constellation/cli/internal/cloudcmd/validators.go

176 lines
5.3 KiB
Go
Raw Normal View History

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
2022-04-19 11:02:02 -04:00
package cloudcmd
import (
2022-04-27 05:17:41 -04:00
"crypto/sha256"
"encoding/base64"
"encoding/hex"
2022-04-19 11:02:02 -04:00
"errors"
"fmt"
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/internal/atls"
2022-10-21 11:09:10 -04:00
"github.com/edgelesssys/constellation/v2/internal/attestation/aws"
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
"github.com/spf13/cobra"
"go.uber.org/multierr"
2022-04-19 11:02:02 -04:00
)
// Validator validates Platform Configuration Registers (PCRs).
type Validator struct {
provider cloudprovider.Provider
pcrs measurements.M
idkeydigests idkeydigest.IDKeyDigests
enforceIDKeyDigest bool
azureCVM bool
validator atls.Validator
2022-04-19 11:02:02 -04:00
}
// NewValidator creates a new Validator.
2022-10-21 11:09:10 -04:00
func NewValidator(provider cloudprovider.Provider, conf *config.Config) (*Validator, error) {
v := Validator{}
2022-04-27 05:17:41 -04:00
if provider == cloudprovider.Unknown {
return nil, errors.New("unknown cloud provider")
}
v.provider = provider
2022-10-21 11:09:10 -04:00
if err := v.setPCRs(conf); err != nil {
2022-04-27 05:17:41 -04:00
return nil, err
}
if v.provider == cloudprovider.Azure {
2022-10-21 11:09:10 -04:00
v.azureCVM = *conf.Provider.Azure.ConfidentialVM
if v.azureCVM {
2022-10-21 11:09:10 -04:00
v.enforceIDKeyDigest = *conf.Provider.Azure.EnforceIDKeyDigest
v.idkeydigests = conf.Provider.Azure.IDKeyDigests
}
}
2022-04-27 05:17:41 -04:00
return &v, nil
}
// UpdateInitPCRs sets the owner and cluster PCR values.
func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
if err := v.updatePCR(uint32(measurements.PCRIndexOwnerID), ownerID); err != nil {
2022-04-27 05:17:41 -04:00
return err
}
return v.updatePCR(uint32(measurements.PCRIndexClusterID), clusterID)
2022-04-27 05:17:41 -04:00
}
// updatePCR adds a new entry to the measurements of v, or removes the key if the input is an empty string.
2022-04-27 05:17:41 -04:00
//
// When adding, the input is first decoded from hex or base64.
2022-04-27 05:17:41 -04:00
// We then calculate the expected PCR by hashing the input using SHA256,
// appending expected PCR for initialization, and then hashing once more.
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
2022-04-27 05:17:41 -04:00
if encoded == "" {
delete(v.pcrs, pcrIndex)
return nil
}
// decode from hex or base64
decoded, err := hex.DecodeString(encoded)
2022-04-27 05:17:41 -04:00
if err != nil {
hexErr := err
decoded, err = base64.StdEncoding.DecodeString(encoded)
if err != nil {
return multierr.Append(
fmt.Errorf("input [%s] is not hex encoded: %w", encoded, hexErr),
fmt.Errorf("input [%s] is not base64 encoded: %w", encoded, err),
)
}
2022-04-27 05:17:41 -04:00
}
// new_pcr_value := hash(old_pcr_value || data_to_extend)
// Since we use the TPM2_PCR_Event call to extend the PCR, data_to_extend is the hash of our input
hashedInput := sha256.Sum256(decoded)
oldExpected := v.pcrs[pcrIndex].Expected
expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))
v.pcrs[pcrIndex] = measurements.Measurement{
Expected: expectedPcr,
WarnOnly: v.pcrs[pcrIndex].WarnOnly,
}
2022-04-27 05:17:41 -04:00
return nil
}
func (v *Validator) setPCRs(config *config.Config) error {
2022-04-27 05:17:41 -04:00
switch v.provider {
case cloudprovider.AWS:
awsPCRs := config.Provider.AWS.Measurements
if len(awsPCRs) == 0 {
return errors.New("no expected measurement provided")
2022-04-19 11:02:02 -04:00
}
v.pcrs = awsPCRs
2022-04-19 11:02:02 -04:00
case cloudprovider.Azure:
azurePCRs := config.Provider.Azure.Measurements
if len(azurePCRs) == 0 {
return errors.New("no expected measurement provided")
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
v.pcrs = azurePCRs
case cloudprovider.GCP:
gcpPCRs := config.Provider.GCP.Measurements
if len(gcpPCRs) == 0 {
return errors.New("no expected measurement provided")
}
v.pcrs = gcpPCRs
case cloudprovider.QEMU:
qemuPCRs := config.Provider.QEMU.Measurements
if len(qemuPCRs) == 0 {
return errors.New("no expected measurement provided")
}
v.pcrs = qemuPCRs
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
return nil
2022-04-19 11:02:02 -04:00
}
// V returns the validator as atls.Validator.
func (v *Validator) V(cmd *cobra.Command) atls.Validator {
v.updateValidator(cmd)
return v.validator
2022-04-19 11:02:02 -04:00
}
// PCRS returns the validator's PCR map.
func (v *Validator) PCRS() measurements.M {
return v.pcrs
}
func (v *Validator) updateValidator(cmd *cobra.Command) {
log := warnLogger{cmd: cmd}
2022-04-27 05:17:41 -04:00
switch v.provider {
case cloudprovider.GCP:
v.validator = gcp.NewValidator(v.pcrs, log)
2022-04-27 05:17:41 -04:00
case cloudprovider.Azure:
if v.azureCVM {
v.validator = snp.NewValidator(v.pcrs, v.idkeydigests, v.enforceIDKeyDigest, log)
} else {
v.validator = trustedlaunch.NewValidator(v.pcrs, log)
}
2022-10-21 11:09:10 -04:00
case cloudprovider.AWS:
v.validator = aws.NewValidator(v.pcrs, log)
case cloudprovider.QEMU:
v.validator = qemu.NewValidator(v.pcrs, log)
2022-04-27 05:17:41 -04:00
}
}
// warnLogger implements logging of warnings for validators.
type warnLogger struct {
cmd *cobra.Command
}
// Infof is a no-op since we don't want extra info messages when using the CLI.
2022-10-25 09:51:23 -04:00
func (wl warnLogger) Infof(format string, args ...any) {}
// Warnf prints a formatted warning from the validator.
2022-10-25 09:51:23 -04:00
func (wl warnLogger) Warnf(fmtStr string, args ...any) {
wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))
2022-04-19 11:02:02 -04:00
}