constellation/cli/internal/cloudcmd/validators.go

175 lines
4.9 KiB
Go
Raw Normal View History

2022-04-19 11:02:02 -04:00
package cloudcmd
import (
2022-04-27 05:17:41 -04:00
"crypto/sha256"
"encoding/base64"
2022-04-19 11:02:02 -04:00
"errors"
"fmt"
"strings"
"github.com/edgelesssys/constellation/internal/atls"
"github.com/edgelesssys/constellation/internal/attestation/azure"
"github.com/edgelesssys/constellation/internal/attestation/gcp"
"github.com/edgelesssys/constellation/internal/attestation/qemu"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
2022-04-19 11:02:02 -04:00
"github.com/edgelesssys/constellation/internal/config"
)
2022-05-04 03:13:46 -04:00
const warningStr = "Warning: not verifying the Constellation cluster's %s measurements\n"
2022-04-27 05:17:41 -04:00
type Validator struct {
provider cloudprovider.Provider
pcrs map[uint32][]byte
validator atls.Validator
2022-04-19 11:02:02 -04:00
}
func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Validator, error) {
v := Validator{}
2022-04-27 05:17:41 -04:00
if provider == cloudprovider.Unknown {
return nil, errors.New("unknown cloud provider")
}
v.provider = provider
if err := v.setPCRs(config); err != nil {
return nil, err
}
return &v, nil
}
func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
2022-04-27 05:17:41 -04:00
if err := v.updatePCR(uint32(vtpm.PCRIndexOwnerID), ownerID); err != nil {
return err
}
return v.updatePCR(uint32(vtpm.PCRIndexClusterID), clusterID)
}
// updatePCR adds a new entry to the pcr map of v, or removes the key if the input is an empty string.
//
// When adding, the input is first decoded from base64.
// We then calculate the expected PCR by hashing the input using SHA256,
// appending expected PCR for initialization, and then hashing once more.
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
2022-04-27 05:17:41 -04:00
if encoded == "" {
delete(v.pcrs, pcrIndex)
return nil
}
decoded, err := base64.StdEncoding.DecodeString(encoded)
if err != nil {
return fmt.Errorf("input [%s] is not base64 encoded: %w", encoded, err)
}
// new_pcr_value := hash(old_pcr_value || data_to_extend)
// Since we use the TPM2_PCR_Event call to extend the PCR, data_to_extend is the hash of our input
hashedInput := sha256.Sum256(decoded)
expectedPcr := sha256.Sum256(append(v.pcrs[pcrIndex], hashedInput[:]...))
v.pcrs[pcrIndex] = expectedPcr[:]
return nil
}
func (v *Validator) setPCRs(config *config.Config) error {
2022-04-27 05:17:41 -04:00
switch v.provider {
2022-04-19 11:02:02 -04:00
case cloudprovider.GCP:
gcpPCRs := config.Provider.GCP.Measurements
2022-04-19 11:02:02 -04:00
if err := v.checkPCRs(gcpPCRs); err != nil {
2022-04-27 05:17:41 -04:00
return err
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
v.pcrs = gcpPCRs
2022-04-19 11:02:02 -04:00
case cloudprovider.Azure:
azurePCRs := config.Provider.Azure.Measurements
2022-04-19 11:02:02 -04:00
if err := v.checkPCRs(azurePCRs); err != nil {
2022-04-27 05:17:41 -04:00
return err
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
v.pcrs = azurePCRs
case cloudprovider.QEMU:
qemuPCRs := config.Provider.QEMU.Measurements
if err := v.checkPCRs(qemuPCRs); err != nil {
return err
}
v.pcrs = qemuPCRs
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
return nil
2022-04-19 11:02:02 -04:00
}
// V returns the validator as atls.Validator.
func (v *Validator) V() atls.Validator {
v.updateValidator()
return v.validator
2022-04-19 11:02:02 -04:00
}
// PCRS returns the validator's PCR map.
func (v *Validator) PCRS() map[uint32][]byte {
return v.pcrs
}
func (v *Validator) updateValidator() {
2022-04-27 05:17:41 -04:00
switch v.provider {
case cloudprovider.GCP:
v.validator = gcp.NewValidator(v.pcrs)
2022-04-27 05:17:41 -04:00
case cloudprovider.Azure:
v.validator = azure.NewValidator(v.pcrs)
case cloudprovider.QEMU:
v.validator = qemu.NewValidator(v.pcrs)
2022-04-19 11:02:02 -04:00
}
}
2022-04-27 05:17:41 -04:00
// Warnings returns warnings for the specifc PCR values that are not verified.
//
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
func (v *Validator) Warnings() string {
2022-04-19 11:02:02 -04:00
sb := &strings.Builder{}
2022-04-27 05:17:41 -04:00
if v.pcrs[0] == nil || v.pcrs[1] == nil {
writeWarnFmt(sb, "BIOS")
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
if v.pcrs[2] == nil || v.pcrs[3] == nil {
writeWarnFmt(sb, "OPROM")
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
if v.pcrs[4] == nil || v.pcrs[5] == nil {
writeWarnFmt(sb, "MBR")
2022-04-19 11:02:02 -04:00
}
// GRUB measures kernel command line and initrd into pcrs 8 and 9
2022-04-27 05:17:41 -04:00
if v.pcrs[8] == nil {
writeWarnFmt(sb, "kernel command line")
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
if v.pcrs[9] == nil {
writeWarnFmt(sb, "initrd")
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
return sb.String()
}
// WarningsIncludeInit returns warnings for the specific PCR values that are not verified.
2022-04-27 05:17:41 -04:00
// Warnings regarding the initialization are included.
//
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
func (v *Validator) WarningsIncludeInit() string {
2022-04-27 05:17:41 -04:00
warnings := v.Warnings()
if v.pcrs[uint32(vtpm.PCRIndexOwnerID)] == nil || v.pcrs[uint32(vtpm.PCRIndexClusterID)] == nil {
warnings = warnings + fmt.Sprintf(warningStr, "initialization status")
}
return warnings
}
func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
2022-04-27 05:17:41 -04:00
if len(pcrs) == 0 {
return errors.New("no PCR values provided")
}
for k, v := range pcrs {
if len(v) != 32 {
return fmt.Errorf("bad config: PCR[%d]: expected length: %d, but got: %d", k, 32, len(v))
}
2022-04-19 11:02:02 -04:00
}
2022-04-27 05:17:41 -04:00
return nil
2022-04-19 11:02:02 -04:00
}
func writeWarnFmt(sb *strings.Builder, args ...any) {
writeFmt(sb, warningStr, args...)
}
func writeFmt(sb *strings.Builder, fmtStr string, args ...any) {
2022-04-19 11:02:02 -04:00
sb.WriteString(fmt.Sprintf(fmtStr, args...))
}