feat(cicd-tee): pin SecretVM v0.0.27-alpha.1, SEV-SNP per-template measurements, baked LOG_LEVEL_* in attestation manifest#722
Merged
Conversation
…plate measurements, bake LOG_LEVEL_* into attestation manifest Brings the TEE CI/CD pipeline in line with SCRT Labs' new portal-mandated SecretVM release v0.0.27-alpha.1 and PRs #718/#720 (AMD SEV-SNP support in proxy-router runtime). Extends the cosign-signed attestation manifest so verifiers can match per-template SEV-SNP launch digests and prove that verbose logging cannot leak privacy data from a TEE-deployed image. Changes - .github/tee/secretvm.env: pin SECRETVM_RELEASE=v0.0.27-alpha.1; add TDX and SEV rootfs URLs/SHA-256s; add SEV artifact registry pointer - proxy-router/scripts/compute-sev-measurement.py (new): Python port of CalcSevMeasurement; computes SHA-384 launch digests for all 5 SecretVM vCPU templates (small/medium/large/2xlarge/4xlarge); mirrors the existing compute-rtmr3.py CI pattern - proxy-router/internal/attestation/sev_python_parity_test.go (new): hermetic Go-vs-Python parity test using a version-agnostic synthetic fixture (artifacts_ver=parity-test-fixture-v1) so future SecretVM bumps do not require touching the test - proxy-router/internal/attestation/golden.go: rename JSON tag amd_sev -> amd_sev_snp; add SEVMeasurements.PerTemplate map and GoldenValues.SEVPerTemplate + MatchSEVMeasurement helper - .github/workflows/build.yml: - download both TDX + SEV rootfs ISOs (SHA-verify both) - fetch SCRT Labs SEV artifact registry, record its SHA-256 - run compute-sev-measurement.py for all 5 templates, expose as job outputs - extract baked LOG_LEVEL_*/LOG_COLOR/LOG_JSON/LOG_IS_PROD from Dockerfile.tee with privacy gate (hard-fails build if LOG_LEVEL_APP=debug or any required LOG_LEVEL_* missing) - manifest now publishes measurements.amd_sev_snp.per_template (×5) and baked_env.LOG_* fields alongside intel_tdx.rtmr3 - proxy-router/.gitignore + .dockerignore: ignore Python __pycache__/ - .ai-docs/TEE_Attestation_Architecture.md + TEE_CICD_Supply_Chain_Hardening.md: document v0.0.27-alpha.1 pin, SEV per-template asymmetry, baked log levels, updated manifest schema Auto-deploy + RTMR3-poll (Deploy-SecretVM-Test) remains TDX-only for this PR; SEV auto-deploy is deferred (manual verifier flow works today via the SEVPerTemplate map). Validation - python3 -m py_compile compute-sev-measurement.py: clean - TestComputeSevMeasurementPythonParity: PASS (Go and Python produce identical SHA-384 chains for all 5 templates) - go vet ./internal/attestation/...: clean - yaml.safe_load(build.yml): clean - jq dry-run of manifest assembly: produces well-formed manifest with amd_sev_snp.per_template and baked_env.LOG_* populated Made-with: Cursor
Merged
3 tasks
nomadicrogue
added a commit
that referenced
this pull request
Apr 29, 2026
…late + baked LOG_LEVEL_*) (#723) ## Summary Promotes #722 from \`dev\` to \`test\`. Single commit: - \`beeb09c\` — feat(cicd-tee): pin SecretVM v0.0.27-alpha.1, SEV-SNP per-template measurements, baked LOG_LEVEL_* in attestation manifest ## What this delivers to the test environment - TEE pipeline pinned to **SecretVM v0.0.27-alpha.1** (SCRT Labs' new portal-mandated release) - AMD SEV-SNP per-template launch digests (×5: small/medium/large/2xlarge/4xlarge) computed in CI and signed into the attestation manifest at \`measurements.amd_sev_snp.per_template\` - Privacy gate: \`LOG_LEVEL_*\` extracted from \`Dockerfile.tee\` and signed into \`baked_env\`; build hard-fails if \`LOG_LEVEL_APP=debug\` or any required \`LOG_LEVEL_*\` is missing - \`golden.go\` parser updated (\`amd_sev\` → \`amd_sev_snp\`; \`PerTemplate\` map; \`MatchSEVMeasurement(live)\` helper) - Hermetic Go ↔ Python parity test ensures CI's \`compute-sev-measurement.py\` stays in lockstep with runtime \`sev_gctx.go\` ## Why this is safe End-to-end already validated on the cicd branch (run [25120743562](https://github.com/MorpheusAIs/Morpheus-Lumerin-Node/actions/runs/25120743562)): - ✅ Standard image built and pushed to GHCR - ✅ TEE image built and pushed (with cosign keyless signature + SBOM) - ✅ SecretVM SEV artifact registry fetched, all 5 per-template SEV measurements computed - ✅ TDX RTMR3 computed, manifest assembled with \`amd_sev_snp.per_template\` + \`baked_env.LOG_*\` + signed and attached to GHCR - ✅ Deployed to the new SecretVM test instance (UUID updated by ops to point at v0.0.27-alpha.1 VM) - ✅ Post-deploy attestation poll: live RTMR3 from VM matched expected RTMR3 from the manifest on attempt 2/12 (after VM reboot) The dev-branch run ([25122325951](https://github.com/MorpheusAIs/Morpheus-Lumerin-Node/actions/runs/25122325951)) is also green; per existing repo policy, GHCR-push and SecretVM-deploy jobs only fire for \`cicd/*\`, \`test\`, and \`main\` branches, so the dev run validated tests + tag generation only. Merging into \`test\` will retrigger the full pipeline (this time with \`:latest-test\` tag promotion). ## Scope explicitly NOT in this PR - SEV auto-deploy + auto-verify (\`Deploy-SecretVM-Test\` extracts RTMR3 at a TDX-quote-specific offset, so it's still TDX-only). Manual SEV verification works today via the runtime verifier consuming \`SEVPerTemplate\` from the signed manifest. SEV auto-deploy is a tracked follow-up. ## Test plan (after merge to test) - [ ] CI-CD on \`test\` branch runs cleanly: standard image + TEE image both built, signed, pushed; \`:latest-test\` tag promoted - [ ] Deploy-SecretVM-Test runs against the new test VM UUID and post-deploy RTMR3 poll matches manifest \`intel_tdx.rtmr3\` - [ ] Manual: pull manifest from GHCR for the new \`:latest-test\` tag, confirm \`measurements.amd_sev_snp.per_template\` has 5 entries and \`baked_env.LOG_LEVEL_APP=info\` (not debug) Made with [Cursor](https://cursor.com)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the TEE CI/CD pipeline in line with SCRT Labs' new portal-mandated SecretVM release v0.0.27-alpha.1 and integrates the AMD SEV-SNP runtime support landed in #718 / #720, while explicitly baking
LOG_LEVEL_*into the attestation manifest so privacy-relevant logging cannot drift silently from a TEE-deployed image.SECRETVM_RELEASE=v0.0.27-alpha.1in.github/tee/secretvm.envwith both TDX and SEV rootfs URLs + SHA-256s, plus a SCRT Labs SEV artifact-registry pointerproxy-router/scripts/compute-sev-measurement.pyportsCalcSevMeasurement(sev_gctx.go) to Python; mirrors the existingcompute-rtmr3.pyCI pattern. CI now produces SHA-384 launch digests for all 5 SecretVM vCPU templates (small/medium/large/2xlarge/4xlarge) — the manifest publishesmeasurements.amd_sev_snp.per_templateso verifiers pick the entry matching the live quote's vCPU countExtract baked log levels from Dockerfile.teestep readsLOG_LEVEL_APP/TCP/ETH_RPC/STORAGE+LOG_COLOR/JSON/IS_PRODand hard-fails the build ifLOG_LEVEL_APP=debugor any requiredLOG_LEVEL_*is missing; values are signed intobaked_envTestComputeSevMeasurementPythonParityensures Go (sev_gctx.go— runtime source of truth) and the Python CI tool produce byte-identical SHA-384 chains for all 5 templates. Fixture is intentionally version-agnostic (artifacts_ver=parity-test-fixture-v1) so future SecretVM bumps do not require touching the testgolden.goJSON tagamd_sev→amd_sev_snp; addsSEVMeasurements.PerTemplatemap andGoldenValues.MatchSEVMeasurement(live)helperTEE_Attestation_Architecture.mdandTEE_CICD_Supply_Chain_Hardening.mdupdated with the v0.0.27-alpha.1 pin, SEV per-template measurement asymmetry table, baked log-level explanation, and updated manifest schemaScope explicitly NOT in this PR
Deploy-SecretVM-Test) stays TDX-only — extracts RTMR3 from a raw TDX quote at fixed offset, so it does not work for SEV. Manual SEV verification works today via the publishedSEVPerTemplatemap; deferred to a follow-up.Validation
python3 -m py_compile compute-sev-measurement.py— cleanTestComputeSevMeasurementPythonParity— PASS (Go ↔ Python identical for all 5 templates)go vet ./internal/attestation/...— cleanyaml.safe_load(build.yml)— cleanjqdry-run of manifest assembly — produces well-formed manifest withamd_sev_snp.per_templateandbaked_env.LOG_*populatedTest plan (post-merge)
GHCR-Build-and-Push-TEEjob runs cleanly on dev push, including:sev.jsonSHA-256 recordedsev_measurement_{small,medium,large,2xlarge,4xlarge}populated)amd_sev_snp.per_templateandbaked_env.LOG_*cicd/...branch (or merged totest),Deploy-SecretVM-Testruns against the new test VM UUID and post-deploy attestation poll matches manifest RTMR3Made with Cursor