[experiments] Add Escrow-Xput Experiment#63

Merged
csegarragonz merged 40 commits into main from enhancement-escrow-xput
Dec 5, 2025
Conversation

@csegarragonz
Contributor

Closes #56

@csegarragonz csegarragonz self-assigned this Dec 5, 2025
@csegarragonz csegarragonz added the enhancement New feature or request label Dec 5, 2025
@gemini-code-assist
Contributor

Summary of Changes

Hello @csegarragonz, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new experiment, 'Escrow-Xput', to benchmark the performance of secret-key-release operations. It significantly enhances the Azure integration by improving VM management, SCP capabilities, and robust error handling. The attestation service has undergone substantial refactoring to support Azure vTPM attestation, modularize verification logic, and centralize key exchange. These changes are supported by numerous dependency updates and refined Ansible provisioning scripts, ensuring a more robust and feature-rich confidential computing environment.

Highlights

  • New Experiment Added: Introduced the 'Escrow-Xput' experiment, designed to measure the throughput of secret-key-release operations within the Accless framework. This includes new C++ applications (breakdown-snp, hello-snp) and a time_breakdown utility.
  • Enhanced Azure Integration: Significant improvements to Azure VM management within accli, including robust SCP functionality for file transfers, updated error handling for Azure CLI commands, and a change of the default Azure username from tless to accless.
  • Attestation Service Refactoring: The attestation service now features modularized SNP and vTPM verification logic, a centralized ECDHE key exchange process, and improved TLS certificate generation that considers the external IP. It also includes dynamic route registration based on enabled features (SGX, SNP, Azure CVM).
  • Dependency Updates: Numerous Rust dependencies have been updated across Cargo.lock and Cargo.toml, including core components like abe4, accli, attestation-service, and jwt. New dependencies such as az-snp-vtpm, openssl, and sha2 were added to support new functionalities, particularly Azure vTPM integration.
  • Azure vTPM Support: Added comprehensive support for Azure Confidential VMs (CVMs) utilizing vTPM for attestation. This involves new C++ functions to fetch reports from vTPM, and server-side logic to parse and verify these complex vTPM reports and quotes.
  • Ansible Provisioning Improvements: Ansible playbooks for Azure deployments have been refactored to streamline the provisioning of attestation services and client applications, including automated certificate copying and systemd service setup for the attestation service.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/release.yml
    • .github/workflows/snp.yml
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a new Escrow Throughput experiment and introduces significant refactoring across the accli and attestation-service crates. The changes improve error handling by replacing panics with Result types, enhance modularity by using feature flags for TEE-specific routes, and centralize provisioning logic in Ansible. Overall, these are positive changes that increase the robustness and maintainability of the codebase. My review includes a critical security comment regarding incomplete attestation verification and a couple of suggestions for code clarity and completeness.

@csegarragonz csegarragonz force-pushed the enhancement-escrow-xput branch from 611bbf4 to 3c54fe3 on December 5, 2025 17:19
@csegarragonz csegarragonz marked this pull request as draft December 5, 2025 18:38
@csegarragonz csegarragonz marked this pull request as ready for review December 5, 2025 23:01
@csegarragonz csegarragonz merged commit f51dad4 into main Dec 5, 2025
7 of 8 checks passed
@csegarragonz csegarragonz deleted the enhancement-escrow-xput branch December 5, 2025 23:25
Development

Successfully merging this pull request may close these issues.

[attestation-service] Fix Quote Validation On Azure cVMs