veraison · thomas-fossati · Nov 5, 2025 · Apr 10, 2025 · Apr 11, 2025 · Mar 25, 2025
diff --git a/.github/workflows/ci-go-cover.yml b/.github/workflows/ci-go-cover.yml
@@ -24,7 +24,7 @@ jobs:
       GO111MODULE: on
       CI_PIPELINE: true
     steps:
-    - uses: actions/setup-go@v3
+    - uses: actions/setup-go@v5
       with:
         go-version: "1.24"
     - name: Checkout code

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
       GO111MODULE: on
       CI_PIPELINE: true
     steps:
-    - uses: actions/setup-go@v3
+    - uses: actions/setup-go@v5
       with:
         go-version: "1.24"
     - name: Checkout code

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -8,7 +8,7 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-    - uses: actions/setup-go@v3
+    - uses: actions/setup-go@v5
       with:
         go-version: "1.24"
     - name: Checkout code

diff --git a/.github/workflows/time-package.yml b/.github/workflows/time-package.yml
@@ -16,7 +16,7 @@ jobs:
       GO111MODULE: on
       CI_PIPELINE: true
     steps:
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: "1.24"
           cache: false

diff --git a/Makefile b/Makefile
@@ -12,6 +12,7 @@ SHELL = /bin/bash
 
 SUBDIR += builtin
 SUBDIR += config
+SUBDIR += coserv
 SUBDIR += handler
 SUBDIR += kvstore
 SUBDIR += log
@@ -49,6 +50,11 @@ IGNORE_COVERAGE += github.com/veraison/services/verification/verifier
 IGNORE_COVERAGE += github.com/veraison/services/vts/cmd/vts-service
 IGNORE_COVERAGE += github.com/veraison/services/vts/trustedservices
 IGNORE_COVERAGE += github.com/veraison/services/vtsclient
+IGNORE_COVERAGE += github.com/veraison/services/coserv/api
+IGNORE_COVERAGE += github.com/veraison/services/coserv/cmd/coserv-service
+IGNORE_COVERAGE += github.com/veraison/services/scheme/amd-kds-coserv
+IGNORE_COVERAGE += github.com/veraison/services/scheme/nvidia-coserv
+IGNORE_COVERAGE += github.com/veraison/services/scheme/arm-cca
 
 include mk/cover.mk
 

diff --git a/builtin/Makefile b/builtin/Makefile
@@ -4,9 +4,6 @@
 
 all:
 
-schemes.gen.go: $(shell find ../scheme/ -type f -name \*.go)
-	python3 ../scripts/gen-schemes ../scheme/ > schemes.gen.go
-
 include ../mk/common.mk
 include ../mk/pkg.mk
 include ../mk/lint.mk

diff --git a/builtin/README.md b/builtin/README.md
@@ -4,11 +4,7 @@ and loading (and, thus, any potential security issues associated with running
 external executables).
 
 Instead, plugins are "discovered" at build time by iterating over an array of
-plugin implementations defined inside [schemes.gen.go](schemes.gen.go), which,
-in turn, can be (re-)generated by running [gen-schemes](../scripts/gen-schemes)
-script.
+plugin implementations defined inside [schemes.go](schemes.go).
 
-> **Note**: `gen-schemes` script repeatedly invokes `gopls` and `guru` in order
-> to identify plugin implementations. This means that it is very slow. Because of
-> this, a static version of `schemes.gen.go` is currently submitted as part of
-> the source.
+> **Note**: When a new plugin is added, [schemes.go](schemes.go) must be
+> manually updated.
diff --git a/builtin/builtin_loader.go b/builtin/builtin_loader.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Contributors to the Veraison project.
+// Copyright 2023-2025 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package builtin
 
@@ -146,7 +146,7 @@ func GetBuiltinHandleByAttestationSchemeUsing[I plugin.IPluggable](
 		if ictx.GetAttestationScheme() != scheme {
 			continue
 		}
-		ldr.logger.Debugw("found plugin implenting scheme",
+		ldr.logger.Debugw("found plugin implementing scheme",
 			"plugin", name, "scheme", scheme)
 
 		impl, ok = ictx.(I)
@@ -158,7 +158,7 @@ func GetBuiltinHandleByAttestationSchemeUsing[I plugin.IPluggable](
 
 	if !found {
 		return *new(I), fmt.Errorf( // nolint:gocritic
-			"could not find plugin providing schdme %q and implementing interface %s",
+			"could not find plugin providing scheme %q and implementing interface %s",
 			scheme, iface)
 	}
 

diff --git a/builtin/schemes.gen.go b/builtin/schemes.gen.go
diff --git a/builtin/schemes.go b/builtin/schemes.go
@@ -0,0 +1,38 @@
+// Copyright 2022-2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package builtin
+
+import (
+	"github.com/veraison/services/plugin"
+
+	scheme8 "github.com/veraison/services/scheme/amd-kds-coserv"
+	scheme3 "github.com/veraison/services/scheme/arm-cca"
+	scheme7 "github.com/veraison/services/scheme/nvidia-coserv"
+	scheme1 "github.com/veraison/services/scheme/parsec-cca"
+	scheme5 "github.com/veraison/services/scheme/parsec-tpm"
+	scheme6 "github.com/veraison/services/scheme/psa-iot"
+	scheme2 "github.com/veraison/services/scheme/riot"
+	scheme4 "github.com/veraison/services/scheme/tpm-enacttrust"
+)
+
+var plugins = []plugin.IPluggable{
+	&scheme1.EvidenceHandler{},
+	&scheme1.EndorsementHandler{},
+	&scheme1.StoreHandler{},
+	&scheme2.EvidenceHandler{},
+	&scheme2.StoreHandler{},
+	&scheme3.EvidenceHandler{},
+	&scheme3.EndorsementHandler{},
+	&scheme3.StoreHandler{},
+	&scheme4.EvidenceHandler{},
+	&scheme4.EndorsementHandler{},
+	&scheme4.StoreHandler{},
+	&scheme5.EvidenceHandler{},
+	&scheme5.EndorsementHandler{},
+	&scheme5.StoreHandler{},
+	&scheme6.EvidenceHandler{},
+	&scheme6.EndorsementHandler{},
+	&scheme6.StoreHandler{},
+	&scheme7.CoservProxyHandler{},
+	&scheme8.CoservProxyHandler{},
+}
diff --git a/coserv/Makefile b/coserv/Makefile
@@ -0,0 +1,7 @@
+# Copyright 2025 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+
+SUBDIR := api
+SUBDIR += cmd/coserv-service
+
+include ../mk/subdir.mk
diff --git a/coserv/api/Makefile b/coserv/api/Makefile
@@ -0,0 +1,9 @@
+# Copyright 2025 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+
+.DEFAULT_GOAL := test
+
+include ../../mk/common.mk
+include ../../mk/pkg.mk
+include ../../mk/lint.mk
+include ../../mk/test.mk
diff --git a/coserv/api/discovery.go b/coserv/api/discovery.go
@@ -0,0 +1,39 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package api
+
+import (
+	"github.com/lestrrat-go/jwx/v2/jwk"
+)
+
+const (
+	CoservDiscoveryMediaType = "application/coserv-discovery+json"
+)
+
+type Capability struct {
+	MediaType       string          `json:"media-type"`
+	ArtifactSupport ArtifactSupport `json:"artifact-support"`
+}
+
+type ArtifactSupport []string
+
+type CoservWellKnownInfo struct {
+	Version                string            `json:"version,omitempty"`
+	Capabilities           []Capability      `json:"capabilities,omitempty"`
+	ApiEndpoints           map[string]string `json:"api-endpoints,omitempty"`
+	ResultVerificationKeys []jwk.Key         `json:"result-verification-key,omitempty"`
+}
+
+func NewCoservWellKnownInfo(
+	version string,
+	capabilities []Capability,
+	apiEndpoints map[string]string,
+	resultVerificationKeys []jwk.Key,
+) *CoservWellKnownInfo {
+	return &CoservWellKnownInfo{
+		Version:                version,
+		Capabilities:           capabilities,
+		ResultVerificationKeys: resultVerificationKeys,
+		ApiEndpoints:           apiEndpoints,
+	}
+}