constellation/internal/attestation/azure/snp/issuer.go

102 lines
2.5 KiB
Go
Raw Normal View History

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package snp
import (
"context"
"encoding/json"
"fmt"
"io"
"github.com/edgelesssys/constellation/v2/internal/attestation"
"github.com/edgelesssys/constellation/v2/internal/attestation/snp"
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
"github.com/edgelesssys/go-azguestattestation/maa"
tpmclient "github.com/google/go-tpm-tools/client"
)
const tpmAkIdx = 0x81000003
// Issuer for Azure TPM attestation.
type Issuer struct {
variant.AzureSEVSNP
*vtpm.Issuer
imds imdsAPI
maa maaTokenCreator
}
// NewIssuer initializes a new Azure Issuer.
func NewIssuer(log attestation.Logger) *Issuer {
i := &Issuer{
imds: newIMDSClient(),
maa: newMAAClient(),
}
i.Issuer = vtpm.NewIssuer(
vtpm.OpenVTPM,
getAttestationKey,
i.getInstanceInfo,
log,
)
return i
}
func (i *Issuer) getInstanceInfo(ctx context.Context, tpm io.ReadWriteCloser, userData []byte) ([]byte, error) {
params, err := i.maa.newParameters(ctx, userData, tpm)
if err != nil {
return nil, fmt.Errorf("getting system parameters: %w", err)
}
var maaToken string
maaURL, err := i.imds.getMAAURL(ctx)
if err != nil {
return nil, fmt.Errorf("retrieving MAA URL from IMDS API: %w", err)
}
if maaURL != "" {
maaToken, err = i.maa.createToken(ctx, tpm, maaURL, userData, params)
if err != nil {
return nil, fmt.Errorf("creating MAA token: %w", err)
}
}
instanceInfo := snp.InstanceInfo{
attestation: use `go-sev-guest` library (#2269) * wip: switch to attestation * add extra comments Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * MAA checks Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use provided functions to parse report / cert chain Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * replace `CommitedTCB` check with `LaunchTCB` check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove debug check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove `LaunchTCB` == `CommitedTCB` check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * custom IdKeyDigests check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * basic test of report parsing from instance info Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * retrieve VCEK from AMD KDS Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove VCEK from `azureInstanceInfo` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use `go-sev-guest` TCB version type Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix validation parsing test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix error message * fix comment Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove certificate chain from `instanceInfo` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add test for idkeydigest check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * wip: update tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [remove] debug prints Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * wip: fix tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * wip: fix tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix tests, do some clean-up Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add test case for fetching error Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * correct `hack` dependency Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix id key check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [remove] comment out wip unit tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add missing newline Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * switch to released version of `go-sev-guest` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add constructor test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add VMPL check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add test assertions Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * switch to pseudoversion Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use fork with windows fix Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter checks Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use data from THIM Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update embeds Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * verify against ARK in config Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * invalid ASK Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: 3u13r <lc@edgeless.systems> * Update internal/attestation/azure/snp/validator.go Co-authored-by: 3u13r <lc@edgeless.systems> * nits Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove unnecessary checks Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * refactoring Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * use upstream library with pseudoversion Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * Update internal/attestation/azure/snp/validator.go Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * simplify control flow Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix return error Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix VCEK test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * revert unintentional changes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use new upstream release Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix removed AuthorKeyEn field Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix verification report printing Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: 3u13r <lc@edgeless.systems> Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-21 08:08:00 -04:00
VCEK: params.VcekCert,
CertChain: params.VcekChain,
AttestationReport: params.SNPReport,
RuntimeData: params.RuntimeData,
MAAToken: maaToken,
}
statement, err := json.Marshal(instanceInfo)
if err != nil {
return nil, fmt.Errorf("marshalling AzureInstanceInfo: %w", err)
}
return statement, nil
}
// getAttestationKey reads the attestation key put into the TPM during early boot.
func getAttestationKey(tpm io.ReadWriter) (*tpmclient.Key, error) {
ak, err := tpmclient.LoadCachedKey(tpm, tpmAkIdx, tpmclient.NullSession{})
if err != nil {
return nil, fmt.Errorf("reading HCL attestation key from TPM: %w", err)
}
return ak, nil
}
type imdsAPI interface {
getMAAURL(ctx context.Context) (string, error)
}
type maaTokenCreator interface {
newParameters(context.Context, []byte, io.ReadWriter) (maa.Parameters, error)
createToken(context.Context, io.ReadWriter, string, []byte, maa.Parameters) (string, error)
}