mvp vm attestation

[jordanhendricks]

closes #1067

TODO:

• understand why we see spurious attestation failures (@jordanhendricks) (edit: this was the system working as expected, failing requests before the boot digest is done)
• enforce read-only-ness of the boot disk (@jordanhendricks)
• understand why stopping an instance with this branch failed (example on berlin) (@iximeow) (edit: this became make Attest an async trait dice-util#360 and associated work)
• understand vsock issues (edit: will be merged in XXX close connections #1094)
• attestation module comment
• fix phd test failures (@jordanhendricks)
• file follow-on issues for code cleanup, clippy fix

Testing notes

Happy path

I tested using an image @flihp built. (I've put the image for posterity in the lab at /staff/jordan/propolis-1091).

I made the instance with that image and a RO boot disk. For example:

#/usr/bin/env bash

set -euo pipefail

export OXIDE_HOST="https://recovery.sys.dublin.eng.oxide.computer/"
export PROFILE="dublin"

# image UUID
IMAGE="3fb74969-8981-437f-b4b5-2dc82d3ca191"

cat <<EOF > "./request.json"
{
  "name": "$NAME",
  "description": "demo instance",
  "hostname": "$NAME",
  "memory": 2147483648,
  "ncpus": 2,
  "start": false,
  "boot_disk": {
    "type": "create",
    "description": "a disk to run instance with name $NAME",
    "disk_backend": {
      "type": "distributed",
      "disk_source": {
        "type": "image",
        "image_id": "$IMAGE",
        "read_only": true
      }
    },
    "name": "disk-for-$NAME",
    "size": 2147483648
  }
}
EOF

$HOME/src/oxide.rs/target/debug/oxide instance create \
    --profile "$PROFILE" \
    --project "jordan" \
    --json-body "./request.json"

Inside the vm, edit vm-instance-cfg.json to have the instance UUID and the sha256sum of the image (in the case of the demo image, that's 06ff4481c775ffce878e722927985bffaa1fc7de5d3c2e231bea2adecd22615f).

Then in the VM, for a racklette (username root, password password), run:

$ appraiser --root-cert platform-id-staging.pem --reference-measurements sp-v1.0.64-1.0.64_corim.cbor --reference-measurements rot-1-v1.0.38-1.0.38_corim.cbor --vm-instance-cfg vm-instance-cfg.json vm-instance-rot vsock 605 -vvv

If everything works, you should see:

[2026-04-06T21:04:08Z INFO  appraiser] metadata from Oxide VM Instance RoT appraised
[2026-04-06T21:04:08Z INFO  appraiser] appraised attestation from VmInstanceRot over vsock

No boot disk

Steps to test: create instance, stop it (or don't auto-start it), then remove the boot disk as a boot disk. Send a challenge from inside the guest.

Result: attestation server used just the instance UUID for qualifying data

21:24:25.538Z INFO propolis-server (vm_state_driver): vm conf is ready = VmInstanceConf { uuid: 1f1ec2e3-c5cf-4eaf-8a19-aa25ec1f6895, boot_digest: None }

[iximeow]

most of the Cargo.lock weirdness from dice-verifier -> sled-agent-client -> omciron-common (some previous rev) and that's where the later API dependency stuff we saw in Omicron comes up when building the tuf. sled-agent-client re-exports items out of propolis-client which means we end up in a situation where propolis-server depends on a different rev of propolis-client and everything's Weird.

i'm not totally sure what we want or need to do about this, particularly because we're definitely not using the propolis-client-related parts of sled-agent! we're just using one small part of the API for the RoT calls. but sled-agent and propolis are (i think?) updated in the same deployment unit so the cyclic dependency is fine.

[jordanhendricks]

I want to add some comments in the attestation module but from a code-structure perspective @iximeow and I are happy with this. Ready for review!

[hawkw]

Some of the Tokio stuff felt a bit awkward here --- I'd be happy to open a PR against this branch changing some of the things I mentioned, if that's easier for you?

[hawkw]

not super important but this string could be better probably

[jordanhendricks]

done in 014950e

[hawkw]

maybe this should explicitly state that this means it will not be attested?

[jordanhendricks]

took a crack at this in 014950e

[hawkw]

Soo, it feels a bit funny to me that this thing is a task we spawn that, when it completes, sends a message over a oneshot channel and then exits, and then we have a JoinHandle<()> for that task. It kinda feels like this could just be a JoinHandle<VmInstanceConf> and make a bunch of this at least a bit simpler?

I'd be happy to throw together a patch that does that refactoring if it's too annoying.

[jordanhendricks]

That's fair. The JoinHandle was from a previous iteration of how we would structure things that looked more like the way we presently handle the VNC server. I'll take a look at how hard this is to remove.

[hawkw]

Since this and also the change in this module that I suggested in #1091 (comment) are kinda just refactoring/tidying things up, I would be fine with leaving a lot of this as-is and then merge some refactoring later --- I'd be happy to open a follow-up PR after this has merged, if that makes life easier for you?

[jordanhendricks]

I still need to do this and test on dublin.

[hawkw]

The Crucible retry stuff seems pretty much correct, I commented on some minor nitpicks. I think it's fine to defer some of the async refactoring to a subsequent PR, as there isn't anything wrong there, I just think we could maybe make the code a bit simpler. Beyond that, I think that pending whatever testing you need to do, I have no major concerns.

[hawkw]

super weird formatting here, can we do something about that? also perhaps these ought to be structured fields...

[hawkw]

and also, perhaps this ought to include the retry count?

[jordanhendricks]

both done in c096720

[hawkw]

New comments and backoff look good to me, I commented on a couple very tiny nits

[hawkw]

more weird and unpleasant line wrapping (sorry):

Suggested change

	"failed to read boot disk in {n_retries} tries \
	aborting hash of boot digest"
	);
	"failed to read boot disk in {n_retries} tries \
	aborting hash of boot digest"
	);

[hawkw]

turbo nit, sorry: mayhaps vol_uuid ought to be a structured field here as well? maybe we could build a child log context that includes it so that it's also added to the errors we log above?

[hawkw]

i'm not totally sure what the type of e is here, but are we sure that fmt::Debug is the best way to log it? not a huge deal...

[hawkw]

nit: maybe this should say

Suggested change

	//! If there is a read-only disk, the attestation server will fail challenge
	//! If there is a read-only boot disk, the attestation server will fail challenge

since currently, this sentence in isolation suggests we would hash any read-only disk...but, this is not a huge deal as i would kind of expect the reader could infer the correct thing from surrounding context...

[hawkw]

turbo nit: maybe:

Suggested change

	//! * This port is backed by a vsock device in propolis.
	//! - This port is backed by a vsock device in propolis.

[hawkw]

nit: this feels like maybe it should be its own bullet point?

Suggested change

	//! Once the VM conf is ready, these challenges are passed through to the
	//! * Once the VM conf is ready, these challenges are passed through to the