diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go
index 18feaba27..6f40d0ef7 100644
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@@ -173,10 +173,7 @@ func main() {
 case cloudprovider.OpenStack:
 // TODO(malt3): add OpenStack TPM support
 measurements := measurements.M{
- 15: measurements.Measurement{
- Expected: [32]byte{0x0000000000000000000000000000000000000000000000000000000000000000},
- WarnOnly: true,
- },
+ 15: measurements.WithAllBytes(0x0, measurements.WarnOnly),
 }
 cloudLogger = &logging.NopLogger{}
diff --git a/cli/internal/cloudcmd/upgrade.go b/cli/internal/cloudcmd/upgrade.go
index 6f9e886b8..90cfe103a 100644
--- a/cli/internal/cloudcmd/upgrade.go
+++ b/cli/internal/cloudcmd/upgrade.go
@@ -272,7 +272,9 @@ func (u *Upgrader) updateMeasurements(ctx context.Context, newMeasurements measu
 // don't allow potential security downgrades by setting the warnOnly flag to true
 for k, newM := range newMeasurements {
- if currentM, ok := currentMeasurements[k]; ok && !currentM.WarnOnly && newM.WarnOnly {
+ if currentM, ok := currentMeasurements[k]; ok &&
+ currentM.ValidationOpt != measurements.WarnOnly &&
+ newM.ValidationOpt == measurements.WarnOnly {
 return fmt.Errorf("setting enforced measurement %d to warn only: not allowed", k)
 }
 }
diff --git a/cli/internal/cloudcmd/upgrade_test.go b/cli/internal/cloudcmd/upgrade_test.go
index 5860760de..2ec2ce75a 100644
--- a/cli/internal/cloudcmd/upgrade_test.go
+++ b/cli/internal/cloudcmd/upgrade_test.go
@@ -218,7 +218,7 @@ func TestUpdateMeasurements(t *testing.T) {
 },
 },
 newMeasurements: measurements.M{
- 0: measurements.WithAllBytes(0xBB, false),
+ 0: measurements.WithAllBytes(0xBB, measurements.Enforce),
 },
 wantUpdate: true,
 },
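Review bot: The rewritten guard in updateMeasurements still only fires for PCRs present in both maps (`ok &&`), so a new measurement set that drops an enforced PCR entirely passes this check even though the comment above it describes the goal as preventing security downgrades; whether a missing-key check exists elsewhere in updateMeasurements is not visible in this hunk. As a point of style, now that both constants exist, `currentM.ValidationOpt == measurements.Enforce &&` states the condition directly rather than as the negation of the other option. The enclosing function starts and ends outside the hunk.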
@@ -231,7 +231,7 @@ func TestUpdateMeasurements(t *testing.T) {
 },
 },
 newMeasurements: measurements.M{
- 0: measurements.WithAllBytes(0xAA, false),
+ 0: measurements.WithAllBytes(0xAA, measurements.Enforce),
 },
 },
 "trying to set warnOnly to true results in error": {
@@ -243,7 +243,7 @@ func TestUpdateMeasurements(t *testing.T) {
 },
 },
 newMeasurements: measurements.M{
- 0: measurements.WithAllBytes(0xAA, true),
+ 0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
 },
 wantErr: true,
 },
@@ -256,7 +256,7 @@ func TestUpdateMeasurements(t *testing.T) {
 },
 },
 newMeasurements: measurements.M{
- 0: measurements.WithAllBytes(0xAA, false),
+ 0: measurements.WithAllBytes(0xAA, measurements.Enforce),
 },
 wantUpdate: true,
 },
diff --git a/cli/internal/cloudcmd/validators.go b/cli/internal/cloudcmd/validators.go
index 7268c7081..b30ef9338 100644
--- a/cli/internal/cloudcmd/validators.go
+++ b/cli/internal/cloudcmd/validators.go
@@ -89,8 +89,8 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
 oldExpected := v.pcrs[pcrIndex].Expected
 expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))
 v.pcrs[pcrIndex] = measurements.Measurement{
- Expected: expectedPcr,
- WarnOnly: v.pcrs[pcrIndex].WarnOnly,
+ Expected: expectedPcr,
+ ValidationOpt: v.pcrs[pcrIndex].ValidationOpt,
 }
 return nil
 }
diff --git a/cli/internal/cloudcmd/validators_test.go b/cli/internal/cloudcmd/validators_test.go
index 2a4e319dc..5e8b4185c 100644
--- a/cli/internal/cloudcmd/validators_test.go
+++ b/cli/internal/cloudcmd/validators_test.go
@@ -29,12 +29,12 @@ import (
 func TestNewValidator(t *testing.T) {
 testPCRs := measurements.M{
- 0: measurements.WithAllBytes(0x00, false),
- 1: measurements.WithAllBytes(0xFF, false),
- 2: measurements.WithAllBytes(0x00, false),
- 3: measurements.WithAllBytes(0xFF, false),
- 4: measurements.WithAllBytes(0x00, false),
- 5: measurements.WithAllBytes(0x00, false),
+ 0: measurements.WithAllBytes(0x00, measurements.Enforce),
+ 1: measurements.WithAllBytes(0xFF, measurements.Enforce),
+ 2: measurements.WithAllBytes(0x00, measurements.Enforce),
+ 3: measurements.WithAllBytes(0xFF, measurements.Enforce),
+ 4: measurements.WithAllBytes(0x00, measurements.Enforce),
+ 5: measurements.WithAllBytes(0x00, measurements.Enforce),
 }
 testCases := map[string]struct {
@@ -139,19 +139,19 @@ func TestNewValidator(t *testing.T) {
 func TestValidatorV(t *testing.T) {
 newTestPCRs := func() measurements.M {
 return measurements.M{
- 0: measurements.WithAllBytes(0x00, true),
- 1: measurements.WithAllBytes(0x00, true),
- 2: measurements.WithAllBytes(0x00, true),
- 3: measurements.WithAllBytes(0x00, true),
- 4: measurements.WithAllBytes(0x00, true),
- 5: measurements.WithAllBytes(0x00, true),
- 6: measurements.WithAllBytes(0x00, true),
- 7: measurements.WithAllBytes(0x00, true),
- 8: measurements.WithAllBytes(0x00, true),
- 9: measurements.WithAllBytes(0x00, true),
- 10: measurements.WithAllBytes(0x00, true),
- 11: measurements.WithAllBytes(0x00, true),
- 12: measurements.WithAllBytes(0x00, true),
+ 0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
 }
 }
@@ -200,37 +200,37 @@ func TestValidatorV(t *testing.T) {
 }
 func TestValidatorUpdateInitPCRs(t *testing.T) {
- zero := measurements.WithAllBytes(0x00, true)
- one := measurements.WithAllBytes(0x11, true)
+ zero := measurements.WithAllBytes(0x00, measurements.WarnOnly)
+ one := measurements.WithAllBytes(0x11, measurements.WarnOnly)
 one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
 oneHash := sha256.Sum256(one.Expected[:])
 pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
 newTestPCRs := func() measurements.M {
 return measurements.M{
- 0: measurements.WithAllBytes(0x00, true),
- 1: measurements.WithAllBytes(0x00, true),
- 2: measurements.WithAllBytes(0x00, true),
- 3: measurements.WithAllBytes(0x00, true),
- 4: measurements.WithAllBytes(0x00, true),
- 5: measurements.WithAllBytes(0x00, true),
- 6: measurements.WithAllBytes(0x00, true),
- 7: measurements.WithAllBytes(0x00, true),
- 8: measurements.WithAllBytes(0x00, true),
- 9: measurements.WithAllBytes(0x00, true),
- 10: measurements.WithAllBytes(0x00, true),
- 11: measurements.WithAllBytes(0x00, true),
- 12: measurements.WithAllBytes(0x00, true),
- 13: measurements.WithAllBytes(0x00, true),
- 14: measurements.WithAllBytes(0x00, true),
- 15: measurements.WithAllBytes(0x00, true),
- 16: measurements.WithAllBytes(0x00, true),
- 17: measurements.WithAllBytes(0x11, true),
- 18: measurements.WithAllBytes(0x11, true),
- 19: measurements.WithAllBytes(0x11, true),
- 20: measurements.WithAllBytes(0x11, true),
- 21: measurements.WithAllBytes(0x11, true),
- 22: measurements.WithAllBytes(0x11, true),
- 23: measurements.WithAllBytes(0x00, true),
+ 0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 13: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 14: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 15: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 16: measurements.WithAllBytes(0x00, measurements.WarnOnly),
+ 17: measurements.WithAllBytes(0x11, measurements.WarnOnly),
+ 18: measurements.WithAllBytes(0x11, measurements.WarnOnly),
+ 19: measurements.WithAllBytes(0x11, measurements.WarnOnly),
+ 20: measurements.WithAllBytes(0x11, measurements.WarnOnly),
+ 21: measurements.WithAllBytes(0x11, measurements.WarnOnly),
+ 22: measurements.WithAllBytes(0x11, measurements.WarnOnly),
+ 23: measurements.WithAllBytes(0x00, measurements.WarnOnly),
 }
 }
@@ -335,8 +335,8 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
 func TestUpdatePCR(t *testing.T) {
 emptyMap := measurements.M{}
 defaultMap := measurements.M{
- 0: measurements.WithAllBytes(0xAA, false),
- 1: measurements.WithAllBytes(0xBB, false),
+ 0: measurements.WithAllBytes(0xAA, measurements.Enforce),
+ 1: measurements.WithAllBytes(0xBB, measurements.Enforce),
 }
 testCases := map[string]struct {
diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go
index a09c33e35..a2694414c 100644
--- a/cli/internal/cmd/init_test.go
+++ b/cli/internal/cmd/init_test.go
@@ -438,13 +438,13 @@ func TestAttestation(t *testing.T) {
 cfg.Image = "image"
 cfg.AttestationVariant = oid.QEMUVTPM{}.String()
 cfg.RemoveProviderExcept(cloudprovider.QEMU)
- cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, false)
- cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, false)
- cfg.Provider.QEMU.Measurements[2] = measurements.WithAllBytes(0x22, false)
- cfg.Provider.QEMU.Measurements[3] = measurements.WithAllBytes(0x33, false)
- cfg.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, false)
- cfg.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x99, false)
- cfg.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, false)
+ cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce)
+ cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce)
+ cfg.Provider.QEMU.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce)
+ cfg.Provider.QEMU.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce)
+ cfg.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
+ cfg.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce)
+ cfg.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
 require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
 ctx := context.Background()
@@ -538,23 +538,23 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
 conf.Provider.Azure.ResourceGroup = "test-resource-group"
 conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
 conf.Provider.Azure.ClientSecretValue = "test-client-secret"
- conf.Provider.Azure.Measurements[4] = measurements.WithAllBytes(0x44, false)
- conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, false)
- conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, false)
+ conf.Provider.Azure.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
+ conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
+ conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
 case cloudprovider.GCP:
 conf.AttestationVariant = oid.GCPSEVES{}.String()
 conf.Provider.GCP.Region = "test-region"
 conf.Provider.GCP.Project = "test-project"
 conf.Provider.GCP.Zone = "test-zone"
 conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
- conf.Provider.GCP.Measurements[4] = measurements.WithAllBytes(0x44, false)
- conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, false)
- conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, false)
+ conf.Provider.GCP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
+ conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
+ conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
 case cloudprovider.QEMU:
 conf.AttestationVariant = oid.QEMUVTPM{}.String()
- conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, false)
- conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, false)
- conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, false)
+ conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
+ conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
+ conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
 }
 conf.RemoveProviderExcept(csp)
diff --git a/cli/internal/helm/loader_test.go b/cli/internal/helm/loader_test.go
index 2d5060cda..3dd6feaf3 100644
--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@@ -396,7 +396,7 @@ func prepareGCPValues(values map[string]any) error {
 }
 m := measurements.M{
- 1: measurements.WithAllBytes(0xAA, false),
+ 1: measurements.WithAllBytes(0xAA, measurements.Enforce),
 }
 mJSON, err := json.Marshal(m)
 if err != nil {
@@ -471,7 +471,7 @@ func prepareOpenStackValues(values map[string]any) error {
 if !ok {
 return errors.New("missing 'join-service' key")
 }
- m := measurements.M{1: measurements.WithAllBytes(0xAA, false)}
+ m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
 mJSON, err := json.Marshal(m)
 if err != nil {
 return err
@@ -506,7 +506,7 @@ func prepareQEMUValues(values map[string]any) error {
 if !ok {
 return errors.New("missing 'join-service' key")
 }
- m := measurements.M{1: measurements.WithAllBytes(0xAA, false)}
+ m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
 mJSON, err := json.Marshal(m)
 if err != nil {
 return err
diff --git a/internal/attestation/measurements/measurement-generator/generate.go b/internal/attestation/measurements/measurement-generator/generate.go
index 0f8b5de39..068efc83f 100644
--- a/internal/attestation/measurements/measurement-generator/generate.go
+++ b/internal/attestation/measurements/measurement-generator/generate.go
@@ -226,7 +226,7 @@ func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measureme
 warnOnlyColon := warnOnlyKeyPos + 9 // 9 = len("WarnOnly")
 warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ")
 var rbrace token.Pos
- if measuremnt.WarnOnly {
+ if measuremnt.ValidationOpt {
 rbrace = warnOnlyValuePos + 9 // 9 = len("true") + padding
 } else {
 rbrace = warnOnlyValuePos + 10 // 10 = len("false") + padding
@@ -250,7 +250,7 @@ func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measureme
 &ast.KeyValueExpr{
 Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "WarnOnly"},
 Colon: warnOnlyColon,
- Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(measuremnt.WarnOnly)},
+ Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(bool(measuremnt.ValidationOpt))},
 },
 },
 Rbrace: rbrace,
diff --git a/internal/attestation/measurements/measurements.go b/internal/attestation/measurements/measurements.go
index 4b6d9d188..859265940 100644
--- a/internal/attestation/measurements/measurements.go
+++ b/internal/attestation/measurements/measurements.go
@@ -131,7 +131,7 @@ func (m *M) EqualTo(other M) bool {
 if !bytes.Equal(v.Expected[:], otherExpected[:]) {
 return false
 }
- if v.WarnOnly != other[k].WarnOnly {
+ if v.ValidationOpt != other[k].ValidationOpt {
 return false
 }
 }
@@ -143,7 +143,7 @@ func (m *M) EqualTo(other M) bool {
 func (m *M) GetEnforced() []uint32 {
 var enforced []uint32
 for idx, measurement := range *m {
- if !measurement.WarnOnly {
+ if !measurement.ValidationOpt {
 enforced = append(enforced, idx)
 }
 }
@@ -158,8 +158,8 @@ func (m *M) SetEnforced(enforced []uint32) error {
 // set all measurements to warn only
 for idx, measurement := range *m {
 newM[idx] = Measurement{
- Expected: measurement.Expected,
- WarnOnly: true,
+ Expected: measurement.Expected,
+ ValidationOpt: WarnOnly,
 }
 }
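Review bot: The generator still emits a `WarnOnly` key with a `true`/`false` literal (the unchanged `Key: &ast.Ident{... Name: "WarnOnly"}` context line and the new `strconv.FormatBool(bool(measuremnt.ValidationOpt))` value), while this same commit replaces the struct field with `ValidationOpt MeasurementValidationOption`, so the next generator run produces `Measurement{..., WarnOnly: true}`, which no longer compiles against the renamed struct; the hand-edited `ValidationOpt: WarnOnly` / `ValidationOpt: Enforce` entries in measurements_enterprise.go look like the output the generator should now produce. The `+ 9 // len("WarnOnly")` offset and the `len("true")`/`len("false")` padding arithmetic in the first hunk would have to follow the new key and value identifiers as well. The `warnOnly*` position variables are declared outside the hunk, so the sketch below keeps their names and the existing padding of 5; measurementsEntryKeyValueExpr starts and ends outside both hunks.
```go
warnOnlyColon := warnOnlyKeyPos + 13  // 13 = len("ValidationOpt")
warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ")
validationOptName := "Enforce"
if measuremnt.ValidationOpt == measurements.WarnOnly {
	validationOptName = "WarnOnly"
}
// same padding the old len("true")+5 / len("false")+5 arithmetic used
rbrace := warnOnlyValuePos + token.Pos(len(validationOptName)) + 5
// … unchanged: Expected key/value expression …
&ast.KeyValueExpr{
	Key:   &ast.Ident{NamePos: warnOnlyKeyPos, Name: "ValidationOpt"},
	Colon: warnOnlyColon,
	Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: validationOptName},
},
```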
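Review bot: `if !measurement.ValidationOpt {` in GetEnforced compiles only because the new type's underlying type is bool, and it reads as a negation of the old field rather than as a selection of an option; `if measurement.ValidationOpt == Enforce {` states the intent and would survive a later change of the underlying type. The same applies to `if measuremnt.ValidationOpt {` in measurement-generator/generate.go in this commit. GetEnforced continues outside the hunk.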
@@ -169,7 +169,7 @@ func (m *M) SetEnforced(enforced []uint32) error {
 if !ok {
 return fmt.Errorf("measurement %d not in list, but set to enforced", idx)
 }
- measurement.WarnOnly = false
+ measurement.ValidationOpt = Enforce
 newM[idx] = measurement
 }
@@ -181,10 +181,20 @@ func (m *M) SetEnforced(enforced []uint32) error {
 type Measurement struct {
 // Expected measurement value.
 Expected [32]byte `json:"expected" yaml:"expected"`
- // WarnOnly if set to true, a mismatching measurement will only result in a warning.
- WarnOnly bool `json:"warnOnly" yaml:"warnOnly"`
+ // ValidationOpt indicates how measurement mismatches should be handled.
+ ValidationOpt MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
 }
+// MeasurementValidationOption indicates how measurement mismatches should be handled.
+type MeasurementValidationOption bool
+
+const (
+ // WarnOnly will only result in a warning in case of a mismatching measurement.
+ WarnOnly MeasurementValidationOption = true
+ // Enforce will result in an error in case of a mismatching measurement, and operation will be aborted.
+ Enforce MeasurementValidationOption = false
+)
+
 // UnmarshalJSON reads a Measurement either as json object,
 // or as a simple hex or base64 encoded string.
 func (m *Measurement) UnmarshalJSON(b []byte) error {
@@ -210,7 +220,7 @@ func (m *Measurement) UnmarshalJSON(b []byte) error {
 func (m Measurement) MarshalJSON() ([]byte, error) {
 return json.Marshal(encodedMeasurement{
 Expected: hex.EncodeToString(m.Expected[:]),
- WarnOnly: m.WarnOnly,
+ WarnOnly: m.ValidationOpt,
 })
 }
@@ -239,7 +249,7 @@ func (m *Measurement) UnmarshalYAML(unmarshal func(any) error) error {
 func (m Measurement) MarshalYAML() (any, error) {
 return encodedMeasurement{
 Expected: hex.EncodeToString(m.Expected[:]),
- WarnOnly: m.WarnOnly,
+ WarnOnly: m.ValidationOpt,
 }, nil
 }
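Review bot: `type MeasurementValidationOption bool` does not rule out the call pattern this commit migrates away from: an untyped constant `true`/`false` is still assignable to the defined type, so `WithAllBytes(0x00, true)` keeps compiling and only a `bool` variable is rejected. If the aim is to force callers through the named constants, an underlying type other than bool (an integer enum) would do that, at the cost of custom JSON/YAML (un)marshalling since the `warnOnly` wire field stays a boolean. What the type does get right is its zero value: `Enforce` is `false`, so a measurement decoded without a `warnOnly` key lands on the strict option via `m.ValidationOpt = eM.WarnOnly`; that is worth stating on the type, e.g. `// The zero value is Enforce.`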
@@ -264,24 +274,24 @@ func (m *Measurement) unmarshal(eM encodedMeasurement) error {
 }
 m.Expected = *(*[32]byte)(expected)
- m.WarnOnly = eM.WarnOnly
+ m.ValidationOpt = eM.WarnOnly
 return nil
 }
 // WithAllBytes returns a measurement value where all 32 bytes are set to b.
-func WithAllBytes(b byte, warnOnly bool) Measurement {
+func WithAllBytes(b byte, validationOpt MeasurementValidationOption) Measurement {
 return Measurement{
- Expected: *(*[32]byte)(bytes.Repeat([]byte{b}, 32)),
- WarnOnly: warnOnly,
+ Expected: *(*[32]byte)(bytes.Repeat([]byte{b}, 32)),
+ ValidationOpt: validationOpt,
 }
 }
 // PlaceHolderMeasurement returns a measurement with placeholder values for Expected.
 func PlaceHolderMeasurement() Measurement {
 return Measurement{
- Expected: *(*[32]byte)(bytes.Repeat([]byte{0x12, 0x34}, 16)),
- WarnOnly: false,
+ Expected: *(*[32]byte)(bytes.Repeat([]byte{0x12, 0x34}, 16)),
+ ValidationOpt: Enforce,
 }
 }
@@ -307,8 +317,8 @@ func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([
 }
 type encodedMeasurement struct {
- Expected string `json:"expected" yaml:"expected"`
- WarnOnly bool `json:"warnOnly" yaml:"warnOnly"`
+ Expected string `json:"expected" yaml:"expected"`
+ WarnOnly MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
 }
 // mYamlContent is the Content of a yaml.Node encoding of an M. It implements sort.Interface.
diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go
index adddf6504..23b862104 100644
--- a/internal/attestation/measurements/measurements_enterprise.go
+++ b/internal/attestation/measurements/measurements_enterprise.go
@@ -27,7 +27,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12,
 },
- WarnOnly: true,
+ ValidationOpt: WarnOnly,
 },
 2: {
 Expected: [32]byte{
@@ -36,7 +36,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 3: { Expected: [32]byte{ @@ -45,7 +45,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 4: { Expected: [32]byte{ @@ -54,7 +54,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x50, 0x73, 0xd6, 0x64, 0xa0, 0x32, 0x2f, 0x73, 0xcd, 0x4b, 0x89, 0x79, 0x87, 0x2f, 0xeb, 0x74, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 5: { Expected: [32]byte{ @@ -63,7 +63,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x93, 0x07, 0x31, 0x38, 0x74, 0x38, 0x40, 0x95, 0x24, 0x8e, 0x6e, 0x66, 0x75, 0x99, 0x68, 0xde, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 6: { Expected: [32]byte{ @@ -72,7 +72,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 7: { Expected: [32]byte{ @@ -81,7 +81,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x43, 0xe1, 0x0b, 0xf0, 0x61, 0xeb, 0x7a, 0x76, 0xec, 0xca, 0x55, 0x09, 0xa2, 0x23, 0x89, 0x01, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 8: { Expected: [32]byte{ @@ -90,7 +90,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 9: { Expected: [32]byte{ @@ -99,7 +99,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xa2, 0xdc, 0x95, 0xf9, 0x8e, 0xd7, 0x2d, 0x54, 0x47, 0xcc, 0x67, 0x5a, 0xf9, 0xbf, 0x06, 0x29, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 11: { Expected: [32]byte{ 
@@ -108,7 +108,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 12: { Expected: [32]byte{ @@ -117,7 +117,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xfa, 0x7c, 0x9d, 0x16, 0x95, 0x2e, 0xed, 0x94, 0xaa, 0xbb, 0xf8, 0x59, 0x3e, 0x22, 0x76, 0x34, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 13: { Expected: [32]byte{ @@ -126,7 +126,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 14: { Expected: [32]byte{ @@ -135,7 +135,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c, 0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 15: { Expected: [32]byte{ @@ -144,7 +144,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, } case cloudprovider.Azure: @@ -156,7 +156,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 2: { Expected: [32]byte{ @@ -165,7 +165,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 3: { Expected: [32]byte{ @@ -174,7 +174,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 4: { Expected: [32]byte{ 
@@ -183,7 +183,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x2b, 0x64, 0x5c, 0x67, 0x99, 0x3c, 0xe2, 0x0e, 0x87, 0xed, 0x98, 0x1b, 0xbf, 0xe0, 0x3a, 0xcb, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 5: { Expected: [32]byte{ @@ -192,7 +192,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x14, 0x13, 0x75, 0x7d, 0x98, 0x11, 0xcc, 0xa3, 0xe9, 0x29, 0x3d, 0x18, 0x5b, 0x11, 0x0c, 0xe7, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 7: { Expected: [32]byte{ @@ -201,7 +201,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x9c, 0xb5, 0x02, 0xf0, 0x15, 0x6e, 0x91, 0x55, 0x38, 0x04, 0x51, 0xee, 0xa1, 0xb3, 0xf0, 0xed, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 8: { Expected: [32]byte{ @@ -210,7 +210,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 9: { Expected: [32]byte{ @@ -219,7 +219,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x26, 0xc5, 0x4c, 0x52, 0x4f, 0xe4, 0xc2, 0x03, 0x24, 0x50, 0xe0, 0x10, 0x82, 0x89, 0xae, 0x9d, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 11: { Expected: [32]byte{ @@ -228,7 +228,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 12: { Expected: [32]byte{ @@ -237,7 +237,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xa3, 0xa5, 0x93, 0x65, 0x46, 0x74, 0xeb, 0xf6, 0xa1, 0x2a, 0x79, 0xc3, 0x7c, 0xb7, 0x77, 0x45, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 13: { Expected: [32]byte{ @@ -246,7 +246,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 14: { Expected: [32]byte{ 
@@ -255,7 +255,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c, 0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 15: { Expected: [32]byte{ @@ -264,7 +264,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, } case cloudprovider.GCP: @@ -276,7 +276,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x9e, 0xb6, 0x8c, 0x28, 0x87, 0x0e, 0x7d, 0xd5, 0xd1, 0xa1, 0x53, 0x58, 0x54, 0x32, 0x5e, 0x56, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 2: { Expected: [32]byte{ @@ -285,7 +285,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 3: { Expected: [32]byte{ @@ -294,7 +294,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 4: { Expected: [32]byte{ @@ -303,7 +303,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x35, 0xd7, 0xbb, 0x7b, 0x9a, 0xad, 0x31, 0x7d, 0x40, 0x1f, 0x2f, 0x80, 0xad, 0xce, 0xae, 0xab, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 5: { Expected: [32]byte{ @@ -312,7 +312,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xdd, 0x14, 0xbd, 0x50, 0x22, 0xe8, 0xfc, 0x23, 0x0d, 0x09, 0x01, 0xf7, 0x2a, 0xe2, 0x9e, 0xea, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 6: { Expected: [32]byte{ @@ -321,7 +321,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 7: { Expected: [32]byte{ 
@@ -330,7 +330,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x8e, 0xeb, 0xfa, 0x01, 0x14, 0x3e, 0x4d, 0x88, 0x44, 0xe4, 0x0e, 0x06, 0x2e, 0x9b, 0x6c, 0xd5, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 8: { Expected: [32]byte{ @@ -339,7 +339,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 9: { Expected: [32]byte{ @@ -348,7 +348,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x4c, 0xd1, 0x2e, 0xf2, 0xe5, 0xa3, 0x6d, 0x3d, 0x81, 0x3e, 0x5b, 0x4b, 0x12, 0xf8, 0x87, 0xf3, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 11: { Expected: [32]byte{ @@ -357,7 +357,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 12: { Expected: [32]byte{ @@ -366,7 +366,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xd3, 0xbf, 0xa2, 0x73, 0x9d, 0xdb, 0x3f, 0x1c, 0x91, 0x95, 0x87, 0x9e, 0x21, 0xd5, 0xfb, 0xb5, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 13: { Expected: [32]byte{ @@ -375,7 +375,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 14: { Expected: [32]byte{ @@ -384,7 +384,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c, 0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f, }, - WarnOnly: true, + ValidationOpt: WarnOnly, }, 15: { Expected: [32]byte{ @@ -393,7 +393,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, } case cloudprovider.QEMU: 
@@ -405,7 +405,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0xb8, 0x10, 0x5c, 0x4c, 0x00, 0xad, 0xf7, 0xb6, 0x48, 0xbf, 0x37, 0x61, 0x16, 0x85, 0xf0, 0x2f, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 8: { Expected: [32]byte{ @@ -414,7 +414,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 9: { Expected: [32]byte{ @@ -423,7 +423,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x35, 0x17, 0x0e, 0xfc, 0xd4, 0xfa, 0x68, 0x7d, 0x5b, 0xc9, 0x9b, 0xa7, 0x78, 0x46, 0x77, 0xe4, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 11: { Expected: [32]byte{ @@ -432,7 +432,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 12: { Expected: [32]byte{ @@ -441,7 +441,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x7c, 0x52, 0x5e, 0xe4, 0x9a, 0xb9, 0xe1, 0x24, 0x3d, 0x38, 0xd0, 0x03, 0x90, 0x53, 0x09, 0x44, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 13: { Expected: [32]byte{ @@ -450,7 +450,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, 15: { Expected: [32]byte{ @@ -459,7 +459,7 @@ func DefaultsFor(provider cloudprovider.Provider) M { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }, - WarnOnly: false, + ValidationOpt: Enforce, }, } default: diff --git a/internal/attestation/measurements/measurements_oss.go b/internal/attestation/measurements/measurements_oss.go index fa2383e8e..2ef2934b2 100644 --- a/internal/attestation/measurements/measurements_oss.go +++ b/internal/attestation/measurements/measurements_oss.go 
@@ -16,42 +16,42 @@ func DefaultsFor(provider cloudprovider.Provider) M { case cloudprovider.AWS: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, false), + 8: WithAllBytes(0x00, Enforce), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, false), + 11: WithAllBytes(0x00, Enforce), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, false), - uint32(PCRIndexClusterID): WithAllBytes(0x00, false), + 13: WithAllBytes(0x00, Enforce), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), } case cloudprovider.Azure: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, false), + 8: WithAllBytes(0x00, Enforce), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, false), + 11: WithAllBytes(0x00, Enforce), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, false), - uint32(PCRIndexClusterID): WithAllBytes(0x00, false), + 13: WithAllBytes(0x00, Enforce), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), } case cloudprovider.GCP: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, false), + 8: WithAllBytes(0x00, Enforce), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, false), + 11: WithAllBytes(0x00, Enforce), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, false), - uint32(PCRIndexClusterID): WithAllBytes(0x00, false), + 13: WithAllBytes(0x00, Enforce), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), } case cloudprovider.QEMU: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, false), + 8: WithAllBytes(0x00, Enforce), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, false), + 11: WithAllBytes(0x00, Enforce), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, false), - uint32(PCRIndexClusterID): WithAllBytes(0x00, false), + 13: WithAllBytes(0x00, Enforce), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), } default: return nil 
diff --git a/internal/attestation/measurements/measurements_test.go b/internal/attestation/measurements/measurements_test.go index 61d4f2dba..bad67de38 100644 --- a/internal/attestation/measurements/measurements_test.go +++ b/internal/attestation/measurements/measurements_test.go @@ -37,8 +37,8 @@ func TestMarshal(t *testing.T) { }, "warn only": { m: Measurement{ - Expected: [32]byte{1, 2, 3, 4}, // implicitly padded with 0s - WarnOnly: true, + Expected: [32]byte{1, 2, 3, 4}, // implicitly padded with 0s + ValidationOpt: WarnOnly, }, wantYAML: "expected: \"0102030400000000000000000000000000000000000000000000000000000000\"\nwarnOnly: true", wantJSON: `{"expected":"0102030400000000000000000000000000000000000000000000000000000000","warnOnly":true}`, 
@@ -242,48 +242,48 @@ func TestMeasurementsCopyFrom(t *testing.T) { "add to empty": { current: M{}, newMeasurements: M{ - 1: WithAllBytes(0x00, true), - 2: WithAllBytes(0x01, true), - 3: WithAllBytes(0x02, true), + 1: WithAllBytes(0x00, WarnOnly), + 2: WithAllBytes(0x01, WarnOnly), + 3: WithAllBytes(0x02, WarnOnly), }, wantMeasurements: M{ - 1: WithAllBytes(0x00, true), - 2: WithAllBytes(0x01, true), - 3: WithAllBytes(0x02, true), + 1: WithAllBytes(0x00, WarnOnly), + 2: WithAllBytes(0x01, WarnOnly), + 3: WithAllBytes(0x02, WarnOnly), }, }, "keep existing": { current: M{ - 4: WithAllBytes(0x01, false), - 5: WithAllBytes(0x02, true), + 4: WithAllBytes(0x01, Enforce), + 5: WithAllBytes(0x02, WarnOnly), }, newMeasurements: M{ - 1: WithAllBytes(0x00, true), - 2: WithAllBytes(0x01, true), - 3: WithAllBytes(0x02, true), + 1: WithAllBytes(0x00, WarnOnly), + 2: WithAllBytes(0x01, WarnOnly), + 3: WithAllBytes(0x02, WarnOnly), }, wantMeasurements: M{ - 1: WithAllBytes(0x00, true), - 2: WithAllBytes(0x01, true), - 3: WithAllBytes(0x02, true), - 4: WithAllBytes(0x01, false), - 5: WithAllBytes(0x02, true), + 1: WithAllBytes(0x00, WarnOnly), + 2: WithAllBytes(0x01, WarnOnly), + 3: WithAllBytes(0x02, WarnOnly), + 4: WithAllBytes(0x01, Enforce), + 5: WithAllBytes(0x02, WarnOnly), }, }, "overwrite existing": { current: M{ - 2: WithAllBytes(0x04, false), - 3: WithAllBytes(0x05, false), + 2: WithAllBytes(0x04, Enforce), + 3: WithAllBytes(0x05, Enforce), }, newMeasurements: M{ - 1: WithAllBytes(0x00, true), - 2: WithAllBytes(0x01, true), - 3: WithAllBytes(0x02, true), + 1: WithAllBytes(0x00, WarnOnly), + 2: WithAllBytes(0x01, WarnOnly), + 3: WithAllBytes(0x02, WarnOnly), }, wantMeasurements: M{ - 1: WithAllBytes(0x00, true), - 2: WithAllBytes(0x01, true), - 3: WithAllBytes(0x02, true), + 1: WithAllBytes(0x00, WarnOnly), + 2: WithAllBytes(0x01, WarnOnly), + 3: WithAllBytes(0x02, WarnOnly), }, }, } 
@@ -318,7 +318,7 @@ func urlMustParse(raw string) *url.URL { } func TestMeasurementsFetchAndVerify(t *testing.T) { - // Cosign private key used to sign the measurements. + // Cosign private key used to sign the // Generated with: cosign generate-key-pair // Password left empty. // @@ -352,7 +352,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa", signatureStatus: http.StatusOK, wantMeasurements: M{ - 0: WithAllBytes(0x00, false), + 0: WithAllBytes(0x00, Enforce), }, wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24", }, @@ -363,7 +363,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=", signatureStatus: http.StatusOK, wantMeasurements: M{ - 0: WithAllBytes(0x00, false), + 0: WithAllBytes(0x00, Enforce), }, wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4", }, @@ -417,8 +417,8 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { }, } - measurementsURL := urlMustParse("https://somesite.com/measurements.yaml") - signatureURL := urlMustParse("https://somesite.com/measurements.yaml.sig") + measurementsURL := urlMustParse("https://somesite.com/yaml") + signatureURL := urlMustParse("https://somesite.com/yaml.sig") for name, tc := range testCases { t.Run(name, func(t *testing.T) { @@ -473,15 +473,15 @@ func TestGetEnforced(t *testing.T) { }{ "only warnings": { input: M{ - 0: WithAllBytes(0x00, true), - 1: WithAllBytes(0x01, true), + 0: WithAllBytes(0x00, WarnOnly), + 1: WithAllBytes(0x01, WarnOnly), }, want: map[uint32]struct{}{}, }, "all enforced": { input: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, Enforce), }, want: map[uint32]struct{}{ 0: {}, 
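Review bot: The comment at the top of TestMeasurementsFetchAndVerify is now truncated to `// Cosign private key used to sign the`, and in the @@ -417 hunk the fixture URLs changed from `measurements.yaml`/`measurements.yaml.sig` to `yaml`/`yaml.sig`; both look like collateral damage from a search-and-replace on the `measurements.` prefix rather than intended edits. The URL change is probably harmless for a test that never reaches the host, but it leaves the fixtures no longer describing what they stand for, and the broken sentence will confuse whoever next rotates that key. Restore `// Cosign private key used to sign the measurements.` and `measurementsURL := urlMustParse("https://somesite.com/measurements.yaml")` / `signatureURL := urlMustParse("https://somesite.com/measurements.yaml.sig")`. The body of TestMeasurementsFetchAndVerify extends beyond these hunks.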
@@ -490,9 +490,9 @@ func TestGetEnforced(t *testing.T) { }, "mixed": { input: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, true), - 2: WithAllBytes(0x02, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, WarnOnly), + 2: WithAllBytes(0x02, Enforce), }, want: map[uint32]struct{}{ 0: {}, 
@@ -524,56 +524,56 @@ func TestSetEnforced(t *testing.T) { }{ "no enforced measurements": { input: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, Enforce), }, enforced: []uint32{}, wantM: M{ - 0: WithAllBytes(0x00, true), - 1: WithAllBytes(0x01, true), + 0: WithAllBytes(0x00, WarnOnly), + 1: WithAllBytes(0x01, WarnOnly), }, }, "all enforced measurements": { input: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, Enforce), }, enforced: []uint32{0, 1}, wantM: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, Enforce), }, }, "mixed": { input: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, false), - 2: WithAllBytes(0x02, false), - 3: WithAllBytes(0x03, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, Enforce), + 2: WithAllBytes(0x02, Enforce), + 3: WithAllBytes(0x03, Enforce), }, enforced: []uint32{0, 2}, wantM: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, true), - 2: WithAllBytes(0x02, false), - 3: WithAllBytes(0x03, true), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, WarnOnly), + 2: WithAllBytes(0x02, Enforce), + 3: WithAllBytes(0x03, WarnOnly), }, }, "warn only to enforced": { input: M{ - 0: WithAllBytes(0x00, true), - 1: WithAllBytes(0x01, true), + 0: WithAllBytes(0x00, WarnOnly), + 1: WithAllBytes(0x01, WarnOnly), }, enforced: []uint32{0, 1}, wantM: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0x01, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0x01, Enforce), }, }, "more enforced than measurements": { input: M{ - 0: WithAllBytes(0x00, true), - 1: WithAllBytes(0x01, true), + 0: WithAllBytes(0x00, WarnOnly), + 1: WithAllBytes(0x01, WarnOnly), }, enforced: []uint32{0, 1, 2}, wantErr: true, 
@@ -598,55 +598,55 @@ func TestSetEnforced(t *testing.T) { func TestWithAllBytes(t *testing.T) { testCases := map[string]struct { b byte - warnOnly bool + warnOnly MeasurementValidationOption wantMeasurement Measurement }{ "0x00 warnOnly": { b: 0x00, warnOnly: true, wantMeasurement: Measurement{ - Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - WarnOnly: true, + Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + ValidationOpt: WarnOnly, }, }, "0x00": { b: 0x00, warnOnly: false, wantMeasurement: Measurement{ - Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, - WarnOnly: false, + Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + ValidationOpt: Enforce, }, }, "0x01 warnOnly": { b: 0x01, warnOnly: true, wantMeasurement: Measurement{ - Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, - WarnOnly: true, + Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, + ValidationOpt: WarnOnly, }, }, "0x01": { b: 0x01, warnOnly: false, wantMeasurement: Measurement{ - Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, - WarnOnly: false, + Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, + ValidationOpt: Enforce, }, }, "0xFF warnOnly": { b: 0xFF, warnOnly: true, wantMeasurement: Measurement{ - Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, - WarnOnly: true, + Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, + ValidationOpt: WarnOnly, }, }, "0xFF": { b: 0xFF, warnOnly: false, wantMeasurement: Measurement{ - Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, - WarnOnly: false, + Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, + ValidationOpt: Enforce, }, }, } 
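Review bot: The TestWithAllBytes table field was retyped to `warnOnly MeasurementValidationOption`, but every case still initialises it with the untyped literals `true`/`false` (`"0x00 warnOnly": { b: 0x00, warnOnly: true, …`), which only compiles because the option's underlying type appears to be bool and silently pins the test to WarnOnly being the true value. The `wantMeasurement` side of the same cases already uses the named constants, so the inputs should too: `validationOpt: WarnOnly` and `validationOpt: Enforce`, with the field renamed to match. If the type later stops being bool-backed, this test is the one that would break for an unrelated reason. The hunk starts at @@ -598 and the loop that drives the table lies outside it.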
@@ -668,44 +668,44 @@ func TestEqualTo(t *testing.T) { }{ "same values": { given: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0xFF, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0xFF, Enforce), }, other: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0xFF, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0xFF, Enforce), }, wantEqual: true, }, "different number of elements": { given: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0xFF, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0xFF, Enforce), }, other: M{ - 0: WithAllBytes(0x00, false), + 0: WithAllBytes(0x00, Enforce), }, wantEqual: false, }, "different values": { given: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0xFF, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0xFF, Enforce), }, other: M{ - 0: WithAllBytes(0xFF, false), - 1: WithAllBytes(0x00, false), + 0: WithAllBytes(0xFF, Enforce), + 1: WithAllBytes(0x00, Enforce), }, wantEqual: false, }, "different warn settings": { given: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0xFF, false), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0xFF, Enforce), }, other: M{ - 0: WithAllBytes(0x00, false), - 1: WithAllBytes(0xFF, true), + 0: WithAllBytes(0x00, Enforce), + 1: WithAllBytes(0xFF, WarnOnly), }, wantEqual: false, }, diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go index c3ab06015..fed14529a 100644 --- a/internal/attestation/vtpm/attestation.go +++ b/internal/attestation/vtpm/attestation.go @@ -227,7 +227,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, e } for idx, pcr := range v.expected { if !bytes.Equal(pcr.Expected[:], attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) { - if !pcr.WarnOnly { + if !pcr.ValidationOpt { return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx) } v.log.Warnf("Encountered untrusted PCR value at index %d", idx) 
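Review bot: `if !pcr.ValidationOpt {` in Validator.Validate negates a MeasurementValidationOption instead of comparing it to a named value, so the enforce-or-warn decision on the attestation path depends on the option's underlying type being bool and on WarnOnly being the true value, neither of which is visible at this site. This is the line that decides whether a mismatching PCR aborts validation or is merely logged, so the intent should be spelled out: `if pcr.ValidationOpt != measurements.WarnOnly {` (or `== measurements.Enforce`). That form also stops compiling, rather than silently changing meaning, if the option ever gains a third value. Validate's body continues outside the hunk.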
diff --git a/internal/attestation/vtpm/attestation_test.go b/internal/attestation/vtpm/attestation_test.go index 14f844222..5dd64247e 100644 --- a/internal/attestation/vtpm/attestation_test.go +++ b/internal/attestation/vtpm/attestation_test.go @@ -69,9 +69,9 @@ func TestValidate(t *testing.T) { } testExpectedPCRs := measurements.M{ - 0: measurements.WithAllBytes(0x00, false), - 1: measurements.WithAllBytes(0x00, false), - uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, false), + 0: measurements.WithAllBytes(0x00, measurements.Enforce), + 1: measurements.WithAllBytes(0x00, measurements.Enforce), + uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce), } warnLog := &testAttestationLogger{} 
@@ -116,23 +116,23 @@ func TestValidate(t *testing.T) { require.Error(err) expectedPCRs := measurements.M{ - 0: measurements.WithAllBytes(0x00, true), - 1: measurements.WithAllBytes(0x00, true), + 0: measurements.WithAllBytes(0x00, measurements.WarnOnly), + 1: measurements.WithAllBytes(0x00, measurements.WarnOnly), 2: measurements.Measurement{ - Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20}, - WarnOnly: true, + Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20}, + ValidationOpt: measurements.WarnOnly, }, 3: measurements.Measurement{ - Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40}, - WarnOnly: true, + Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40}, + ValidationOpt: measurements.WarnOnly, }, 4: measurements.Measurement{ - Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60}, - WarnOnly: true, + Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60}, + ValidationOpt: measurements.WarnOnly, }, 5: measurements.Measurement{ - Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 
0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80}, - WarnOnly: true, + Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80}, + ValidationOpt: measurements.WarnOnly, }, } warningValidator := NewValidator( @@ -200,8 +200,8 @@ func TestValidate(t *testing.T) { validator: NewValidator( measurements.M{ 0: measurements.Measurement{ - Expected: [32]byte{0xFF}, - WarnOnly: false, + Expected: [32]byte{0xFF}, + ValidationOpt: measurements.Enforce, }, }, fakeGetTrustedKey, diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 5d8ef3d2f..d7ee053de 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -130,7 +130,7 @@ func TestNewWithDefaultOptions(t *testing.T) { c.Provider.Azure.ResourceGroup = "test" c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity" c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e" - c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} + c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)} return c }(), envToSet: map[string]string{ 
@@ -151,7 +151,7 @@ func TestNewWithDefaultOptions(t *testing.T) { c.Provider.Azure.ClientSecretValue = "other-value" // < Note secret set in config, as well. c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity" c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e" - c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} + c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)} return c }(), envToSet: map[string]string{ @@ -246,7 +246,7 @@ func TestValidate(t *testing.T) { az.ClientSecretValue = "test-client-secret" cnf.Provider = ProviderConfig{} cnf.Provider.Azure = az - cnf.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} + cnf.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)} return cnf }(), }, @@ -273,7 +273,7 @@ func TestValidate(t *testing.T) { gcp.ServiceAccountKeyPath = "test-key-path" cnf.Provider = ProviderConfig{} cnf.Provider.GCP = gcp - cnf.Provider.GCP.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} + cnf.Provider.GCP.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)} return cnf }(), }, @@ -397,9 +397,9 @@ func TestConfigGeneratedDocsFresh(t *testing.T) { func TestConfig_UpdateMeasurements(t *testing.T) { assert := assert.New(t) newMeasurements := measurements.M{ - 1: measurements.WithAllBytes(0x00, false), - 2: measurements.WithAllBytes(0x01, false), - 3: measurements.WithAllBytes(0x02, false), + 1: measurements.WithAllBytes(0x00, measurements.Enforce), + 2: measurements.WithAllBytes(0x01, measurements.Enforce), + 3: measurements.WithAllBytes(0x02, measurements.Enforce), } { // AWS 
diff --git a/internal/watcher/validator_test.go b/internal/watcher/validator_test.go index bc3bd4d4a..d8755a034 100644 --- a/internal/watcher/validator_test.go +++ b/internal/watcher/validator_test.go @@ -77,7 +77,7 @@ func TestNewUpdateableValidator(t *testing.T) { if tc.writeFile { require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), - measurements.M{11: measurements.WithAllBytes(0x00, false)}, + measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}, )) require.NoError(handler.WriteJSON( @@ -122,7 +122,7 @@ func TestUpdate(t *testing.T) { // write measurement config require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), - measurements.M{11: measurements.WithAllBytes(0x00, false)}, + measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}, )) require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename), @@ -185,7 +185,7 @@ func TestOIDConcurrency(t *testing.T) { handler := file.NewHandler(afero.NewMemMapFs()) require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), - measurements.M{11: measurements.WithAllBytes(0x00, false)}, + measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}, )) require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename), @@ -232,7 +232,7 @@ func TestUpdateConcurrency(t *testing.T) { } require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), - measurements.M{11: measurements.WithAllBytes(0x00, false)}, + measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}, file.OptNone, )) require.NoError(handler.WriteJSON( diff --git a/measurement-reader/internal/tpm/tpm_test.go b/measurement-reader/internal/tpm/tpm_test.go index 3206b4b0e..d44ddcbe1 100644 
--- a/measurement-reader/internal/tpm/tpm_test.go +++ b/measurement-reader/internal/tpm/tpm_test.go @@ -22,9 +22,9 @@ func TestSortMeasurements(t *testing.T) { }{ "pre sorted": { input: measurements.M{ - 0: measurements.WithAllBytes(0x11, false), - 1: measurements.WithAllBytes(0x22, false), - 2: measurements.WithAllBytes(0x33, false), + 0: measurements.WithAllBytes(0x11, measurements.Enforce), + 1: measurements.WithAllBytes(0x22, measurements.Enforce), + 2: measurements.WithAllBytes(0x33, measurements.Enforce), }, want: []sorted.Measurement{ { @@ -43,9 +43,9 @@ func TestSortMeasurements(t *testing.T) { }, "unsorted": { input: measurements.M{ - 1: measurements.WithAllBytes(0x22, false), - 0: measurements.WithAllBytes(0x11, false), - 2: measurements.WithAllBytes(0x33, false), + 1: measurements.WithAllBytes(0x22, measurements.Enforce), + 0: measurements.WithAllBytes(0x11, measurements.Enforce), + 2: measurements.WithAllBytes(0x33, measurements.Enforce), }, want: []sorted.Measurement{ {