constellation/internal/attestation/azure/trustedlaunch/validator.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package trustedlaunch

import (
	"crypto"

	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
	"github.com/edgelesssys/constellation/v2/internal/oid"
	"github.com/google/go-tpm/tpm2"
)

// Validator for Azure trusted launch VM attestation.
type Validator struct {
	oid.AzureTrustedLaunch
	*vtpm.Validator
}

// NewValidator initializes a new Azure validator with the provided PCR values.
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32, log vtpm.WarnLogger) *Validator {
	return &Validator{
		Validator: vtpm.NewValidator(
			pcrs,
			enforcedPCRs,
			trustedKey,
			validateVM,
			vtpm.VerifyPKCS1v15,
			log,
		),
	}
}

// trustedKey returns the key encoded in the given TPMT_PUBLIC message.
func trustedKey(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
	pubArea, err := tpm2.DecodePublic(akPub)
	if err != nil {
		return nil, err
	}
	return pubArea.Key()
}

// validateVM returns nil.
func validateVM(attestation vtpm.AttestationDocument) error {
	return nil
}
AB#2386: TrustedLaunch support for azure attestation * There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net> 2022-08-31 14:10:49 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package trustedlaunch`

			`import (`
			`"crypto"`

Upgrade go module to v2 2022-09-21 07:47:57 -04:00			`"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"`
			`"github.com/edgelesssys/constellation/v2/internal/oid"`
AB#2386: TrustedLaunch support for azure attestation * There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net> 2022-08-31 14:10:49 -04:00			`"github.com/google/go-tpm/tpm2"`
			`)`

			`// Validator for Azure trusted launch VM attestation.`
			`type Validator struct {`
			`oid.AzureTrustedLaunch`
			`*vtpm.Validator`
			`}`

			`// NewValidator initializes a new Azure validator with the provided PCR values.`
			`func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32, log vtpm.WarnLogger) *Validator {`
			`return &Validator{`
			`Validator: vtpm.NewValidator(`
			`pcrs,`
			`enforcedPCRs,`
			`trustedKey,`
			`validateVM,`
			`vtpm.VerifyPKCS1v15,`
			`log,`
			`),`
			`}`
			`}`

			`// trustedKey returns the key encoded in the given TPMT_PUBLIC message.`
			`func trustedKey(akPub, instanceInfo []byte) (crypto.PublicKey, error) {`
			`pubArea, err := tpm2.DecodePublic(akPub)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return pubArea.Key()`
			`}`

			`// validateVM returns nil.`
			`func validateVM(attestation vtpm.AttestationDocument) error {`
			`return nil`
			`}`