feat: auto detect tee env

Author: fnerdman

cmd/proxy-client/main.go

@@ -45,8 +45,8 @@ var flags []cli.Flag = []cli.Flag{
 	},
 	&cli.StringFlag{
 		Name:  "client-attestation-type",
-		Value: string(proxy.AttestationNone),
-		Usage: "type of attestation to present (" + proxy.AvailableAttestationTypes + ")",
+		Value: "",
+		Usage: "type of attestation to present (" + proxy.AvailableAttestationTypes + "). If not set, automatically detected.",
 	},
 	&cli.BoolFlag{
 		Name:  "log-json",
@@ -101,10 +101,17 @@ func runClient(cCtx *cli.Context) error {
 		return errors.New("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
 	}
 
+	// Auto-detect client attestation type if not specified
 	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))
 	if err != nil {
-		log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
-		return err
+		// If parsing fails and no type was specified, use auto-detection
+		if cCtx.String("client-attestation-type") == "" {
+			clientAttestationType = proxy.DetectAttestationType()
+			log.With("detected_attestation", clientAttestationType).Info("Auto-detected client attestation type")
+		} else {
+			log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
+			return err
+		}
 	}
 
 	serverAttestationType, err := proxy.ParseAttestationType(cCtx.String("server-attestation-type"))

cmd/proxy-server/main.go

@@ -40,8 +40,8 @@ var flags []cli.Flag = []cli.Flag{
 	&cli.StringFlag{
 		Name:    "server-attestation-type",
 		EnvVars: []string{"SERVER_ATTESTATION_TYPE"},
-		Value:   string(proxy.AttestationAzureTDX),
-		Usage:   "type of attestation to present (" + proxy.AvailableAttestationTypes + ")",
+		Value:   "",
+		Usage:   "type of attestation to present (" + proxy.AvailableAttestationTypes + "). If not set, automatically detected.",
 	},
 	&cli.StringFlag{
 		Name:    "tls-certificate-path",
@@ -132,10 +132,17 @@ func runServer(cCtx *cli.Context) error {
 		return errors.New("not all of --tls-certificate-path and --tls-private-key-path specified")
 	}
 
-	serverAttestationType, err := proxy.ParseAttestationType(serverAttestationTypeFlag)
+	// Auto-detect server attestation type if not specified
+	serverAttestationType, err := proxy.ParseAttestationType(cCtx.String("server-attestation-type"))
 	if err != nil {
-		log.With("attestation-type", cCtx.String("server-attestation-type")).Error("invalid server-attestation-type passed, see --help")
-		return err
+		// If parsing fails and no type was specified, use auto-detection
+		if cCtx.String("server-attestation-type") == "" {
+			serverAttestationType = proxy.DetectAttestationType()
+			log.With("detected_attestation", serverAttestationType).Info("Auto-detected server attestation type")
+		} else {
+			log.With("attestation-type", cCtx.String("server-attestation-type")).Error("invalid server-attestation-type passed, see --help")
+			return err
+		}
 	}
 
 	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))

proxy/atls_config.go

@@ -30,6 +30,25 @@ const (
 
 const AvailableAttestationTypes string = "none, azure-tdx, dcap-tdx"
 
+// DetectAttestationType determines the attestation type based on environment
+func DetectAttestationType() AttestationType {
+    // Check for TDX device files - these indicate DCAP TDX
+    _, tdxErr1 := os.Stat("/dev/tdx-guest")
+    _, tdxErr2 := os.Stat("/dev/tdx_guest")
+    if tdxErr1 == nil || tdxErr2 == nil {
+        return AttestationDCAPTDX
+    }
+
+    // Try Azure TDX attestation - if it works, we're in Azure TDX
+    issuer := azure_tdx.NewIssuer(nil) // nil logger for detection
+    _, err := issuer.Issue(context.Background(), []byte("test"), []byte("test"))
+    if err == nil {
+        return AttestationAzureTDX
+    }
+
+    return AttestationNone
+}
+
 func ParseAttestationType(attestationType string) (AttestationType, error) {
 	switch attestationType {
 	case string(AttestationNone):