attestation: print ordered measurement verification warnings and errors (#2237)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-07 06:22:17 -04:00 · 2023-08-16 10:45:54 +02:00 · 2023-08-16 10:45:54 +02:00 · 103817a4a5
commit 103817a4a5
parent 78fa921746
5 changed files with 184 additions and 25 deletions
--- a/internal/attestation/vtpm/attestation_test.go
+++ b/internal/attestation/vtpm/attestation_test.go
@ -80,7 +80,7 @@ func TestValidate(t *testing.T) {
 	defer tpmCloser.Close()

 	issuer := NewIssuer(tpmOpen, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo, logger.NewTest(t))
-	validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, nil)
+	validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, logger.NewTest(t))

 	nonce := []byte{1, 2, 3, 4}
 	challenge := []byte("Constellation")
@ -206,6 +206,10 @@ func TestValidate(t *testing.T) {
 						Expected:      []byte{0xFF},
 						ValidationOpt: measurements.Enforce,
 					},
+					1: measurements.Measurement{
+						Expected:      []byte{0xFF},
+						ValidationOpt: measurements.Enforce,
+					},
 				},
 				fakeGetTrustedKey,
 				fakeValidateCVM,
@ -214,6 +218,25 @@ func TestValidate(t *testing.T) {
 			nonce:   nonce,
 			wantErr: true,
 		},
+		"untrusted WarnOnly PCRs": {
+			validator: NewValidator(
+				measurements.M{
+					0: measurements.Measurement{
+						Expected:      []byte{0xFF},
+						ValidationOpt: measurements.WarnOnly,
+					},
+					1: measurements.Measurement{
+						Expected:      []byte{0xFF},
+						ValidationOpt: measurements.WarnOnly,
+					},
+				},
+				fakeGetTrustedKey,
+				fakeValidateCVM,
+				logger.NewTest(t)),
+			attDoc:  mustMarshalAttestation(attDoc, require),
+			nonce:   nonce,
+			wantErr: false,
+		},
 		"no sha256 quote": {
 			validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
 			attDoc: mustMarshalAttestation(AttestationDocument{