Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
3fde118b33
constellation/internal/attestation/azure/snp/issuer_test.go

178 lines
4.2 KiB
Go
Raw Normal View History

add license headers sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w .
2022-09-05 03:06:08 -04:00
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
AB#2386: TrustedLaunch support for azure attestation * There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-08-31 14:10:49 -04:00
package snp
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
import (
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
"context"
"encoding/json"
"errors"
"io"
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
"testing"
bazel: add build files for go (#1186) * build: correct toolchain order * build: gazelle-update-repos * build: use pregenerated proto for dependencies * update bazeldnf * deps: tpm simulator * Update Google trillian module * cli: add stamping as alternative build info source * bazel: add go_test wrappers, mark special tests and select testing deps * deps: add libvirt deps * deps: go-libvirt patches * deps: cloudflare circl patches * bazel: add go_test wrappers, mark special tests and select testing deps * bazel: keep gazelle overrides * bazel: cleanup bazelrc * bazel: switch CMakeLists.txt to use bazel * bazel: fix injection of version information via stamping * bazel: commit all build files * dev-docs: document bazel usage * deps: upgrade zig-cc for go 1.20 * bazel: update Perl for macOS arm64 & Linux arm64 support * bazel: use static perl toolchain for OpenSSL * bazel: use static protobuf (protoc) toolchain * deps: add git and go to nix deps Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 09:23:42 -05:00
"github.com/edgelesssys/constellation/v2/internal/attestation/simulator"
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
"github.com/edgelesssys/go-azguestattestation/maa"
AB#2444 Verify Azure trusted launch attestation keys (#203) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-04 10:44:44 -04:00
tpmclient "github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm/tpm2"
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGetSNPAttestation(t *testing.T) {
testCases := map[string]struct {
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
maaURL string
maaToken string
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
apiError error
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
tokenErr error
paramsErr error
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
wantErr bool
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
}{
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
"success without maa": {
wantErr: false,
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
},
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
"success with maa": {
maaURL: "maaurl",
maaToken: "maatoken",
wantErr: false,
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
},
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
"api fails": {
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
apiError: errors.New(""),
wantErr: true,
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
},
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
"createToken fails": {
maaURL: "maaurl",
tokenErr: errors.New(""),
wantErr: true,
},
"newParameters fails": {
paramsErr: errors.New(""),
wantErr: true,
},
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
imdsClient := stubImdsClient{
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
maaURL: tc.maaURL,
apiError: tc.apiError,
}
params := maa.Parameters{
SNPReport: []byte("snpreport"),
RuntimeData: []byte("runtimedata"),
VcekCert: []byte("vcekcert"),
VcekChain: []byte("vcekchain"),
}
maa := &stubMaaTokenCreator{
token: tc.maaToken,
tokenErr: tc.tokenErr,
params: params,
paramsErr: tc.paramsErr,
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
}
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
issuer := Issuer{
imds: imdsClient,
maa: maa,
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
}
AB#2386: TrustedLaunch support for azure attestation * There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-08-31 14:10:49 -04:00
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
data := []byte("data")
attestationJSON, err := issuer.getInstanceInfo(context.Background(), nil, data)
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed'
2022-04-26 10:54:05 -04:00
if tc.wantErr {
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
assert.Error(err)
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
return
}
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
require.NoError(err)
assert.Equal(data, maa.gotParamsData)
if tc.maaURL == "" {
assert.Empty(maa.gotTokenData)
} else {
assert.Equal(data, maa.gotTokenData)
}
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
var instanceInfo azureInstanceInfo
Feat/revive (#212) * enable revive as linter * fix var-naming revive issues * fix blank-imports revive issues * fix receiver-naming revive issues * fix exported revive issues * fix indent-error-flow revive issues * fix unexported-return revive issues * fix indent-error-flow revive issues Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-05 09:02:46 -04:00
err = json.Unmarshal(attestationJSON, &instanceInfo)
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
require.NoError(err)
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
assert.Equal(params.VcekCert, instanceInfo.Vcek)
assert.Equal(params.VcekChain, instanceInfo.CertChain)
assert.Equal(params.SNPReport, instanceInfo.AttestationReport)
assert.Equal(params.RuntimeData, instanceInfo.RuntimeData)
assert.Equal(tc.maaToken, instanceInfo.MAAToken)
monorepo Co-authored-by: Malte Poll <mp@edgeless.systems> Co-authored-by: katexochen <katexochen@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> Co-authored-by: Benedict Schlueter <bs@edgeless.systems> Co-authored-by: leongross <leon.gross@rub.de> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 11:03:15 -04:00
})
}
}
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
// TestGetHCLAttestationKey is a basic smoke test that only checks if getAkPub can be run error free.
// Testing anything else will only verify that the simulator works as expected, since getAkPub
// only retrieves the attestation key from the TPM.
func TestGetHCLAttestationKey(t *testing.T) {
AB#2444 Verify Azure trusted launch attestation keys (#203) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-04 10:44:44 -04:00
require := require.New(t)
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
assert := assert.New(t)
bazel: add build files for go (#1186) * build: correct toolchain order * build: gazelle-update-repos * build: use pregenerated proto for dependencies * update bazeldnf * deps: tpm simulator * Update Google trillian module * cli: add stamping as alternative build info source * bazel: add go_test wrappers, mark special tests and select testing deps * deps: add libvirt deps * deps: go-libvirt patches * deps: cloudflare circl patches * bazel: add go_test wrappers, mark special tests and select testing deps * bazel: keep gazelle overrides * bazel: cleanup bazelrc * bazel: switch CMakeLists.txt to use bazel * bazel: fix injection of version information via stamping * bazel: commit all build files * dev-docs: document bazel usage * deps: upgrade zig-cc for go 1.20 * bazel: update Perl for macOS arm64 & Linux arm64 support * bazel: use static perl toolchain for OpenSSL * bazel: use static protobuf (protoc) toolchain * deps: add git and go to nix deps Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-09 09:23:42 -05:00
tpm, err := simulator.OpenSimulatedTPM()
AB#2444 Verify Azure trusted launch attestation keys (#203) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-04 10:44:44 -04:00
require.NoError(err)
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
defer tpm.Close()
AB#2444 Verify Azure trusted launch attestation keys (#203) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-10-04 10:44:44 -04:00
// we should receive an error if no key was saved at index `tpmAkIdx`
_, err = getAttestationKey(tpm)
assert.Error(err)
// create a key at the index
tpmAk, err := tpmclient.NewCachedKey(tpm, tpm2.HandleOwner, tpm2.Public{
Type: tpm2.AlgRSA,
NameAlg: tpm2.AlgSHA256,
Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin | tpm2.FlagUserWithAuth | tpm2.FlagNoDA | tpm2.FlagRestricted | tpm2.FlagSign,
RSAParameters: &tpm2.RSAParams{
Sign: &tpm2.SigScheme{
Alg: tpm2.AlgRSASSA,
Hash: tpm2.AlgSHA256,
},
KeyBits: 2048,
},
}, tpmAkIdx)
require.NoError(err)
defer tpmAk.Close()
// we should now be able to retrieve the key
AB#2386: TrustedLaunch support for azure attestation * There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-08-31 14:10:49 -04:00
_, err = getAttestationKey(tpm)
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
assert.NoError(err)
}
type stubImdsClient struct {
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
maaURL string
apiError error
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
}
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
func (c stubImdsClient) getMAAURL(_ context.Context) (string, error) {
return c.maaURL, c.apiError
}
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
type stubMaaTokenCreator struct {
token string
tokenErr error
gotTokenData []byte
params maa.Parameters
paramsErr error
gotParamsData []byte
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
}
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
func (s *stubMaaTokenCreator) newParameters(_ context.Context, data []byte, _ io.ReadWriter) (maa.Parameters, error) {
s.gotParamsData = data
return s.params, s.paramsErr
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
}
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257) * Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 07:46:49 -04:00
func (s *stubMaaTokenCreator) createToken(_ context.Context, _ io.ReadWriter, _ string, data []byte, _ maa.Parameters) (string, error) {
s.gotTokenData = data
return s.token, s.tokenErr
AB#2333: Add AMD SNP-based attestation Currently only available on Azure CVMs. * Get the public attestation key from the TPM. * Get the snp report from the TPM. * Get the VCEK and ASK certificate from the metadata api. * Verify VCEK using hardcoded root key (ARK) * Verify SNP report using VCEK * Verify HCLAkPub using SNP report by comparing AK with runtimeData * Extend unittest Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2022-08-19 06:26:29 -04:00
}
Reference in New Issue Copy Permalink