measurements: refactor validation option ()

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Paul Meyer 2023-03-22 06:47:39 -04:00 committed by GitHub
parent 1ab40b7ca6
commit 02fc3dc635
17 changed files with 290 additions and 281 deletions

@ -173,10 +173,7 @@ func main() {
case cloudprovider.OpenStack:
// TODO(malt3): add OpenStack TPM support
measurements := measurements.M{
15: measurements.Measurement{
Expected: [32]byte{0x0000000000000000000000000000000000000000000000000000000000000000},
WarnOnly: true,
},
15: measurements.WithAllBytes(0x0, measurements.WarnOnly),
}
cloudLogger = &logging.NopLogger{}
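Review bot: The OpenStack branch now builds its measurement map from a single all-zero PCR 15 marked `measurements.WarnOnly`, which means no measurement is actually enforced on that provider; the TODO above should say so explicitly so nobody mistakes this for a working attestation policy. Suggest extending the comment to `// TODO(malt3): add OpenStack TPM support. Until then the only entry is WarnOnly, so OpenStack attestation enforces nothing.`. The enclosing `main` switch starts and ends outside the hunk.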

@ -272,7 +272,9 @@ func (u *Upgrader) updateMeasurements(ctx context.Context, newMeasurements measu
// don't allow potential security downgrades by setting the warnOnly flag to true
for k, newM := range newMeasurements {
if currentM, ok := currentMeasurements[k]; ok && !currentM.WarnOnly && newM.WarnOnly {
if currentM, ok := currentMeasurements[k]; ok &&
currentM.ValidationOpt != measurements.WarnOnly &&
newM.ValidationOpt == measurements.WarnOnly {
return fmt.Errorf("setting enforced measurement %d to warn only: not allowed", k)
}
}
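Review bot: The downgrade guard only visits keys of `newMeasurements`, so an enforced PCR that is simply absent from the new set is not rejected by this loop; unless the rest of `updateMeasurements` (outside the hunk) treats missing entries as a downgrade, dropping an enforced measurement is a quieter way to weaken the policy than flipping it to warn-only. Consider an additional pass, `for k, currentM := range currentMeasurements { if _, ok := newMeasurements[k]; !ok && currentM.ValidationOpt == measurements.Enforce { return fmt.Errorf("removing enforced measurement %d: not allowed", k) } }`, or a note explaining why removal is acceptable. As a readability point, `currentM.ValidationOpt != measurements.WarnOnly` is clearer as `currentM.ValidationOpt == measurements.Enforce`, since the type has exactly two named values.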

@ -218,7 +218,7 @@ func TestUpdateMeasurements(t *testing.T) {
},
},
newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xBB, false),
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
},
wantUpdate: true,
},
@ -231,7 +231,7 @@ func TestUpdateMeasurements(t *testing.T) {
},
},
newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xAA, false),
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
},
},
"trying to set warnOnly to true results in error": {
@ -243,7 +243,7 @@ func TestUpdateMeasurements(t *testing.T) {
},
},
newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xAA, true),
0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
},
wantErr: true,
},
@ -256,7 +256,7 @@ func TestUpdateMeasurements(t *testing.T) {
},
},
newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xAA, false),
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
},
wantUpdate: true,
},

@ -89,8 +89,8 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
oldExpected := v.pcrs[pcrIndex].Expected
expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))
v.pcrs[pcrIndex] = measurements.Measurement{
Expected: expectedPcr,
WarnOnly: v.pcrs[pcrIndex].WarnOnly,
Expected: expectedPcr,
ValidationOpt: v.pcrs[pcrIndex].ValidationOpt,
}
return nil
}

@ -29,12 +29,12 @@ import (
func TestNewValidator(t *testing.T) {
testPCRs := measurements.M{
0: measurements.WithAllBytes(0x00, false),
1: measurements.WithAllBytes(0xFF, false),
2: measurements.WithAllBytes(0x00, false),
3: measurements.WithAllBytes(0xFF, false),
4: measurements.WithAllBytes(0x00, false),
5: measurements.WithAllBytes(0x00, false),
0: measurements.WithAllBytes(0x00, measurements.Enforce),
1: measurements.WithAllBytes(0xFF, measurements.Enforce),
2: measurements.WithAllBytes(0x00, measurements.Enforce),
3: measurements.WithAllBytes(0xFF, measurements.Enforce),
4: measurements.WithAllBytes(0x00, measurements.Enforce),
5: measurements.WithAllBytes(0x00, measurements.Enforce),
}
testCases := map[string]struct {
@ -139,19 +139,19 @@ func TestNewValidator(t *testing.T) {
func TestValidatorV(t *testing.T) {
newTestPCRs := func() measurements.M {
return measurements.M{
0: measurements.WithAllBytes(0x00, true),
1: measurements.WithAllBytes(0x00, true),
2: measurements.WithAllBytes(0x00, true),
3: measurements.WithAllBytes(0x00, true),
4: measurements.WithAllBytes(0x00, true),
5: measurements.WithAllBytes(0x00, true),
6: measurements.WithAllBytes(0x00, true),
7: measurements.WithAllBytes(0x00, true),
8: measurements.WithAllBytes(0x00, true),
9: measurements.WithAllBytes(0x00, true),
10: measurements.WithAllBytes(0x00, true),
11: measurements.WithAllBytes(0x00, true),
12: measurements.WithAllBytes(0x00, true),
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
}
}
@ -200,37 +200,37 @@ func TestValidatorV(t *testing.T) {
}
func TestValidatorUpdateInitPCRs(t *testing.T) {
zero := measurements.WithAllBytes(0x00, true)
one := measurements.WithAllBytes(0x11, true)
zero := measurements.WithAllBytes(0x00, measurements.WarnOnly)
one := measurements.WithAllBytes(0x11, measurements.WarnOnly)
one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
oneHash := sha256.Sum256(one.Expected[:])
pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
newTestPCRs := func() measurements.M {
return measurements.M{
0: measurements.WithAllBytes(0x00, true),
1: measurements.WithAllBytes(0x00, true),
2: measurements.WithAllBytes(0x00, true),
3: measurements.WithAllBytes(0x00, true),
4: measurements.WithAllBytes(0x00, true),
5: measurements.WithAllBytes(0x00, true),
6: measurements.WithAllBytes(0x00, true),
7: measurements.WithAllBytes(0x00, true),
8: measurements.WithAllBytes(0x00, true),
9: measurements.WithAllBytes(0x00, true),
10: measurements.WithAllBytes(0x00, true),
11: measurements.WithAllBytes(0x00, true),
12: measurements.WithAllBytes(0x00, true),
13: measurements.WithAllBytes(0x00, true),
14: measurements.WithAllBytes(0x00, true),
15: measurements.WithAllBytes(0x00, true),
16: measurements.WithAllBytes(0x00, true),
17: measurements.WithAllBytes(0x11, true),
18: measurements.WithAllBytes(0x11, true),
19: measurements.WithAllBytes(0x11, true),
20: measurements.WithAllBytes(0x11, true),
21: measurements.WithAllBytes(0x11, true),
22: measurements.WithAllBytes(0x11, true),
23: measurements.WithAllBytes(0x00, true),
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
13: measurements.WithAllBytes(0x00, measurements.WarnOnly),
14: measurements.WithAllBytes(0x00, measurements.WarnOnly),
15: measurements.WithAllBytes(0x00, measurements.WarnOnly),
16: measurements.WithAllBytes(0x00, measurements.WarnOnly),
17: measurements.WithAllBytes(0x11, measurements.WarnOnly),
18: measurements.WithAllBytes(0x11, measurements.WarnOnly),
19: measurements.WithAllBytes(0x11, measurements.WarnOnly),
20: measurements.WithAllBytes(0x11, measurements.WarnOnly),
21: measurements.WithAllBytes(0x11, measurements.WarnOnly),
22: measurements.WithAllBytes(0x11, measurements.WarnOnly),
23: measurements.WithAllBytes(0x00, measurements.WarnOnly),
}
}
@ -335,8 +335,8 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
func TestUpdatePCR(t *testing.T) {
emptyMap := measurements.M{}
defaultMap := measurements.M{
0: measurements.WithAllBytes(0xAA, false),
1: measurements.WithAllBytes(0xBB, false),
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
1: measurements.WithAllBytes(0xBB, measurements.Enforce),
}
testCases := map[string]struct {

@ -438,13 +438,13 @@ func TestAttestation(t *testing.T) {
cfg.Image = "image"
cfg.AttestationVariant = oid.QEMUVTPM{}.String()
cfg.RemoveProviderExcept(cloudprovider.QEMU)
cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, false)
cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, false)
cfg.Provider.QEMU.Measurements[2] = measurements.WithAllBytes(0x22, false)
cfg.Provider.QEMU.Measurements[3] = measurements.WithAllBytes(0x33, false)
cfg.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, false)
cfg.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x99, false)
cfg.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, false)
cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce)
cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce)
cfg.Provider.QEMU.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce)
cfg.Provider.QEMU.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce)
cfg.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
cfg.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce)
cfg.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
ctx := context.Background()
@ -538,23 +538,23 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.Azure.ResourceGroup = "test-resource-group"
conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
conf.Provider.Azure.Measurements[4] = measurements.WithAllBytes(0x44, false)
conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, false)
conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, false)
conf.Provider.Azure.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
case cloudprovider.GCP:
conf.AttestationVariant = oid.GCPSEVES{}.String()
conf.Provider.GCP.Region = "test-region"
conf.Provider.GCP.Project = "test-project"
conf.Provider.GCP.Zone = "test-zone"
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
conf.Provider.GCP.Measurements[4] = measurements.WithAllBytes(0x44, false)
conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, false)
conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, false)
conf.Provider.GCP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
case cloudprovider.QEMU:
conf.AttestationVariant = oid.QEMUVTPM{}.String()
conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, false)
conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, false)
conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, false)
conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
}
conf.RemoveProviderExcept(csp)

@ -396,7 +396,7 @@ func prepareGCPValues(values map[string]any) error {
}
m := measurements.M{
1: measurements.WithAllBytes(0xAA, false),
1: measurements.WithAllBytes(0xAA, measurements.Enforce),
}
mJSON, err := json.Marshal(m)
if err != nil {
@ -471,7 +471,7 @@ func prepareOpenStackValues(values map[string]any) error {
if !ok {
return errors.New("missing 'join-service' key")
}
m := measurements.M{1: measurements.WithAllBytes(0xAA, false)}
m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
mJSON, err := json.Marshal(m)
if err != nil {
return err
@ -506,7 +506,7 @@ func prepareQEMUValues(values map[string]any) error {
if !ok {
return errors.New("missing 'join-service' key")
}
m := measurements.M{1: measurements.WithAllBytes(0xAA, false)}
m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
mJSON, err := json.Marshal(m)
if err != nil {
return err

@ -226,7 +226,7 @@ func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measureme
warnOnlyColon := warnOnlyKeyPos + 9 // 9 = len("WarnOnly")
warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ")
var rbrace token.Pos
if measuremnt.WarnOnly {
if measuremnt.ValidationOpt {
rbrace = warnOnlyValuePos + 9 // 9 = len("true") + padding
} else {
rbrace = warnOnlyValuePos + 10 // 10 = len("false") + padding
@ -250,7 +250,7 @@ func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measureme
&ast.KeyValueExpr{
Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "WarnOnly"},
Colon: warnOnlyColon,
Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(measuremnt.WarnOnly)},
Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(bool(measuremnt.ValidationOpt))},
},
},
Rbrace: rbrace,
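Review bot: The generator still emits the old field name: the key at `Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "WarnOnly"}` and the `true`/`false` value ident produce `WarnOnly: true`, but `Measurement` in this commit renames the field to `ValidationOpt`, so a regenerated defaults file would appear to no longer compile (the `DefaultsFor` in this commit uses `ValidationOpt: WarnOnly`, which looks hand-edited). The hard-coded offsets (`9 // len("WarnOnly")`, `+9`/`+10` for `true`/`false`) also encode the old identifier lengths. Separately, `if measuremnt.ValidationOpt {` relies on the named bool being truthy; `if measuremnt.ValidationOpt == measurements.WarnOnly {` states the intent. The enclosing function starts and ends outside the hunk.
```go
// … unchanged: position bookkeeping up to warnOnlyKeyPos …
warnOnlyColon := warnOnlyKeyPos + 13 // 13 = len("ValidationOpt")
warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ")
optName := "Enforce"
if measuremnt.ValidationOpt == measurements.WarnOnly {
	optName = "WarnOnly"
}
// 5 = the padding previously folded into the true/false offsets (9-4, 10-5).
rbrace := warnOnlyValuePos + token.Pos(len(optName)) + 5
// … unchanged: Expected KeyValueExpr …
&ast.KeyValueExpr{
	Key:   &ast.Ident{NamePos: warnOnlyKeyPos, Name: "ValidationOpt"},
	Colon: warnOnlyColon,
	Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: optName},
},
```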

@ -131,7 +131,7 @@ func (m *M) EqualTo(other M) bool {
if !bytes.Equal(v.Expected[:], otherExpected[:]) {
return false
}
if v.WarnOnly != other[k].WarnOnly {
if v.ValidationOpt != other[k].ValidationOpt {
return false
}
}
@ -143,7 +143,7 @@ func (m *M) EqualTo(other M) bool {
func (m *M) GetEnforced() []uint32 {
var enforced []uint32
for idx, measurement := range *m {
if !measurement.WarnOnly {
if !measurement.ValidationOpt {
enforced = append(enforced, idx)
}
}
@ -158,8 +158,8 @@ func (m *M) SetEnforced(enforced []uint32) error {
// set all measurements to warn only
for idx, measurement := range *m {
newM[idx] = Measurement{
Expected: measurement.Expected,
WarnOnly: true,
Expected: measurement.Expected,
ValidationOpt: WarnOnly,
}
}
@ -169,7 +169,7 @@ func (m *M) SetEnforced(enforced []uint32) error {
if !ok {
return fmt.Errorf("measurement %d not in list, but set to enforced", idx)
}
measurement.WarnOnly = false
measurement.ValidationOpt = Enforce
newM[idx] = measurement
}
@ -181,10 +181,20 @@ func (m *M) SetEnforced(enforced []uint32) error {
type Measurement struct {
// Expected measurement value.
Expected [32]byte `json:"expected" yaml:"expected"`
// WarnOnly if set to true, a mismatching measurement will only result in a warning.
WarnOnly bool `json:"warnOnly" yaml:"warnOnly"`
// ValidationOpt indicates how measurement mismatches should be handled.
ValidationOpt MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
}
// MeasurementValidationOption indicates how measurement mismatches should be handled.
type MeasurementValidationOption bool
const (
// WarnOnly will only result in a warning in case of a mismatching measurement.
WarnOnly MeasurementValidationOption = true
// Enforce will result in an error in case of a mismatching measurement, and operation will be aborted.
Enforce MeasurementValidationOption = false
)
// UnmarshalJSON reads a Measurement either as json object,
// or as a simple hex or base64 encoded string.
func (m *Measurement) UnmarshalJSON(b []byte) error {
@ -210,7 +220,7 @@ func (m *Measurement) UnmarshalJSON(b []byte) error {
func (m Measurement) MarshalJSON() ([]byte, error) {
return json.Marshal(encodedMeasurement{
Expected: hex.EncodeToString(m.Expected[:]),
WarnOnly: m.WarnOnly,
WarnOnly: m.ValidationOpt,
})
}
@ -239,7 +249,7 @@ func (m *Measurement) UnmarshalYAML(unmarshal func(any) error) error {
func (m Measurement) MarshalYAML() (any, error) {
return encodedMeasurement{
Expected: hex.EncodeToString(m.Expected[:]),
WarnOnly: m.WarnOnly,
WarnOnly: m.ValidationOpt,
}, nil
}
@ -264,24 +274,24 @@ func (m *Measurement) unmarshal(eM encodedMeasurement) error {
}
m.Expected = *(*[32]byte)(expected)
m.WarnOnly = eM.WarnOnly
m.ValidationOpt = eM.WarnOnly
return nil
}
// WithAllBytes returns a measurement value where all 32 bytes are set to b.
func WithAllBytes(b byte, warnOnly bool) Measurement {
func WithAllBytes(b byte, validationOpt MeasurementValidationOption) Measurement {
return Measurement{
Expected: *(*[32]byte)(bytes.Repeat([]byte{b}, 32)),
WarnOnly: warnOnly,
Expected: *(*[32]byte)(bytes.Repeat([]byte{b}, 32)),
ValidationOpt: validationOpt,
}
}
// PlaceHolderMeasurement returns a measurement with placeholder values for Expected.
func PlaceHolderMeasurement() Measurement {
return Measurement{
Expected: *(*[32]byte)(bytes.Repeat([]byte{0x12, 0x34}, 16)),
WarnOnly: false,
Expected: *(*[32]byte)(bytes.Repeat([]byte{0x12, 0x34}, 16)),
ValidationOpt: Enforce,
}
}
@ -307,8 +317,8 @@ func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([
}
type encodedMeasurement struct {
Expected string `json:"expected" yaml:"expected"`
WarnOnly bool `json:"warnOnly" yaml:"warnOnly"`
Expected string `json:"expected" yaml:"expected"`
WarnOnly MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
}
// mYamlContent is the Content of a yaml.Node encoding of an M. It implements sort.Interface.
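Review bot: The security-relevant property of the new type is undocumented: `Enforce` is `false`, i.e. the zero value, so a `Measurement` whose `warnOnly` key is omitted in JSON/YAML (`m.ValidationOpt = eM.WarnOnly` in `unmarshal`) fails closed, and the unchanged `json:"warnOnly"` tags keep the wire format compatible. That invariant should be stated where the constants are declared so a future reordering does not silently flip it: `// Enforce is the zero value of MeasurementValidationOption, so a measurement that omits warnOnly is enforced by default. Do not change this.`. Also, `GetEnforced` tests `!measurement.ValidationOpt`, which reads as a bare bool; `measurement.ValidationOpt == Enforce` matches the rest of the refactor. `UnmarshalJSON`, `MarshalJSON` and `MarshalYAML` are only partly visible in the hunks.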

@ -27,7 +27,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57,
0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
2: {
Expected: [32]byte{
@ -36,7 +36,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
3: {
Expected: [32]byte{
@ -45,7 +45,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
4: {
Expected: [32]byte{
@ -54,7 +54,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x50, 0x73, 0xd6, 0x64, 0xa0, 0x32, 0x2f, 0x73,
0xcd, 0x4b, 0x89, 0x79, 0x87, 0x2f, 0xeb, 0x74,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
5: {
Expected: [32]byte{
@ -63,7 +63,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x93, 0x07, 0x31, 0x38, 0x74, 0x38, 0x40, 0x95,
0x24, 0x8e, 0x6e, 0x66, 0x75, 0x99, 0x68, 0xde,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
6: {
Expected: [32]byte{
@ -72,7 +72,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
7: {
Expected: [32]byte{
@ -81,7 +81,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x43, 0xe1, 0x0b, 0xf0, 0x61, 0xeb, 0x7a, 0x76,
0xec, 0xca, 0x55, 0x09, 0xa2, 0x23, 0x89, 0x01,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
8: {
Expected: [32]byte{
@ -90,7 +90,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
9: {
Expected: [32]byte{
@ -99,7 +99,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xa2, 0xdc, 0x95, 0xf9, 0x8e, 0xd7, 0x2d, 0x54,
0x47, 0xcc, 0x67, 0x5a, 0xf9, 0xbf, 0x06, 0x29,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
11: {
Expected: [32]byte{
@ -108,7 +108,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
12: {
Expected: [32]byte{
@ -117,7 +117,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xfa, 0x7c, 0x9d, 0x16, 0x95, 0x2e, 0xed, 0x94,
0xaa, 0xbb, 0xf8, 0x59, 0x3e, 0x22, 0x76, 0x34,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
13: {
Expected: [32]byte{
@ -126,7 +126,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
14: {
Expected: [32]byte{
@ -135,7 +135,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c,
0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
15: {
Expected: [32]byte{
@ -144,7 +144,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
}
case cloudprovider.Azure:
@ -156,7 +156,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
2: {
Expected: [32]byte{
@ -165,7 +165,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
3: {
Expected: [32]byte{
@ -174,7 +174,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
4: {
Expected: [32]byte{
@ -183,7 +183,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x2b, 0x64, 0x5c, 0x67, 0x99, 0x3c, 0xe2, 0x0e,
0x87, 0xed, 0x98, 0x1b, 0xbf, 0xe0, 0x3a, 0xcb,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
5: {
Expected: [32]byte{
@ -192,7 +192,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x14, 0x13, 0x75, 0x7d, 0x98, 0x11, 0xcc, 0xa3,
0xe9, 0x29, 0x3d, 0x18, 0x5b, 0x11, 0x0c, 0xe7,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
7: {
Expected: [32]byte{
@ -201,7 +201,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x9c, 0xb5, 0x02, 0xf0, 0x15, 0x6e, 0x91, 0x55,
0x38, 0x04, 0x51, 0xee, 0xa1, 0xb3, 0xf0, 0xed,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
8: {
Expected: [32]byte{
@ -210,7 +210,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
9: {
Expected: [32]byte{
@ -219,7 +219,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x26, 0xc5, 0x4c, 0x52, 0x4f, 0xe4, 0xc2, 0x03,
0x24, 0x50, 0xe0, 0x10, 0x82, 0x89, 0xae, 0x9d,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
11: {
Expected: [32]byte{
@ -228,7 +228,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
12: {
Expected: [32]byte{
@ -237,7 +237,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xa3, 0xa5, 0x93, 0x65, 0x46, 0x74, 0xeb, 0xf6,
0xa1, 0x2a, 0x79, 0xc3, 0x7c, 0xb7, 0x77, 0x45,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
13: {
Expected: [32]byte{
@ -246,7 +246,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
14: {
Expected: [32]byte{
@ -255,7 +255,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c,
0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
15: {
Expected: [32]byte{
@ -264,7 +264,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
}
case cloudprovider.GCP:
@ -276,7 +276,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x9e, 0xb6, 0x8c, 0x28, 0x87, 0x0e, 0x7d, 0xd5,
0xd1, 0xa1, 0x53, 0x58, 0x54, 0x32, 0x5e, 0x56,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
2: {
Expected: [32]byte{
@ -285,7 +285,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
3: {
Expected: [32]byte{
@ -294,7 +294,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
4: {
Expected: [32]byte{
@ -303,7 +303,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x35, 0xd7, 0xbb, 0x7b, 0x9a, 0xad, 0x31, 0x7d,
0x40, 0x1f, 0x2f, 0x80, 0xad, 0xce, 0xae, 0xab,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
5: {
Expected: [32]byte{
@ -312,7 +312,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xdd, 0x14, 0xbd, 0x50, 0x22, 0xe8, 0xfc, 0x23,
0x0d, 0x09, 0x01, 0xf7, 0x2a, 0xe2, 0x9e, 0xea,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
6: {
Expected: [32]byte{
@ -321,7 +321,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
7: {
Expected: [32]byte{
@ -330,7 +330,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x8e, 0xeb, 0xfa, 0x01, 0x14, 0x3e, 0x4d, 0x88,
0x44, 0xe4, 0x0e, 0x06, 0x2e, 0x9b, 0x6c, 0xd5,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
8: {
Expected: [32]byte{
@ -339,7 +339,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
9: {
Expected: [32]byte{
@ -348,7 +348,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x4c, 0xd1, 0x2e, 0xf2, 0xe5, 0xa3, 0x6d, 0x3d,
0x81, 0x3e, 0x5b, 0x4b, 0x12, 0xf8, 0x87, 0xf3,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
11: {
Expected: [32]byte{
@ -357,7 +357,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
12: {
Expected: [32]byte{
@ -366,7 +366,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xd3, 0xbf, 0xa2, 0x73, 0x9d, 0xdb, 0x3f, 0x1c,
0x91, 0x95, 0x87, 0x9e, 0x21, 0xd5, 0xfb, 0xb5,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
13: {
Expected: [32]byte{
@ -375,7 +375,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
14: {
Expected: [32]byte{
@ -384,7 +384,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c,
0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f,
},
WarnOnly: true,
ValidationOpt: WarnOnly,
},
15: {
Expected: [32]byte{
@ -393,7 +393,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
}
case cloudprovider.QEMU:
@ -405,7 +405,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xb8, 0x10, 0x5c, 0x4c, 0x00, 0xad, 0xf7, 0xb6,
0x48, 0xbf, 0x37, 0x61, 0x16, 0x85, 0xf0, 0x2f,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
8: {
Expected: [32]byte{
@ -414,7 +414,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
9: {
Expected: [32]byte{
@ -423,7 +423,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x35, 0x17, 0x0e, 0xfc, 0xd4, 0xfa, 0x68, 0x7d,
0x5b, 0xc9, 0x9b, 0xa7, 0x78, 0x46, 0x77, 0xe4,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
11: {
Expected: [32]byte{
@ -432,7 +432,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
12: {
Expected: [32]byte{
@ -441,7 +441,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x7c, 0x52, 0x5e, 0xe4, 0x9a, 0xb9, 0xe1, 0x24,
0x3d, 0x38, 0xd0, 0x03, 0x90, 0x53, 0x09, 0x44,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
13: {
Expected: [32]byte{
@ -450,7 +450,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
15: {
Expected: [32]byte{
@ -459,7 +459,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
},
WarnOnly: false,
ValidationOpt: Enforce,
},
}
default:

@ -16,42 +16,42 @@ func DefaultsFor(provider cloudprovider.Provider) M {
case cloudprovider.AWS:
return M{
4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false),
8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false),
11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false),
13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
}
case cloudprovider.Azure:
return M{
4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false),
8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false),
11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false),
13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
}
case cloudprovider.GCP:
return M{
4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false),
8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false),
11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false),
13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
}
case cloudprovider.QEMU:
return M{
4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false),
8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false),
11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false),
13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
}
default:
return nil

@ -37,8 +37,8 @@ func TestMarshal(t *testing.T) {
},
"warn only": {
m: Measurement{
Expected: [32]byte{1, 2, 3, 4}, // implicitly padded with 0s
WarnOnly: true,
Expected: [32]byte{1, 2, 3, 4}, // implicitly padded with 0s
ValidationOpt: WarnOnly,
},
wantYAML: "expected: \"0102030400000000000000000000000000000000000000000000000000000000\"\nwarnOnly: true",
wantJSON: `{"expected":"0102030400000000000000000000000000000000000000000000000000000000","warnOnly":true}`,
@ -242,48 +242,48 @@ func TestMeasurementsCopyFrom(t *testing.T) {
"add to empty": {
current: M{},
newMeasurements: M{
1: WithAllBytes(0x00, true),
2: WithAllBytes(0x01, true),
3: WithAllBytes(0x02, true),
1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, WarnOnly),
},
wantMeasurements: M{
1: WithAllBytes(0x00, true),
2: WithAllBytes(0x01, true),
3: WithAllBytes(0x02, true),
1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, WarnOnly),
},
},
"keep existing": {
current: M{
4: WithAllBytes(0x01, false),
5: WithAllBytes(0x02, true),
4: WithAllBytes(0x01, Enforce),
5: WithAllBytes(0x02, WarnOnly),
},
newMeasurements: M{
1: WithAllBytes(0x00, true),
2: WithAllBytes(0x01, true),
3: WithAllBytes(0x02, true),
1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, WarnOnly),
},
wantMeasurements: M{
1: WithAllBytes(0x00, true),
2: WithAllBytes(0x01, true),
3: WithAllBytes(0x02, true),
4: WithAllBytes(0x01, false),
5: WithAllBytes(0x02, true),
1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, WarnOnly),
4: WithAllBytes(0x01, Enforce),
5: WithAllBytes(0x02, WarnOnly),
},
},
"overwrite existing": {
current: M{
2: WithAllBytes(0x04, false),
3: WithAllBytes(0x05, false),
2: WithAllBytes(0x04, Enforce),
3: WithAllBytes(0x05, Enforce),
},
newMeasurements: M{
1: WithAllBytes(0x00, true),
2: WithAllBytes(0x01, true),
3: WithAllBytes(0x02, true),
1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, WarnOnly),
},
wantMeasurements: M{
1: WithAllBytes(0x00, true),
2: WithAllBytes(0x01, true),
3: WithAllBytes(0x02, true),
1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, WarnOnly),
},
},
}
@ -318,7 +318,7 @@ func urlMustParse(raw string) *url.URL {
}
func TestMeasurementsFetchAndVerify(t *testing.T) {
// Cosign private key used to sign the measurements.
// Cosign private key used to sign the
// Generated with: cosign generate-key-pair
// Password left empty.
//
@ -352,7 +352,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa",
signatureStatus: http.StatusOK,
wantMeasurements: M{
0: WithAllBytes(0x00, false),
0: WithAllBytes(0x00, Enforce),
},
wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24",
},
@ -363,7 +363,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=",
signatureStatus: http.StatusOK,
wantMeasurements: M{
0: WithAllBytes(0x00, false),
0: WithAllBytes(0x00, Enforce),
},
wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4",
},
@ -417,8 +417,8 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
},
}
measurementsURL := urlMustParse("https://somesite.com/measurements.yaml")
signatureURL := urlMustParse("https://somesite.com/measurements.yaml.sig")
measurementsURL := urlMustParse("https://somesite.com/yaml")
signatureURL := urlMustParse("https://somesite.com/yaml.sig")
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
@ -473,15 +473,15 @@ func TestGetEnforced(t *testing.T) {
}{
"only warnings": {
input: M{
0: WithAllBytes(0x00, true),
1: WithAllBytes(0x01, true),
0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, WarnOnly),
},
want: map[uint32]struct{}{},
},
"all enforced": {
input: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, Enforce),
},
want: map[uint32]struct{}{
0: {},
@ -490,9 +490,9 @@ func TestGetEnforced(t *testing.T) {
},
"mixed": {
input: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, true),
2: WithAllBytes(0x02, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, WarnOnly),
2: WithAllBytes(0x02, Enforce),
},
want: map[uint32]struct{}{
0: {},
@ -524,56 +524,56 @@ func TestSetEnforced(t *testing.T) {
}{
"no enforced measurements": {
input: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, Enforce),
},
enforced: []uint32{},
wantM: M{
0: WithAllBytes(0x00, true),
1: WithAllBytes(0x01, true),
0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, WarnOnly),
},
},
"all enforced measurements": {
input: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, Enforce),
},
enforced: []uint32{0, 1},
wantM: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, Enforce),
},
},
"mixed": {
input: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, false),
2: WithAllBytes(0x02, false),
3: WithAllBytes(0x03, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, Enforce),
2: WithAllBytes(0x02, Enforce),
3: WithAllBytes(0x03, Enforce),
},
enforced: []uint32{0, 2},
wantM: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, true),
2: WithAllBytes(0x02, false),
3: WithAllBytes(0x03, true),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, WarnOnly),
2: WithAllBytes(0x02, Enforce),
3: WithAllBytes(0x03, WarnOnly),
},
},
"warn only to enforced": {
input: M{
0: WithAllBytes(0x00, true),
1: WithAllBytes(0x01, true),
0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, WarnOnly),
},
enforced: []uint32{0, 1},
wantM: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0x01, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, Enforce),
},
},
"more enforced than measurements": {
input: M{
0: WithAllBytes(0x00, true),
1: WithAllBytes(0x01, true),
0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, WarnOnly),
},
enforced: []uint32{0, 1, 2},
wantErr: true,
@ -598,55 +598,55 @@ func TestSetEnforced(t *testing.T) {
func TestWithAllBytes(t *testing.T) {
testCases := map[string]struct {
b byte
warnOnly bool
warnOnly MeasurementValidationOption
wantMeasurement Measurement
}{
"0x00 warnOnly": {
b: 0x00,
warnOnly: true,
wantMeasurement: Measurement{
Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
WarnOnly: true,
Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
ValidationOpt: WarnOnly,
},
},
"0x00": {
b: 0x00,
warnOnly: false,
wantMeasurement: Measurement{
Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
WarnOnly: false,
Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
ValidationOpt: Enforce,
},
},
"0x01 warnOnly": {
b: 0x01,
warnOnly: true,
wantMeasurement: Measurement{
Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
WarnOnly: true,
Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
ValidationOpt: WarnOnly,
},
},
"0x01": {
b: 0x01,
warnOnly: false,
wantMeasurement: Measurement{
Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
WarnOnly: false,
Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
ValidationOpt: Enforce,
},
},
"0xFF warnOnly": {
b: 0xFF,
warnOnly: true,
wantMeasurement: Measurement{
Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
WarnOnly: true,
Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
ValidationOpt: WarnOnly,
},
},
"0xFF": {
b: 0xFF,
warnOnly: false,
wantMeasurement: Measurement{
Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
WarnOnly: false,
Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
ValidationOpt: Enforce,
},
},
}
@ -668,44 +668,44 @@ func TestEqualTo(t *testing.T) {
}{
"same values": {
given: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0xFF, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, Enforce),
},
other: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0xFF, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, Enforce),
},
wantEqual: true,
},
"different number of elements": {
given: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0xFF, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, Enforce),
},
other: M{
0: WithAllBytes(0x00, false),
0: WithAllBytes(0x00, Enforce),
},
wantEqual: false,
},
"different values": {
given: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0xFF, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, Enforce),
},
other: M{
0: WithAllBytes(0xFF, false),
1: WithAllBytes(0x00, false),
0: WithAllBytes(0xFF, Enforce),
1: WithAllBytes(0x00, Enforce),
},
wantEqual: false,
},
"different warn settings": {
given: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0xFF, false),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, Enforce),
},
other: M{
0: WithAllBytes(0x00, false),
1: WithAllBytes(0xFF, true),
0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, WarnOnly),
},
wantEqual: false,
},
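Review bot: The package-qualifier rename has collateral damage in TestMeasurementsFetchAndVerify: the comment on the signing key is cut to `// Cosign private key used to sign the` and the fixture URLs lose their file name, becoming `urlMustParse("https://somesite.com/yaml")` and `"https://somesite.com/yaml.sig"`. This looks like a find-and-replace of the `measurements.` prefix applied to a file where that string is also plain text; restore `// Cosign private key used to sign the measurements.`, `measurementsURL := urlMustParse("https://somesite.com/measurements.yaml")` and `signatureURL := urlMustParse("https://somesite.com/measurements.yaml.sig")`. Whether the truncated URLs still match the test server's routing cannot be seen from these hunks, so the test may pass either way and hide the edit. In TestWithAllBytes the case field keeps its old name while its type changes, `warnOnly MeasurementValidationOption`; renaming it to `validationOpt` would match the Measurement field it is compared against.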

@ -227,7 +227,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, e
}
for idx, pcr := range v.expected {
if !bytes.Equal(pcr.Expected[:], attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
if !pcr.WarnOnly {
if !pcr.ValidationOpt {
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
}
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
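Review bot: The enforcement decision at the new line `if !pcr.ValidationOpt {` is written as a boolean negation of a MeasurementValidationOption, which only compiles and only has the intended polarity if that type is a bool alias with WarnOnly as the true value; the type definition is not in this diff, so that coupling is invisible at the call site. The sibling change in the upgrader's updateMeasurements compares against the named constants instead, and this gate, which decides whether a PCR mismatch rejects the attestation or merely logs a warning, should do the same: `if pcr.ValidationOpt == measurements.Enforce {` (assuming the package is imported as `measurements`, as in its test file). Validate begins and ends outside the hunk.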

@ -69,9 +69,9 @@ func TestValidate(t *testing.T) {
}
testExpectedPCRs := measurements.M{
0: measurements.WithAllBytes(0x00, false),
1: measurements.WithAllBytes(0x00, false),
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, false),
0: measurements.WithAllBytes(0x00, measurements.Enforce),
1: measurements.WithAllBytes(0x00, measurements.Enforce),
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce),
}
warnLog := &testAttestationLogger{}
@ -116,23 +116,23 @@ func TestValidate(t *testing.T) {
require.Error(err)
expectedPCRs := measurements.M{
0: measurements.WithAllBytes(0x00, true),
1: measurements.WithAllBytes(0x00, true),
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
2: measurements.Measurement{
Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
WarnOnly: true,
Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
ValidationOpt: measurements.WarnOnly,
},
3: measurements.Measurement{
Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
WarnOnly: true,
Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
ValidationOpt: measurements.WarnOnly,
},
4: measurements.Measurement{
Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
WarnOnly: true,
Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
ValidationOpt: measurements.WarnOnly,
},
5: measurements.Measurement{
Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
WarnOnly: true,
Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
ValidationOpt: measurements.WarnOnly,
},
}
warningValidator := NewValidator(
@ -200,8 +200,8 @@ func TestValidate(t *testing.T) {
validator: NewValidator(
measurements.M{
0: measurements.Measurement{
Expected: [32]byte{0xFF},
WarnOnly: false,
Expected: [32]byte{0xFF},
ValidationOpt: measurements.Enforce,
},
},
fakeGetTrustedKey,

@ -130,7 +130,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
c.Provider.Azure.ResourceGroup = "test"
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)}
c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return c
}(),
envToSet: map[string]string{
@ -151,7 +151,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
c.Provider.Azure.ClientSecretValue = "other-value" // < Note secret set in config, as well.
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)}
c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return c
}(),
envToSet: map[string]string{
@ -246,7 +246,7 @@ func TestValidate(t *testing.T) {
az.ClientSecretValue = "test-client-secret"
cnf.Provider = ProviderConfig{}
cnf.Provider.Azure = az
cnf.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)}
cnf.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return cnf
}(),
},
@ -273,7 +273,7 @@ func TestValidate(t *testing.T) {
gcp.ServiceAccountKeyPath = "test-key-path"
cnf.Provider = ProviderConfig{}
cnf.Provider.GCP = gcp
cnf.Provider.GCP.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)}
cnf.Provider.GCP.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return cnf
}(),
},
@ -397,9 +397,9 @@ func TestConfigGeneratedDocsFresh(t *testing.T) {
func TestConfig_UpdateMeasurements(t *testing.T) {
assert := assert.New(t)
newMeasurements := measurements.M{
1: measurements.WithAllBytes(0x00, false),
2: measurements.WithAllBytes(0x01, false),
3: measurements.WithAllBytes(0x02, false),
1: measurements.WithAllBytes(0x00, measurements.Enforce),
2: measurements.WithAllBytes(0x01, measurements.Enforce),
3: measurements.WithAllBytes(0x02, measurements.Enforce),
}
{ // AWS

@ -77,7 +77,7 @@ func TestNewUpdateableValidator(t *testing.T) {
if tc.writeFile {
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)},
measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
))
require.NoError(handler.WriteJSON(
@ -122,7 +122,7 @@ func TestUpdate(t *testing.T) {
// write measurement config
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)},
measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
))
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename),
@ -185,7 +185,7 @@ func TestOIDConcurrency(t *testing.T) {
handler := file.NewHandler(afero.NewMemMapFs())
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)},
measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
))
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename),
@ -232,7 +232,7 @@ func TestUpdateConcurrency(t *testing.T) {
}
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)},
measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
file.OptNone,
))
require.NoError(handler.WriteJSON(

@ -22,9 +22,9 @@ func TestSortMeasurements(t *testing.T) {
}{
"pre sorted": {
input: measurements.M{
0: measurements.WithAllBytes(0x11, false),
1: measurements.WithAllBytes(0x22, false),
2: measurements.WithAllBytes(0x33, false),
0: measurements.WithAllBytes(0x11, measurements.Enforce),
1: measurements.WithAllBytes(0x22, measurements.Enforce),
2: measurements.WithAllBytes(0x33, measurements.Enforce),
},
want: []sorted.Measurement{
{
@ -43,9 +43,9 @@ func TestSortMeasurements(t *testing.T) {
},
"unsorted": {
input: measurements.M{
1: measurements.WithAllBytes(0x22, false),
0: measurements.WithAllBytes(0x11, false),
2: measurements.WithAllBytes(0x33, false),
1: measurements.WithAllBytes(0x22, measurements.Enforce),
0: measurements.WithAllBytes(0x11, measurements.Enforce),
2: measurements.WithAllBytes(0x33, measurements.Enforce),
},
want: []sorted.Measurement{
{