cli: embed multiple reference values

[msanft]

This adds support for embedding a more versatile format of reference values (i.e. a structured type) into the Contrast binaries. This will allow us to embed all reference values at build-time from a single source (the Nix build file) rather than having SVNs in Go code and inserting trusted measurements via the go build commandline. It will now embed a JSON file containing the reference values, which is unmarshaled at first default manifest generation.

[Freax13]

CI's failing.

[katexochen]

Ticket said

ReferenceValues section should be a list of the same type

Which isn't reflected in this PR. Will that be done in a follow-up?

[katexochen]

Runtime handler isn't printed anymore.

[msanft]

Because there's no singular valid runtime handler anymore

[katexochen]

That was already anticipated, that's why there was a platform-specific section in the output.

[msanft]

So do you want to roll back to how it was before, but showing everything for SNP and TDX?

[katexochen]

I'm just saying you shouldn't throw away the work other developers put in there without a thought. Should users construct the runtime name themselves in the future and count the offset of the prefix we are using? Is the length of the offset documented anywhere?

[msanft]

I'm fine with changing it back, but then I'd also suggest we don't print the JSON at all. Are you fine with "reverting" that @burgerdev?

[burgerdev]

Sounds like we need to discuss the question of runtime handlers vs. reference values first - we want this to be a 1:1 mapping, right? So, should it go into ReferenceValues fields?

[msanft]

Implicitly, I'd say it's already there due to the presence of TrustedMeasurement in each of the ReferenceValues. But I think this is something so adjacent to the general discussion of how we want to handle these that we should discuss it in the sync today.

[katexochen]

Let's fix the output in a follow up.

[msanft]

Created a ticket for this

[katexochen]

This reduced readability of the output a lot. If we want to keep this as json output, we should move it to the end and start the json doc in a separate line so you can cut it and process it with jq if needed.

[burgerdev]

I'd rather have a --json for this use case.

[katexochen]

That would mean a refactoring of the command structure, as we are currently using the builtin --version flag, not a command, right?

[msanft]

Which isn't reflected in this PR. Will that be done in a follow-up?

@katexochen With the current design, I don't think this is necessary anymore? Also, we discussed in-person that a structured format makes more sense, and you agreed

[katexochen]

Which isn't reflected in this PR. Will that be done in a follow-up?

With the current design, I don't think this is necessary anymore? Also, we discussed in-person that a structured format makes more sense, and you agreed

We discussed the embedding of the reference values in a structured format (json).

In the manifest, we still target a list of reference value configurations, as discussed in previous meetings and documented in the ticket. This will allow us to add multiple platforms of different configuration (heterogeneous clusters with different types of SNP CPUs, for example), which is something we must support but cannot be enabled by the manifest structure given in this PR.

[msanft]

@katexochen I think there was a misunderstanding of the tickets on my side. Consider this PR to handle 4459, while a follow-up PR should handle 4299

[Freax13]

What's the status on this PR?

[msanft]

What's the status on this PR?

I'd like to merge it, but require a review from @katexochen