attestation: validate GCP machine state

Thomas Tendyck 2023-03-06 09:17:08 +01:00 committed by Thomas Tendyck
parent 2535073df8
commit 0a344e4cf6
3 changed files with 44 additions and 51 deletions


@ -198,23 +198,24 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, e
return nil, fmt.Errorf("validating attestation public key: %w", err)
}
// Validate confidential computing capabilities of the VM
if err := v.validateCVM(attDoc, nil); err != nil {
return nil, fmt.Errorf("verifying VM confidential computing capabilities: %w", err)
}
// Verify the TPM attestation
if _, err := tpmServer.VerifyAttestation(
state, err := tpmServer.VerifyAttestation(
attDoc.Attestation,
tpmServer.VerifyOpts{
Nonce: makeExtraData(attDoc.UserData, nonce),
TrustedAKs: []crypto.PublicKey{aKP},
AllowSHA1: false,
},
); err != nil {
)
if err != nil {
return nil, fmt.Errorf("verifying attestation document: %w", err)
}
// Validate confidential computing capabilities of the VM
if err := v.validateCVM(attDoc, state); err != nil {
return nil, fmt.Errorf("verifying VM confidential computing capabilities: %w", err)
}
// Verify PCRs
quoteIdx, err := GetSHA256QuoteIndex(attDoc.Attestation.Quotes)
if err != nil {