config: move all config types into file config.go (#1878)
docgen only includes doc comments from one single file in its output. Therefore all config types need to be located in config.go
This commit is contained in:
parent
439359ffbc
commit
06cd750345
@ -6,14 +6,12 @@ go_library(
|
||||
srcs = [
|
||||
"attestation.go",
|
||||
"attestationversion.go",
|
||||
"azure.go",
|
||||
"config.go",
|
||||
"config_doc.go",
|
||||
# keep
|
||||
"image_enterprise.go",
|
||||
# keep
|
||||
"image_oss.go",
|
||||
"qemu.go",
|
||||
"validation.go",
|
||||
],
|
||||
importpath = "github.com/edgelesssys/constellation/v2/internal/config",
|
||||
|
@ -1,146 +0,0 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
|
||||
attestationconfigfetcher "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
)
|
||||
|
||||
// AzureSEVSNP is the configuration for Azure SEV-SNP attestation.
|
||||
type AzureSEVSNP struct {
|
||||
// description: |
|
||||
// Expected TPM measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
// description: |
|
||||
// Lowest acceptable bootloader version.
|
||||
BootloaderVersion AttestationVersion `json:"bootloaderVersion" yaml:"bootloaderVersion"`
|
||||
// description: |
|
||||
// Lowest acceptable TEE version.
|
||||
TEEVersion AttestationVersion `json:"teeVersion" yaml:"teeVersion"`
|
||||
// description: |
|
||||
// Lowest acceptable SEV-SNP version.
|
||||
SNPVersion AttestationVersion `json:"snpVersion" yaml:"snpVersion"`
|
||||
// description: |
|
||||
// Lowest acceptable microcode version.
|
||||
MicrocodeVersion AttestationVersion `json:"microcodeVersion" yaml:"microcodeVersion"`
|
||||
// description: |
|
||||
// Configuration for validating the firmware signature.
|
||||
FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
|
||||
// description: |
|
||||
// AMD Root Key certificate used to verify the SEV-SNP certificate chain.
|
||||
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
|
||||
}
|
||||
|
||||
// DefaultForAzureSEVSNP returns the default configuration for Azure SEV-SNP attestation.
|
||||
// Version numbers have placeholder values and the latest available values can be fetched using [AzureSEVSNP.FetchAndSetLatestVersionNumbers].
|
||||
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
||||
return &AzureSEVSNP{
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure, variant.AzureSEVSNP{}),
|
||||
BootloaderVersion: NewLatestPlaceholderVersion(),
|
||||
TEEVersion: NewLatestPlaceholderVersion(),
|
||||
SNPVersion: NewLatestPlaceholderVersion(),
|
||||
MicrocodeVersion: NewLatestPlaceholderVersion(),
|
||||
FirmwareSignerConfig: SNPFirmwareSignerConfig{
|
||||
AcceptedKeyDigests: idkeydigest.DefaultList(),
|
||||
EnforcementPolicy: idkeydigest.MAAFallback,
|
||||
},
|
||||
// AMD root key. Received from the AMD Key Distribution System API (KDS).
|
||||
AMDRootKey: mustParsePEM(`-----BEGIN CERTIFICATE-----\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0v
m+O+/2tKBF2h8THb94OvvHHoFDpbCELlq\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\nAFZEAwoKCQ==\n-----END CERTIFICATE-----\n`),
|
||||
}
|
||||
}
|
||||
|
||||
// GetVariant returns azure-sev-snp as the variant.
|
||||
func (AzureSEVSNP) GetVariant() variant.Variant {
|
||||
return variant.AzureSEVSNP{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c AzureSEVSNP) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *AzureSEVSNP) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := old.(*AzureSEVSNP)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, old)
|
||||
}
|
||||
|
||||
firmwareSignerCfgEqual := c.FirmwareSignerConfig.EqualTo(otherCfg.FirmwareSignerConfig)
|
||||
measurementsEqual := c.Measurements.EqualTo(otherCfg.Measurements)
|
||||
bootloaderEqual := c.BootloaderVersion == otherCfg.BootloaderVersion
|
||||
teeEqual := c.TEEVersion == otherCfg.TEEVersion
|
||||
snpEqual := c.SNPVersion == otherCfg.SNPVersion
|
||||
microcodeEqual := c.MicrocodeVersion == otherCfg.MicrocodeVersion
|
||||
rootKeyEqual := bytes.Equal(c.AMDRootKey.Raw, otherCfg.AMDRootKey.Raw)
|
||||
|
||||
return firmwareSignerCfgEqual && measurementsEqual && bootloaderEqual && teeEqual && snpEqual && microcodeEqual && rootKeyEqual, nil
|
||||
}
|
||||
|
||||
// FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
|
||||
func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(fetcher attestationconfigfetcher.AttestationConfigAPIFetcher) error {
|
||||
versions, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// set number and keep isLatest flag
|
||||
c.mergeVersionNumbers(versions.AzureSEVSNPVersion)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *AzureSEVSNP) mergeVersionNumbers(versions configapi.AzureSEVSNPVersion) {
|
||||
c.BootloaderVersion.Value = versions.Bootloader
|
||||
c.TEEVersion.Value = versions.TEE
|
||||
c.SNPVersion.Value = versions.SNP
|
||||
c.MicrocodeVersion.Value = versions.Microcode
|
||||
}
|
||||
|
||||
// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
|
||||
type AzureTrustedLaunch struct {
|
||||
// description: |
|
||||
// Expected TPM measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
}
|
||||
|
||||
// GetVariant returns azure-trusted-launch as the variant.
|
||||
func (AzureTrustedLaunch) GetVariant() variant.Variant {
|
||||
return variant.AzureTrustedLaunch{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c AzureTrustedLaunch) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *AzureTrustedLaunch) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c AzureTrustedLaunch) EqualTo(other AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := other.(*AzureTrustedLaunch)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||
}
|
||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||
}
|
@ -19,6 +19,8 @@ All config relevant definitions, parsing and validation functions should go here
|
||||
package config
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
@ -31,6 +33,7 @@ import (
|
||||
"github.com/go-playground/validator/v10"
|
||||
en_translations "github.com/go-playground/validator/v10/translations/en"
|
||||
|
||||
configapi "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig"
|
||||
attestationconfigfetcher "github.com/edgelesssys/constellation/v2/internal/api/attestationconfig/fetcher"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
@ -831,3 +834,190 @@ func (c GCPSEVES) EqualTo(other AttestationCfg) (bool, error) {
|
||||
func toPtr[T any](v T) *T {
|
||||
return &v
|
||||
}
|
||||
|
||||
// QEMUVTPM is the configuration for QEMU vTPM attestation.
|
||||
type QEMUVTPM struct {
|
||||
// description: |
|
||||
// Expected TPM measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
}
|
||||
|
||||
// GetVariant returns qemu-vtpm as the variant.
|
||||
func (QEMUVTPM) GetVariant() variant.Variant {
|
||||
return variant.QEMUVTPM{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c QEMUVTPM) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *QEMUVTPM) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c QEMUVTPM) EqualTo(other AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := other.(*QEMUVTPM)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||
}
|
||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||
}
|
||||
|
||||
// QEMUTDX is the configuration for QEMU TDX attestation.
|
||||
type QEMUTDX struct {
|
||||
// description: |
|
||||
// Expected TDX measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
}
|
||||
|
||||
// GetVariant returns qemu-tdx as the variant.
|
||||
func (QEMUTDX) GetVariant() variant.Variant {
|
||||
return variant.QEMUTDX{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c QEMUTDX) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *QEMUTDX) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c QEMUTDX) EqualTo(other AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := other.(*QEMUTDX)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||
}
|
||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||
}
|
||||
|
||||
// AzureSEVSNP is the configuration for Azure SEV-SNP attestation.
|
||||
type AzureSEVSNP struct {
|
||||
// description: |
|
||||
// Expected TPM measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
// description: |
|
||||
// Lowest acceptable bootloader version.
|
||||
BootloaderVersion AttestationVersion `json:"bootloaderVersion" yaml:"bootloaderVersion"`
|
||||
// description: |
|
||||
// Lowest acceptable TEE version.
|
||||
TEEVersion AttestationVersion `json:"teeVersion" yaml:"teeVersion"`
|
||||
// description: |
|
||||
// Lowest acceptable SEV-SNP version.
|
||||
SNPVersion AttestationVersion `json:"snpVersion" yaml:"snpVersion"`
|
||||
// description: |
|
||||
// Lowest acceptable microcode version.
|
||||
MicrocodeVersion AttestationVersion `json:"microcodeVersion" yaml:"microcodeVersion"`
|
||||
// description: |
|
||||
// Configuration for validating the firmware signature.
|
||||
FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
|
||||
// description: |
|
||||
// AMD Root Key certificate used to verify the SEV-SNP certificate chain.
|
||||
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
|
||||
}
|
||||
|
||||
// DefaultForAzureSEVSNP returns the default configuration for Azure SEV-SNP attestation.
|
||||
// Version numbers have placeholder values and the latest available values can be fetched using [AzureSEVSNP.FetchAndSetLatestVersionNumbers].
|
||||
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
||||
return &AzureSEVSNP{
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure, variant.AzureSEVSNP{}),
|
||||
BootloaderVersion: NewLatestPlaceholderVersion(),
|
||||
TEEVersion: NewLatestPlaceholderVersion(),
|
||||
SNPVersion: NewLatestPlaceholderVersion(),
|
||||
MicrocodeVersion: NewLatestPlaceholderVersion(),
|
||||
FirmwareSignerConfig: SNPFirmwareSignerConfig{
|
||||
AcceptedKeyDigests: idkeydigest.DefaultList(),
|
||||
EnforcementPolicy: idkeydigest.MAAFallback,
|
||||
},
|
||||
// AMD root key. Received from the AMD Key Distribution System API (KDS).
|
||||
AMDRootKey: mustParsePEM(`-----BEGIN CERTIFICATE-----\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0v
m+O+/2tKBF2h8THb94OvvHHoFDpbCELlq\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\nAFZEAwoKCQ==\n-----END CERTIFICATE-----\n`),
|
||||
}
|
||||
}
|
||||
|
||||
// GetVariant returns azure-sev-snp as the variant.
|
||||
func (AzureSEVSNP) GetVariant() variant.Variant {
|
||||
return variant.AzureSEVSNP{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c AzureSEVSNP) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *AzureSEVSNP) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := old.(*AzureSEVSNP)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, old)
|
||||
}
|
||||
|
||||
firmwareSignerCfgEqual := c.FirmwareSignerConfig.EqualTo(otherCfg.FirmwareSignerConfig)
|
||||
measurementsEqual := c.Measurements.EqualTo(otherCfg.Measurements)
|
||||
bootloaderEqual := c.BootloaderVersion == otherCfg.BootloaderVersion
|
||||
teeEqual := c.TEEVersion == otherCfg.TEEVersion
|
||||
snpEqual := c.SNPVersion == otherCfg.SNPVersion
|
||||
microcodeEqual := c.MicrocodeVersion == otherCfg.MicrocodeVersion
|
||||
rootKeyEqual := bytes.Equal(c.AMDRootKey.Raw, otherCfg.AMDRootKey.Raw)
|
||||
|
||||
return firmwareSignerCfgEqual && measurementsEqual && bootloaderEqual && teeEqual && snpEqual && microcodeEqual && rootKeyEqual, nil
|
||||
}
|
||||
|
||||
// FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
|
||||
func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(fetcher attestationconfigfetcher.AttestationConfigAPIFetcher) error {
|
||||
versions, err := fetcher.FetchAzureSEVSNPVersionLatest(context.Background())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// set number and keep isLatest flag
|
||||
c.mergeVersionNumbers(versions.AzureSEVSNPVersion)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *AzureSEVSNP) mergeVersionNumbers(versions configapi.AzureSEVSNPVersion) {
|
||||
c.BootloaderVersion.Value = versions.Bootloader
|
||||
c.TEEVersion.Value = versions.TEE
|
||||
c.SNPVersion.Value = versions.SNP
|
||||
c.MicrocodeVersion.Value = versions.Microcode
|
||||
}
|
||||
|
||||
// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
|
||||
type AzureTrustedLaunch struct {
|
||||
// description: |
|
||||
// Expected TPM measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
}
|
||||
|
||||
// GetVariant returns azure-trusted-launch as the variant.
|
||||
func (AzureTrustedLaunch) GetVariant() variant.Variant {
|
||||
return variant.AzureTrustedLaunch{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c AzureTrustedLaunch) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *AzureTrustedLaunch) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c AzureTrustedLaunch) EqualTo(other AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := other.(*AzureTrustedLaunch)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||
}
|
||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||
}
|
||||
|
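Review bot: `FetchAndSetLatestVersionNumbers` performs a network fetch of the minimum acceptable TCB versions with `context.Background()`, so a caller can neither bound nor cancel the request, and on failure the error is returned bare without saying what was being fetched. Since the method is being relocated anyway, this is a good moment to accept a context and wrap the error: `func (c *AzureSEVSNP) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigfetcher.AttestationConfigAPIFetcher) error {`, `versions, err := fetcher.FetchAzureSEVSNPVersionLatest(ctx)`, and `return fmt.Errorf("fetching latest Azure SEV-SNP versions: %w", err)`; that is a signature change, so the callers outside this hunk would need updating too. Separately, `DefaultForAzureSEVSNP` passes the pinned AMD root key as a backtick raw string containing literal `\n` sequences, which are two characters rather than newlines in Go; this only decodes if `mustParsePEM` (defined outside the hunk) normalizes those escapes before `pem.Decode`, which is worth confirming with a short comment on that call, e.g. `// literal \n sequences are expanded by mustParsePEM`.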
@ -22,6 +22,10 @@ var (
|
||||
AWSNitroTPMDoc encoder.Doc
|
||||
SNPFirmwareSignerConfigDoc encoder.Doc
|
||||
GCPSEVESDoc encoder.Doc
|
||||
QEMUVTPMDoc encoder.Doc
|
||||
QEMUTDXDoc encoder.Doc
|
||||
AzureSEVSNPDoc encoder.Doc
|
||||
AzureTrustedLaunchDoc encoder.Doc
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -476,6 +480,12 @@ func init() {
|
||||
SNPFirmwareSignerConfigDoc.Type = "SNPFirmwareSignerConfig"
|
||||
SNPFirmwareSignerConfigDoc.Comments[encoder.LineComment] = "SNPFirmwareSignerConfig is the configuration for validating the firmware signer."
|
||||
SNPFirmwareSignerConfigDoc.Description = "SNPFirmwareSignerConfig is the configuration for validating the firmware signer."
|
||||
SNPFirmwareSignerConfigDoc.AppearsIn = []encoder.Appearance{
|
||||
{
|
||||
TypeName: "AzureSEVSNP",
|
||||
FieldName: "firmwareSignerConfig",
|
||||
},
|
||||
}
|
||||
SNPFirmwareSignerConfigDoc.Fields = make([]encoder.Doc, 3)
|
||||
SNPFirmwareSignerConfigDoc.Fields[0].Name = "acceptedKeyDigests"
|
||||
SNPFirmwareSignerConfigDoc.Fields[0].Type = "List"
|
||||
@ -508,6 +518,100 @@ func init() {
|
||||
GCPSEVESDoc.Fields[0].Note = ""
|
||||
GCPSEVESDoc.Fields[0].Description = "Expected TPM measurements."
|
||||
GCPSEVESDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
||||
|
||||
QEMUVTPMDoc.Type = "QEMUVTPM"
|
||||
QEMUVTPMDoc.Comments[encoder.LineComment] = "QEMUVTPM is the configuration for QEMU vTPM attestation."
|
||||
QEMUVTPMDoc.Description = "QEMUVTPM is the configuration for QEMU vTPM attestation."
|
||||
QEMUVTPMDoc.AppearsIn = []encoder.Appearance{
|
||||
{
|
||||
TypeName: "AttestationConfig",
|
||||
FieldName: "qemuVTPM",
|
||||
},
|
||||
}
|
||||
QEMUVTPMDoc.Fields = make([]encoder.Doc, 1)
|
||||
QEMUVTPMDoc.Fields[0].Name = "measurements"
|
||||
QEMUVTPMDoc.Fields[0].Type = "M"
|
||||
QEMUVTPMDoc.Fields[0].Note = ""
|
||||
QEMUVTPMDoc.Fields[0].Description = "Expected TPM measurements."
|
||||
QEMUVTPMDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
||||
|
||||
QEMUTDXDoc.Type = "QEMUTDX"
|
||||
QEMUTDXDoc.Comments[encoder.LineComment] = "QEMUTDX is the configuration for QEMU TDX attestation."
|
||||
QEMUTDXDoc.Description = "QEMUTDX is the configuration for QEMU TDX attestation."
|
||||
QEMUTDXDoc.AppearsIn = []encoder.Appearance{
|
||||
{
|
||||
TypeName: "AttestationConfig",
|
||||
FieldName: "qemuTDX",
|
||||
},
|
||||
}
|
||||
QEMUTDXDoc.Fields = make([]encoder.Doc, 1)
|
||||
QEMUTDXDoc.Fields[0].Name = "measurements"
|
||||
QEMUTDXDoc.Fields[0].Type = "M"
|
||||
QEMUTDXDoc.Fields[0].Note = ""
|
||||
QEMUTDXDoc.Fields[0].Description = "Expected TDX measurements."
|
||||
QEMUTDXDoc.Fields[0].Comments[encoder.LineComment] = "Expected TDX measurements."
|
||||
|
||||
AzureSEVSNPDoc.Type = "AzureSEVSNP"
|
||||
AzureSEVSNPDoc.Comments[encoder.LineComment] = "AzureSEVSNP is the configuration for Azure SEV-SNP attestation."
|
||||
AzureSEVSNPDoc.Description = "AzureSEVSNP is the configuration for Azure SEV-SNP attestation."
|
||||
AzureSEVSNPDoc.AppearsIn = []encoder.Appearance{
|
||||
{
|
||||
TypeName: "AttestationConfig",
|
||||
FieldName: "azureSEVSNP",
|
||||
},
|
||||
}
|
||||
AzureSEVSNPDoc.Fields = make([]encoder.Doc, 7)
|
||||
AzureSEVSNPDoc.Fields[0].Name = "measurements"
|
||||
AzureSEVSNPDoc.Fields[0].Type = "M"
|
||||
AzureSEVSNPDoc.Fields[0].Note = ""
|
||||
AzureSEVSNPDoc.Fields[0].Description = "Expected TPM measurements."
|
||||
AzureSEVSNPDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
||||
AzureSEVSNPDoc.Fields[1].Name = "bootloaderVersion"
|
||||
AzureSEVSNPDoc.Fields[1].Type = "AttestationVersion"
|
||||
AzureSEVSNPDoc.Fields[1].Note = ""
|
||||
AzureSEVSNPDoc.Fields[1].Description = "Lowest acceptable bootloader version."
|
||||
AzureSEVSNPDoc.Fields[1].Comments[encoder.LineComment] = "Lowest acceptable bootloader version."
|
||||
AzureSEVSNPDoc.Fields[2].Name = "teeVersion"
|
||||
AzureSEVSNPDoc.Fields[2].Type = "AttestationVersion"
|
||||
AzureSEVSNPDoc.Fields[2].Note = ""
|
||||
AzureSEVSNPDoc.Fields[2].Description = "Lowest acceptable TEE version."
|
||||
AzureSEVSNPDoc.Fields[2].Comments[encoder.LineComment] = "Lowest acceptable TEE version."
|
||||
AzureSEVSNPDoc.Fields[3].Name = "snpVersion"
|
||||
AzureSEVSNPDoc.Fields[3].Type = "AttestationVersion"
|
||||
AzureSEVSNPDoc.Fields[3].Note = ""
|
||||
AzureSEVSNPDoc.Fields[3].Description = "Lowest acceptable SEV-SNP version."
|
||||
AzureSEVSNPDoc.Fields[3].Comments[encoder.LineComment] = "Lowest acceptable SEV-SNP version."
|
||||
AzureSEVSNPDoc.Fields[4].Name = "microcodeVersion"
|
||||
AzureSEVSNPDoc.Fields[4].Type = "AttestationVersion"
|
||||
AzureSEVSNPDoc.Fields[4].Note = ""
|
||||
AzureSEVSNPDoc.Fields[4].Description = "Lowest acceptable microcode version."
|
||||
AzureSEVSNPDoc.Fields[4].Comments[encoder.LineComment] = "Lowest acceptable microcode version."
|
||||
AzureSEVSNPDoc.Fields[5].Name = "firmwareSignerConfig"
|
||||
AzureSEVSNPDoc.Fields[5].Type = "SNPFirmwareSignerConfig"
|
||||
AzureSEVSNPDoc.Fields[5].Note = ""
|
||||
AzureSEVSNPDoc.Fields[5].Description = "Configuration for validating the firmware signature."
|
||||
AzureSEVSNPDoc.Fields[5].Comments[encoder.LineComment] = "Configuration for validating the firmware signature."
|
||||
AzureSEVSNPDoc.Fields[6].Name = "amdRootKey"
|
||||
AzureSEVSNPDoc.Fields[6].Type = "Certificate"
|
||||
AzureSEVSNPDoc.Fields[6].Note = ""
|
||||
AzureSEVSNPDoc.Fields[6].Description = "AMD Root Key certificate used to verify the SEV-SNP certificate chain."
|
||||
AzureSEVSNPDoc.Fields[6].Comments[encoder.LineComment] = "AMD Root Key certificate used to verify the SEV-SNP certificate chain."
|
||||
|
||||
AzureTrustedLaunchDoc.Type = "AzureTrustedLaunch"
|
||||
AzureTrustedLaunchDoc.Comments[encoder.LineComment] = "AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation."
|
||||
AzureTrustedLaunchDoc.Description = "AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation."
|
||||
AzureTrustedLaunchDoc.AppearsIn = []encoder.Appearance{
|
||||
{
|
||||
TypeName: "AttestationConfig",
|
||||
FieldName: "azureTrustedLaunch",
|
||||
},
|
||||
}
|
||||
AzureTrustedLaunchDoc.Fields = make([]encoder.Doc, 1)
|
||||
AzureTrustedLaunchDoc.Fields[0].Name = "measurements"
|
||||
AzureTrustedLaunchDoc.Fields[0].Type = "M"
|
||||
AzureTrustedLaunchDoc.Fields[0].Note = ""
|
||||
AzureTrustedLaunchDoc.Fields[0].Description = "Expected TPM measurements."
|
||||
AzureTrustedLaunchDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
||||
}
|
||||
|
||||
func (_ Config) Doc() *encoder.Doc {
|
||||
@ -554,6 +658,22 @@ func (_ GCPSEVES) Doc() *encoder.Doc {
|
||||
return &GCPSEVESDoc
|
||||
}
|
||||
|
||||
func (_ QEMUVTPM) Doc() *encoder.Doc {
|
||||
return &QEMUVTPMDoc
|
||||
}
|
||||
|
||||
func (_ QEMUTDX) Doc() *encoder.Doc {
|
||||
return &QEMUTDXDoc
|
||||
}
|
||||
|
||||
func (_ AzureSEVSNP) Doc() *encoder.Doc {
|
||||
return &AzureSEVSNPDoc
|
||||
}
|
||||
|
||||
func (_ AzureTrustedLaunch) Doc() *encoder.Doc {
|
||||
return &AzureTrustedLaunchDoc
|
||||
}
|
||||
|
||||
// GetConfigurationDoc returns documentation for the file ./config_doc.go.
|
||||
func GetConfigurationDoc() *encoder.FileDoc {
|
||||
return &encoder.FileDoc{
|
||||
@ -571,6 +691,10 @@ func GetConfigurationDoc() *encoder.FileDoc {
|
||||
&AWSNitroTPMDoc,
|
||||
&SNPFirmwareSignerConfigDoc,
|
||||
&GCPSEVESDoc,
|
||||
&QEMUVTPMDoc,
|
||||
&QEMUTDXDoc,
|
||||
&AzureSEVSNPDoc,
|
||||
&AzureTrustedLaunchDoc,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
@ -1,76 +0,0 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
)
|
||||
|
||||
// QEMUVTPM is the configuration for QEMU vTPM attestation.
|
||||
type QEMUVTPM struct {
|
||||
// description: |
|
||||
// Expected TPM measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
}
|
||||
|
||||
// GetVariant returns qemu-vtpm as the variant.
|
||||
func (QEMUVTPM) GetVariant() variant.Variant {
|
||||
return variant.QEMUVTPM{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c QEMUVTPM) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *QEMUVTPM) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c QEMUVTPM) EqualTo(other AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := other.(*QEMUVTPM)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||
}
|
||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||
}
|
||||
|
||||
// QEMUTDX is the configuration for QEMU TDX attestation.
|
||||
type QEMUTDX struct {
|
||||
// description: |
|
||||
// Expected TDX measurements.
|
||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||
}
|
||||
|
||||
// GetVariant returns qemu-tdx as the variant.
|
||||
func (QEMUTDX) GetVariant() variant.Variant {
|
||||
return variant.QEMUTDX{}
|
||||
}
|
||||
|
||||
// GetMeasurements returns the measurements used for attestation.
|
||||
func (c QEMUTDX) GetMeasurements() measurements.M {
|
||||
return c.Measurements
|
||||
}
|
||||
|
||||
// SetMeasurements updates a config's measurements using the given measurements.
|
||||
func (c *QEMUTDX) SetMeasurements(m measurements.M) {
|
||||
c.Measurements = m
|
||||
}
|
||||
|
||||
// EqualTo returns true if the config is equal to the given config.
|
||||
func (c QEMUTDX) EqualTo(other AttestationCfg) (bool, error) {
|
||||
otherCfg, ok := other.(*QEMUTDX)
|
||||
if !ok {
|
||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||
}
|
||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||
}
|