
Adding memory monitor measurement
yawangwang committed Dec 21, 2023
1 parent f7d91b3 commit 860a4aa
Showing 6 changed files with 257 additions and 137 deletions.
1 change: 1 addition & 0 deletions cel/cos_tlv.go
Expand Up @@ -31,6 +31,7 @@ const (
OverrideEnvType
// EventContent is empty on success, or contains an error message on failure.
LaunchSeparatorType
MemoryMonitorType
)

// CosTlv is a specific event type created for the COS (Google Container-Optimized OS),
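Review bot: The new `MemoryMonitorType` constant has no comment, while its sibling `LaunchSeparatorType` documents what its EventContent holds; a reader of the event log needs the same for this type. Based on how launcher/container_runner.go populates it in this commit, the comment would be `// EventContent is a single byte: 1 when memory monitoring is enabled, 0 otherwise.` placed on the line above `MemoryMonitorType`. The const block starts above the hunk.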
26 changes: 22 additions & 4 deletions launcher/container_runner.go
Expand Up @@ -281,6 +281,11 @@ func appendTokenMounts(mounts []specs.Mount) []specs.Mount {
return append(mounts, m)
}

var launchEventSeparator = cel.CosTlv{
EventType: cel.LaunchSeparatorType,
EventContent: nil, // Success
}

// measureContainerClaims will measure various container claims into the COS
// eventlog in the AttestationAgent.
func (r *ContainerRunner) measureContainerClaims(ctx context.Context) error {
Expand Down Expand Up @@ -334,11 +339,20 @@ func (r *ContainerRunner) measureContainerClaims(ctx context.Context) error {
}
}

separator := cel.CosTlv{
EventType: cel.LaunchSeparatorType,
EventContent: nil, // Success
return r.attestAgent.MeasureEvent(launchEventSeparator)
}

// measureHealthMonitoringClaims will measure health monitoring related claims into the COS eventlog in the AttestationAgent.
// For now only memory monitoring will be measured into the COS eventlog, but more measurements (cpu, disk, network, etc.) will be added in the future.
func (r *ContainerRunner) measureHealthMonitoringClaims() error {
var memoryMonitorBit uint8
if r.launchSpec.MemoryMonitoringEnabled {
memoryMonitorBit = 1
}
return r.attestAgent.MeasureEvent(separator)
if err := r.attestAgent.MeasureEvent(cel.CosTlv{EventType: cel.MemoryMonitorType, EventContent: []byte{memoryMonitorBit}}); err != nil {
return err
}
return r.attestAgent.MeasureEvent(launchEventSeparator)
}

// Retrieves the default OIDC token from the attestation service, and returns how long
Expand Down Expand Up @@ -528,6 +542,10 @@ func (r *ContainerRunner) Run(ctx context.Context) error {
} else {
r.logger.Println("MemoryMonitoring is disabled by the VM operator")
}

if err := r.measureHealthMonitoringClaims(); err != nil {
return fmt.Errorf("failed to measure health monitoring claims: %v", err)
}
}

var streamOpt cio.Opt
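Review bot: The byte measured at `EventContent: []byte{memoryMonitorBit}` in measureHealthMonitoringClaims comes from r.launchSpec.MemoryMonitoringEnabled, i.e. the operator's requested setting, not from whether the monitor actually started in the branch above the `else` in Run (that branch, and Run's body, start outside the hunk); if startup can fail, the attested claim would overstate the effective state, so either measure a status computed after the start attempt or document on the function that the bit records configuration only. The call `r.measureHealthMonitoringClaims()` also sits inside an enclosing block whose condition is outside the hunk, and the function appends a second LaunchSeparatorType event after the one measureContainerClaims already emits, so event-log consumers must now tolerate a variable number of separators and a possibly absent MemoryMonitorType event — that contract deserves a sentence in the measureHealthMonitoringClaims doc comment. Minor: `return fmt.Errorf("failed to measure health monitoring claims: %w", err)` keeps the underlying error inspectable with errors.Is/errors.As, which `%v` discards.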
6 changes: 6 additions & 0 deletions proto/attest.proto
Expand Up @@ -186,10 +186,16 @@ message SemanticVersion {
uint32 patch = 3;
}

message HealthMonitoringState {
// Whether memory monitoring is enabled.
bool memory_enabled = 1;
}

message AttestedCosState {
ContainerState container = 1;
SemanticVersion cos_version = 2;
SemanticVersion launcher_version = 3;
HealthMonitoringState health_monitoring = 4;
}

message EfiApp {
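Review bot: `message HealthMonitoringState` and the new `HealthMonitoringState health_monitoring = 4;` field on AttestedCosState carry no message- or field-level comment, and the one field comment "Whether memory monitoring is enabled." does not say whose view that is; suggest `// HealthMonitoringState holds the health-monitoring claims the launcher measures into the COS event log.` above the message. If this file uses proto3 syntax (the syntax line is outside the hunk), a plain `bool` has no presence, so a consumer cannot distinguish "measured as disabled" from "no MemoryMonitorType event was present"; if that distinction matters to verification, `optional bool memory_enabled = 1;` preserves it.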
