2022-09-05 03:06:08 -04:00
|
|
|
/*
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
2022-04-05 09:12:20 -04:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2022-07-04 06:59:43 -04:00
|
|
|
"bytes"
|
2022-04-11 08:25:19 -04:00
|
|
|
"context"
|
2022-07-04 06:59:43 -04:00
|
|
|
"encoding/json"
|
2022-04-05 09:12:20 -04:00
|
|
|
"flag"
|
2022-09-08 08:45:27 -04:00
|
|
|
"net"
|
2022-07-04 06:59:43 -04:00
|
|
|
"net/http"
|
|
|
|
"net/url"
|
2022-04-05 09:12:20 -04:00
|
|
|
"path/filepath"
|
|
|
|
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/mapper"
|
|
|
|
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/recoveryserver"
|
|
|
|
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/rejoinclient"
|
|
|
|
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/setup"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/atls"
|
2022-10-29 22:37:20 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/aws"
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/azure"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
2022-10-21 09:04:34 -04:00
|
|
|
awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws"
|
2022-09-21 07:47:57 -04:00
|
|
|
azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure"
|
2022-10-21 09:04:34 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
2022-09-21 07:47:57 -04:00
|
|
|
gcpcloud "github.com/edgelesssys/constellation/v2/internal/cloud/gcp"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/metadata"
|
2023-03-07 05:58:33 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
|
2022-09-21 07:47:57 -04:00
|
|
|
qemucloud "github.com/edgelesssys/constellation/v2/internal/cloud/qemu"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
|
2023-01-16 05:19:03 -05:00
|
|
|
kmssetup "github.com/edgelesssys/constellation/v2/internal/kms/setup"
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/logger"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/role"
|
2022-07-04 06:59:43 -04:00
|
|
|
tpmClient "github.com/google/go-tpm-tools/client"
|
|
|
|
"github.com/google/go-tpm/tpm2"
|
2022-04-11 08:25:19 -04:00
|
|
|
"github.com/spf13/afero"
|
2022-06-28 10:51:30 -04:00
|
|
|
"go.uber.org/zap"
|
2022-04-05 09:12:20 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2023-02-27 12:19:52 -05:00
|
|
|
gcpStateDiskPath = "/dev/disk/by-id/google-state-disk"
|
|
|
|
azureStateDiskPath = "/dev/disk/azure/scsi1/lun0"
|
|
|
|
awsStateDiskPath = "/dev/sdb"
|
|
|
|
qemuStateDiskPath = "/dev/vda"
|
|
|
|
openstackStateDiskPath = "/dev/vdb"
|
2022-04-05 09:12:20 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
2022-07-01 10:17:06 -04:00
|
|
|
csp := flag.String("csp", "", "Cloud Service Provider the image is running on")
|
2022-11-14 03:02:56 -05:00
|
|
|
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
|
2022-04-11 08:25:19 -04:00
|
|
|
|
2022-07-01 10:17:06 -04:00
|
|
|
flag.Parse()
|
2022-11-14 03:02:56 -05:00
|
|
|
log := logger.New(logger.JSONLog, logger.VerbosityFromInt(*verbosity))
|
2023-03-01 05:55:12 -05:00
|
|
|
log.With(zap.String("version", constants.VersionInfo()), zap.String("cloudProvider", *csp)).
|
2022-06-28 10:51:30 -04:00
|
|
|
Infof("Starting disk-mapper")
|
2022-04-21 10:28:47 -04:00
|
|
|
|
2022-04-11 08:25:19 -04:00
|
|
|
// set up metadata API and quote issuer for aTLS connections
|
|
|
|
var err error
|
|
|
|
var diskPath string
|
2022-09-08 08:45:27 -04:00
|
|
|
var issuer atls.Issuer
|
2023-03-07 05:58:33 -05:00
|
|
|
var metadataClient setup.MetadataAPI
|
2022-10-21 09:04:34 -04:00
|
|
|
switch cloudprovider.FromString(*csp) {
|
|
|
|
case cloudprovider.AWS:
|
|
|
|
// on AWS Nitro platform, disks are attached over NVMe
|
|
|
|
// using udev rules, a symlink for our disk is created at /dev/sdb
|
|
|
|
diskPath, err = filepath.EvalSymlinks(awsStateDiskPath)
|
|
|
|
if err != nil {
|
|
|
|
_ = exportPCRs()
|
|
|
|
log.With(zap.Error(err)).Fatalf("Unable to resolve Azure state disk path")
|
|
|
|
}
|
2023-03-07 05:58:33 -05:00
|
|
|
metadataClient, err = awscloud.New(context.Background())
|
2022-10-21 09:04:34 -04:00
|
|
|
if err != nil {
|
2023-03-07 05:58:33 -05:00
|
|
|
log.With(zap.Error(err)).Fatalf("Failed to set up AWS metadata client")
|
2022-10-21 09:04:34 -04:00
|
|
|
}
|
|
|
|
|
2023-02-28 10:34:18 -05:00
|
|
|
issuer = aws.NewIssuer(log)
|
2022-10-21 09:04:34 -04:00
|
|
|
|
|
|
|
case cloudprovider.Azure:
|
2022-07-04 06:59:43 -04:00
|
|
|
diskPath, err = filepath.EvalSymlinks(azureStateDiskPath)
|
|
|
|
if err != nil {
|
|
|
|
_ = exportPCRs()
|
|
|
|
log.With(zap.Error(err)).Fatalf("Unable to resolve Azure state disk path")
|
|
|
|
}
|
2023-03-07 05:58:33 -05:00
|
|
|
metadataClient, err = azurecloud.New(context.Background())
|
2022-04-11 08:25:19 -04:00
|
|
|
if err != nil {
|
2023-03-07 05:58:33 -05:00
|
|
|
log.With(zap.Error).Fatalf("Failed to set up Azure metadata client")
|
2022-04-11 08:25:19 -04:00
|
|
|
}
|
2022-08-31 14:10:49 -04:00
|
|
|
|
2023-02-28 10:34:18 -05:00
|
|
|
issuer = azure.NewIssuer(log)
|
2022-04-11 08:25:19 -04:00
|
|
|
|
2022-10-21 09:04:34 -04:00
|
|
|
case cloudprovider.GCP:
|
2022-07-04 06:59:43 -04:00
|
|
|
diskPath, err = filepath.EvalSymlinks(gcpStateDiskPath)
|
|
|
|
if err != nil {
|
|
|
|
_ = exportPCRs()
|
|
|
|
log.With(zap.Error(err)).Fatalf("Unable to resolve GCP state disk path")
|
|
|
|
}
|
2023-02-28 10:34:18 -05:00
|
|
|
issuer = gcp.NewIssuer(log)
|
2022-11-09 08:43:48 -05:00
|
|
|
gcpMeta, err := gcpcloud.New(context.Background())
|
2022-04-11 08:25:19 -04:00
|
|
|
if err != nil {
|
2023-03-07 05:58:33 -05:00
|
|
|
log.With(zap.Error).Fatalf("Failed to create GCP metadata client")
|
2022-04-11 08:25:19 -04:00
|
|
|
}
|
2022-11-09 08:43:48 -05:00
|
|
|
defer gcpMeta.Close()
|
2023-03-07 05:58:33 -05:00
|
|
|
metadataClient = gcpMeta
|
2022-04-11 08:25:19 -04:00
|
|
|
|
2023-02-27 12:19:52 -05:00
|
|
|
case cloudprovider.OpenStack:
|
|
|
|
diskPath = openstackStateDiskPath
|
2023-03-07 05:58:33 -05:00
|
|
|
metadataClient, err = openstack.New(context.Background())
|
|
|
|
if err != nil {
|
|
|
|
log.With(zap.Error).Fatalf("Failed to create OpenStack metadata client")
|
|
|
|
}
|
|
|
|
// TODO(malt3): implement OpenStack quote issuer
|
2023-03-01 04:39:32 -05:00
|
|
|
issuer = qemu.NewIssuer(log)
|
|
|
|
_ = exportPCRs()
|
|
|
|
|
2022-10-21 09:04:34 -04:00
|
|
|
case cloudprovider.QEMU:
|
2022-04-21 10:28:47 -04:00
|
|
|
diskPath = qemuStateDiskPath
|
2023-02-28 10:34:18 -05:00
|
|
|
issuer = qemu.NewIssuer(log)
|
2023-03-07 05:58:33 -05:00
|
|
|
metadataClient = qemucloud.New()
|
2022-09-08 08:45:27 -04:00
|
|
|
_ = exportPCRs()
|
2022-04-21 10:28:47 -04:00
|
|
|
|
|
|
|
default:
|
2022-07-04 06:59:43 -04:00
|
|
|
log.Fatalf("CSP %s is not supported by Constellation", *csp)
|
2022-04-05 09:12:20 -04:00
|
|
|
}
|
|
|
|
|
2022-04-11 08:25:19 -04:00
|
|
|
// initialize device mapper
|
2022-08-02 06:35:23 -04:00
|
|
|
mapper, err := mapper.New(diskPath, log)
|
2022-04-05 09:12:20 -04:00
|
|
|
if err != nil {
|
2022-06-28 10:51:30 -04:00
|
|
|
log.With(zap.Error(err)).Fatalf("Failed to initialize device mapper")
|
2022-04-05 09:12:20 -04:00
|
|
|
}
|
|
|
|
defer mapper.Close()
|
|
|
|
|
2022-04-11 08:25:19 -04:00
|
|
|
setupManger := setup.New(
|
2022-06-28 10:51:30 -04:00
|
|
|
log.Named("setupManager"),
|
2022-04-11 08:25:19 -04:00
|
|
|
*csp,
|
2022-08-15 08:50:03 -04:00
|
|
|
diskPath,
|
2022-04-11 08:25:19 -04:00
|
|
|
afero.Afero{Fs: afero.NewOsFs()},
|
|
|
|
mapper,
|
|
|
|
setup.DiskMounter{},
|
|
|
|
vtpm.OpenVTPM,
|
|
|
|
)
|
|
|
|
|
2023-02-24 08:25:39 -05:00
|
|
|
if err := setupManger.LogDevices(); err != nil {
|
|
|
|
log.With(zap.Error(err)).Fatalf("Failed to log devices")
|
|
|
|
}
|
|
|
|
|
2022-04-11 08:25:19 -04:00
|
|
|
// prepare the state disk
|
2022-04-12 08:24:36 -04:00
|
|
|
if mapper.IsLUKSDevice() {
|
2022-09-08 08:45:27 -04:00
|
|
|
// set up rejoin client
|
|
|
|
var self metadata.InstanceMetadata
|
2023-03-07 05:58:33 -05:00
|
|
|
self, err = metadataClient.Self(context.Background())
|
2022-09-08 08:45:27 -04:00
|
|
|
if err != nil {
|
|
|
|
log.With(zap.Error(err)).Fatalf("Failed to get self metadata")
|
|
|
|
}
|
|
|
|
rejoinClient := rejoinclient.New(
|
|
|
|
dialer.New(issuer, nil, &net.Dialer{}),
|
|
|
|
self,
|
2023-03-07 05:58:33 -05:00
|
|
|
metadataClient,
|
2022-09-08 08:45:27 -04:00
|
|
|
log.Named("rejoinClient"),
|
|
|
|
)
|
|
|
|
|
2022-09-14 07:25:42 -04:00
|
|
|
// set up recovery server if control-plane node
|
|
|
|
var recoveryServer setup.RecoveryServer
|
|
|
|
if self.Role == role.ControlPlane {
|
2023-01-16 05:19:03 -05:00
|
|
|
recoveryServer = recoveryserver.New(issuer, kmssetup.KMS, log.Named("recoveryServer"))
|
2022-09-14 07:25:42 -04:00
|
|
|
} else {
|
|
|
|
recoveryServer = recoveryserver.NewStub(log.Named("recoveryServer"))
|
|
|
|
}
|
2022-09-08 08:45:27 -04:00
|
|
|
|
|
|
|
err = setupManger.PrepareExistingDisk(setup.NewNodeRecoverer(recoveryServer, rejoinClient))
|
2022-04-12 08:24:36 -04:00
|
|
|
} else {
|
2022-04-11 08:25:19 -04:00
|
|
|
err = setupManger.PrepareNewDisk()
|
2022-04-12 08:24:36 -04:00
|
|
|
}
|
|
|
|
if err != nil {
|
2022-06-28 10:51:30 -04:00
|
|
|
log.With(zap.Error(err)).Fatalf("Failed to prepare state disk")
|
2022-04-12 08:24:36 -04:00
|
|
|
}
|
|
|
|
}
|
2022-07-04 06:59:43 -04:00
|
|
|
|
|
|
|
// exportPCRs tries to export the node's PCRs to QEMU's metadata API.
|
|
|
|
// This function is called when an Azure or GCP image boots, but is unable to find a state disk.
|
|
|
|
// This happens when we boot such an image in QEMU.
|
|
|
|
// We can use this to calculate the PCRs of the image locally.
|
|
|
|
func exportPCRs() error {
|
|
|
|
// get TPM state
|
2022-11-24 04:57:58 -05:00
|
|
|
pcrs, err := vtpm.GetSelectedMeasurements(vtpm.OpenVTPM, tpmClient.FullPcrSel(tpm2.AlgSHA256))
|
2022-07-04 06:59:43 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
pcrsPretty, err := json.Marshal(pcrs)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// send PCRs to metadata API
|
|
|
|
url := &url.URL{
|
|
|
|
Scheme: "http",
|
|
|
|
Host: "10.42.0.1:8080", // QEMU metadata endpoint
|
|
|
|
Path: "/pcrs",
|
|
|
|
}
|
2022-08-02 10:25:47 -04:00
|
|
|
req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, url.String(), bytes.NewBuffer(pcrsPretty))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
resp, err := http.DefaultClient.Do(req)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
return nil
|
2022-07-04 06:59:43 -04:00
|
|
|
}
|