mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-11-24 13:53:26 -05:00
measurements: refactor validation option (#1462)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer
GitHub
parent
1ab40b7ca6
commit
02fc3dc635
17 changed files with 290 additions and 281 deletions
|
|
@ -272,7 +272,9 @@ func (u *Upgrader) updateMeasurements(ctx context.Context, newMeasurements measu
|
|||
|
||||
// don't allow potential security downgrades by setting the warnOnly flag to true
|
||||
for k, newM := range newMeasurements {
|
||||
if currentM, ok := currentMeasurements[k]; ok && !currentM.WarnOnly && newM.WarnOnly {
|
||||
if currentM, ok := currentMeasurements[k]; ok &&
|
||||
currentM.ValidationOpt != measurements.WarnOnly &&
|
||||
newM.ValidationOpt == measurements.WarnOnly {
|
||||
return fmt.Errorf("setting enforced measurement %d to warn only: not allowed", k)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -218,7 +218,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||
},
|
||||
},
|
||||
newMeasurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xBB, false),
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
||||
},
|
||||
wantUpdate: true,
|
||||
},
|
||||
|
|
@ -231,7 +231,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||
},
|
||||
},
|
||||
newMeasurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, false),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
||||
},
|
||||
},
|
||||
"trying to set warnOnly to true results in error": {
|
||||
|
|
@ -243,7 +243,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||
},
|
||||
},
|
||||
newMeasurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, true),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
|
|
@ -256,7 +256,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||
},
|
||||
},
|
||||
newMeasurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, false),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
||||
},
|
||||
wantUpdate: true,
|
||||
},
|
||||
|
|
|
|||
|
|
@ -89,8 +89,8 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
|
|||
oldExpected := v.pcrs[pcrIndex].Expected
|
||||
expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))
|
||||
v.pcrs[pcrIndex] = measurements.Measurement{
|
||||
Expected: expectedPcr,
|
||||
WarnOnly: v.pcrs[pcrIndex].WarnOnly,
|
||||
Expected: expectedPcr,
|
||||
ValidationOpt: v.pcrs[pcrIndex].ValidationOpt,
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,12 +29,12 @@ import (
|
|||
|
||||
func TestNewValidator(t *testing.T) {
|
||||
testPCRs := measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, false),
|
||||
1: measurements.WithAllBytes(0xFF, false),
|
||||
2: measurements.WithAllBytes(0x00, false),
|
||||
3: measurements.WithAllBytes(0xFF, false),
|
||||
4: measurements.WithAllBytes(0x00, false),
|
||||
5: measurements.WithAllBytes(0x00, false),
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
1: measurements.WithAllBytes(0xFF, measurements.Enforce),
|
||||
2: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
3: measurements.WithAllBytes(0xFF, measurements.Enforce),
|
||||
4: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
5: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
}
|
||||
|
||||
testCases := map[string]struct {
|
||||
|
|
@ -139,19 +139,19 @@ func TestNewValidator(t *testing.T) {
|
|||
func TestValidatorV(t *testing.T) {
|
||||
newTestPCRs := func() measurements.M {
|
||||
return measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, true),
|
||||
1: measurements.WithAllBytes(0x00, true),
|
||||
2: measurements.WithAllBytes(0x00, true),
|
||||
3: measurements.WithAllBytes(0x00, true),
|
||||
4: measurements.WithAllBytes(0x00, true),
|
||||
5: measurements.WithAllBytes(0x00, true),
|
||||
6: measurements.WithAllBytes(0x00, true),
|
||||
7: measurements.WithAllBytes(0x00, true),
|
||||
8: measurements.WithAllBytes(0x00, true),
|
||||
9: measurements.WithAllBytes(0x00, true),
|
||||
10: measurements.WithAllBytes(0x00, true),
|
||||
11: measurements.WithAllBytes(0x00, true),
|
||||
12: measurements.WithAllBytes(0x00, true),
|
||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -200,37 +200,37 @@ func TestValidatorV(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestValidatorUpdateInitPCRs(t *testing.T) {
|
||||
zero := measurements.WithAllBytes(0x00, true)
|
||||
one := measurements.WithAllBytes(0x11, true)
|
||||
zero := measurements.WithAllBytes(0x00, measurements.WarnOnly)
|
||||
one := measurements.WithAllBytes(0x11, measurements.WarnOnly)
|
||||
one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
|
||||
oneHash := sha256.Sum256(one.Expected[:])
|
||||
pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
|
||||
newTestPCRs := func() measurements.M {
|
||||
return measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, true),
|
||||
1: measurements.WithAllBytes(0x00, true),
|
||||
2: measurements.WithAllBytes(0x00, true),
|
||||
3: measurements.WithAllBytes(0x00, true),
|
||||
4: measurements.WithAllBytes(0x00, true),
|
||||
5: measurements.WithAllBytes(0x00, true),
|
||||
6: measurements.WithAllBytes(0x00, true),
|
||||
7: measurements.WithAllBytes(0x00, true),
|
||||
8: measurements.WithAllBytes(0x00, true),
|
||||
9: measurements.WithAllBytes(0x00, true),
|
||||
10: measurements.WithAllBytes(0x00, true),
|
||||
11: measurements.WithAllBytes(0x00, true),
|
||||
12: measurements.WithAllBytes(0x00, true),
|
||||
13: measurements.WithAllBytes(0x00, true),
|
||||
14: measurements.WithAllBytes(0x00, true),
|
||||
15: measurements.WithAllBytes(0x00, true),
|
||||
16: measurements.WithAllBytes(0x00, true),
|
||||
17: measurements.WithAllBytes(0x11, true),
|
||||
18: measurements.WithAllBytes(0x11, true),
|
||||
19: measurements.WithAllBytes(0x11, true),
|
||||
20: measurements.WithAllBytes(0x11, true),
|
||||
21: measurements.WithAllBytes(0x11, true),
|
||||
22: measurements.WithAllBytes(0x11, true),
|
||||
23: measurements.WithAllBytes(0x00, true),
|
||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
13: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
14: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
15: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
16: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
17: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
18: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
19: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
20: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
21: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
22: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
23: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -335,8 +335,8 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
|
|||
func TestUpdatePCR(t *testing.T) {
|
||||
emptyMap := measurements.M{}
|
||||
defaultMap := measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, false),
|
||||
1: measurements.WithAllBytes(0xBB, false),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
||||
1: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
||||
}
|
||||
|
||||
testCases := map[string]struct {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue