CvmAttestation: changing to use new cvm library for cvm attestation #4289

Merged

LiliDeng merged 3 commits into microsoft:main from yangjie-msft:main on Mar 5, 2026

@yangjie-msft
Collaborator

Using https://github.com/Azure/cvm-attestation-tools for cvm attestation tests and adding support for tdx cvm attestation tests.

Contributor

Copilot AI left a comment

Pull request overview

This PR migrates CVM (Confidential VM) attestation tests to use a new library from Azure/cvm-attestation-tools, replacing the previous Azure/confidential-computing-cvm-guest-attestation library. The update adds support for Intel TDX CVM attestation alongside the existing AMD SEV-SNP support.

Changes:

  • Replaces the old attestation library with cvm-attestation-tools from GitHub
  • Adds Intel TDX CPU support in addition to AMD SEV-SNP for CVM attestation
  • Simplifies installation by using install.sh script instead of manual cmake/make build process
  • Updates attestation validation to use string-based output checking instead of JWT decoding

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| lisa/microsoft/testsuites/cvm/cvm_attestation_tool.py | Refactored AzureCVMAttestationTests to use new cvm-attestation-tools library, updated repository URL, simplified installation process, changed attestation validation from JWT to string matching, and updated file output handling |
| lisa/microsoft/testsuites/cvm/cvm_attestation.py | Extended CPU type check to support Intel TDX in addition to AMD SEV-SNP, added config file selection logic based on CPU type |
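
The trade-off in the last listed change (string matching on tool output instead of JWT decoding), as an added example that is not code from this PR or from cvm-attestation-tools. The success marker, claim name, claim values and CPU labels are assumptions, and the token and tool output are constructed.

```python
import base64
import json

# Assumed for this example (not taken from the PR or cvm-attestation-tools):
# the success marker, the claim name and its per-platform values.
SUCCESS_MARKER = "attestation succeeded"
TYPE_CLAIM = "x-ms-attestation-type"
EXPECTED_TYPE = {"amd_sev_snp": "sevsnpvm", "intel_tdx": "tdxvm"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed JWT-shaped token with a dummy signature."""
    return ".".join([_b64url({"alg": "RS256"}), _b64url(claims), "c2ln"])


def string_check(output: str) -> bool:
    """String-based validation: passes if the marker appears anywhere."""
    return SUCCESS_MARKER in output


def claims_check(token: str, cpu: str) -> bool:
    """Decode the payload and compare the platform claim for this CPU.

    Signature verification is out of scope here; this checks content only.
    """
    expected = EXPECTED_TYPE.get(cpu)
    parts = token.split(".")
    if expected is None or len(parts) != 3:
        return False
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return False
    return isinstance(claims, dict) and claims.get(TYPE_CLAIM) == expected


# Constructed output: marker present, but the token reports a TDX platform.
TDX_TOKEN = make_token({TYPE_CLAIM: "tdxvm"})
OUTPUT = f"INFO {SUCCESS_MARKER}\nTOKEN {TDX_TOKEN}\n"

if __name__ == "__main__":
    print(string_check(OUTPUT), claims_check(TDX_TOKEN, "amd_sev_snp"))
```

The string check passes on this output for a node expected to be SEV-SNP, while the claim comparison rejects it.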

@kamalca
Collaborator

kamalca commented Feb 24, 2026

@yangjie-msft Do we expect guest attestation to fail when the VM is deployed with encryption type NonPersistedTPM? Can you consider this scenario and how you would like to handle it in your test case logic?

I think ideally we would still test platform attestation for NonPersistedTPM but skip guest attestation if it is not possible.

In LISA, the NonPersistedTPM encryption type is SecurityProfileType.Stateless

@yangjie-msft
Collaborator Author

yangjie-msft commented Feb 24, 2026

> @yangjie-msft Do we expect guest attestation to fail when the VM is deployed with encryption type NonPersistedTPM? Can you consider this scenario and how you would like to handle it in your test case logic?
>
> I think ideally we would still test platform attestation for NonPersistedTPM but skip guest attestation if it is not possible.
>
> In LISA, the NonPersistedTPM encryption type is SecurityProfileType.Stateless

For stateless CVM both guest and platform attestation will need to be run, so both tests should pass.

@kamalca
Collaborator

kamalca commented Feb 26, 2026

> For stateless CVM both guest and platform attestation will need to be run, so both tests should pass.

@yangjie-msft I am seeing failures on Standard_DCes_v6 when deployed with Stateless. Can you please test this scenario and see what is failing.

Figured out it was related to the SB setting. Now just waiting for final changes and meaningful commit messages.

yangjie-msft changed the title from "using new cvm library for cvm attestation" to "CvmAttestation: changing to use new cvm library for cvm attestation" on Feb 27, 2026

kamalca previously approved these changes Feb 27, 2026

@kamalca
Collaborator

kamalca commented Feb 27, 2026

@LiliDeng LGTM

@LiliDeng
Collaborator

LiliDeng commented Mar 4, 2026

I saw failures when run against this branch. Please check it. @yangjie-msft


    func_timeout(
  File "C:\Python\Lib\site-packages\func_timeout\dafunc.py", line 108, in func_timeout
    raise_exception(exception)
  File "C:\Python\Lib\site-packages\func_timeout\py3_raise.py", line 7, in raise_exception
    raise exception[0] from None
  File "C:\app\lsg-lisa\lisa\lisa\testsuite.py", line 612, in wrapper
    func(*args, **parameters)
  File "C:\app\lsg-lisa\lisa\lisa\microsoft\testsuites\cvm\cvm_attestation.py", line 88, in verify_azure_cvm_attestation_report
    cvm_tests.run_cvm_attestation(
  File "C:\app\lsg-lisa\lisa\lisa\microsoft\testsuites\cvm\cvm_attestation_tool.py", line 43, in run_cvm_attestation
    command = self.run(
              ^^^^^^^^^
  File "C:\app\lsg-lisa\lisa\lisa\executable.py", line 329, in run
    return process.wait_result(
           ^^^^^^^^^^^^^^^^^^^^
  File "C:\app\lsg-lisa\lisa\lisa\util\process.py", line 373, in wait_result
    return self._wait_result(
           ^^^^^^^^^^^^^^^^^^
  File "C:\app\lsg-lisa\lisa\lisa\util\process.py", line 454, in _wait_result
    result.assert_exit_code(
  File "C:\app\lsg-lisa\lisa\lisa\util\process.py", line 95, in assert_exit_code
    return assert_that(expected_exit_codes, message).contains(self.exit_code)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python\Lib\site-packages\assertpy\contains.py", line 83, in contains
    self.error('Expected <%s> to contain item <%s>, but did not.' % (self.val, items[0]))
  File "C:\Python\Lib\site-packages\assertpy\assertpy.py", line 433, in error
    raise AssertionError(out)
AssertionError: [CVM platform attestation report generation failed
Get unexpected exit code on cmd 1708 ['sudo', 'sh', '-c', '/usr/local/bin/attest --c /home/lisatest/lisa_working/tool/azurecvmattestationtests/cvm-attestation-tools/cvm-attestation/config_tdx_guest.json']] Expected <[0]> to contain item <1>, but did not.
2026-03-03 16:23:41.591[4228][DEBUG] lisa.env[generated_0].node[0] detecting hardware_disk_controller_type .

@yangjie-msft
Collaborator Author

yangjie-msft commented Mar 4, 2026

> I saw failures when run against this branch. Please check it. @yangjie-msft


    func_timeout(
  File "C:\Python\Lib\site-packages\func_timeout\dafunc.py", line 108, in func_timeout
    raise_exception(exception)
  File "C:\Python\Lib\site-packages\func_timeout\py3_raise.py", line 7, in raise_exception
    raise exception[0] from None
  File "C:\app\lsg-lisa\lisa\lisa\testsuite.py", line 612, in wrapper
    func(*args, **parameters)
  File "C:\app\lsg-lisa\lisa\lisa\microsoft\testsuites\cvm\cvm_attestation.py", line 88, in verify_azure_cvm_attestation_report
    cvm_tests.run_cvm_attestation(
  File "C:\app\lsg-lisa\lisa\lisa\microsoft\testsuites\cvm\cvm_attestation_tool.py", line 43, in run_cvm_attestation
    command = self.run(
              ^^^^^^^^^
  File "C:\app\lsg-lisa\lisa\lisa\executable.py", line 329, in run
    return process.wait_result(
           ^^^^^^^^^^^^^^^^^^^^
  File "C:\app\lsg-lisa\lisa\lisa\util\process.py", line 373, in wait_result
    return self._wait_result(
           ^^^^^^^^^^^^^^^^^^
  File "C:\app\lsg-lisa\lisa\lisa\util\process.py", line 454, in _wait_result
    result.assert_exit_code(
  File "C:\app\lsg-lisa\lisa\lisa\util\process.py", line 95, in assert_exit_code
    return assert_that(expected_exit_codes, message).contains(self.exit_code)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python\Lib\site-packages\assertpy\contains.py", line 83, in contains
    self.error('Expected <%s> to contain item <%s>, but did not.' % (self.val, items[0]))
  File "C:\Python\Lib\site-packages\assertpy\assertpy.py", line 433, in error
    raise AssertionError(out)
AssertionError: [CVM platform attestation report generation failed
Get unexpected exit code on cmd 1708 ['sudo', 'sh', '-c', '/usr/local/bin/attest --c /home/lisatest/lisa_working/tool/azurecvmattestationtests/cvm-attestation-tools/cvm-attestation/config_tdx_guest.json']] Expected <[0]> to contain item <1>, but did not.
2026-03-03 16:23:41.591[4228][DEBUG] lisa.env[generated_0].node[0] detecting hardware_disk_controller_type .

It appeared to be a breakage of the attestation lib during the day of March 3 which was fixed at 19:40 UTC.

@LiliDeng LiliDeng merged commit db7c082 into microsoft:main Mar 5, 2026
27 checks passed