %v", Tdx, err)
+			}
+			attestOpts.TEENonce = teeNonce
+		case "":
+			if len(teeNonce) != 0 {
+				return fmt.Errorf("use of --tee-nonce requires specifying TEE hardware type with --tee-technology")
+			}
+		default:
+			// Change the return statement when more devices are added
+			return fmt.Errorf("tee-technology should be either empty or should have values %s or %s", SevSnp, Tdx)
+		}
+
+		attestation, err := ak.Attest(attestOpts)
 		if err != nil {
 			return fmt.Errorf("failed to attest: %v", err)
 		}
 		ak.Close()
 
-		// If teeTechnology is not set, try to detect it from the attestation.
-		if teeTechnology == "" {
-			if attestation.GetTdxAttestation() != nil {
-				teeTechnology = Tdx
-			}
-		}
-
 		req := verifier.VerifyAttestationRequest{
 			Challenge:      challenge,
 			GcpCredentials: principalTokens,

cmd/token_test.go

@@ -86,12 +86,12 @@ func TestTokenWithGCEAK(t *testing.T) {
 			}
 
 			if op.fail {
-				RootCmd.SetArgs([]string{"token", "--algo", op.algo, "--output", secretFile1, "--verifier-endpoint", mockAttestationServer.Server.URL, "--cloud-log", "--audience", util.FakeCustomAudience, "--custom-nonce", "fail test"})
+				RootCmd.SetArgs([]string{"token", "--algo", op.algo, "--output", secretFile1, "--verifier-endpoint", mockAttestationServer.Server.URL, "--cloud-log", "--audience", util.FakeCustomAudience, "--custom-nonce", "fail test", "--tee-technology", "", "--tee-nonce", ""})
 				if err := RootCmd.Execute(); err != nil && !strings.Contains(err.Error(), "googleapi: Error 400") {
 					t.Error(err)
 				}
 			} else {
-				RootCmd.SetArgs([]string{"token", "--algo", op.algo, "--output", secretFile1, "--verifier-endpoint", mockAttestationServer.Server.URL, "--cloud-log", "--audience", util.FakeCustomAudience, "--custom-nonce", util.FakeCustomNonce[0], "--custom-nonce", util.FakeCustomNonce[1]})
+				RootCmd.SetArgs([]string{"token", "--algo", op.algo, "--output", secretFile1, "--verifier-endpoint", mockAttestationServer.Server.URL, "--cloud-log", "--audience", util.FakeCustomAudience, "--custom-nonce", util.FakeCustomNonce[0], "--custom-nonce", util.FakeCustomNonce[1], "--tee-technology", "", "--tee-nonce", ""})
 				if err := RootCmd.Execute(); err != nil {
 					t.Error(err)
 				}