Remove GCP non CVMs

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

cli/cloud/cloudcmd/create.go

@@ -85,7 +85,6 @@ func (c *Creator) createGCP(ctx context.Context, cl gcpclient, config *config.Co
 		InstanceType:      insType,
 		StateDiskSizeGB:   *config.StateDiskSizeGB,
 		KubeEnv:           gcp.KubeEnv,
-		DisableCVM:        *config.Provider.GCP.DisableCVM,
 	}
 	if err := cl.CreateInstances(ctx, createInput); err != nil {
 		return state.ConstellationState{}, err

cli/cloud/cloudcmd/validators.go

@@ -93,7 +93,6 @@ func (v *Validators) updateValidators() {
 	case cloudprovider.GCP:
 		v.validators = []atls.Validator{
 			gcp.NewValidator(v.pcrs),
-			gcp.NewNonCVMValidator(map[uint32][]byte{}), // TODO: Remove once we no longer use non CVMs.
 		}
 	case cloudprovider.Azure:
 		v.validators = []atls.Validator{

cli/cloud/cloudcmd/validators_test.go

@@ -278,7 +278,6 @@ func TestValidatorsV(t *testing.T) {
 			pcrs:     newTestPCRs(),
 			wantVs: []atls.Validator{
 				gcp.NewValidator(newTestPCRs()),
-				gcp.NewNonCVMValidator(map[uint32][]byte{}), // TODO: remove when not longer needed.
 			},
 		},
 		"azure": {

cli/gcp/client/instances.go

@@ -37,7 +37,6 @@ func (c *Client) CreateInstances(ctx context.Context, input CreateInstancesInput
 		Zone:                         c.zone,
 		Region:                       c.region,
 		UID:                          c.uid,
-		DisableCVM:                   input.DisableCVM,
 	}
 	op, err := c.insertInstanceTemplate(ctx, nodeTemplateInput)
 	if err != nil {
@@ -58,7 +57,6 @@ func (c *Client) CreateInstances(ctx context.Context, input CreateInstancesInput
 		Zone:            c.zone,
 		Region:          c.region,
 		UID:             c.uid,
-		DisableCVM:      input.DisableCVM,
 	}
 	op, err = c.insertInstanceTemplate(ctx, coordinatorTemplateInput)
 	if err != nil {
@@ -293,7 +291,6 @@ type CreateInstancesInput struct {
 	InstanceType      string
 	StateDiskSizeGB   int
 	KubeEnv           string
-	DisableCVM        bool
 }
 
 type insertInstanceTemplateInput struct {
@@ -309,7 +306,6 @@ type insertInstanceTemplateInput struct {
 	Zone                         string
 	Region                       string
 	UID                          string
-	DisableCVM                   bool
 }
 
 func (i insertInstanceTemplateInput) insertInstanceTemplateRequest() *computepb.InsertInstanceTemplateRequest {
@@ -319,7 +315,7 @@ func (i insertInstanceTemplateInput) insertInstanceTemplateRequest() *computepb.
 			Name:        proto.String(i.Name),
 			Properties: &computepb.InstanceProperties{
 				ConfidentialInstanceConfig: &computepb.ConfidentialInstanceConfig{
-					EnableConfidentialCompute: proto.Bool(!i.DisableCVM),
+					EnableConfidentialCompute: proto.Bool(true),
 				},
 				Description: proto.String("This instance belongs to a Constellation."),
 				Disks: []*computepb.AttachedDisk{

coordinator/attestation/gcp/noncvm.go

@@ -1,91 +0,0 @@
-package gcp
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	compute "cloud.google.com/go/compute/apiv1"
-	"cloud.google.com/go/compute/metadata"
-	"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
-	"github.com/edgelesssys/constellation/coordinator/oid"
-	tpmclient "github.com/google/go-tpm-tools/client"
-	computepb "google.golang.org/genproto/googleapis/cloud/compute/v1"
-)
-
-// NonCVMValidator is a validator for regular GCP VMs with vTPM.
-// TODO: Remove once we no longer use non cvms.
-type NonCVMValidator struct {
-	oid.GCPNonCVM
-	*vtpm.Validator
-}
-
-// NewNonCVMValidator initializes a new non CVM GCP validator with the provided PCR values.
-// TODO: Remove once we no longer use non cvms.
-func NewNonCVMValidator(pcrs map[uint32][]byte) *NonCVMValidator {
-	return &NonCVMValidator{
-		Validator: vtpm.NewValidator(
-			pcrs,
-			trustedKeyFromGCEAPI(newInstanceClient),
-			func(attestation vtpm.AttestationDocument) error { return nil },
-			vtpm.VerifyPKCS1v15,
-		),
-	}
-}
-
-// NonCVNMIssuer for GCP confindetial VM attestation.
-// TODO: Remove once we no longer use non cvms.
-type NonCVMIssuer struct {
-	oid.GCPNonCVM
-	*vtpm.Issuer
-}
-
-// NewNonCVNMIssuer initializes a new GCP Issuer.
-// TODO: Remove once we no longer use non cvms.
-func NewNonCVMIssuer() *NonCVMIssuer {
-	return &NonCVMIssuer{
-		Issuer: vtpm.NewIssuer(
-			vtpm.OpenVTPM,
-			tpmclient.GceAttestationKeyRSA,
-			getGCEInstanceInfo(metadataClient{}),
-		),
-	}
-}
-
-// IsCVM returns true if the VM has confidential computing capabilities enabled.
-func IsCVM() (bool, error) {
-	project, err := metadata.ProjectID()
-	if err != nil {
-		return false, err
-	}
-	zone, err := metadata.Zone()
-	if err != nil {
-		return false, err
-	}
-	instance, err := metadata.InstanceName()
-	if err != nil {
-		return false, err
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-	client, err := compute.NewInstancesRESTClient(ctx)
-	if err != nil {
-		return false, err
-	}
-	defer client.Close()
-	infos, err := client.Get(ctx, &computepb.GetInstanceRequest{
-		Instance: instance,
-		Project:  project,
-		Zone:     zone,
-	})
-	if err != nil {
-		return false, err
-	}
-
-	if infos.ConfidentialInstanceConfig == nil {
-		return false, fmt.Errorf("received empty confidential instance config")
-	}
-
-	return *infos.ConfidentialInstanceConfig.EnableConfidentialCompute, nil
-}

coordinator/cmd/coordinator/main.go

@@ -84,18 +84,9 @@ func main() {
 			log.Fatal(err)
 		}
 
-		// TODO: Remove once we no longer use non cvms
-		isCVM, err := gcp.IsCVM()
-		if err != nil {
-			log.Fatal(err)
-		}
-		if isCVM {
-			issuer = gcp.NewIssuer()
-			validator = gcp.NewValidator(pcrs)
-		} else {
-			issuer = gcp.NewNonCVMIssuer()
-			validator = gcp.NewNonCVMValidator(pcrs)
-		}
+		issuer = gcp.NewIssuer()
+		validator = gcp.NewValidator(pcrs)
+
 		kube = kubernetes.New(&k8sapi.KubernetesUtil{}, &k8sapi.CoreOSConfiguration{}, kubectl.New())
 		gcpClient, err := gcpcloud.NewClient(context.Background())
 		if err != nil {

coordinator/oid/oid.go

@@ -51,12 +51,3 @@ type QEMU struct{}
 func (QEMU) OID() asn1.ObjectIdentifier {
 	return asn1.ObjectIdentifier{1, 3, 9900, 5}
 }
-
-// GCPNonCVM returns the GCP OID for non CVMs.
-// TODO: Remove once we no longer use non cvms.
-type GCPNonCVM struct{}
-
-// OID returns the struct's object identifier.
-func (GCPNonCVM) OID() asn1.ObjectIdentifier {
-	return asn1.ObjectIdentifier{1, 3, 9900, 99}
-}

internal/config/config.go

@@ -191,8 +191,7 @@ func Default() *Config {
 					"roles/storage.admin",
 					"roles/iam.serviceAccountUser",
 				},
-				DisableCVM: proto.Bool(false),
-				PCRs:       pcrPtr(gcpPCRs),
+				PCRs: pcrPtr(gcpPCRs),
 			},
 		},
 	}
@@ -247,7 +246,6 @@ type GCPConfig struct {
 	VPCsInput           *gcpClient.VPCsInput     `json:"vpcsinput,omitempty"`
 	ServiceAccountRoles *[]string                `json:"serviceaccountroles,omitempty"`
 	PCRs                *map[uint32][]byte       `json:"pcrs,omitempty"`
-	DisableCVM          *bool                    `json:"disableCVM"`
 }
 
 func pcrPtr(pcrs map[uint32][]byte) *map[uint32][]byte {

util/pcr-reader/main.go

@@ -48,7 +48,6 @@ func main() {
 	if err := waiter.InitializeValidators([]atls.Validator{
 		azure.NewValidator(map[uint32][]byte{}),
 		gcp.NewValidator(map[uint32][]byte{}),
-		gcp.NewNonCVMValidator(map[uint32][]byte{}),
 	}); err != nil {
 		log.Fatal(err)
 	}
@@ -110,7 +109,7 @@ func getVerifyPeerCertificateFunc(attDoc *[]byte) func(rawCerts [][]byte, verifi
 		}
 
 		for _, ex := range cert.Extensions {
-			if ex.Id.Equal(oid.Azure{}.OID()) || ex.Id.Equal(oid.GCP{}.OID()) || ex.Id.Equal(oid.GCPNonCVM{}.OID()) {
+			if ex.Id.Equal(oid.Azure{}.OID()) || ex.Id.Equal(oid.GCP{}.OID()) {
 				if err := json.Unmarshal(ex.Value, attDoc); err != nil {
 					*attDoc = ex.Value
 				}