nvtrust release v2.1.2 (#83)

nvTrust v2.1.2

Attestation SDK - Version 2.1.2
-Configurable cert-hold option has been added
-Documentation changes

Local GPU Verifier - Version 2.1.1
-Documentation changes
-Protected PCIE Verifier - Version 1.1.2
-Configurable cert-hold option has been added

Documentation changes
-Topology checks fixed for H800 SKU

guest_tools/attestation_sdk/README.md

@@ -121,15 +121,17 @@ Please note that the Schema/EAT claim information is subject to change in future
 
 ## Compatibility Matrix 
 
-SDK version     |  NRAS API Version | Claims Version
---------------- |------------------|----------------
-v1.1.0          | v1               | N/A
-v1.2.0          | v1               | N/A
-v1.3.0          | v1               | N/A
-v1.4.0          | v1               | N/A
-v1.5.0          | v2               | N/A
-v2.0.0          | v3               | 2.0
-v2.1.0          | v3               | 2.0
+SDK version     | NRAS API Version | Claims Version
+--------------- |-----------------|----------------
+v1.1.0          | v1              | N/A
+v1.2.0          | v1              | N/A
+v1.3.0          | v1              | N/A
+v1.4.0          | v1              | N/A
+v1.5.0          | v2              | N/A
+v2.0.0          | v3              | 2.0
+v2.1.0          | v3              | 2.0
+v2.1.1          | v3              | 2.0
+v2.1.2          | v3              | 2.0
 
 More information on claims can be found [here](https://github.com/NVIDIA/nvtrust/blob/main/guest_tools/attestation_troubleshooting_guide.md)
 
@@ -148,6 +150,11 @@ More information on claims can be found [here](https://github.com/NVIDIA/nvtrust
 | get_token()                                                                                                                     | Retrieves the Attestation token that contains claims corresponding to the Attestation result.                                             |
 | validate_token(<-attestation-results-policy->)                                                                                  | Validate the Attestation Claims against a policy                                                                                      |
 | decode_token(<-jwt-token->)                                                                                                     | Decodes the JWT token to claims received by the verifier                                                                              |
+## Attestation SDK configuration
+The below configuration can be set using environment variables in the console
+Configuration            | Values           |                                   Explanation                                                                                  |
+-------------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------
+NV_ALLOW_HOLD_CERT       | true/false       | Enable attestation if the OCSP revocation status of the certificate in the RIM files is 'certificate_hold'. Defaults to false.'|
 
 ## Note
 Please note that starting from nvTrust v1.5.0, the NRAS v1 API and Relying Party Policy version 1.0 have been deprecated. Additionally, installation via wheel files will no longer be supported from v1.5.0 onward.

guest_tools/attestation_sdk/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "nv-attestation-sdk"
-version = "2.1.1"
+version = "2.1.2"
 description = "The Attestation SDK provides developers with a easy to use APIs for implementing attestation capabilities into their applications."
 authors = ["Karthik Jayaraman <kjayaraman@nvidia.com>"]
 readme = "README.md"
@@ -22,7 +22,7 @@ xmlschema = "==2.2.3"
 pyOpenSSL = "==24.2.1"
 PyJWT = "==2.7.0"
 nvidia-ml-py = ">=12.535.77"
-nv-local-gpu-verifier = "2.1.0"
+nv-local-gpu-verifier = "2.1.1"
 build = ">=0.7.0"
 twine = ">=3.7.1"
 pylint = ">=2.9.6"

guest_tools/attestation_sdk/src/nv_attestation_sdk/gpu/attest_gpu_remote.py

@@ -11,8 +11,7 @@
 from nv_attestation_sdk.utils.logging_config import get_logger
 from ..utils import unified_eat_parser
 from ..utils import nras_utils
-from ..utils.config import REMOTE_GPU_VERIFIER_SERVICE_URL, GPU_ARCH
-
+from ..utils.config import REMOTE_GPU_VERIFIER_SERVICE_URL, GPU_ARCH, ALLOW_HOLD_CERT
 logger = get_logger()
 
 
@@ -56,6 +55,8 @@ def attest(nonce: str, gpu_evidence_list, verifier_url, ppcie_mode: bool = True,
     attestation_result = False
     jwt_token = ""
     headers = {"Content-Type": "application/json"}
+    if ALLOW_HOLD_CERT:
+        headers["X-NVIDIA-OCSP-ALLOW-CERT-HOLD"] = "true"
     try:
         payload = build_payload(nonce, gpu_evidence_list)
         logger.debug("NRAS URL for GPU Attestation: %s", verifier_url)

guest_tools/attestation_sdk/src/nv_attestation_sdk/nvswitch/attest_nvswitch_remote.py

@@ -10,7 +10,7 @@
 import requests
 from nv_attestation_sdk.verifiers.nv_switch_verifier import nvswitch_admin
 from nv_attestation_sdk.utils.logging_config import get_logger
-from ..utils.config import REMOTE_NVSWITCH_VERIFIER_SERVICE_URL
+from ..utils.config import REMOTE_NVSWITCH_VERIFIER_SERVICE_URL, ALLOW_HOLD_CERT
 from ..utils import unified_eat_parser
 from ..utils import nras_utils
 
@@ -54,6 +54,8 @@ def attest(nonce: str, gpu_evidence_list, verifier_url, timeout=30):
     attestation_result = False
     jwt_token = ""
     headers = {"Content-Type": "application/json"}
+    if ALLOW_HOLD_CERT:
+        headers["X-NVIDIA-OCSP-ALLOW-CERT-HOLD"] = "true"
     try:
         payload = build_payload(nonce, gpu_evidence_list)
         logger.debug("NRAS URL for NvSwitch Attestation: %s", verifier_url)

guest_tools/attestation_sdk/src/nv_attestation_sdk/utils/config.py

@@ -4,7 +4,7 @@
 import os
 
 RIM_SERVICE_URL = os.getenv("NV_RIM_URL", "https://rim.attestation.nvidia.com/v1/rim/")
-ALLOW_HOLD_CERT = True
+ALLOW_HOLD_CERT = os.getenv("NV_ALLOW_HOLD_CERT") == "true"
 OCSP_SERVICE_URL = os.getenv("NV_OCSP_URL", "https://ocsp.ndis.nvidia.com/")
 REMOTE_GPU_VERIFIER_SERVICE_URL = os.getenv(
     "NV_NRAS_GPU_URL", "https://nras.attestation.nvidia.com/v3/attest/gpu"

guest_tools/gpu_verifiers/local_gpu_verifier/README.md

@@ -89,11 +89,11 @@ If you want the verifier to set the GPU Ready State based on the Attestation res
 
          rm -rf src/nv_local_gpu_verifier.egg-info 
          rm -rf /build
-  - If you encounter warning and installation issues similar to the below while installing the package:
-      `WARNING: Ignoring invalid distribution ~v-local-gpu-verifier <site-package-directory>`
-    Please execute the following commands to clean up packages that were not installed properly and then re-try the installation:
+- If you encounter warning and installation issues similar to the below while installing the package:
+    `WARNING: Ignoring invalid distribution ~v-local-gpu-verifier <site-package-directory>`
+  Please execute the following commands to clean up packages that were not installed properly and then re-try the installation:
 
-         rm -rf $(ls -l <site-packages-directory> | grep '~' | awk '{print $9}')
+       rm -rf $(ls -l <site-packages-directory> | grep '~' | awk '{print $9}')
 
 
 ## Usage
@@ -151,5 +151,7 @@ v1.4.0          | r550TRD4
 v1.5.0          | r550TRD5
 v2.0.0          | r550TRD6
 v2.1.0          | r550TRD7, r550TRD6, r550TRD5
+v2.1.1          | r550TRD7, r550TRD6, r550TRD5
+
 ## Claims and Troubleshooting information
 For local and remote verifier claims information for NVIDIA GPUs, switches, and related troubleshooting information, please refer to the [Attestation Troubleshooting documentation](../../attestation_troubleshooting_guide.md).

guest_tools/gpu_verifiers/local_gpu_verifier/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "nv-local-gpu-verifier"
-version = "2.1.0"
+version = "2.1.1"
 description = "A Python-based tool that validates GPU measurements by comparing GPU runtime measurements with authenticated golden measurements"
 authors = [
     {name = "NVIDIA"}

guest_tools/ppcie-verifier/README.md

@@ -91,13 +91,12 @@ Method 2: Using PyPI (Requires python virtual environment creation)
 
 #### Options
 
-| Option                     | Description                           | Value Options                                                            |
-|----------------------------|---------------------------------------|--------------------------------------------------------------------------|
-| `--gpu-attestation-mode`   | Type of GPU Attestation               | LOCAL, REMOTE                                                          |
-| `--switch-attestation-mode`| Type of nvSwitch Attestation          | LOCAL,  REMOTE                                                          |
-| `--log`                    | Configure log level                   | DEBUG, INFO, WARNING, ERROR, TRACE, CRITICAL               |
-
-
+| Option                      | Description                           | Value Options                                                            |
+|-----------------------------|---------------------------------------|--------------------------------------------------------------------------|
+| `--gpu-attestation-mode`    | Type of GPU Attestation               | LOCAL, REMOTE                                                          |
+| `--switch-attestation-mode` | Type of nvSwitch Attestation          | LOCAL,  REMOTE                                                          |
+| `--log`                     | Configure log level                   | DEBUG, INFO, WARNING, ERROR, TRACE, CRITICAL               |
+| `--allow-hold-cert`         | Enable attestation when OCSP status of certificate is cert hold | N/A                                        |
 ## Troubleshooting
 Below are some of the common issues that have been encountered:
 ### Installation Issues:

guest_tools/ppcie-verifier/ppcie/verifier/src/topology/validate_topology.py

@@ -154,6 +154,8 @@ def gpu_topology_check(
                     switch_pdis[i] = read_field_as_little_endian(switch_pdis_in_evidence[i])
 
                 switch_sids_set = set(switch_pdis)
+                # Removing the disabled links
+                switch_sids_set.discard("0000000000000000")
                 logger.debug(
                     "PPCIE: GPU Topology check: Unique switch sids found are %s",
                     switch_sids_set,

guest_tools/ppcie-verifier/ppcie/verifier/verification.py

@@ -59,6 +59,12 @@ def verification():
             choices=["DEBUG", "INFO", "WARNING", "ERROR", "TRACE", "CRITICAL"],
             help="Define log level Example --log=DEBUG",
         )
+        parser.add_argument(
+            "--allow-hold-cert",
+            help="If the user wants to continue the attestation in case of the OCSP revocation status of the certificate "
+                 "is held. The default value is False",
+            action="store_true"
+        )
         args = vars(parser.parse_args())
         logger = get_logger(args["log"])
 
@@ -74,6 +80,8 @@ def verification():
             logger.error("PPCIE: Number of GPUs present are : %d and Switches are %d which do not meet the required "
                          "configuration. Exiting..", number_of_gpus, number_of_switches)
             sys.exit()
+        if args["allow_hold_cert"]:
+            os.environ['NV_ALLOW_HOLD_CERT'] = "true"
         if args["gpu_attestation_mode"] != args["switch_attestation_mode"]:
             logger.error(
                 "PPCIE: GPU attestation mode and Switch attestation mode should be same. Exiting..")

guest_tools/ppcie-verifier/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "nv-ppcie-verifier"
-version = "1.1.1"
+version = "1.1.2"
 description = "Protected PCIE Verifier"
 authors = ["Shwetha Kalyanaraman <skalyanarama@nvidia.com>"]
 license = "OSI Approved :: Apache Software License"
@@ -26,8 +26,8 @@ build = "1.2.1"
 nvidia-ml-py = "^12.550.52"
 prettytable = "^3.10.0"
 pytest-cov = "^5.0.0"
-nv-local-gpu-verifier = "2.1.0"
-nv-attestation-sdk = "2.1.1"
+nv-local-gpu-verifier = "2.1.1"
+nv-attestation-sdk = "2.1.2"
 
 [build-system]
 requires = ["poetry-core"]

guest_tools/ppcie-verifier/tests/test_validate_topology.py

@@ -53,4 +53,21 @@ def test_switch_topology_check(self, mock_switch_attestation_report, mock_gpu_at
 
         self.assertTrue(result_status.topology_checks)
 
+    @patch("ppcie.verifier.src.topology.validate_topology.GpuAttestationReport")
+    def test_gpu_topology_check_with_disabled_links(self, mock_gpu_attestation_report):
+        topology = TopologyValidation()
+        mock_gpu_attestation_report.return_value.get_response_message.return_value.get_opaque_data.return_value.get_data.return_value = [
+            b'@\xb9\xc6\xb3\xd7H\xfd\x90', b'\xfd\xb5)\xf1G<\xb2%', b'\x10C\xc1N\x83Y\x96c',
+            b'\xd0\xf6\x9d\x02\x8e\x15\n\xaa', b'\x00\x00\x00\x00\x00\x00\x00\x00']
+
+        gpu_attestation_report_list = [mock_gpu_attestation_report] * 8
+        status = Status()
+        result_status = topology.gpu_topology_check(
+            gpu_attestation_report_list, 4, status
+        )
+        # Verify the result
+        self.assertTrue(result_status.topology_checks)
+        self.assertEqual(topology.unique_switches,
+                         {'639659834ec14310', '90fd48d7b3c6b940', 'aa0a158e029df6d0', '25b23c47f129b5fd'})
+