From 9c4ad215b79b476113b4b402bedbdb156e9dd118 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Wed, 22 Oct 2025 14:07:33 +0000
Subject: [PATCH] Add `measurement-set` command

It's useful to see what the current set of measurements is on device
---
 verifier-cli/src/main.rs | 39 +++++++++++++++++++++++++++++++++++++++
 verifier/src/lib.rs | 9 +++++++++
 2 files changed, 48 insertions(+)

diff --git a/verifier-cli/src/main.rs b/verifier-cli/src/main.rs
index abc348d..8500ae5 100644
--- a/verifier-cli/src/main.rs
+++ b/verifier-cli/src/main.rs
@@ -144,6 +144,9 @@ enum AttestCommand {
 #[clap(env)]
 corpus: PathBuf,
 },
+ /// Show the set of measurements currently on the RoT. This includes
+ /// the cert chain and the measurement log
+ MeasurementSet,
 }

 /// An enum of the possible routes to the `Attest` task.
@@ -209,6 +212,7 @@ fn main() -> Result<()> {
 let cert_chain = attest
 .get_certificates()
 .context("Getting attestation certificate chain")?;
+
 for cert in cert_chain {
 let cert = cert
 .to_pem(LineEnding::default())
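Review bot: The doc comment on the new `MeasurementSet` variant says what is shown but not that nothing is verified: unless `MeasurementSet::from_artifacts` (not in this patch) validates the chain, the command prints measurements derived from whatever cert chain and log the device returns, with no chain validation against a trust anchor and no appraisal against a corpus, unlike the arm that calls `verify_measurements`. Since this comment is what `--help` prints, I would make that explicit: `/// Show the set of measurements currently on the RoT, derived from its` / `/// cert chain and measurement log. The output is informational only and is` / `/// not verified against a reference corpus.` The same caveat belongs on `measurement_set` in the later main.rs hunk, mirroring the existing `NOTE: The output of this function is only as trustworthy as its inputs.` on `verify_measurements`.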
@@ -299,11 +303,46 @@ fn main() -> Result<()> {
 } => {
 verify_measurements(&cert_chain, &log, &corpus)?;
 }
+ AttestCommand::MeasurementSet => {
+ let set = measurement_set(attest.as_ref())?;
+ for item in set.into_iter() {
+ println!("* {item}");
+ }
+ }
 }

 Ok(())
 }

+fn measurement_set(attest: &dyn Attest) -> Result {
+ // get log
+ info!("getting measurement log");
+ let log = attest
+ .get_measurement_log()
+ .context("Get measurement log from attestor")?;
+ let mut cert_chain = Vec::new();
+
+ let certs = attest
+ .get_certificates()
+ .context("Get certificate chain from attestor")?;
+
+ for (index, cert) in certs.iter().enumerate() {
+ info!("writing cert[{index}]");
+ let pem = cert
+ .to_pem(LineEnding::default())
+ .context(format!("Encode cert {index} as PEM"))?;
+ cert_chain
+ .write_all(pem.as_bytes())
+ .context(format!("Write cert {index}",))?;
+ }
+
+ let cert_chain: PkiPath = Certificate::load_pem_chain(&cert_chain)
+ .context("loading PkiPath from PEM cert chain")?;
+
+ MeasurementSet::from_artifacts(&cert_chain, &log)
+ .context("MeasurementSet from PkiPath")
+}
+
 // Check that the measurments in `cert_chain` and `log` are all present in
 // the `corpus`.
 // NOTE: The output of this function is only as trustworthy as its inputs.
diff --git a/verifier/src/lib.rs b/verifier/src/lib.rs
index cf6eb1b..81f2ad8 100644
--- a/verifier/src/lib.rs
+++ b/verifier/src/lib.rs
@@ -448,6 +448,15 @@ impl MeasurementSet {
 }
 }

+impl std::iter::IntoIterator for MeasurementSet {
+ type Item = Measurement;
+ type IntoIter = as std::iter::IntoIterator>::IntoIter;
+
+ fn into_iter(self) -> Self::IntoIter {
+ self.0.into_iter()
+ }
+}
+
 /// A collection of measurement values that is used as a source of truth when
 /// appraising the set of measurements derived from an attestation.
 pub struct ReferenceMeasurements(pub(crate) HashSet);
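Review bot: In `measurement_set`, `.context(format!("Encode cert {index} as PEM"))` and `.context(format!("Write cert {index}",))` build the message on every iteration even when nothing fails; if `Context` here is anyhow's, `.with_context(|| format!("Encode cert {index} as PEM"))?` and `.with_context(|| format!("Write cert {index}"))?` defer the allocation and drop the stray trailing comma. The PEM round trip through `cert_chain` and `Certificate::load_pem_chain` looks like the same conversion the arm feeding `verify_measurements` must already do to get its `PkiPath` (that arm starts outside the hunk); if so, a shared `fn load_pki_path(attest: &dyn Attest) -> Result<PkiPath>` would remove the duplication. The function has no doc comment, and `// get log` only restates the next line; I would replace it with a header such as `/// Fetch the cert chain and measurement log from `attest` and build the` / `/// device's MeasurementSet. No verification is performed; the result is` / `/// only as trustworthy as what the attestor returns.` In the match arm, `for item in set.into_iter()` can simply be `for item in set`.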
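Review bot: The `IntoIterator` impl consumes the `MeasurementSet`, but its only caller in this patch (the `MeasurementSet` arm in verifier-cli) just prints the items, so a borrowing form would serve equally well; adding `impl<'a> IntoIterator for &'a MeasurementSet` or an `iter()` method next to it would let callers keep the set after listing it. The `IntoIter` associated type is rendered here with its `<…>` argument lost, so I cannot confirm the inner collection; if `self.0` is a `Vec<Measurement>`, `type IntoIter = std::vec::IntoIter<Measurement>;` names it directly, and `IntoIterator` needs no `std::iter::` path since it is in the prelude. A one-line doc on the impl, e.g. `/// Yields each measurement in the order the inner collection holds them.`, would make the iteration order expectation explicit for callers that print or compare the output.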