@super-protocol/addons-tee 1.0.0 → 2.0.0

package/bindings/nvidia-native/README.md

@@ -0,0 +1,174 @@
+# NVIDIA Native Attestation Module
+
+Node.js native addon for GPU attestation using NVIDIA Attestation SDK.
+
+## Features
+
+- **Remote Attestation via NRAS**: Generate JWT tokens via NVIDIA Remote Attestation Service
+- **Policy Verification**: Verify JWT with Rego policies
+- **Device Topology**: Retrieve GPU and NVSwitch counts with dynamic library loading
+- **Device Information**: Get NVIDIA GPU device information
+- **TypeScript Support**: Full type support
+
+## Dependencies
+
+### Runtime (System Libraries)
+
+```bash
+# Ubuntu/Debian
+sudo apt-get install -y \
+    libcurl4-openssl-dev \
+    libxml2-dev \
+    libssl-dev \
+    libxmlsec1-dev \
+    libxmlsec1-openssl
+```
+
+### Build Dependencies
+
+```bash
+sudo apt-get install -y build-essential cmake git python3
+```
+
+### NVIDIA Attestation SDK
+
+The SDK is included as a git submodule and is built automatically on first build.
+
+## Build
+
+```bash
+# 1. Initialize submodules
+git submodule update --init --recursive
+
+# 2. Build
+./build.sh
+```
+
+## Usage
+
+### TypeScript (Recommended)
+
+```typescript
+import { 
+  NvidiaAttestationService,
+  PERMISSIVE_POLICY 
+} from 'tee-addon';
+
+const service = new NvidiaAttestationService();
+
+// Attestation via NRAS
+const result = await service.attestGpuWithNRAS({
+  serviceKey: 'your-api-key'
+});
+
+console.log('Success:', result.success);
+console.log('JWT:', result.jwt);
+console.log('Claims:', result.claims);
+```
+
+### Native C++
+
+```javascript
+const { TNvidiaAttestation } = require('./build/Release/nvidia_native.node');
+
+const attestation = new TNvidiaAttestation();
+const nonce = Buffer.alloc(32);
+const result = attestation.attestGpuWithNRAS(nonce);
+console.log(result.success, result.jwt, result.claims);
+```
+
+## API Reference
+
+### generateNonce(nonceLength?)
+
+Generates a cryptographic nonce via NVIDIA Attestation SDK.
+
+**Parameters**:
+- `nonceLength?: number` — length in bytes (default `32`)
+
+**Returns**: `Buffer`
+
+### attestGpuWithNRAS(nonce?, serviceKey?, nrasUrl?)
+
+Performs GPU attestation via NRAS.
+
+**Returns**: `{success: boolean, jwt: string, claims: string}`
+
+### attestNvSwitchWithNRAS(nonce?, serviceKey?, nrasUrl?)
+
+Performs NVSwitch attestation via NRAS.
+
+**Returns**: `{success: boolean, jwt: string, claims: string}`
+
+### verifyJwt(jwt, serviceKey?, nrasUrl?)
+
+Verifies detached EAT JWT cryptographically via NRAS and returns decoded claims.
+
+**Returns**: `{result: boolean, claims: string, msg: string, logs: string}`
+
+**Behavior**:
+- Returns `{result: true, claims, msg: "Success"}` when cryptographic verification succeeds
+- Returns `{result: false, claims, msg: "Attestation overall result is false"}` when verification reaches decision stage but overall result is false
+- Throws `TypeError` for invalid input argument types/shape
+- Throws `Error` for hard failures (malformed/invalid JWT payload, validate/decode failure, claims extraction/serialization failure, HTTP/JWKS processing failure)
+
+### evaluatePolicy(claims, regoPolicy)
+
+Evaluates attestation claims against a Rego policy and returns policy diagnostics.
+
+**Returns**: `{result: boolean, msg: string, details: string[], logs: string}`
+
+**Behavior**:
+- Returns `{result: true, msg: "Success", details: []}` when claims match the policy
+- Returns `{result: false, msg, details}` when claims do not match the policy, with failed rule names in `details`
+- Throws `TypeError` for invalid input argument types/shape
+- Throws `Error` for policy evaluation failures
+
+### getDeviceTopology()
+
+Retrieves NVIDIA device topology information (GPU and NVSwitch).
+
+Dynamically loads NVML and NSCQ libraries, gets device counts, and unloads libraries automatically.
+
+**Parameters**: None
+
+**Returns**: `{gpuCount: number, nvswitchCount: number}`
+
+**Throws**: Error if libraries are loaded but data retrieval fails
+
+**Example**:
+```javascript
+const topology = attestation.getDeviceTopology();
+console.log(`GPUs: ${topology.gpuCount}`);
+console.log(`NVSwitches: ${topology.nvswitchCount}`);
+```
+
+**Error Handling**:
+```javascript
+try {
+    const topology = attestation.getDeviceTopology();
+    console.log(`Found ${topology.gpuCount} GPUs and ${topology.nvswitchCount} NVSwitches`);
+} catch (error) {
+    console.error('Failed to get topology:', error.message);
+}
+```
+
+**Notes**:
+- Requires NVIDIA Driver with NVML support
+- NVSwitch requires NSCQ library (optional)
+- Returns 0 if libraries are not installed (graceful degradation)
+- Throws if libraries are loaded but data retrieval fails
+
+### getDeviceInfo()
+
+Retrieves device information.
+
+**Returns**: `{deviceId: string, vendor: string, attestationSupported: boolean}`
+
+## See also
+
+See the main project README for full documentation.
+
+## License
+
+ISC

package/bindings/nvidia-native/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "nvidia-native",
+  "version": "1.0.0",
+  "description": "Native Node.js addon for NVIDIA attestation",
+  "main": "index.js",
+  "scripts": {
+    "install": "node-gyp rebuild",
+    "build": "node-gyp rebuild",
+    "clean": "node-gyp clean"
+  },
+  "gypfile": true,
+  "dependencies": {
+    "node-addon-api": "^5.0.0"
+  },
+  "devDependencies": {
+    "node-gyp": "^9.0.0"
+  },
+  "keywords": [
+    "nvidia",
+    "attestation",
+    "tee",
+    "native"
+  ],
+  "author": "",
+  "license": "ISC"
+}

package/bindings/nvidia-native/postinstall.js

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+
+const releaseDir = path.join(__dirname, 'build', 'Release');
+const libFile = 'libnvat.so.1.1.0';
+const libPath = path.join(releaseDir, libFile);
+
+if (!fs.existsSync(libPath)) {
+  console.error(`FATAL: Required library not found: ${libPath}`);
+  process.exit(1);
+}
+
+const symlink1 = path.join(releaseDir, 'libnvat.so.1');
+const symlink2 = path.join(releaseDir, 'libnvat.so');
+
+// Create symlink libnvat.so.1 -> libnvat.so.1.1.0
+try {
+  if (fs.existsSync(symlink1)) {
+    fs.unlinkSync(symlink1);
+  }
+  fs.symlinkSync(libFile, symlink1);
+  console.log('Created symlink: libnvat.so.1 -> libnvat.so.1.1.0');
+} catch (err) {
+  console.error(`FATAL: Failed to create symlink ${symlink1}: ${err.message}`);
+  process.exit(1);
+}
+
+// Create symlink libnvat.so -> libnvat.so.1
+try {
+  if (fs.existsSync(symlink2)) {
+    fs.unlinkSync(symlink2);
+  }
+  fs.symlinkSync('libnvat.so.1', symlink2);
+  console.log('Created symlink: libnvat.so -> libnvat.so.1');
+} catch (err) {
+  console.error(`FATAL: Failed to create symlink ${symlink2}: ${err.message}`);
+  process.exit(1);
+}

package/dist/index.d.ts

@@ -1 +1 @@
-export * as SgxNative from "./sgx-native-module";
+export {};

package/dist/index.js

@@ -1,28 +1 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SgxNative = void 0;
-exports.SgxNative = __importStar(require("./sgx-native-module"));
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxpRUFBaUQifQ==
+module.exports = {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@super-protocol/addons-tee",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "description": "The TEE trusted loader addons",
   "tags": [
     "tee"
@@ -26,7 +26,9 @@
   },
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "build:clean": "rm -rf ./dist && tsc -p tsconfig.build.json",
+    "postbuild": "mkdir -p dist/nvidia-native-module && cp src/nvidia-native-module/*.rego dist/nvidia-native-module/",
+    "build:clean": "rm -rf ./dist && npm run build",
+    "postinstall": "node bindings/nvidia-native/postinstall.js",
     "lint": "eslint --ext .ts src",
     "lint:fix": "eslint --ext .ts src --fix",
     "start": "yarn build",

package/.editorconfig

@@ -1,15 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-trim_trailing_whitespace = true
-insert_final_newline = true
-
-[*.md]
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.{js,jsx,json,ts,tsx,yml}]
-indent_size = 2
-indent_style = space

package/.eslintrc.json

@@ -1,61 +0,0 @@
-{
-    "env": {
-        "node": true,
-        "es2021": true
-    },
-    "extends": [
-        "eslint:recommended",
-        "plugin:@typescript-eslint/recommended",
-        "plugin:prettier/recommended"
-    ],
-    "globals": {
-        "Atomics": "readonly",
-        "SharedArrayBuffer": "readonly"
-    },
-    "parser": "@typescript-eslint/parser",
-    "parserOptions": {
-        "project": ["./tsconfig.json"]
-    },
-    "plugins": [
-        "@typescript-eslint"
-    ],
-    "rules": {
-        "@typescript-eslint/ban-ts-comment": ["warn"],
-        "@typescript-eslint/no-var-requires": ["off"],
-        "@typescript-eslint/no-unused-vars": ["off"],
-        "@typescript-eslint/interface-name-prefix": ["off"],
-        "@typescript-eslint/no-empty-function": ["warn"],
-        "comma-dangle": [
-            "error",
-            {
-                "arrays": "always-multiline",
-                "objects": "always-multiline",
-                "imports": "always-multiline",
-                "exports": "always-multiline",
-                "functions": "always-multiline"
-            }
-        ],
-        "linebreak-style": [
-            "error",
-            "unix"
-        ],
-        "newline-before-return": "warn",
-        "no-cond-assign": "error",
-        "no-console": "warn",
-        "no-mixed-operators": "warn",
-        "no-constant-condition": [
-            "error", {
-                "checkLoops": false
-            }],
-        "no-extra-boolean-cast": "off",
-        "no-multiple-empty-lines": ["error", {
-            "max": 1,
-            "maxEOF": 0
-        }],
-        "object-curly-spacing": ["error", "always"],
-        "object-property-newline": ["error", {
-            "allowAllPropertiesOnSameLine": false
-        }],
-        "semi": ["error", "always"]
-    }
-}

package/.prettierignore

@@ -1,3 +0,0 @@
-dist/**/*
-bindings/**/*
-**/gen/*

package/.prettierrc

@@ -1,15 +0,0 @@
-{
-  "singleQuote": false,
-  "trailingComma": "all",
-  "tabWidth": 4,
-  "printWidth": 120,
-  "useTabs": false,
-  "overrides": [
-    {
-      "files": "*.ts",
-      "options": {
-        "parser": "typescript"
-      }
-    }
-  ]
-}

package/bindings/amd-sev-snp-napi-rs/index.d.ts

@@ -1,51 +0,0 @@
-/* tslint:disable */
-/* eslint-disable */
-
-/* auto-generated by NAPI-RS */
-
-export const SNP_REPORT_DATA_SIZE: number
-export const KDS_CERT_SITE: string
-export const KDS_VCEK: string
-export const SHA256_BUFFER_SIZE: number
-export const ARK_MILAN_PEM: Uint8Array
-export const ARK_GENOA_PEM: Uint8Array
-export const ARK_TURIN_PEM: Uint8Array
-export const ASK_MILAN_PEM: Uint8Array
-export const ASK_GENOA_PEM: Uint8Array
-export const ASK_TURIN_PEM: Uint8Array
-/** Well-known AMD SEV-SNP code names as JS string enum. */
-export enum WellKnownSnpCodeNames {
-  Milan = 'Milan',
-  Genoa = 'Genoa',
-  Turin = 'Turin'
-}
-export interface CpuInfo {
-  family: number
-  model: number
-  stepping: number
-}
-export interface ImportantSecurityFields {
-  vmpl: number
-  debugAllowed: boolean
-  ciphertextHiding: boolean
-  pageSwapDisabled: boolean
-  snp: number
-}
-export const IMPORTANT_SECURITY_FIELDS_DUMMY: ImportantSecurityFields
-export declare function getSnpReport(data: Buffer, vmpl: number): Buffer
-export declare function getVcekKdsUrl(report: Buffer, generation: string): string
-export declare function getReportData(report: Buffer): Buffer
-export declare function getReportMeasure(report: Buffer): Buffer
-export declare function getReportVmpl(report: Buffer): number
-export declare function getReportPolicy(report: Buffer): bigint
-export declare function getReportImportantSecurityFields(report: Buffer): ImportantSecurityFields
-export declare function getReportCpuInfo(report: Buffer): CpuInfo
-/**
- * Identify EPYC generation from provided CpuInfo (family/model).
- * Returns a `WellKnownSnpCodeNames` enum for known SNP generations.
- */
-export declare function getCpuGeneration(cpuInfo: CpuInfo): WellKnownSnpCodeNames
-export declare function getCpuInfo(): CpuInfo
-export declare function getCpuSig(cpuInfo: CpuInfo): number
-export declare function getLogicalCoresCount(): number
-export declare function calcSnpMeasure(ovmfPath: string, kernelSha256: Buffer, initrdSha256: Buffer, cmdlineSha256: Buffer, vcpuSig: number, vcpuCount: number): Buffer