measure gpu cc mode

Author: meetrajvala

launcher/container_runner.go

@@ -191,7 +191,7 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 		}
 
 		for _, deviceFile := range gpuDeviceFiles {
-			logger.Info("device file : %s", deviceFile)
+			logger.Info(fmt.Sprintf("GPU device file : %s", deviceFile))
 			specOpts = append(specOpts, oci.WithDevices(deviceFile, deviceFile, "crw-rw-rw-"))
 		}
 	}
@@ -341,6 +341,14 @@ func (r *ContainerRunner) measureCELEvents(ctx context.Context) error {
 		return fmt.Errorf("failed to measure memory monitoring state: %v", err)
 	}
 
+	if r.launchSpec.Experiments.EnableConfidentialGPUSupport && r.launchSpec.InstallGpuDriver {
+		ccModeCmd := gpu.NvidiaSmiOutputFunc("conf-compute", "-f")
+		devToolsCmd := gpu.NvidiaSmiOutputFunc("conf-compute", "-d")
+		if err := r.measureGPUCCMode(ccModeCmd, devToolsCmd); err != nil {
+			return fmt.Errorf("failed to measure GPU CC mode status: %v", err)
+		}
+	}
+
 	separator := cel.CosTlv{
 		EventType:    cel.LaunchSeparatorType,
 		EventContent: nil, // Success
@@ -418,6 +426,18 @@ func (r *ContainerRunner) measureMemoryMonitor() error {
 	return nil
 }
 
+func (r *ContainerRunner) measureGPUCCMode(ccModeCmd, devToolsCmd gpu.NvidiaSmiCmdOutput) error {
+	ccMode, err := gpu.QueryCCMode(ccModeCmd, devToolsCmd)
+	if err != nil {
+		return err
+	}
+	if err := r.attestAgent.MeasureEvent(cel.CosTlv{EventType: cel.GpuCCModeType, EventContent: []byte(ccMode.String())}); err != nil {
+		return err
+	}
+	r.logger.Info("Successfully measured GPU CC mode status")
+	return nil
+}
+
 // Retrieves the default OIDC token from the attestation service, and returns how long
 // to wait before attemping to refresh it.
 // The token file will be written to a tmp file and then renamed.

launcher/container_runner_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-tpm-tools/cel"
 	"github.com/google/go-tpm-tools/launcher/agent"
+	"github.com/google/go-tpm-tools/launcher/internal/gpu"
 	"github.com/google/go-tpm-tools/launcher/internal/logging"
 	"github.com/google/go-tpm-tools/launcher/launcherfile"
 	"github.com/google/go-tpm-tools/launcher/spec"
@@ -638,6 +639,77 @@ func TestMeasureCELEvents(t *testing.T) {
 	}
 }
 
+func TestMeasureGPUCCMode(t *testing.T) {
+	fakeContainer := &fakeContainer{
+		image: &fakeImage{
+			name:   "fake image name",
+			digest: "fake digest",
+			id:     "fake id",
+		},
+		args: []string{"fake args"},
+		env:  []string{"fake env"},
+	}
+	launchSpec := spec.LaunchSpec{
+		InstallGpuDriver: true,
+	}
+
+	tests := []struct {
+		name            string
+		mockCCModeCmd   gpu.NvidiaSmiCmdOutput
+		mockDevToolsCmd gpu.NvidiaSmiCmdOutput
+		wantErr         bool
+		wantEvents      []cel.CosType
+	}{
+		{
+			name:            "Successful GPU CC mode measurement",
+			mockCCModeCmd:   func() ([]byte, error) { return []byte("CC status: ON"), nil },
+			mockDevToolsCmd: func() ([]byte, error) { return []byte("DevTools Mode: OFF"), nil },
+			wantErr:         false,
+			wantEvents: []cel.CosType{
+				cel.GpuCCModeType,
+			},
+		},
+		{
+			name:            "Failed GPU CC mode measurement",
+			mockCCModeCmd:   func() ([]byte, error) { return []byte("CC status: ON"), nil },
+			mockDevToolsCmd: func() ([]byte, error) { return nil, fmt.Errorf("nvidia-smi DevTools mode error") },
+			wantErr:         true,
+			wantEvents:      []cel.CosType{},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			gotEvents := []cel.CosType{}
+
+			fakeAgent := &fakeAttestationAgent{
+				measureEventFunc: func(content cel.Content) error {
+					got, _ := content.GetTLV()
+					tlv := &cel.TLV{}
+					tlv.UnmarshalBinary(got.Value)
+					gotEvents = append(gotEvents, cel.CosType(tlv.Type))
+					return nil
+				},
+			}
+
+			r := ContainerRunner{
+				attestAgent: fakeAgent,
+				container:   fakeContainer,
+				launchSpec:  launchSpec,
+				logger:      logging.SimpleLogger(),
+			}
+
+			err := r.measureGPUCCMode(tc.mockCCModeCmd, tc.mockDevToolsCmd)
+			if (err != nil) != tc.wantErr {
+				t.Errorf("measureGPUCCMode() error = %v, wantErr %v", err, tc.wantErr)
+			}
+			if !cmp.Equal(gotEvents, tc.wantEvents) {
+				t.Errorf("failed to measure GPU CC mode event, got %v, but want %v", gotEvents, tc.wantEvents)
+			}
+		})
+	}
+}
+
 func TestPullImageWithRetries(t *testing.T) {
 	testCases := []struct {
 		name        string

launcher/image/test/scripts/gpu/test_gpu_nometadata.sh

@@ -0,0 +1,15 @@
+ #!/bin/bash
+set -euo pipefail
+source util/read_serial.sh
+
+SERIAL_OUTPUT=$(read_serial $1 $2) 
+print_serial=false
+
+if echo $SERIAL_OUTPUT | grep -q 'tee-install-gpu-driver is expected to set to true'
+then
+    echo "- GPU driver installation without metadata flag is verified"
+else
+    echo "FAILED: Driver installation metadata flag is not set"
+    echo 'TEST FAILED.' > /workspace/status.txt
+    print_serial=true
+fi

launcher/image/test/test_gpu_driver_installation_cloudbuild.yaml

@@ -46,6 +46,21 @@ steps:
           '-c', '1',
           '-x', 'TDX',
         ]
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateTDXCVMWithCGPUNoMetadataFlag
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_gpu_vm.sh','-i', '${_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=true',
+          '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-noflag',
+          '-z', 'us-east5-a', # H100 GPU with Confidential Compute on are available only under us-central1 and us-east5 regions.  
+          '-v', 'a3-highgpu-1g',
+          '-g', 'nvidia-h100-80gb',
+          '-c', '1',
+          '-x', 'TDX',
+        ]
 - name: 'gcr.io/cloud-builders/gcloud'
   id: UnsupportedGpuWorkloadTest
   entrypoint: 'bash'
@@ -58,6 +73,10 @@ steps:
   id: ConfidentialGpuWorkloadTest
   entrypoint: 'bash'
   args: ['scripts/gpu/test_gpu_workload.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-tdxcvm-cgpu', 'us-east5-a']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: NoMetadataFlagWorkloadTest
+  entrypoint: 'bash'
+  args: ['scripts/gpu/test_gpu_nometadata.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-noflag', 'us-east5-a']
 - name: 'gcr.io/cloud-builders/gcloud'
   id: UnsupportedGpuVmCleanUp
   entrypoint: 'bash'
@@ -76,6 +95,12 @@ steps:
   env:
   - 'CLEANUP=$_CLEANUP'
   args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-tdxcvm-cgpu', 'us-east5-a']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: NoMetadataVmCleanUp
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-noflag', 'us-east5-a']
 # Must come after cleanup.
 - name: 'gcr.io/cloud-builders/gcloud'
   id: NoGpuVmCheckFailure

launcher/internal/gpu/driverinstaller.go

@@ -30,8 +30,13 @@ var supportedCGPUTypes = []deviceinfo.GPUType{
 	deviceinfo.H100,
 }
 
-type nvidiaSmiCmdOutput func() ([]byte, error)
-type nvidiaSmiCmdRun func() error
+// NvidiaSmiCmdOutput defines a function type for executing an NVIDIA SMI command
+// and returning the raw byte output along with any error.
+type NvidiaSmiCmdOutput func() ([]byte, error)
+
+// NvidiaSmiCmdRun defines a function type for executing an NVIDIA SMI command
+// and returning only an error, if any.
+type NvidiaSmiCmdRun func() error
 
 // DriverInstaller contains information about the GPU driver installer settings
 type DriverInstaller struct {
@@ -165,21 +170,21 @@ func (di *DriverInstaller) InstallGPUDrivers(ctx context.Context) error {
 		return fmt.Errorf("failed to start nvidia-persistenced process: %v", err)
 	}
 
-	nvidiaSmiVerifyCmd := nvidiaSmiRunFunc()
+	nvidiaSmiVerifyCmd := NvidiaSmiRunFunc()
 	if err = verifyDriverInstallation(nvidiaSmiVerifyCmd); err != nil {
 		return fmt.Errorf("failed to verify GPU driver installation: %v", err)
 	}
 
-	ccModeCmd := nvidiaSmiOutputFunc("conf-compute", "-f")
-	devToolsCmd := nvidiaSmiOutputFunc("conf-compute", "-d")
+	ccModeCmd := NvidiaSmiOutputFunc("conf-compute", "-f")
+	devToolsCmd := NvidiaSmiOutputFunc("conf-compute", "-d")
 
 	ccEnabled, err := QueryCCMode(ccModeCmd, devToolsCmd)
 	if err != nil {
 		return fmt.Errorf("failed to check confidential compute mode status: %v", err)
 	}
 	// Explicitly need to set the GPU state to READY for GPUs with confidential compute mode ON.
 	if ccEnabled == attest.GPUDeviceCCMode_ON {
-		setGPUStateCmd := nvidiaSmiRunFunc("conf-compute", "-srs", "1")
+		setGPUStateCmd := NvidiaSmiRunFunc("conf-compute", "-srs", "1")
 		if err = setGPUStateToReady(setGPUStateCmd); err != nil {
 			return fmt.Errorf("failed to set the GPU state to ready: %v", err)
 		}
@@ -238,14 +243,14 @@ func remountAsExecutable(dir string) error {
 	return nil
 }
 
-func verifyDriverInstallation(nvidiaSmiVerifyCmd nvidiaSmiCmdRun) error {
+func verifyDriverInstallation(nvidiaSmiVerifyCmd NvidiaSmiCmdRun) error {
 	if err := nvidiaSmiVerifyCmd(); err != nil {
 		return fmt.Errorf("failed to verify GPU driver installation : %v", err)
 	}
 	return nil
 }
 
-func setGPUStateToReady(nvidiaSmiSetGPUStateCmd nvidiaSmiCmdRun) error {
+func setGPUStateToReady(nvidiaSmiSetGPUStateCmd NvidiaSmiCmdRun) error {
 	if err := nvidiaSmiSetGPUStateCmd(); err != nil {
 		return fmt.Errorf("failed to set the GPU state to ready: %v", err)
 	}
@@ -254,7 +259,7 @@ func setGPUStateToReady(nvidiaSmiSetGPUStateCmd nvidiaSmiCmdRun) error {
 
 // QueryCCMode executes nvidia-smi to determine the current Confidential Computing (CC) mode status of the GPU.
 // If DEVTOOLS mode is enabled, it would override CC mode as DEVTOOLS. DEVTOOLS mode would be enabled only when CC mode is ON.
-func QueryCCMode(ccModeCmd, devToolsCmd nvidiaSmiCmdOutput) (attest.GPUDeviceCCMode, error) {
+func QueryCCMode(ccModeCmd, devToolsCmd NvidiaSmiCmdOutput) (attest.GPUDeviceCCMode, error) {
 	ccMode := attest.GPUDeviceCCMode_UNSET
 	ccModeOutput, err := ccModeCmd()
 	if err != nil {
@@ -301,12 +306,16 @@ func isConfidentialComputeSupported(gpuType deviceinfo.GPUType, supportedCGPUTyp
 	return fmt.Errorf("unsupported confidential GPU type %s, please retry with one of the supported confidential GPU types: %v", gpuType.String(), supportedCGPUTypes)
 }
 
-func nvidiaSmiOutputFunc(args ...string) nvidiaSmiCmdOutput {
+// NvidiaSmiOutputFunc returns a function which executes the nvidia-smi command with the given arguments
+// and returns the raw byte output and any error.
+func NvidiaSmiOutputFunc(args ...string) NvidiaSmiCmdOutput {
 	cmd := fmt.Sprintf("%s/bin/nvidia-smi", InstallationHostDir)
 	return func() ([]byte, error) { return exec.Command(cmd, args...).Output() }
 }
 
-func nvidiaSmiRunFunc(args ...string) nvidiaSmiCmdRun {
+// NvidiaSmiRunFunc returns a function which executes the nvidia-smi command with the given arguments
+// and returns an error, if any.
+func NvidiaSmiRunFunc(args ...string) NvidiaSmiCmdRun {
 	cmd := fmt.Sprintf("%s/bin/nvidia-smi", InstallationHostDir)
 	return func() error { return exec.Command(cmd, args...).Run() }
 }

launcher/internal/gpu/driverinstaller_test.go

@@ -77,7 +77,7 @@ func TestGetInstallerImageReference(t *testing.T) {
 func TestVerifyDriverInstallation(t *testing.T) {
 	tests := []struct {
 		name          string
-		mockVerifyCmd nvidiaSmiCmdRun
+		mockVerifyCmd NvidiaSmiCmdRun
 		wantErr       bool
 		errSubstr     string
 	}{
@@ -110,7 +110,7 @@ func TestVerifyDriverInstallation(t *testing.T) {
 func TestSetGPUStateToReady(t *testing.T) {
 	tests := []struct {
 		name      string
-		mockCmd   nvidiaSmiCmdRun
+		mockCmd   NvidiaSmiCmdRun
 		wantErr   bool
 		errSubstr string
 	}{
@@ -143,8 +143,8 @@ func TestSetGPUStateToReady(t *testing.T) {
 func TestQueryCCMode(t *testing.T) {
 	tests := []struct {
 		name            string
-		mockCCModeCmd   nvidiaSmiCmdOutput
-		mockDevToolsCmd nvidiaSmiCmdOutput
+		mockCCModeCmd   NvidiaSmiCmdOutput
+		mockDevToolsCmd NvidiaSmiCmdOutput
 		expectedCCMode  attest.GPUDeviceCCMode
 		wantErr         bool
 		errSubstr       string

launcher/launcher/main.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
+	"cos.googlesource.com/cos/tools.git/src/cmd/cos_gpu_installer/deviceinfo"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/defaults"
 	"github.com/containerd/containerd/namespaces"
@@ -189,20 +190,6 @@ func startLauncher(launchSpec spec.LaunchSpec, serialConsole *os.File) error {
 	}
 	defer containerdClient.Close()
 
-	ctx := namespaces.WithNamespace(context.Background(), namespaces.Default)
-	if launchSpec.InstallGpuDriver {
-		if launchSpec.Experiments.EnableConfidentialGPUSupport {
-			installer := gpu.NewDriverInstaller(containerdClient, launchSpec, logger)
-			err = installer.InstallGPUDrivers(ctx)
-			if err != nil {
-				return fmt.Errorf("failed to install gpu drivers: %v", err)
-			}
-		} else {
-			logger.Info("Confidential GPU support experiment flag is not enabled for this project. Ensure that it is enabled when tee-install-gpu-driver is set to true")
-			return fmt.Errorf("confidential gpu support experiment flag is not enabled")
-		}
-	}
-
 	tpm, err := tpm2.OpenTPM("/dev/tpmrm0")
 	if err != nil {
 		return &launcher.RetryableError{Err: err}
@@ -245,6 +232,26 @@ func startLauncher(launchSpec spec.LaunchSpec, serialConsole *os.File) error {
 		logger.Info(fmt.Sprintf("failed to retrieve auth token: %v, using empty auth for image pulling\n", err))
 	}
 
+	ctx := namespaces.WithNamespace(context.Background(), namespaces.Default)
+	if launchSpec.InstallGpuDriver {
+		if launchSpec.Experiments.EnableConfidentialGPUSupport {
+			installer := gpu.NewDriverInstaller(containerdClient, launchSpec, logger)
+			err = installer.InstallGPUDrivers(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to install gpu drivers: %v", err)
+			}
+		} else {
+			logger.Error("Confidential GPU support experiment flag is not enabled for this project. Ensure that it is enabled when tee-install-gpu-driver is set to true")
+			return fmt.Errorf("confidential gpu support experiment flag is not enabled")
+		}
+	} else {
+		deviceInfo, _ := deviceinfo.GetGPUTypeInfo()
+		if deviceInfo != deviceinfo.NO_GPU {
+			logger.Error("GPU is attached, tee-install-gpu-driver is not set")
+			return fmt.Errorf("tee-install-gpu-driver is expected to set to true when GPU is attached")
+		}
+	}
+
 	logger.Info("Launch started", "duration_sec", time.Since(start).Seconds())
 
 	r, err := launcher.NewRunner(ctx, containerdClient, token, launchSpec, mdsClient, tpm, logger, serialConsole)