[applications] Add Escrow-Xput Function In Bare-Metal SNP #57

csegarragonz · 2025-11-25T17:10:37Z

Closes #25

csegarragonz · 2025-11-25T17:50:15Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces significant new functionality for running and attesting applications in a bare-metal AMD SEV-SNP environment. This includes a new escrow-xput application, extensive CLI tooling in accli for managing confidential VMs (cVMs) and a new attestation service, and the core logic for SNP report verification in the attestation service itself. The changes are extensive and well-structured, particularly the cVM orchestration in accli and the caching mechanisms in the attestation service.

My review focuses on a critical security gap in the SNP attestation flow, several maintainability issues in the new application code, and opportunities to improve the robustness of the new tooling. The most critical issue is the missing validation of the SNP report's measurement, which must be addressed to ensure only trusted code is attested. Other points include removing a large amount of commented-out code and improving configuration handling in the new benchmark application.

attestation-service/src/snp.rs

applications/functions/escrow-xput/src/main.cpp

accli/src/tasks/applications.rs

applications/functions/escrow-xput/src/main.cpp

scripts/snp/setup.sh

csegarragonz added 30 commits November 21, 2025 15:52

[accless] E: Unify Headers Under Shared Dir

8dd12fa

[accli] E: Clarify ApplicationsCommand Help

c00830c

[scripts] E: Remove Obsolete Scripts

ad4f89f

[accli] E: Add AttestationService Task

f1a5ffa

[scripts] E: Add Scripts To Spawn SNP cVM

d132660

[accli] B: Ignore Paths In Dev

568b2d1

[scripts] E: Refine SNP SetUp Scripts

fb7c366

[attestation-service] E: Log Node URL On Startup

3b0b054

[accli] E: Add --rebuild Flag To attestation-service run

a4f5be7

[accli] E: Pass /dev/sev-guest To Docker If Available

1d429a3

[applications] E: Add Preliminary Escrow-Xput Function

23c96fb

[attestation-service] E: Verify Bare-Metal SNP Reports

f4dc393

Closes #25

[accli] E: Launch Applications By Name

43df72e

[accless] B: Add Warning Around Mock Quote

61a9b90

[accli] E: Add Wrappers To Run In cVM

38d44dc

[scripts] B: Make accli_wrapper.sh Resilient

1c96ecf

[scripts] E: Add Offline Disk Provisioning for SNP

ff16d9c

[scripts] B: Do Not Use Sudo On Workon.sh

d88e034

[accli] E: Add 'dev cvm cli'

ac6c3e4

[accli] B: Fix Application Path

20e87e7

[accli] B: Make Plural Of Function/Workflow

7a3c30a

[scripts] E: Refine SNP Scripts

4f19bb9

[accli] E: Pass SEV_GID If /dev/sev-guest Present

6cd2249

[attestation-service] E: Print Info On Start

be7811b

[accli] E: Unify --as-* Flags

da30430

[applications] B: Adapt --as-cert-path Flag

1da30df

[scripts] E: Build Accli In Snp Setup

71ad626

[ci] E: Add SNP Bare Metal Test

4d02d77

[build] E: Fix num-bigint Warning

43a697b

[attestation-service] W: Clarify azcVM Regression

b823653

gemini-code-assist bot reviewed Nov 25, 2025

View reviewed changes

csegarragonz force-pushed the feature-escrow-func branch from 7ab1ea7 to 56da6ea Compare November 25, 2025 18:02

csegarragonz added 2 commits November 25, 2025 18:13

[scripts] E: Refine SNP Setup Script

79dedcc

[ci] B: Install APT Deps

7e915c5

csegarragonz force-pushed the feature-escrow-func branch from 56da6ea to 7e915c5 Compare November 25, 2025 18:13

csegarragonz added 13 commits November 25, 2025 18:59

[ci] B: Build AS In SNP Tests

5128f13

[attestation-service] E: Refactor API Tests

7a144a5

[accli] E: Homogeneize AS Cert Path Parsing

f550f0c

[applications] B: Use Mock Values From Mock Header

d74fdb5

[config] E: Avoid Expensive Chowns On Entry

d46213c

[build] E: Bump Minor Version To 0.9.0

663865e

[scripts] E: Do Not Pin Code Branch In cVM

bfb4e67

[scripts] B: Fix Code Ownership In Ctr

3208837

[accli] B: Fix Persistance In cVMs

7bfc09e

[docs] E: Update README

fe6373a

[scripts] B: Make Sure Workon.sh Is Run In Ctr

978c737

[accli] B: Create PID File Dirs In AS BG Spawn

38b5ce9

[accli] B: Fix Spawn Of Background AS

5f35f1b

csegarragonz force-pushed the feature-escrow-func branch from 88d6ebf to 5f35f1b Compare November 27, 2025 11:31

csegarragonz added 2 commits November 27, 2025 12:24

[scripts] E: Check Host Reqs In SNP Setup

b6946f1

[attestation-service] B: Properly Poll Certs

8ca0c2c

csegarragonz force-pushed the feature-escrow-func branch 3 times, most recently from d33ed5c to 739bbcc Compare November 27, 2025 16:31

[ci] B: Fix Syntax Error In snp.yml

9100a3e

csegarragonz force-pushed the feature-escrow-func branch from 739bbcc to 9100a3e Compare November 27, 2025 17:49

csegarragonz merged commit d9f1100 into main Nov 28, 2025
4 checks passed

csegarragonz deleted the feature-escrow-func branch November 28, 2025 09:40

csegarragonz mentioned this pull request Nov 28, 2025

[ci] Add SGX And SNP Tests #54

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[applications] Add Escrow-Xput Function In Bare-Metal SNP #57

[applications] Add Escrow-Xput Function In Bare-Metal SNP #57

Uh oh!

csegarragonz commented Nov 25, 2025

Uh oh!

csegarragonz commented Nov 25, 2025

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[applications] Add Escrow-Xput Function In Bare-Metal SNP #57

[applications] Add Escrow-Xput Function In Bare-Metal SNP #57

Uh oh!

Conversation

csegarragonz commented Nov 25, 2025

Uh oh!

csegarragonz commented Nov 25, 2025

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants