NOISSUE: Add attestation-test wasm component example using elastic:hal#168

Merged

rodneyosodo merged 15 commits intoabsmach:mainfrom

JeffMboya:feat/platform-attestation-examples

Apr 21, 2026

Contributor

JeffMboya commented Mar 19, 2026 •

edited

Loading

What type of PR is this?

Feature: adds an attestation-test WASM component example using the elastic:hal/attestation@0.1.0 interface from wasmhal.

What does this do?

Adds examples/attestation-test — a wasm32-wasip2 component that calls elastic:hal/attestation to generate a TEE attestation report. The component exports elastic:hal/run and is built with wit-bindgen against a minimal local WIT file (attestation interface + world only).

Which issue(s) does this PR fix/relate to?

N/A

Have you included tests for your changes?

Tested on an Intel TDX CVM (kernel 6.11.0-17-generic, /dev/tdx_guest present) using hal-runtime built from wasmhal @ cfe99ef. Component loads, WIT interface resolves, and attestation call returns successfully (exit 0).

Did you document any new/modified features?

N/A

Notes

WIT sourced from wasmhal @ cfe99ef. The local hal.wit is intentionally minimal — only the attestation interface and hal-consumer world, since wit_bindgen::generate! requires a local path at compile time.

JeffMboya mentioned this pull request

NOISSUE - Add attestation-test example absmach/propeller-website#25

Merged

rodneyosodo requested changes

View reviewed changes

examples/attestation-test/wit/hal.wit Outdated

Makefile Outdated

examples/attestation-test/Cargo.toml

Contributor Author

JeffMboya commented Apr 20, 2026

TDX test results (ran on uv-intel, commit 7ff9ad4)

Tested inside a real Intel TDX CVM (kernel 6.11.0-17-generic, /dev/tdx_guest present) using hal-runtime built from wasmhal @ cfe99ef:

Component loads and runs — exit 0
WIT interface (elastic:hal/attestation@0.1.0) resolves correctly against hal-runtime
TDX detected correctly by the HAL: Intel CPU ✓, /dev/tdx_guest ✓, TSM support ✓, TDX CPU flag ✓
report_data (32 × 0x42) passed through correctly

One note: the attestation response still returns a placeholder (platform: amd-sev-snp, measurements: placeholder_hash). The HAL detects TDX correctly but falls through to its simulated path rather than issuing TDXGUEST_GET_REPORT0 via /dev/tdx_guest. That is a gap in wasmhal @ cfe99ef, not in this PR.

JeffMboya changed the title ~~NOISSUE: Add platform-test and attestation-test wasm examples~~ NOISSUE: Add attestation-test wasm component example using elastic:hal

rodneyosodo requested changes

View reviewed changes

examples/attestation-test/src/lib.rs Outdated

examples/attestation-test/wit/hal.wit Outdated

JeffMboya force-pushed the feat/platform-attestation-examples branch from 8048a31 to 52a829c Compare

April 21, 2026 07:46

JeffMboya added 11 commits

April 21, 2026 11:28


          feat(examples): add platform-test and attestation-test wasm examples

5b6df9d

Signed-off-by: JeffMboya <jangina.mboya@gmail.com>


          fix(examples): align wasm examples with elastic:tee-hal/platform inte…

5b315cb

…rface

Fix incorrect WIT import namespaces in platform-test and attestation-test:
- attestation-test: elastic:attestation/hal -> elastic:tee-hal/platform, get-attestation -> attestation
- platform-test: elastic:platform/platform -> elastic:tee-hal/platform, get-platform-info -> platform-info

Add wasm-hal-runner binary to proplet for standalone testing of wasip1 WASM
files with HAL host imports, and expose hal_linker as a public module in lib.rs.

Verified against real Intel TDX hardware — both examples produce valid
attestation evidence with platform_type: IntelTdx.


          fix(proplet): remove doc comments from wasm-hal-runner

92ce470


          remove wasm-hal-runner: test via full MQTT/task pipeline instead


          revert(attestation-test): use elastic:attestation/hal interface from …

b28b1d2

…wasmhal PR#4


          feat(examples): consolidate into single attestation-test WASM component

01beec3

Drop platform-test. Rewrite attestation-test as a proper WASM component
using wit-bindgen against the elastic:hal@0.1.0 interface from wasmhal
commit cfe99ef.

The component implements the hal-consumer world: queries platform info,
generates a random nonce via the HAL random interface, requests attestation
evidence from the TEE platform, and returns it from the exported run()
function. Build with: cargo build --target wasm32-wasip2


          fix(examples): remove platform-test target, fix attestation-test buil…

1fc9e95

…d target, add to dependabot


          fix(attestation-test): trim hal.wit to attestation-only, remove platf…

02754ac

…orm and random calls


          fix(attestation-test): inline WIT, remove hal.wit, drop #[allow(warni…

48fea21

…ngs)]

Replaces the external wit/ path with an inline WIT string in
wit_bindgen::generate!, eliminating the hal.wit file entirely.
Removes the mod bindings wrapper and #[allow(warnings)].


          feat(proplet): add component model linker for elastic:hal interfaces

b00b1ee

Adds hal_component_linker.rs registering elastic:hal/attestation@0.1.0,
elastic:hal/platform@0.1.0, and elastic:hal/random@0.1.0 for wasmtime's
component model linker. Adds is_hal_component detection and routing in
wasmtime_runtime.rs so HAL components invoke start_app_component_export
instead of the wasi:cli/run path.


          fix(proplet): resolve rebase conflicts in start_app_component_export

45687d9

Merges upstream WAVE arg parsing with our HAL linker block and interface-
searching func finder. Result extraction keeps byte extraction for list<u8>
(attestation evidence).

JeffMboya force-pushed the feat/platform-attestation-examples branch from a2b0917 to 45687d9 Compare

April 21, 2026 08:29

JeffMboya added 4 commits

April 21, 2026 11:34


          fix(proplet): resolve clippy warnings in wasmtime_runtime

540b139


          fix(proplet): apply cargo fmt formatting

4eea7d6


          fix(proplet): remove unreachable HAL block from start_app_component

94cfb8c


          refactor(attestation-test): rewrite as WASI P1 module using elastic:t…

2895fd9

…ee-hal, remove proplet component model changes

Contributor Author

JeffMboya commented Apr 21, 2026

Updated: Rewritten as WASI P1 core module

Following reviewer feedback, the example has been refactored from a WASI P2 component model approach to a WASI P1 core module, matching the pattern used by hal-test. All proplet changes have been removed — the PR now only adds examples/attestation-test.

What changed

Replaced src/lib.rs (wit-bindgen component) with src/main.rs using raw extern "C" imports against the elastic:tee-hal/* namespace
Removed wit-bindgen dependency and local WIT files
Target is now wasm32-wasip1 (via .cargo/config.toml)
Routes through the existing hal_linker.rs path in proplet — no proplet changes needed

Verified on Intel TDX CVM

Ran the new WASI P1 binary (attestation-test.wasm, 54KB) on the TDX CVM (kernel 6.11.0-17-generic, /dev/tdx_guest present):

platform-info: {"platform_type":"IntelTdx","version":"0.1.0","attestation_support":true}
attestation: ok (evidence len=863)
evidence: {"measurements":{"mrtd":"69485508...","rtmr0":"ae6a79a0...","rtmr1":"fc7cecbe...","rtmr2":"35713c45...","rtmr3":"94a170d5..."},"platform":"intel-tdx","tdx_module_version":"1.5.0","version":"0.1.0"}

Real TDX measurements returned. The WASI P1 module dispatches correctly through start_app_core → hal_linker.rs → HalProvider::platform.attestation().

rodneyosodo approved these changes

View reviewed changes

rodneyosodo merged commit fdfdba8 into absmach:main

15 checks passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet