Azure policy and build update #815
Open
haitaohuang wants to merge 2 commits into intel:main from
haitaohuang (Contributor) commented Apr 28, 2026
- Added a use-mock-quote feature to enable testing on real TDX hw but bypassing GetQuote
- Misc build script improvements
- Switch to SPDM build by default
- Update policy
Add a use-mock-quote build feature that lets MigTD run on a real TDX platform but bypass the GetQuote vmcall path to the host, returning a canned mock quote instead. This is useful for testing and development when the host infrastructure does not yet fully support real quote generation.

Code changes:
- attestation: add use-mock-quote feature with mock TD report and quote generation, mutually exclusive with igvm-attest (compile_error guard)
- attestation/tdreport: new wrapper module that overrides tdcall_report() to return a mock TdxReport when use-mock-quote is enabled, and re-exports the rest of tdx-tdcall's tdreport API unchanged
- migtd: add use-mock-quote Cargo feature plumbing through to attestation
- event_log: bypass RTMR verification in use-mock-quote mode (mock quote cannot match the live event log)
- ratls: bypass public-key-hash check in TD report under use-mock-quote
- spdm: add use-mock-quote cfg guards in verify_report_data_binding and in v1/v2 peer attestation REPORTDATA binding checks

Build and test infrastructure:
- Azure/Makefile: add build-igvm-mock-quote and build-igvm-mock-quote-allow-all build targets and supporting generate-policy-mock-quote* recipes
- build_azure_mock_test.sh: end-to-end policy generation from mock data with auto-generated default templates when not present

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
- Add allow-all policy config for accept-all migration testing
- Fix reject-all build to use IGVM_FEATURES_BASE
- Set tcbDate for migTD in policy_data_raw.json
- Add spdm_attestation to IGVM_FEATURES_BASE for SPDM support
- Add early preflight checks for AzCVMEmu build dependencies: check cargo, pkg-config, tss2-sys, nasm, unzip, autoreconf, ocamlbuild and print actionable install commands when missing; fix azcvm-extract-report binary path resolution (local vs workspace target); replace build output filtering with explicit error reporting so the build fails fast with clear messages instead of cryptic tool-not-found errors.

Co-authored-by: mvasantarao <mvasantarao@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
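As an added illustration, not MigTD's own code, this sketches the fencing pattern the first commit describes: a compile_error guard so use-mock-quote and igvm-attest can never be built together, and a REPORTDATA binding check that is skipped only when the mock feature is on, so a production build keeps the hard failure. The function names, error type and the build-marker helper are assumptions; only the feature names come from the PR.

```rust
// Added illustration (not MigTD's code). Feature names follow the PR
// description; the functions, error type and helper are hypothetical.

// A test-only mock quote must never end up in a build that is expected to
// perform real IGVM attestation, so the two features are mutually exclusive
// at compile time rather than by convention.
#[cfg(all(feature = "use-mock-quote", feature = "igvm-attest"))]
compile_error!("`use-mock-quote` and `igvm-attest` are mutually exclusive");

/// Size of the REPORTDATA field in a TDX report (64 bytes).
pub const REPORT_DATA_LEN: usize = 64;

#[derive(Debug, PartialEq)]
pub enum BindingError {
    /// REPORTDATA inside the quote does not match the value this peer
    /// derived locally for the session.
    ReportDataMismatch,
}

/// Binds the peer's quote to the attested channel: the REPORTDATA carried in
/// the quote must equal the value computed on this side. A canned mock quote
/// cannot carry a live value, so the check is bypassed only under
/// `use-mock-quote`; every other build treats a mismatch as a hard failure.
pub fn verify_report_data_binding(
    quote_report_data: &[u8; REPORT_DATA_LEN],
    expected: &[u8; REPORT_DATA_LEN],
) -> Result<(), BindingError> {
    if cfg!(feature = "use-mock-quote") {
        // Mock path: the quote is synthetic, nothing meaningful to compare.
        return Ok(());
    }
    if quote_report_data == expected {
        Ok(())
    } else {
        Err(BindingError::ReportDataMismatch)
    }
}

/// Lets deployment tooling or a startup log line detect a mock-quote build
/// so it is never mistaken for a production MigTD image (hypothetical helper).
pub const fn mock_quote_enabled() -> bool {
    cfg!(feature = "use-mock-quote")
}
```

Compiled without the feature, as a release build would be, the mismatch path is the one that runs; only a build that explicitly enables use-mock-quote takes the bypass.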
haitaohuang (Contributor, Author) commented:
build failure was network caused