measurements: refactor validation option (#1462)

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2023-03-22 06:47:39 -04:00 committed by GitHub
parent 1ab40b7ca6
commit 02fc3dc635
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 290 additions and 281 deletions


@ -173,10 +173,7 @@ func main() {
case cloudprovider.OpenStack: case cloudprovider.OpenStack:
// TODO(malt3): add OpenStack TPM support // TODO(malt3): add OpenStack TPM support
measurements := measurements.M{ measurements := measurements.M{
15: measurements.Measurement{ 15: measurements.WithAllBytes(0x0, measurements.WarnOnly),
Expected: [32]byte{0x0000000000000000000000000000000000000000000000000000000000000000},
WarnOnly: true,
},
} }
cloudLogger = &logging.NopLogger{} cloudLogger = &logging.NopLogger{}
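Review bot: The OpenStack validator is constructed with a single all-zero PCR 15 marked WarnOnly, so, assuming the validator checks only the PCRs it is given, a mismatch on this provider only warns and nothing is actually enforced. The TODO above should say so explicitly so the placeholder is not mistaken for a working policy, e.g. `// TODO(malt3): add OpenStack TPM support. Until then this validator enforces nothing: PCR 15 is a warn-only placeholder.` The enclosing switch in main continues outside the hunk.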


@ -272,7 +272,9 @@ func (u *Upgrader) updateMeasurements(ctx context.Context, newMeasurements measu
// don't allow potential security downgrades by setting the warnOnly flag to true // don't allow potential security downgrades by setting the warnOnly flag to true
for k, newM := range newMeasurements { for k, newM := range newMeasurements {
if currentM, ok := currentMeasurements[k]; ok && !currentM.WarnOnly && newM.WarnOnly { if currentM, ok := currentMeasurements[k]; ok &&
currentM.ValidationOpt != measurements.WarnOnly &&
newM.ValidationOpt == measurements.WarnOnly {
return fmt.Errorf("setting enforced measurement %d to warn only: not allowed", k) return fmt.Errorf("setting enforced measurement %d to warn only: not allowed", k)
} }
} }
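Review bot: The downgrade guard only examines keys present in newMeasurements, so an update that omits a currently enforced PCR is never rejected, even though dropping an enforced measurement weakens the attestation policy at least as much as flipping it to warn-only. If updateMeasurements replaces the stored map rather than merging into it (the rest of the function is outside the hunk), a second pass over currentMeasurements should refuse to drop enforced entries. The function starts and ends outside the hunk.
```go
// … unchanged: warn-only downgrade check over newMeasurements …
// Dropping an enforced measurement entirely is also a security downgrade.
for k, currentM := range currentMeasurements {
	if _, ok := newMeasurements[k]; !ok && currentM.ValidationOpt == measurements.Enforce {
		return fmt.Errorf("removing enforced measurement %d: not allowed", k)
	}
}
```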


@ -218,7 +218,7 @@ func TestUpdateMeasurements(t *testing.T) {
}, },
}, },
newMeasurements: measurements.M{ newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xBB, false), 0: measurements.WithAllBytes(0xBB, measurements.Enforce),
}, },
wantUpdate: true, wantUpdate: true,
}, },
@ -231,7 +231,7 @@ func TestUpdateMeasurements(t *testing.T) {
}, },
}, },
newMeasurements: measurements.M{ newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xAA, false), 0: measurements.WithAllBytes(0xAA, measurements.Enforce),
}, },
}, },
"trying to set warnOnly to true results in error": { "trying to set warnOnly to true results in error": {
@ -243,7 +243,7 @@ func TestUpdateMeasurements(t *testing.T) {
}, },
}, },
newMeasurements: measurements.M{ newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xAA, true), 0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
}, },
wantErr: true, wantErr: true,
}, },
@ -256,7 +256,7 @@ func TestUpdateMeasurements(t *testing.T) {
}, },
}, },
newMeasurements: measurements.M{ newMeasurements: measurements.M{
0: measurements.WithAllBytes(0xAA, false), 0: measurements.WithAllBytes(0xAA, measurements.Enforce),
}, },
wantUpdate: true, wantUpdate: true,
}, },


@ -89,8 +89,8 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
oldExpected := v.pcrs[pcrIndex].Expected oldExpected := v.pcrs[pcrIndex].Expected
expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...)) expectedPcr := sha256.Sum256(append(oldExpected[:], hashedInput[:]...))
v.pcrs[pcrIndex] = measurements.Measurement{ v.pcrs[pcrIndex] = measurements.Measurement{
Expected: expectedPcr, Expected: expectedPcr,
WarnOnly: v.pcrs[pcrIndex].WarnOnly, ValidationOpt: v.pcrs[pcrIndex].ValidationOpt,
} }
return nil return nil
} }
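Review bot: The rewritten entry carries over `v.pcrs[pcrIndex].ValidationOpt`, and since the zero value of MeasurementValidationOption is Enforce, an index not yet present in v.pcrs would be stored as an enforced PCR extended from an all-zero base; that is fail-closed, but the intent deserves a comment because the reader cannot tell from this hunk whether a missing index is rejected earlier in the function. Suggested comment above the assignment: `// Preserve the configured enforcement for this PCR; the zero value of ValidationOpt is Enforce.` The function starts outside the hunk.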


@ -29,12 +29,12 @@ import (
func TestNewValidator(t *testing.T) { func TestNewValidator(t *testing.T) {
testPCRs := measurements.M{ testPCRs := measurements.M{
0: measurements.WithAllBytes(0x00, false), 0: measurements.WithAllBytes(0x00, measurements.Enforce),
1: measurements.WithAllBytes(0xFF, false), 1: measurements.WithAllBytes(0xFF, measurements.Enforce),
2: measurements.WithAllBytes(0x00, false), 2: measurements.WithAllBytes(0x00, measurements.Enforce),
3: measurements.WithAllBytes(0xFF, false), 3: measurements.WithAllBytes(0xFF, measurements.Enforce),
4: measurements.WithAllBytes(0x00, false), 4: measurements.WithAllBytes(0x00, measurements.Enforce),
5: measurements.WithAllBytes(0x00, false), 5: measurements.WithAllBytes(0x00, measurements.Enforce),
} }
testCases := map[string]struct { testCases := map[string]struct {
@ -139,19 +139,19 @@ func TestNewValidator(t *testing.T) {
func TestValidatorV(t *testing.T) { func TestValidatorV(t *testing.T) {
newTestPCRs := func() measurements.M { newTestPCRs := func() measurements.M {
return measurements.M{ return measurements.M{
0: measurements.WithAllBytes(0x00, true), 0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
1: measurements.WithAllBytes(0x00, true), 1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
2: measurements.WithAllBytes(0x00, true), 2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
3: measurements.WithAllBytes(0x00, true), 3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
4: measurements.WithAllBytes(0x00, true), 4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
5: measurements.WithAllBytes(0x00, true), 5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
6: measurements.WithAllBytes(0x00, true), 6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
7: measurements.WithAllBytes(0x00, true), 7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
8: measurements.WithAllBytes(0x00, true), 8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
9: measurements.WithAllBytes(0x00, true), 9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
10: measurements.WithAllBytes(0x00, true), 10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
11: measurements.WithAllBytes(0x00, true), 11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
12: measurements.WithAllBytes(0x00, true), 12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
} }
} }
@ -200,37 +200,37 @@ func TestValidatorV(t *testing.T) {
} }
func TestValidatorUpdateInitPCRs(t *testing.T) { func TestValidatorUpdateInitPCRs(t *testing.T) {
zero := measurements.WithAllBytes(0x00, true) zero := measurements.WithAllBytes(0x00, measurements.WarnOnly)
one := measurements.WithAllBytes(0x11, true) one := measurements.WithAllBytes(0x11, measurements.WarnOnly)
one64 := base64.StdEncoding.EncodeToString(one.Expected[:]) one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
oneHash := sha256.Sum256(one.Expected[:]) oneHash := sha256.Sum256(one.Expected[:])
pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...)) pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
newTestPCRs := func() measurements.M { newTestPCRs := func() measurements.M {
return measurements.M{ return measurements.M{
0: measurements.WithAllBytes(0x00, true), 0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
1: measurements.WithAllBytes(0x00, true), 1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
2: measurements.WithAllBytes(0x00, true), 2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
3: measurements.WithAllBytes(0x00, true), 3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
4: measurements.WithAllBytes(0x00, true), 4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
5: measurements.WithAllBytes(0x00, true), 5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
6: measurements.WithAllBytes(0x00, true), 6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
7: measurements.WithAllBytes(0x00, true), 7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
8: measurements.WithAllBytes(0x00, true), 8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
9: measurements.WithAllBytes(0x00, true), 9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
10: measurements.WithAllBytes(0x00, true), 10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
11: measurements.WithAllBytes(0x00, true), 11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
12: measurements.WithAllBytes(0x00, true), 12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
13: measurements.WithAllBytes(0x00, true), 13: measurements.WithAllBytes(0x00, measurements.WarnOnly),
14: measurements.WithAllBytes(0x00, true), 14: measurements.WithAllBytes(0x00, measurements.WarnOnly),
15: measurements.WithAllBytes(0x00, true), 15: measurements.WithAllBytes(0x00, measurements.WarnOnly),
16: measurements.WithAllBytes(0x00, true), 16: measurements.WithAllBytes(0x00, measurements.WarnOnly),
17: measurements.WithAllBytes(0x11, true), 17: measurements.WithAllBytes(0x11, measurements.WarnOnly),
18: measurements.WithAllBytes(0x11, true), 18: measurements.WithAllBytes(0x11, measurements.WarnOnly),
19: measurements.WithAllBytes(0x11, true), 19: measurements.WithAllBytes(0x11, measurements.WarnOnly),
20: measurements.WithAllBytes(0x11, true), 20: measurements.WithAllBytes(0x11, measurements.WarnOnly),
21: measurements.WithAllBytes(0x11, true), 21: measurements.WithAllBytes(0x11, measurements.WarnOnly),
22: measurements.WithAllBytes(0x11, true), 22: measurements.WithAllBytes(0x11, measurements.WarnOnly),
23: measurements.WithAllBytes(0x00, true), 23: measurements.WithAllBytes(0x00, measurements.WarnOnly),
} }
} }
@ -335,8 +335,8 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
func TestUpdatePCR(t *testing.T) { func TestUpdatePCR(t *testing.T) {
emptyMap := measurements.M{} emptyMap := measurements.M{}
defaultMap := measurements.M{ defaultMap := measurements.M{
0: measurements.WithAllBytes(0xAA, false), 0: measurements.WithAllBytes(0xAA, measurements.Enforce),
1: measurements.WithAllBytes(0xBB, false), 1: measurements.WithAllBytes(0xBB, measurements.Enforce),
} }
testCases := map[string]struct { testCases := map[string]struct {


@ -438,13 +438,13 @@ func TestAttestation(t *testing.T) {
cfg.Image = "image" cfg.Image = "image"
cfg.AttestationVariant = oid.QEMUVTPM{}.String() cfg.AttestationVariant = oid.QEMUVTPM{}.String()
cfg.RemoveProviderExcept(cloudprovider.QEMU) cfg.RemoveProviderExcept(cloudprovider.QEMU)
cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, false) cfg.Provider.QEMU.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce)
cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, false) cfg.Provider.QEMU.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce)
cfg.Provider.QEMU.Measurements[2] = measurements.WithAllBytes(0x22, false) cfg.Provider.QEMU.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce)
cfg.Provider.QEMU.Measurements[3] = measurements.WithAllBytes(0x33, false) cfg.Provider.QEMU.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce)
cfg.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, false) cfg.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
cfg.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x99, false) cfg.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce)
cfg.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, false) cfg.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone)) require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
ctx := context.Background() ctx := context.Background()
@ -538,23 +538,23 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.Azure.ResourceGroup = "test-resource-group" conf.Provider.Azure.ResourceGroup = "test-resource-group"
conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab" conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
conf.Provider.Azure.ClientSecretValue = "test-client-secret" conf.Provider.Azure.ClientSecretValue = "test-client-secret"
conf.Provider.Azure.Measurements[4] = measurements.WithAllBytes(0x44, false) conf.Provider.Azure.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, false) conf.Provider.Azure.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, false) conf.Provider.Azure.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
case cloudprovider.GCP: case cloudprovider.GCP:
conf.AttestationVariant = oid.GCPSEVES{}.String() conf.AttestationVariant = oid.GCPSEVES{}.String()
conf.Provider.GCP.Region = "test-region" conf.Provider.GCP.Region = "test-region"
conf.Provider.GCP.Project = "test-project" conf.Provider.GCP.Project = "test-project"
conf.Provider.GCP.Zone = "test-zone" conf.Provider.GCP.Zone = "test-zone"
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path" conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
conf.Provider.GCP.Measurements[4] = measurements.WithAllBytes(0x44, false) conf.Provider.GCP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, false) conf.Provider.GCP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, false) conf.Provider.GCP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
case cloudprovider.QEMU: case cloudprovider.QEMU:
conf.AttestationVariant = oid.QEMUVTPM{}.String() conf.AttestationVariant = oid.QEMUVTPM{}.String()
conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, false) conf.Provider.QEMU.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, false) conf.Provider.QEMU.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, false) conf.Provider.QEMU.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
} }
conf.RemoveProviderExcept(csp) conf.RemoveProviderExcept(csp)


@ -396,7 +396,7 @@ func prepareGCPValues(values map[string]any) error {
} }
m := measurements.M{ m := measurements.M{
1: measurements.WithAllBytes(0xAA, false), 1: measurements.WithAllBytes(0xAA, measurements.Enforce),
} }
mJSON, err := json.Marshal(m) mJSON, err := json.Marshal(m)
if err != nil { if err != nil {
@ -471,7 +471,7 @@ func prepareOpenStackValues(values map[string]any) error {
if !ok { if !ok {
return errors.New("missing 'join-service' key") return errors.New("missing 'join-service' key")
} }
m := measurements.M{1: measurements.WithAllBytes(0xAA, false)} m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
mJSON, err := json.Marshal(m) mJSON, err := json.Marshal(m)
if err != nil { if err != nil {
return err return err
@ -506,7 +506,7 @@ func prepareQEMUValues(values map[string]any) error {
if !ok { if !ok {
return errors.New("missing 'join-service' key") return errors.New("missing 'join-service' key")
} }
m := measurements.M{1: measurements.WithAllBytes(0xAA, false)} m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
mJSON, err := json.Marshal(m) mJSON, err := json.Marshal(m)
if err != nil { if err != nil {
return err return err


@ -226,7 +226,7 @@ func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measureme
warnOnlyColon := warnOnlyKeyPos + 9 // 9 = len("WarnOnly") warnOnlyColon := warnOnlyKeyPos + 9 // 9 = len("WarnOnly")
warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ") warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ")
var rbrace token.Pos var rbrace token.Pos
if measuremnt.WarnOnly { if measuremnt.ValidationOpt {
rbrace = warnOnlyValuePos + 9 // 9 = len("true") + padding rbrace = warnOnlyValuePos + 9 // 9 = len("true") + padding
} else { } else {
rbrace = warnOnlyValuePos + 10 // 10 = len("false") + padding rbrace = warnOnlyValuePos + 10 // 10 = len("false") + padding
@ -250,7 +250,7 @@ func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measureme
&ast.KeyValueExpr{ &ast.KeyValueExpr{
Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "WarnOnly"}, Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "WarnOnly"},
Colon: warnOnlyColon, Colon: warnOnlyColon,
Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(measuremnt.WarnOnly)}, Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(bool(measuremnt.ValidationOpt))},
}, },
}, },
Rbrace: rbrace, Rbrace: rbrace,
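Review bot: The generator still emits a struct literal keyed `WarnOnly` with a `true`/`false` literal, but the Measurement struct in this commit renames the field to `ValidationOpt` of type MeasurementValidationOption, and the generated defaults file in this same commit is written as `ValidationOpt: WarnOnly,` / `ValidationOpt: Enforce,`; unless the generator was also updated in a part of the file not shown, its output no longer compiles against the new struct and will not reproduce the checked-in defaults. The key should become `Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "ValidationOpt"}` and the value an identifier chosen by the option, `Name: "WarnOnly"` or `Name: "Enforce"`, with the colon and rbrace offsets recomputed from len("ValidationOpt") and the two identifier lengths instead of the 9/10 literal widths. The function continues outside the hunk.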


@ -131,7 +131,7 @@ func (m *M) EqualTo(other M) bool {
if !bytes.Equal(v.Expected[:], otherExpected[:]) { if !bytes.Equal(v.Expected[:], otherExpected[:]) {
return false return false
} }
if v.WarnOnly != other[k].WarnOnly { if v.ValidationOpt != other[k].ValidationOpt {
return false return false
} }
} }
@ -143,7 +143,7 @@ func (m *M) EqualTo(other M) bool {
func (m *M) GetEnforced() []uint32 { func (m *M) GetEnforced() []uint32 {
var enforced []uint32 var enforced []uint32
for idx, measurement := range *m { for idx, measurement := range *m {
if !measurement.WarnOnly { if !measurement.ValidationOpt {
enforced = append(enforced, idx) enforced = append(enforced, idx)
} }
} }
@ -158,8 +158,8 @@ func (m *M) SetEnforced(enforced []uint32) error {
// set all measurements to warn only // set all measurements to warn only
for idx, measurement := range *m { for idx, measurement := range *m {
newM[idx] = Measurement{ newM[idx] = Measurement{
Expected: measurement.Expected, Expected: measurement.Expected,
WarnOnly: true, ValidationOpt: WarnOnly,
} }
} }
@ -169,7 +169,7 @@ func (m *M) SetEnforced(enforced []uint32) error {
if !ok { if !ok {
return fmt.Errorf("measurement %d not in list, but set to enforced", idx) return fmt.Errorf("measurement %d not in list, but set to enforced", idx)
} }
measurement.WarnOnly = false measurement.ValidationOpt = Enforce
newM[idx] = measurement newM[idx] = measurement
} }
@ -181,10 +181,20 @@ func (m *M) SetEnforced(enforced []uint32) error {
type Measurement struct { type Measurement struct {
// Expected measurement value. // Expected measurement value.
Expected [32]byte `json:"expected" yaml:"expected"` Expected [32]byte `json:"expected" yaml:"expected"`
// WarnOnly if set to true, a mismatching measurement will only result in a warning. // ValidationOpt indicates how measurement mismatches should be handled.
WarnOnly bool `json:"warnOnly" yaml:"warnOnly"` ValidationOpt MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
} }
// MeasurementValidationOption indicates how measurement mismatches should be handled.
type MeasurementValidationOption bool
const (
// WarnOnly will only result in a warning in case of a mismatching measurement.
WarnOnly MeasurementValidationOption = true
// Enforce will result in an error in case of a mismatching measurement, and operation will be aborted.
Enforce MeasurementValidationOption = false
)
// UnmarshalJSON reads a Measurement either as json object, // UnmarshalJSON reads a Measurement either as json object,
// or as a simple hex or base64 encoded string. // or as a simple hex or base64 encoded string.
func (m *Measurement) UnmarshalJSON(b []byte) error { func (m *Measurement) UnmarshalJSON(b []byte) error {
@ -210,7 +220,7 @@ func (m *Measurement) UnmarshalJSON(b []byte) error {
func (m Measurement) MarshalJSON() ([]byte, error) { func (m Measurement) MarshalJSON() ([]byte, error) {
return json.Marshal(encodedMeasurement{ return json.Marshal(encodedMeasurement{
Expected: hex.EncodeToString(m.Expected[:]), Expected: hex.EncodeToString(m.Expected[:]),
WarnOnly: m.WarnOnly, WarnOnly: m.ValidationOpt,
}) })
} }
@ -239,7 +249,7 @@ func (m *Measurement) UnmarshalYAML(unmarshal func(any) error) error {
func (m Measurement) MarshalYAML() (any, error) { func (m Measurement) MarshalYAML() (any, error) {
return encodedMeasurement{ return encodedMeasurement{
Expected: hex.EncodeToString(m.Expected[:]), Expected: hex.EncodeToString(m.Expected[:]),
WarnOnly: m.WarnOnly, WarnOnly: m.ValidationOpt,
}, nil }, nil
} }
@ -264,24 +274,24 @@ func (m *Measurement) unmarshal(eM encodedMeasurement) error {
} }
m.Expected = *(*[32]byte)(expected) m.Expected = *(*[32]byte)(expected)
m.WarnOnly = eM.WarnOnly m.ValidationOpt = eM.WarnOnly
return nil return nil
} }
// WithAllBytes returns a measurement value where all 32 bytes are set to b. // WithAllBytes returns a measurement value where all 32 bytes are set to b.
func WithAllBytes(b byte, warnOnly bool) Measurement { func WithAllBytes(b byte, validationOpt MeasurementValidationOption) Measurement {
return Measurement{ return Measurement{
Expected: *(*[32]byte)(bytes.Repeat([]byte{b}, 32)), Expected: *(*[32]byte)(bytes.Repeat([]byte{b}, 32)),
WarnOnly: warnOnly, ValidationOpt: validationOpt,
} }
} }
// PlaceHolderMeasurement returns a measurement with placeholder values for Expected. // PlaceHolderMeasurement returns a measurement with placeholder values for Expected.
func PlaceHolderMeasurement() Measurement { func PlaceHolderMeasurement() Measurement {
return Measurement{ return Measurement{
Expected: *(*[32]byte)(bytes.Repeat([]byte{0x12, 0x34}, 16)), Expected: *(*[32]byte)(bytes.Repeat([]byte{0x12, 0x34}, 16)),
WarnOnly: false, ValidationOpt: Enforce,
} }
} }
@ -307,8 +317,8 @@ func getFromURL(ctx context.Context, client *http.Client, sourceURL *url.URL) ([
} }
type encodedMeasurement struct { type encodedMeasurement struct {
Expected string `json:"expected" yaml:"expected"` Expected string `json:"expected" yaml:"expected"`
WarnOnly bool `json:"warnOnly" yaml:"warnOnly"` WarnOnly MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
} }
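Review bot: GetEnforced still tests the option as a bare bool, `if !measurement.ValidationOpt {`, which works only because the new type is bool-backed and hides the policy meaning the refactor introduces; comparing against the constant makes the intent explicit and survives a later change of the underlying type: `if measurement.ValidationOpt == Enforce {`. The type's doc comment should also state the security-relevant default that follows from `Enforce MeasurementValidationOption = false`: `// The zero value is Enforce, so a measurement with no option set is enforced.` The JSON/YAML key stays `warnOnly`, so existing config files keep their meaning; worth a sentence on the field too.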
// mYamlContent is the Content of a yaml.Node encoding of an M. It implements sort.Interface. // mYamlContent is the Content of a yaml.Node encoding of an M. It implements sort.Interface.


@ -27,7 +27,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57,
0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
2: { 2: {
Expected: [32]byte{ Expected: [32]byte{
@ -36,7 +36,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
3: { 3: {
Expected: [32]byte{ Expected: [32]byte{
@ -45,7 +45,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
4: { 4: {
Expected: [32]byte{ Expected: [32]byte{
@ -54,7 +54,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x50, 0x73, 0xd6, 0x64, 0xa0, 0x32, 0x2f, 0x73, 0x50, 0x73, 0xd6, 0x64, 0xa0, 0x32, 0x2f, 0x73,
0xcd, 0x4b, 0x89, 0x79, 0x87, 0x2f, 0xeb, 0x74, 0xcd, 0x4b, 0x89, 0x79, 0x87, 0x2f, 0xeb, 0x74,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
5: { 5: {
Expected: [32]byte{ Expected: [32]byte{
@ -63,7 +63,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x93, 0x07, 0x31, 0x38, 0x74, 0x38, 0x40, 0x95, 0x93, 0x07, 0x31, 0x38, 0x74, 0x38, 0x40, 0x95,
0x24, 0x8e, 0x6e, 0x66, 0x75, 0x99, 0x68, 0xde, 0x24, 0x8e, 0x6e, 0x66, 0x75, 0x99, 0x68, 0xde,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
6: { 6: {
Expected: [32]byte{ Expected: [32]byte{
@ -72,7 +72,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
7: { 7: {
Expected: [32]byte{ Expected: [32]byte{
@ -81,7 +81,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x43, 0xe1, 0x0b, 0xf0, 0x61, 0xeb, 0x7a, 0x76, 0x43, 0xe1, 0x0b, 0xf0, 0x61, 0xeb, 0x7a, 0x76,
0xec, 0xca, 0x55, 0x09, 0xa2, 0x23, 0x89, 0x01, 0xec, 0xca, 0x55, 0x09, 0xa2, 0x23, 0x89, 0x01,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
8: { 8: {
Expected: [32]byte{ Expected: [32]byte{
@ -90,7 +90,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
9: { 9: {
Expected: [32]byte{ Expected: [32]byte{
@ -99,7 +99,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xa2, 0xdc, 0x95, 0xf9, 0x8e, 0xd7, 0x2d, 0x54, 0xa2, 0xdc, 0x95, 0xf9, 0x8e, 0xd7, 0x2d, 0x54,
0x47, 0xcc, 0x67, 0x5a, 0xf9, 0xbf, 0x06, 0x29, 0x47, 0xcc, 0x67, 0x5a, 0xf9, 0xbf, 0x06, 0x29,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
11: { 11: {
Expected: [32]byte{ Expected: [32]byte{
@ -108,7 +108,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
12: { 12: {
Expected: [32]byte{ Expected: [32]byte{
@ -117,7 +117,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xfa, 0x7c, 0x9d, 0x16, 0x95, 0x2e, 0xed, 0x94, 0xfa, 0x7c, 0x9d, 0x16, 0x95, 0x2e, 0xed, 0x94,
0xaa, 0xbb, 0xf8, 0x59, 0x3e, 0x22, 0x76, 0x34, 0xaa, 0xbb, 0xf8, 0x59, 0x3e, 0x22, 0x76, 0x34,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
13: { 13: {
Expected: [32]byte{ Expected: [32]byte{
@ -126,7 +126,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
14: { 14: {
Expected: [32]byte{ Expected: [32]byte{
@ -135,7 +135,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c, 0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c,
0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f, 0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
15: { 15: {
Expected: [32]byte{ Expected: [32]byte{
@ -144,7 +144,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
} }
case cloudprovider.Azure: case cloudprovider.Azure:
@ -156,7 +156,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
2: { 2: {
Expected: [32]byte{ Expected: [32]byte{
@ -165,7 +165,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
3: { 3: {
Expected: [32]byte{ Expected: [32]byte{
@ -174,7 +174,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
4: { 4: {
Expected: [32]byte{ Expected: [32]byte{
@ -183,7 +183,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x2b, 0x64, 0x5c, 0x67, 0x99, 0x3c, 0xe2, 0x0e, 0x2b, 0x64, 0x5c, 0x67, 0x99, 0x3c, 0xe2, 0x0e,
0x87, 0xed, 0x98, 0x1b, 0xbf, 0xe0, 0x3a, 0xcb, 0x87, 0xed, 0x98, 0x1b, 0xbf, 0xe0, 0x3a, 0xcb,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
5: { 5: {
Expected: [32]byte{ Expected: [32]byte{
@ -192,7 +192,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x14, 0x13, 0x75, 0x7d, 0x98, 0x11, 0xcc, 0xa3, 0x14, 0x13, 0x75, 0x7d, 0x98, 0x11, 0xcc, 0xa3,
0xe9, 0x29, 0x3d, 0x18, 0x5b, 0x11, 0x0c, 0xe7, 0xe9, 0x29, 0x3d, 0x18, 0x5b, 0x11, 0x0c, 0xe7,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
7: { 7: {
Expected: [32]byte{ Expected: [32]byte{
@ -201,7 +201,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x9c, 0xb5, 0x02, 0xf0, 0x15, 0x6e, 0x91, 0x55, 0x9c, 0xb5, 0x02, 0xf0, 0x15, 0x6e, 0x91, 0x55,
0x38, 0x04, 0x51, 0xee, 0xa1, 0xb3, 0xf0, 0xed, 0x38, 0x04, 0x51, 0xee, 0xa1, 0xb3, 0xf0, 0xed,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
8: { 8: {
Expected: [32]byte{ Expected: [32]byte{
@ -210,7 +210,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
9: { 9: {
Expected: [32]byte{ Expected: [32]byte{
@ -219,7 +219,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x26, 0xc5, 0x4c, 0x52, 0x4f, 0xe4, 0xc2, 0x03, 0x26, 0xc5, 0x4c, 0x52, 0x4f, 0xe4, 0xc2, 0x03,
0x24, 0x50, 0xe0, 0x10, 0x82, 0x89, 0xae, 0x9d, 0x24, 0x50, 0xe0, 0x10, 0x82, 0x89, 0xae, 0x9d,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
11: { 11: {
Expected: [32]byte{ Expected: [32]byte{
@ -228,7 +228,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
12: { 12: {
Expected: [32]byte{ Expected: [32]byte{
@ -237,7 +237,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xa3, 0xa5, 0x93, 0x65, 0x46, 0x74, 0xeb, 0xf6, 0xa3, 0xa5, 0x93, 0x65, 0x46, 0x74, 0xeb, 0xf6,
0xa1, 0x2a, 0x79, 0xc3, 0x7c, 0xb7, 0x77, 0x45, 0xa1, 0x2a, 0x79, 0xc3, 0x7c, 0xb7, 0x77, 0x45,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
13: { 13: {
Expected: [32]byte{ Expected: [32]byte{
@ -246,7 +246,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
14: { 14: {
Expected: [32]byte{ Expected: [32]byte{
@ -255,7 +255,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c, 0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c,
0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f, 0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
15: { 15: {
Expected: [32]byte{ Expected: [32]byte{
@ -264,7 +264,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
} }
case cloudprovider.GCP: case cloudprovider.GCP:
@ -276,7 +276,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x9e, 0xb6, 0x8c, 0x28, 0x87, 0x0e, 0x7d, 0xd5, 0x9e, 0xb6, 0x8c, 0x28, 0x87, 0x0e, 0x7d, 0xd5,
0xd1, 0xa1, 0x53, 0x58, 0x54, 0x32, 0x5e, 0x56, 0xd1, 0xa1, 0x53, 0x58, 0x54, 0x32, 0x5e, 0x56,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
2: { 2: {
Expected: [32]byte{ Expected: [32]byte{
@ -285,7 +285,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
3: { 3: {
Expected: [32]byte{ Expected: [32]byte{
@ -294,7 +294,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
4: { 4: {
Expected: [32]byte{ Expected: [32]byte{
@ -303,7 +303,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x35, 0xd7, 0xbb, 0x7b, 0x9a, 0xad, 0x31, 0x7d, 0x35, 0xd7, 0xbb, 0x7b, 0x9a, 0xad, 0x31, 0x7d,
0x40, 0x1f, 0x2f, 0x80, 0xad, 0xce, 0xae, 0xab, 0x40, 0x1f, 0x2f, 0x80, 0xad, 0xce, 0xae, 0xab,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
5: { 5: {
Expected: [32]byte{ Expected: [32]byte{
@ -312,7 +312,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xdd, 0x14, 0xbd, 0x50, 0x22, 0xe8, 0xfc, 0x23, 0xdd, 0x14, 0xbd, 0x50, 0x22, 0xe8, 0xfc, 0x23,
0x0d, 0x09, 0x01, 0xf7, 0x2a, 0xe2, 0x9e, 0xea, 0x0d, 0x09, 0x01, 0xf7, 0x2a, 0xe2, 0x9e, 0xea,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
6: { 6: {
Expected: [32]byte{ Expected: [32]byte{
@ -321,7 +321,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a,
0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
7: { 7: {
Expected: [32]byte{ Expected: [32]byte{
@ -330,7 +330,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x8e, 0xeb, 0xfa, 0x01, 0x14, 0x3e, 0x4d, 0x88, 0x8e, 0xeb, 0xfa, 0x01, 0x14, 0x3e, 0x4d, 0x88,
0x44, 0xe4, 0x0e, 0x06, 0x2e, 0x9b, 0x6c, 0xd5, 0x44, 0xe4, 0x0e, 0x06, 0x2e, 0x9b, 0x6c, 0xd5,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
8: { 8: {
Expected: [32]byte{ Expected: [32]byte{
@ -339,7 +339,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
9: { 9: {
Expected: [32]byte{ Expected: [32]byte{
@ -348,7 +348,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x4c, 0xd1, 0x2e, 0xf2, 0xe5, 0xa3, 0x6d, 0x3d, 0x4c, 0xd1, 0x2e, 0xf2, 0xe5, 0xa3, 0x6d, 0x3d,
0x81, 0x3e, 0x5b, 0x4b, 0x12, 0xf8, 0x87, 0xf3, 0x81, 0x3e, 0x5b, 0x4b, 0x12, 0xf8, 0x87, 0xf3,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
11: { 11: {
Expected: [32]byte{ Expected: [32]byte{
@ -357,7 +357,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
12: { 12: {
Expected: [32]byte{ Expected: [32]byte{
@ -366,7 +366,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xd3, 0xbf, 0xa2, 0x73, 0x9d, 0xdb, 0x3f, 0x1c, 0xd3, 0xbf, 0xa2, 0x73, 0x9d, 0xdb, 0x3f, 0x1c,
0x91, 0x95, 0x87, 0x9e, 0x21, 0xd5, 0xfb, 0xb5, 0x91, 0x95, 0x87, 0x9e, 0x21, 0xd5, 0xfb, 0xb5,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
13: { 13: {
Expected: [32]byte{ Expected: [32]byte{
@ -375,7 +375,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
14: { 14: {
Expected: [32]byte{ Expected: [32]byte{
@ -384,7 +384,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c, 0x17, 0x20, 0xb5, 0xb8, 0x6c, 0xf1, 0x75, 0x3c,
0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f, 0xad, 0x83, 0x0f, 0x95, 0xe7, 0x91, 0x92, 0x6f,
}, },
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
15: { 15: {
Expected: [32]byte{ Expected: [32]byte{
@ -393,7 +393,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
} }
case cloudprovider.QEMU: case cloudprovider.QEMU:
@ -405,7 +405,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0xb8, 0x10, 0x5c, 0x4c, 0x00, 0xad, 0xf7, 0xb6, 0xb8, 0x10, 0x5c, 0x4c, 0x00, 0xad, 0xf7, 0xb6,
0x48, 0xbf, 0x37, 0x61, 0x16, 0x85, 0xf0, 0x2f, 0x48, 0xbf, 0x37, 0x61, 0x16, 0x85, 0xf0, 0x2f,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
8: { 8: {
Expected: [32]byte{ Expected: [32]byte{
@ -414,7 +414,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
9: { 9: {
Expected: [32]byte{ Expected: [32]byte{
@ -423,7 +423,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x35, 0x17, 0x0e, 0xfc, 0xd4, 0xfa, 0x68, 0x7d, 0x35, 0x17, 0x0e, 0xfc, 0xd4, 0xfa, 0x68, 0x7d,
0x5b, 0xc9, 0x9b, 0xa7, 0x78, 0x46, 0x77, 0xe4, 0x5b, 0xc9, 0x9b, 0xa7, 0x78, 0x46, 0x77, 0xe4,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
11: { 11: {
Expected: [32]byte{ Expected: [32]byte{
@ -432,7 +432,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
12: { 12: {
Expected: [32]byte{ Expected: [32]byte{
@ -441,7 +441,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x7c, 0x52, 0x5e, 0xe4, 0x9a, 0xb9, 0xe1, 0x24, 0x7c, 0x52, 0x5e, 0xe4, 0x9a, 0xb9, 0xe1, 0x24,
0x3d, 0x38, 0xd0, 0x03, 0x90, 0x53, 0x09, 0x44, 0x3d, 0x38, 0xd0, 0x03, 0x90, 0x53, 0x09, 0x44,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
13: { 13: {
Expected: [32]byte{ Expected: [32]byte{
@ -450,7 +450,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
15: { 15: {
Expected: [32]byte{ Expected: [32]byte{
@ -459,7 +459,7 @@ func DefaultsFor(provider cloudprovider.Provider) M {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}, },
WarnOnly: false, ValidationOpt: Enforce,
}, },
} }
default: default:


@ -16,42 +16,42 @@ func DefaultsFor(provider cloudprovider.Provider) M {
case cloudprovider.AWS: case cloudprovider.AWS:
return M{ return M{
4: PlaceHolderMeasurement(), 4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false), 8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(), 9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false), 11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(), 12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false), 13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false), uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
} }
case cloudprovider.Azure: case cloudprovider.Azure:
return M{ return M{
4: PlaceHolderMeasurement(), 4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false), 8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(), 9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false), 11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(), 12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false), 13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false), uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
} }
case cloudprovider.GCP: case cloudprovider.GCP:
return M{ return M{
4: PlaceHolderMeasurement(), 4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false), 8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(), 9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false), 11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(), 12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false), 13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false), uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
} }
case cloudprovider.QEMU: case cloudprovider.QEMU:
return M{ return M{
4: PlaceHolderMeasurement(), 4: PlaceHolderMeasurement(),
8: WithAllBytes(0x00, false), 8: WithAllBytes(0x00, Enforce),
9: PlaceHolderMeasurement(), 9: PlaceHolderMeasurement(),
11: WithAllBytes(0x00, false), 11: WithAllBytes(0x00, Enforce),
12: PlaceHolderMeasurement(), 12: PlaceHolderMeasurement(),
13: WithAllBytes(0x00, false), 13: WithAllBytes(0x00, Enforce),
uint32(PCRIndexClusterID): WithAllBytes(0x00, false), uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
} }
default: default:
return nil return nil


@ -37,8 +37,8 @@ func TestMarshal(t *testing.T) {
}, },
"warn only": { "warn only": {
m: Measurement{ m: Measurement{
Expected: [32]byte{1, 2, 3, 4}, // implicitly padded with 0s Expected: [32]byte{1, 2, 3, 4}, // implicitly padded with 0s
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
wantYAML: "expected: \"0102030400000000000000000000000000000000000000000000000000000000\"\nwarnOnly: true", wantYAML: "expected: \"0102030400000000000000000000000000000000000000000000000000000000\"\nwarnOnly: true",
wantJSON: `{"expected":"0102030400000000000000000000000000000000000000000000000000000000","warnOnly":true}`, wantJSON: `{"expected":"0102030400000000000000000000000000000000000000000000000000000000","warnOnly":true}`,
@ -242,48 +242,48 @@ func TestMeasurementsCopyFrom(t *testing.T) {
"add to empty": { "add to empty": {
current: M{}, current: M{},
newMeasurements: M{ newMeasurements: M{
1: WithAllBytes(0x00, true), 1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, true), 2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, true), 3: WithAllBytes(0x02, WarnOnly),
}, },
wantMeasurements: M{ wantMeasurements: M{
1: WithAllBytes(0x00, true), 1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, true), 2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, true), 3: WithAllBytes(0x02, WarnOnly),
}, },
}, },
"keep existing": { "keep existing": {
current: M{ current: M{
4: WithAllBytes(0x01, false), 4: WithAllBytes(0x01, Enforce),
5: WithAllBytes(0x02, true), 5: WithAllBytes(0x02, WarnOnly),
}, },
newMeasurements: M{ newMeasurements: M{
1: WithAllBytes(0x00, true), 1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, true), 2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, true), 3: WithAllBytes(0x02, WarnOnly),
}, },
wantMeasurements: M{ wantMeasurements: M{
1: WithAllBytes(0x00, true), 1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, true), 2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, true), 3: WithAllBytes(0x02, WarnOnly),
4: WithAllBytes(0x01, false), 4: WithAllBytes(0x01, Enforce),
5: WithAllBytes(0x02, true), 5: WithAllBytes(0x02, WarnOnly),
}, },
}, },
"overwrite existing": { "overwrite existing": {
current: M{ current: M{
2: WithAllBytes(0x04, false), 2: WithAllBytes(0x04, Enforce),
3: WithAllBytes(0x05, false), 3: WithAllBytes(0x05, Enforce),
}, },
newMeasurements: M{ newMeasurements: M{
1: WithAllBytes(0x00, true), 1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, true), 2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, true), 3: WithAllBytes(0x02, WarnOnly),
}, },
wantMeasurements: M{ wantMeasurements: M{
1: WithAllBytes(0x00, true), 1: WithAllBytes(0x00, WarnOnly),
2: WithAllBytes(0x01, true), 2: WithAllBytes(0x01, WarnOnly),
3: WithAllBytes(0x02, true), 3: WithAllBytes(0x02, WarnOnly),
}, },
}, },
} }
@ -318,7 +318,7 @@ func urlMustParse(raw string) *url.URL {
} }
func TestMeasurementsFetchAndVerify(t *testing.T) { func TestMeasurementsFetchAndVerify(t *testing.T) {
// Cosign private key used to sign the measurements. // Cosign private key used to sign the
// Generated with: cosign generate-key-pair // Generated with: cosign generate-key-pair
// Password left empty. // Password left empty.
// //
@ -352,7 +352,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa", signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa",
signatureStatus: http.StatusOK, signatureStatus: http.StatusOK,
wantMeasurements: M{ wantMeasurements: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
}, },
wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24", wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24",
}, },
@ -363,7 +363,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=", signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=",
signatureStatus: http.StatusOK, signatureStatus: http.StatusOK,
wantMeasurements: M{ wantMeasurements: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
}, },
wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4", wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4",
}, },
@ -417,8 +417,8 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
}, },
} }
measurementsURL := urlMustParse("https://somesite.com/measurements.yaml") measurementsURL := urlMustParse("https://somesite.com/yaml")
signatureURL := urlMustParse("https://somesite.com/measurements.yaml.sig") signatureURL := urlMustParse("https://somesite.com/yaml.sig")
for name, tc := range testCases { for name, tc := range testCases {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
@ -473,15 +473,15 @@ func TestGetEnforced(t *testing.T) {
}{ }{
"only warnings": { "only warnings": {
input: M{ input: M{
0: WithAllBytes(0x00, true), 0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, true), 1: WithAllBytes(0x01, WarnOnly),
}, },
want: map[uint32]struct{}{}, want: map[uint32]struct{}{},
}, },
"all enforced": { "all enforced": {
input: M{ input: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, false), 1: WithAllBytes(0x01, Enforce),
}, },
want: map[uint32]struct{}{ want: map[uint32]struct{}{
0: {}, 0: {},
@ -490,9 +490,9 @@ func TestGetEnforced(t *testing.T) {
}, },
"mixed": { "mixed": {
input: M{ input: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, true), 1: WithAllBytes(0x01, WarnOnly),
2: WithAllBytes(0x02, false), 2: WithAllBytes(0x02, Enforce),
}, },
want: map[uint32]struct{}{ want: map[uint32]struct{}{
0: {}, 0: {},
@ -524,56 +524,56 @@ func TestSetEnforced(t *testing.T) {
}{ }{
"no enforced measurements": { "no enforced measurements": {
input: M{ input: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, false), 1: WithAllBytes(0x01, Enforce),
}, },
enforced: []uint32{}, enforced: []uint32{},
wantM: M{ wantM: M{
0: WithAllBytes(0x00, true), 0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, true), 1: WithAllBytes(0x01, WarnOnly),
}, },
}, },
"all enforced measurements": { "all enforced measurements": {
input: M{ input: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, false), 1: WithAllBytes(0x01, Enforce),
}, },
enforced: []uint32{0, 1}, enforced: []uint32{0, 1},
wantM: M{ wantM: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, false), 1: WithAllBytes(0x01, Enforce),
}, },
}, },
"mixed": { "mixed": {
input: M{ input: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, false), 1: WithAllBytes(0x01, Enforce),
2: WithAllBytes(0x02, false), 2: WithAllBytes(0x02, Enforce),
3: WithAllBytes(0x03, false), 3: WithAllBytes(0x03, Enforce),
}, },
enforced: []uint32{0, 2}, enforced: []uint32{0, 2},
wantM: M{ wantM: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, true), 1: WithAllBytes(0x01, WarnOnly),
2: WithAllBytes(0x02, false), 2: WithAllBytes(0x02, Enforce),
3: WithAllBytes(0x03, true), 3: WithAllBytes(0x03, WarnOnly),
}, },
}, },
"warn only to enforced": { "warn only to enforced": {
input: M{ input: M{
0: WithAllBytes(0x00, true), 0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, true), 1: WithAllBytes(0x01, WarnOnly),
}, },
enforced: []uint32{0, 1}, enforced: []uint32{0, 1},
wantM: M{ wantM: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0x01, false), 1: WithAllBytes(0x01, Enforce),
}, },
}, },
"more enforced than measurements": { "more enforced than measurements": {
input: M{ input: M{
0: WithAllBytes(0x00, true), 0: WithAllBytes(0x00, WarnOnly),
1: WithAllBytes(0x01, true), 1: WithAllBytes(0x01, WarnOnly),
}, },
enforced: []uint32{0, 1, 2}, enforced: []uint32{0, 1, 2},
wantErr: true, wantErr: true,
@ -598,55 +598,55 @@ func TestSetEnforced(t *testing.T) {
func TestWithAllBytes(t *testing.T) { func TestWithAllBytes(t *testing.T) {
testCases := map[string]struct { testCases := map[string]struct {
b byte b byte
warnOnly bool warnOnly MeasurementValidationOption
wantMeasurement Measurement wantMeasurement Measurement
}{ }{
"0x00 warnOnly": { "0x00 warnOnly": {
b: 0x00, b: 0x00,
warnOnly: true, warnOnly: true,
wantMeasurement: Measurement{ wantMeasurement: Measurement{
Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
}, },
"0x00": { "0x00": {
b: 0x00, b: 0x00,
warnOnly: false, warnOnly: false,
wantMeasurement: Measurement{ wantMeasurement: Measurement{
Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, Expected: [32]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
WarnOnly: false, ValidationOpt: Enforce,
}, },
}, },
"0x01 warnOnly": { "0x01 warnOnly": {
b: 0x01, b: 0x01,
warnOnly: true, warnOnly: true,
wantMeasurement: Measurement{ wantMeasurement: Measurement{
Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
}, },
"0x01": { "0x01": {
b: 0x01, b: 0x01,
warnOnly: false, warnOnly: false,
wantMeasurement: Measurement{ wantMeasurement: Measurement{
Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, Expected: [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
WarnOnly: false, ValidationOpt: Enforce,
}, },
}, },
"0xFF warnOnly": { "0xFF warnOnly": {
b: 0xFF, b: 0xFF,
warnOnly: true, warnOnly: true,
wantMeasurement: Measurement{ wantMeasurement: Measurement{
Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
WarnOnly: true, ValidationOpt: WarnOnly,
}, },
}, },
"0xFF": { "0xFF": {
b: 0xFF, b: 0xFF,
warnOnly: false, warnOnly: false,
wantMeasurement: Measurement{ wantMeasurement: Measurement{
Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, Expected: [32]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
WarnOnly: false, ValidationOpt: Enforce,
}, },
}, },
} }
@ -668,44 +668,44 @@ func TestEqualTo(t *testing.T) {
}{ }{
"same values": { "same values": {
given: M{ given: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, false), 1: WithAllBytes(0xFF, Enforce),
}, },
other: M{ other: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, false), 1: WithAllBytes(0xFF, Enforce),
}, },
wantEqual: true, wantEqual: true,
}, },
"different number of elements": { "different number of elements": {
given: M{ given: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, false), 1: WithAllBytes(0xFF, Enforce),
}, },
other: M{ other: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
}, },
wantEqual: false, wantEqual: false,
}, },
"different values": { "different values": {
given: M{ given: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, false), 1: WithAllBytes(0xFF, Enforce),
}, },
other: M{ other: M{
0: WithAllBytes(0xFF, false), 0: WithAllBytes(0xFF, Enforce),
1: WithAllBytes(0x00, false), 1: WithAllBytes(0x00, Enforce),
}, },
wantEqual: false, wantEqual: false,
}, },
"different warn settings": { "different warn settings": {
given: M{ given: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, false), 1: WithAllBytes(0xFF, Enforce),
}, },
other: M{ other: M{
0: WithAllBytes(0x00, false), 0: WithAllBytes(0x00, Enforce),
1: WithAllBytes(0xFF, true), 1: WithAllBytes(0xFF, WarnOnly),
}, },
wantEqual: false, wantEqual: false,
}, },


@ -227,7 +227,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, e
} }
for idx, pcr := range v.expected { for idx, pcr := range v.expected {
if !bytes.Equal(pcr.Expected[:], attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) { if !bytes.Equal(pcr.Expected[:], attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
if !pcr.WarnOnly { if !pcr.ValidationOpt {
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx) return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
} }
v.log.Warnf("Encountered untrusted PCR value at index %d", idx) v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
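Review bot: The enforcement decision on the changed line is written as a boolean negation, `if !pcr.ValidationOpt {`, which reads as "if not warn-only" only if you already know that MeasurementValidationOption is bool-backed and that Enforce is the false value; the test in this commit assigns `true` to a field of that type, so that appears to be the case, but nothing on this line says so. This is the branch that turns a PCR mismatch into a hard attestation failure instead of a warning, so the intent should be explicit and independent of the constant encoding: `if pcr.ValidationOpt == measurements.Enforce {`. A named comparison also keeps compiling and keeps the same meaning if the option type is later widened beyond two values. Validate begins and ends outside this hunk.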


@ -69,9 +69,9 @@ func TestValidate(t *testing.T) {
} }
testExpectedPCRs := measurements.M{ testExpectedPCRs := measurements.M{
0: measurements.WithAllBytes(0x00, false), 0: measurements.WithAllBytes(0x00, measurements.Enforce),
1: measurements.WithAllBytes(0x00, false), 1: measurements.WithAllBytes(0x00, measurements.Enforce),
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, false), uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce),
} }
warnLog := &testAttestationLogger{} warnLog := &testAttestationLogger{}
@ -116,23 +116,23 @@ func TestValidate(t *testing.T) {
require.Error(err) require.Error(err)
expectedPCRs := measurements.M{ expectedPCRs := measurements.M{
0: measurements.WithAllBytes(0x00, true), 0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
1: measurements.WithAllBytes(0x00, true), 1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
2: measurements.Measurement{ 2: measurements.Measurement{
Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20}, Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
WarnOnly: true, ValidationOpt: measurements.WarnOnly,
}, },
3: measurements.Measurement{ 3: measurements.Measurement{
Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40}, Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
WarnOnly: true, ValidationOpt: measurements.WarnOnly,
}, },
4: measurements.Measurement{ 4: measurements.Measurement{
Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60}, Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
WarnOnly: true, ValidationOpt: measurements.WarnOnly,
}, },
5: measurements.Measurement{ 5: measurements.Measurement{
Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80}, Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
WarnOnly: true, ValidationOpt: measurements.WarnOnly,
}, },
} }
warningValidator := NewValidator( warningValidator := NewValidator(
@ -200,8 +200,8 @@ func TestValidate(t *testing.T) {
validator: NewValidator( validator: NewValidator(
measurements.M{ measurements.M{
0: measurements.Measurement{ 0: measurements.Measurement{
Expected: [32]byte{0xFF}, Expected: [32]byte{0xFF},
WarnOnly: false, ValidationOpt: measurements.Enforce,
}, },
}, },
fakeGetTrustedKey, fakeGetTrustedKey,


@ -130,7 +130,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
c.Provider.Azure.ResourceGroup = "test" c.Provider.Azure.ResourceGroup = "test"
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity" c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e" c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return c return c
}(), }(),
envToSet: map[string]string{ envToSet: map[string]string{
@ -151,7 +151,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
c.Provider.Azure.ClientSecretValue = "other-value" // < Note secret set in config, as well. c.Provider.Azure.ClientSecretValue = "other-value" // < Note secret set in config, as well.
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity" c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e" c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} c.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return c return c
}(), }(),
envToSet: map[string]string{ envToSet: map[string]string{
@ -246,7 +246,7 @@ func TestValidate(t *testing.T) {
az.ClientSecretValue = "test-client-secret" az.ClientSecretValue = "test-client-secret"
cnf.Provider = ProviderConfig{} cnf.Provider = ProviderConfig{}
cnf.Provider.Azure = az cnf.Provider.Azure = az
cnf.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} cnf.Provider.Azure.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return cnf return cnf
}(), }(),
}, },
@ -273,7 +273,7 @@ func TestValidate(t *testing.T) {
gcp.ServiceAccountKeyPath = "test-key-path" gcp.ServiceAccountKeyPath = "test-key-path"
cnf.Provider = ProviderConfig{} cnf.Provider = ProviderConfig{}
cnf.Provider.GCP = gcp cnf.Provider.GCP = gcp
cnf.Provider.GCP.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, false)} cnf.Provider.GCP.Measurements = measurements.M{15: measurements.WithAllBytes(0x00, measurements.Enforce)}
return cnf return cnf
}(), }(),
}, },
@ -397,9 +397,9 @@ func TestConfigGeneratedDocsFresh(t *testing.T) {
func TestConfig_UpdateMeasurements(t *testing.T) { func TestConfig_UpdateMeasurements(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
newMeasurements := measurements.M{ newMeasurements := measurements.M{
1: measurements.WithAllBytes(0x00, false), 1: measurements.WithAllBytes(0x00, measurements.Enforce),
2: measurements.WithAllBytes(0x01, false), 2: measurements.WithAllBytes(0x01, measurements.Enforce),
3: measurements.WithAllBytes(0x02, false), 3: measurements.WithAllBytes(0x02, measurements.Enforce),
} }
{ // AWS { // AWS


@ -77,7 +77,7 @@ func TestNewUpdateableValidator(t *testing.T) {
if tc.writeFile { if tc.writeFile {
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)}, measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
)) ))
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
@ -122,7 +122,7 @@ func TestUpdate(t *testing.T) {
// write measurement config // write measurement config
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)}, measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
)) ))
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename), filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename),
@ -185,7 +185,7 @@ func TestOIDConcurrency(t *testing.T) {
handler := file.NewHandler(afero.NewMemMapFs()) handler := file.NewHandler(afero.NewMemMapFs())
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)}, measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
)) ))
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename), filepath.Join(constants.ServiceBasePath, constants.IDKeyConfigFilename),
@ -232,7 +232,7 @@ func TestUpdateConcurrency(t *testing.T) {
} }
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename), filepath.Join(constants.ServiceBasePath, constants.MeasurementsFilename),
measurements.M{11: measurements.WithAllBytes(0x00, false)}, measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)},
file.OptNone, file.OptNone,
)) ))
require.NoError(handler.WriteJSON( require.NoError(handler.WriteJSON(
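Review bot: Every WriteJSON call in this section (the hunks at 77, 122, 185 and 232) round-trips a measurements map that was just built with `measurements.Enforce`, so no test here pins what a measurements file that lacks the validation field, or still carries the previous boolean form, decodes to. If `ValidationOpt` is a type whose zero value is not `Enforce`, such a file would presumably be loaded as warn-only without any error, which is the same downgrade the updater refuses elsewhere in this commit; I cannot confirm the zero value from these hunks. One case that writes a measurement without the validation field and then asserts the loaded entry has `ValidationOpt == measurements.Enforce` (or that loading fails) would document the intended default. The enclosing test functions start and end outside these hunks.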


@ -22,9 +22,9 @@ func TestSortMeasurements(t *testing.T) {
}{ }{
"pre sorted": { "pre sorted": {
input: measurements.M{ input: measurements.M{
0: measurements.WithAllBytes(0x11, false), 0: measurements.WithAllBytes(0x11, measurements.Enforce),
1: measurements.WithAllBytes(0x22, false), 1: measurements.WithAllBytes(0x22, measurements.Enforce),
2: measurements.WithAllBytes(0x33, false), 2: measurements.WithAllBytes(0x33, measurements.Enforce),
}, },
want: []sorted.Measurement{ want: []sorted.Measurement{
{ {
@ -43,9 +43,9 @@ func TestSortMeasurements(t *testing.T) {
}, },
"unsorted": { "unsorted": {
input: measurements.M{ input: measurements.M{
1: measurements.WithAllBytes(0x22, false), 1: measurements.WithAllBytes(0x22, measurements.Enforce),
0: measurements.WithAllBytes(0x11, false), 0: measurements.WithAllBytes(0x11, measurements.Enforce),
2: measurements.WithAllBytes(0x33, false), 2: measurements.WithAllBytes(0x33, measurements.Enforce),
}, },
want: []sorted.Measurement{ want: []sorted.Measurement{
{ {