2022-09-05 03:06:08 -04:00
/ *
Copyright ( c ) Edgeless Systems GmbH
SPDX - License - Identifier : AGPL - 3.0 - only
* /
2022-03-22 11:03:15 -04:00
package vtpm
import (
"bytes"
"crypto"
"crypto/sha256"
"encoding/json"
"fmt"
"io"
2022-11-24 04:57:58 -05:00
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
2022-03-22 11:03:15 -04:00
tpmClient "github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm-tools/proto/attest"
tpmProto "github.com/google/go-tpm-tools/proto/tpm"
tpmServer "github.com/google/go-tpm-tools/server"
"github.com/google/go-tpm/tpm2"
)
var (
// AzurePCRSelection are the PCR values verified for Azure Constellations.
// PCR[0] is excluded due to changing rarely, but unpredictably.
// PCR[6] is excluded due to being different for any 2 VMs. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22%3A157%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C33%2C400%2C0%5D
2022-04-21 10:28:37 -04:00
// PCR[10] is excluded since its value is derived from a digest of PCR[0-7]. See: https://sourceforge.net/p/linux-ima/wiki/Home/#ima-measurement-list
2022-03-22 11:03:15 -04:00
AzurePCRSelection = tpm2 . PCRSelection {
Hash : tpm2 . AlgSHA256 ,
PCRs : [ ] int { 1 , 2 , 3 , 4 , 5 , 7 , 8 , 9 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 } ,
}
2022-10-27 05:04:23 -04:00
2022-03-22 11:03:15 -04:00
// GCPPCRSelection are the PCR values verified for GCP Constellations.
// On GCP firmware and other host controlled systems are static. This results in the same PCRs for any 2 VMs using the same image.
GCPPCRSelection = tpmClient . FullPcrSel ( tpm2 . AlgSHA256 )
2022-10-27 05:04:23 -04:00
// AWSPCRSelection are the PCR values verified for AWS based Constellations.
// PCR[1] is excluded. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22:157,%22gen%22:0%7D,%7B%22name%22:%22XYZ%22%7D,33,400,0%5D
// PCR[10] is excluded since its value is derived from a digest of PCR[0-7]. See: https://sourceforge.net/p/linux-ima/wiki/Home/#ima-measurement-list
AWSPCRSelection = tpm2 . PCRSelection {
Hash : tpm2 . AlgSHA256 ,
2022-12-12 08:05:31 -05:00
PCRs : [ ] int { 0 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 } ,
2022-10-27 05:04:23 -04:00
}
// QEMUPCRSelection are the PCR values verified for QEMU based Constellations.
2022-04-21 10:28:37 -04:00
// PCR[1] is excluded. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22:157,%22gen%22:0%7D,%7B%22name%22:%22XYZ%22%7D,33,400,0%5D
// PCR[10] is excluded since its value is derived from a digest of PCR[0-7]. See: https://sourceforge.net/p/linux-ima/wiki/Home/#ima-measurement-list
QEMUPCRSelection = tpm2 . PCRSelection {
Hash : tpm2 . AlgSHA256 ,
PCRs : [ ] int { 0 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 } ,
}
2022-03-22 11:03:15 -04:00
)
type (
// GetTPMAttestationKey loads a TPM key to perform attestation.
GetTPMAttestationKey func ( tpm io . ReadWriter ) ( * tpmClient . Key , error )
// GetTPMTrustedAttestationPublicKey verifies and returns the attestation public key.
GetTPMTrustedAttestationPublicKey func ( akPub [ ] byte , instanceInfo [ ] byte ) ( crypto . PublicKey , error )
// GetInstanceInfo returns VM metdata.
GetInstanceInfo func ( tpm io . ReadWriteCloser ) ( [ ] byte , error )
// ValidateCVM validates confidential computing capabilities of the instance issuing the attestation.
ValidateCVM func ( attestation AttestationDocument ) error
)
2022-10-14 10:29:21 -04:00
// AttestationLogger is a logger used to print warnings and infos during attestation validation.
type AttestationLogger interface {
2022-10-25 09:51:23 -04:00
Infof ( format string , args ... any )
Warnf ( format string , args ... any )
2022-08-12 09:59:45 -04:00
}
2022-03-22 11:03:15 -04:00
// AttestationDocument contains the TPM attestation with signed user data.
type AttestationDocument struct {
// Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation.
Attestation * attest . Attestation
// InstanceInfo is used to verify the provided public key.
InstanceInfo [ ] byte
2023-02-12 11:26:54 -05:00
// arbitrary data, quoted by the TPM.
UserData [ ] byte
2022-03-22 11:03:15 -04:00
}
// Issuer handles issuing of TPM based attestation documents.
type Issuer struct {
openTPM TPMOpenFunc
getAttestationKey GetTPMAttestationKey
getInstanceInfo GetInstanceInfo
2023-02-28 10:34:18 -05:00
log AttestationLogger
2022-03-22 11:03:15 -04:00
}
// NewIssuer returns a new Issuer.
2023-02-28 10:34:18 -05:00
func NewIssuer (
openTPM TPMOpenFunc , getAttestationKey GetTPMAttestationKey ,
getInstanceInfo GetInstanceInfo , log AttestationLogger ,
) * Issuer {
if log == nil {
log = & nopAttestationLogger { }
}
2022-03-22 11:03:15 -04:00
return & Issuer {
openTPM : openTPM ,
getAttestationKey : getAttestationKey ,
getInstanceInfo : getInstanceInfo ,
2023-02-28 10:34:18 -05:00
log : log ,
2022-03-22 11:03:15 -04:00
}
}
// Issue generates an attestation document using a TPM.
2023-02-28 10:34:18 -05:00
func ( i * Issuer ) Issue ( userData [ ] byte , nonce [ ] byte ) ( res [ ] byte , err error ) {
i . log . Infof ( "Issuing attestation statement" )
defer func ( ) {
if err != nil {
i . log . Warnf ( "Failed to issue attestation statement: %s" , err )
}
} ( )
2022-03-22 11:03:15 -04:00
tpm , err := i . openTPM ( )
if err != nil {
return nil , fmt . Errorf ( "opening TPM: %w" , err )
}
defer tpm . Close ( )
// Load the TPM's attestation key
aK , err := i . getAttestationKey ( tpm )
if err != nil {
return nil , fmt . Errorf ( "loading attestation key: %w" , err )
}
defer aK . Close ( )
// Create an attestation using the loaded key
2023-02-12 11:26:54 -05:00
extraData := makeExtraData ( userData , nonce )
2023-02-28 10:34:18 -05:00
tpmAttestation , err := aK . Attest ( tpmClient . AttestOpts { Nonce : extraData } )
2022-03-22 11:03:15 -04:00
if err != nil {
return nil , fmt . Errorf ( "creating attestation: %w" , err )
}
// Fetch instance info of the VM
instanceInfo , err := i . getInstanceInfo ( tpm )
if err != nil {
return nil , fmt . Errorf ( "fetching instance info: %w" , err )
}
attDoc := AttestationDocument {
2023-02-28 10:34:18 -05:00
Attestation : tpmAttestation ,
2023-02-12 11:26:54 -05:00
InstanceInfo : instanceInfo ,
UserData : userData ,
2022-03-22 11:03:15 -04:00
}
2023-02-28 10:34:18 -05:00
rawAttDoc , err := json . Marshal ( attDoc )
if err != nil {
return nil , fmt . Errorf ( "marshaling attestation document: %w" , err )
}
i . log . Infof ( "Successfully issued attestation statement" )
return rawAttDoc , nil
2022-03-22 11:03:15 -04:00
}
// Validator handles validation of TPM based attestation.
type Validator struct {
2023-02-12 11:33:33 -05:00
expected measurements . M
getTrustedKey GetTPMTrustedAttestationPublicKey
validateCVM ValidateCVM
2022-08-12 09:59:45 -04:00
2022-10-14 10:29:21 -04:00
log AttestationLogger
2022-03-22 11:03:15 -04:00
}
// NewValidator returns a new Validator.
2022-11-24 04:57:58 -05:00
func NewValidator ( expected measurements . M , getTrustedKey GetTPMTrustedAttestationPublicKey ,
2023-02-12 11:33:33 -05:00
validateCVM ValidateCVM , log AttestationLogger ,
2022-08-12 09:59:45 -04:00
) * Validator {
2023-01-26 05:24:29 -05:00
if log == nil {
log = & nopAttestationLogger { }
}
2022-03-22 11:03:15 -04:00
return & Validator {
2023-02-12 11:33:33 -05:00
expected : expected ,
getTrustedKey : getTrustedKey ,
validateCVM : validateCVM ,
log : log ,
2022-03-22 11:03:15 -04:00
}
}
// Validate a TPM based attestation.
2023-01-26 05:24:29 -05:00
func ( v * Validator ) Validate ( attDocRaw [ ] byte , nonce [ ] byte ) ( userData [ ] byte , err error ) {
v . log . Infof ( "Validating attestation document" )
defer func ( ) {
if err != nil {
v . log . Warnf ( "Failed to validate attestation document: %s" , err )
}
} ( )
2022-10-14 10:29:21 -04:00
2022-03-22 11:03:15 -04:00
var attDoc AttestationDocument
if err := json . Unmarshal ( attDocRaw , & attDoc ) ; err != nil {
return nil , fmt . Errorf ( "unmarshaling TPM attestation document: %w" , err )
}
// Verify and retrieve the trusted attestation public key using the provided instance info
aKP , err := v . getTrustedKey ( attDoc . Attestation . AkPub , attDoc . InstanceInfo )
if err != nil {
return nil , fmt . Errorf ( "validating attestation public key: %w" , err )
}
// Validate confidential computing capabilities of the VM
if err := v . validateCVM ( attDoc ) ; err != nil {
return nil , fmt . Errorf ( "verifying VM confidential computing capabilities: %w" , err )
}
// Verify the TPM attestation
if _ , err := tpmServer . VerifyAttestation (
attDoc . Attestation ,
tpmServer . VerifyOpts {
2023-02-12 11:26:54 -05:00
Nonce : makeExtraData ( attDoc . UserData , nonce ) ,
2022-03-22 11:03:15 -04:00
TrustedAKs : [ ] crypto . PublicKey { aKP } ,
AllowSHA1 : false ,
} ,
) ; err != nil {
return nil , fmt . Errorf ( "verifying attestation document: %w" , err )
}
// Verify PCRs
quoteIdx , err := GetSHA256QuoteIndex ( attDoc . Attestation . Quotes )
if err != nil {
return nil , err
}
2022-11-24 04:57:58 -05:00
for idx , pcr := range v . expected {
if ! bytes . Equal ( pcr . Expected [ : ] , attDoc . Attestation . Quotes [ quoteIdx ] . Pcrs . Pcrs [ idx ] ) {
if ! pcr . WarnOnly {
2022-08-12 09:59:45 -04:00
return nil , fmt . Errorf ( "untrusted PCR value at PCR index %d" , idx )
}
2023-01-26 05:24:29 -05:00
v . log . Warnf ( "Encountered untrusted PCR value at index %d" , idx )
2022-03-22 11:03:15 -04:00
}
}
2023-01-26 05:24:29 -05:00
v . log . Infof ( "Successfully validated attestation document" )
2022-03-22 11:03:15 -04:00
return attDoc . UserData , nil
}
// GetSHA256QuoteIndex performs safety checks and returns the index for SHA256 PCR quotes.
func GetSHA256QuoteIndex ( quotes [ ] * tpmProto . Quote ) ( int , error ) {
if len ( quotes ) == 0 {
return 0 , fmt . Errorf ( "attestation is missing quotes" )
}
for idx , quote := range quotes {
if quote == nil {
return 0 , fmt . Errorf ( "quote is nil" )
}
if quote . Pcrs == nil {
return 0 , fmt . Errorf ( "no PCR data in attestation" )
}
if quote . Pcrs . Hash == tpmProto . HashAlgo_SHA256 {
return idx , nil
}
}
return 0 , fmt . Errorf ( "attestation did not include SHA256 hashed PCRs" )
}
2022-11-24 04:57:58 -05:00
// GetSelectedMeasurements returns a map of Measurments for the PCRs in selection.
func GetSelectedMeasurements ( open TPMOpenFunc , selection tpm2 . PCRSelection ) ( measurements . M , error ) {
2022-03-22 11:03:15 -04:00
tpm , err := open ( )
if err != nil {
return nil , err
}
defer tpm . Close ( )
pcrList , err := tpmClient . ReadPCRs ( tpm , selection )
if err != nil {
return nil , err
}
2022-11-24 04:57:58 -05:00
m := make ( measurements . M )
for i , pcr := range pcrList . Pcrs {
if len ( pcr ) != 32 {
return nil , fmt . Errorf ( "invalid measurement: invalid length: %d" , len ( pcr ) )
}
m [ i ] = measurements . Measurement {
Expected : * ( * [ 32 ] byte ) ( pcr ) ,
}
}
return m , nil
2022-03-22 11:03:15 -04:00
}
2023-01-26 05:24:29 -05:00
2023-02-12 11:26:54 -05:00
func makeExtraData ( userData [ ] byte , nonce [ ] byte ) [ ] byte {
data := append ( [ ] byte { } , userData ... )
data = append ( data , nonce ... )
digest := sha256 . Sum256 ( data )
return digest [ : ]
}
2023-01-26 05:24:29 -05:00
// nopAttestationLogger is a no-op implementation of AttestationLogger.
type nopAttestationLogger struct { }
// Infof is a no-op.
func ( nopAttestationLogger ) Infof ( string , ... interface { } ) { }
// Warnf is a no-op.
func ( nopAttestationLogger ) Warnf ( string , ... interface { } ) { }