Remove verifyCS experiment usage (google#728)

mayafleischer · web-flow · commit baf750bc0887 · 2026-03-27T13:32:14.000-07:00
diff --git a/launcher/agent/agent.go b/launcher/agent/agent.go
@@ -398,10 +398,7 @@ func (a *agent) attestDeviceROTs(nonce []byte, opts AttestAgentOpts) ([]*attesta
 }
 
 func (a *agent) verify(ctx context.Context, req verifier.VerifyAttestationRequest, client verifier.Client) (*verifier.VerifyAttestationResponse, error) {
-	if a.launchSpec.Experiments.EnableVerifyCS {
-		return client.VerifyConfidentialSpace(ctx, req)
-	}
-	return client.VerifyAttestation(ctx, req)
+	return client.VerifyConfidentialSpace(ctx, req)
 }
 
 func convertOCIToContainerSignature(ociSig oci.Signature) (*verifier.ContainerSignature, error) {
diff --git a/launcher/agent/agent_test.go b/launcher/agent/agent_test.go
@@ -993,16 +993,15 @@ func TestAttestationEvidence_TPM_Success(t *testing.T) {
 }
 
 type testClient struct {
-	verifyCSResp  *verifier.VerifyAttestationResponse
-	verifyAttResp *verifier.VerifyAttestationResponse
+	verifyCSResp *verifier.VerifyAttestationResponse
 }
 
 func (t *testClient) CreateChallenge(_ context.Context) (*verifier.Challenge, error) {
 	return nil, errors.New("unimplemented")
 }
 
 func (t *testClient) VerifyAttestation(_ context.Context, _ verifier.VerifyAttestationRequest) (*verifier.VerifyAttestationResponse, error) {
-	return t.verifyAttResp, nil
+	return nil, errors.New("Should not be called - use VerifyConfidentialSpace")
 }
 
 func (t *testClient) VerifyConfidentialSpace(_ context.Context, _ verifier.VerifyAttestationRequest) (*verifier.VerifyAttestationResponse, error) {
@@ -1013,45 +1012,28 @@ func TestVerify(t *testing.T) {
 	expectedCSResp := &verifier.VerifyAttestationResponse{
 		ClaimsToken: []byte("verify-cs-token"),
 	}
-	expectedAttResp := &verifier.VerifyAttestationResponse{
-		ClaimsToken: []byte("verify-att-token"),
-	}
 
 	vClient := &testClient{
-		verifyCSResp:  expectedCSResp,
-		verifyAttResp: expectedAttResp,
+		verifyCSResp: expectedCSResp,
 	}
 
 	testcases := []struct {
 		name         string
 		opts         AttestAgentOpts
-		exps         experiments.Experiments
 		expectedResp *verifier.VerifyAttestationResponse
 	}{
 		{
-			name: "VerifyCS in experiment",
-			exps: experiments.Experiments{
-				EnableVerifyCS: true,
-			},
+			name:         "Verify calls VerifyConfidentialSpace",
 			expectedResp: expectedCSResp,
 		},
-		{
-			name: "VerifyAtt in experiment",
-			exps: experiments.Experiments{
-				EnableVerifyCS: false,
-			},
-			expectedResp: expectedAttResp,
-		},
 	}
 
 	ctx := context.Background()
 
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
 			attAgent := agent{
-				launchSpec: spec.LaunchSpec{
-					Experiments: tc.exps,
-				},
+				launchSpec: spec.LaunchSpec{},
 			}
 
 			resp, err := attAgent.verify(ctx, verifier.VerifyAttestationRequest{}, vClient)
diff --git a/launcher/internal/experiments/experiments.go b/launcher/internal/experiments/experiments.go
@@ -14,7 +14,6 @@ type Experiments struct {
 	EnableTestFeatureForImage    bool
 	EnableHealthMonitoring       bool
 	EnableItaVerifier            bool
-	EnableVerifyCS               bool
 	EnableAttestationEvidence    bool
 	EnableB200DriverInstallation bool
 	EnableH100DriverInstallation bool
diff --git a/launcher/internal/experiments/experiments_test.go b/launcher/internal/experiments/experiments_test.go
@@ -31,11 +31,10 @@ func TestExperiments(t *testing.T) {
 			},
 		},
 		{
-			input: "{\"EnableTestFeatureForImage\":true,\"EnableSignedContainerImage\":true,\"EnableItaVerifier\":true,\"FloatFeature\":-5.6,\"OtherTestFeatureForImage\":false,\"EnableVerifyCS\":true}",
+			input: "{\"EnableTestFeatureForImage\":true,\"EnableSignedContainerImage\":true,\"EnableItaVerifier\":true,\"FloatFeature\":-5.6,\"OtherTestFeatureForImage\":false}",
 			expectedExps: Experiments{
 				EnableTestFeatureForImage: true,
 				EnableItaVerifier:         true,
-				EnableVerifyCS:            true,
 				EnableGpuGcaSupport:       false,
 			},
 		},
@@ -58,6 +57,13 @@ func TestExperiments(t *testing.T) {
 				EnableGpuGcaSupport:          true,
 			},
 		},
+		{
+			input: "{\"EnableTestFeatureForImage\":true,\"EnableItaVerifier\":false,\"NonExistantExperiment\":true,\"EnableVerifyCS\":true}",
+			expectedExps: Experiments{
+				EnableTestFeatureForImage: true,
+				EnableItaVerifier:         false,
+			},
+		},
 	}
 
 	for i, test := range tests {

Original file line number	Diff line number	Diff line change
`@@ -398,10 +398,7 @@ func (a agent) attestDeviceROTs(nonce []byte, opts AttestAgentOpts) ([]attesta`
`398`	`398`	`}`
`399`	`399`
`400`	`400`	`func (a agent) verify(ctx context.Context, req verifier.VerifyAttestationRequest, client verifier.Client) (verifier.VerifyAttestationResponse, error) {`
`401`		`- if a.launchSpec.Experiments.EnableVerifyCS {`
`402`		`- return client.VerifyConfidentialSpace(ctx, req)`
`403`		`- }`
`404`		`- return client.VerifyAttestation(ctx, req)`
	`401`	`+ return client.VerifyConfidentialSpace(ctx, req)`
`405`	`402`	`}`
`406`	`403`
`407`	`404`	`func convertOCIToContainerSignature(ociSig oci.Signature) (*verifier.ContainerSignature, error) {`