Rebase fixes

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-03 20:44:14 -04:00 · 2023-05-04 10:51:28 +02:00 · 2023-05-04 10:51:28 +02:00 · 1d5af5f0f4
commit 1d5af5f0f4
parent 63d938d9a4
12 changed files with 197 additions and 116 deletions
--- a/internal/config/attestation.go
+++ b/internal/config/attestation.go
@ -41,6 +41,8 @@ func UnmarshalAttestationConfig(data []byte, attestVariant variant.Variant) (Att
 		return unmarshalTypedConfig[*GCPSEVES](data)
 	case variant.QEMUVTPM{}:
 		return unmarshalTypedConfig[*QEMUVTPM](data)
+	case variant.QEMUTDX{}:
+		return unmarshalTypedConfig[*QEMUTDX](data)
 	case variant.Dummy{}:
 		return unmarshalTypedConfig[*DummyCfg](data)
 	default:
--- a/internal/config/attestation_test.go
+++ b/internal/config/attestation_test.go
@ -12,6 +12,7 @@ import (
 	"testing"

 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/variant"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -26,22 +27,22 @@ func TestUnmarshalAttestationConfig(t *testing.T) {
 		cfg AttestationCfg
 	}{
 		"AWSNitroTPM": {
-			cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})},
+			cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS, variant.AWSNitroTPM{})},
 		},
 		"AzureSEVSNP": {
 			cfg: DefaultForAzureSEVSNP(),
 		},
 		"AzureTrustedLaunch": {
-			cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})},
+			cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure, variant.AzureTrustedLaunch{})},
 		},
 		"GCPSEVES": {
-			cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})},
+			cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP, variant.GCPSEVES{})},
 		},
 		"QEMUVTPM": {
-			cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})},
+			cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU, variant.QEMUVTPM{})},
 		},
 		"QEMUTDX": {
-			cfg: &QEMUTDX{Measurements: measurements.DefaultsFor(variant.QEMUTDX{})},
+			cfg: &QEMUTDX{Measurements: measurements.DefaultsFor(cloudprovider.QEMU, variant.QEMUTDX{})},
 		},
 	}

--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -287,6 +287,9 @@ type AttestationConfig struct {
 	//   GCP SEV-ES attestation.
 	GCPSEVES *GCPSEVES `yaml:"gcpSEVES,omitempty" validate:"omitempty,dive"`
 	// description: |
+	//   QEMU tdx attestation.
+	QEMUTDX *QEMUTDX `yaml:"qemuTDX,omitempty" validate:"omitempty,dive"`
+	// description: |
 	//   QEMU vTPM attestation.
 	QEMUVTPM *QEMUVTPM `yaml:"qemuVTPM,omitempty" validate:"omitempty,dive"`
 }
@ -343,12 +346,18 @@ func Default() *Config {
 				NVRAM:                 "production",
 			},
 		},
+		// TODO(malt3): remove default attestation config as soon as one-to-one mapping is no longer possible.
+		// Some problematic pairings:
+		// OpenStack uses qemu-vtpm as attestation variant
+		// QEMU uses qemu-vtpm as attestation variant
+		// AWS uses aws-nitro-tpm as attestation variant
+		// AWS will have aws-sev-snp as attestation variant
 		Attestation: AttestationConfig{
-			AWSNitroTPM:        &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})},
+			AWSNitroTPM:        &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS, variant.AWSNitroTPM{})},
 			AzureSEVSNP:        DefaultForAzureSEVSNP(),
-			AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})},
-			GCPSEVES:           &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})},
-			QEMUVTPM:           &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})},
+			AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure, variant.AzureTrustedLaunch{})},
+			GCPSEVES:           &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP, variant.GCPSEVES{})},
+			QEMUVTPM:           &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU, variant.QEMUVTPM{})},
 		},
 	}
 }
@ -727,7 +736,7 @@ type AzureSEVSNP struct {
 // TODO(AB#3042): replace with dynamic lookup for configurable values.
 func DefaultForAzureSEVSNP() *AzureSEVSNP {
 	return &AzureSEVSNP{
-		Measurements:      measurements.DefaultsFor(variant.AzureSEVSNP{}),
+		Measurements:      measurements.DefaultsFor(cloudprovider.Azure, variant.AzureSEVSNP{}),
 		BootloaderVersion: 2,
 		TEEVersion:        0,
 		SNPVersion:        6,
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@ -25,6 +25,7 @@ var (
 	AzureTrustedLaunchDoc      encoder.Doc
 	GCPSEVESDoc                encoder.Doc
 	QEMUVTPMDoc                encoder.Doc
+	QEMUTDXDoc                 encoder.Doc
 )

 func init() {
@ -423,7 +424,7 @@ func init() {
 			FieldName: "attestation",
 		},
 	}
-	AttestationConfigDoc.Fields = make([]encoder.Doc, 5)
+	AttestationConfigDoc.Fields = make([]encoder.Doc, 6)
 	AttestationConfigDoc.Fields[0].Name = "awsNitroTPM"
 	AttestationConfigDoc.Fields[0].Type = "AWSNitroTPM"
 	AttestationConfigDoc.Fields[0].Note = ""
@ -444,11 +445,16 @@ func init() {
 	AttestationConfigDoc.Fields[3].Note = ""
 	AttestationConfigDoc.Fields[3].Description = "GCP SEV-ES attestation."
 	AttestationConfigDoc.Fields[3].Comments[encoder.LineComment] = "GCP SEV-ES attestation."
-	AttestationConfigDoc.Fields[4].Name = "qemuVTPM"
-	AttestationConfigDoc.Fields[4].Type = "QEMUVTPM"
+	AttestationConfigDoc.Fields[4].Name = "qemuTDX"
+	AttestationConfigDoc.Fields[4].Type = "QEMUTDX"
 	AttestationConfigDoc.Fields[4].Note = ""
-	AttestationConfigDoc.Fields[4].Description = "QEMU vTPM attestation."
-	AttestationConfigDoc.Fields[4].Comments[encoder.LineComment] = "QEMU vTPM attestation."
+	AttestationConfigDoc.Fields[4].Description = "QEMU tdx attestation."
+	AttestationConfigDoc.Fields[4].Comments[encoder.LineComment] = "QEMU tdx attestation."
+	AttestationConfigDoc.Fields[5].Name = "qemuVTPM"
+	AttestationConfigDoc.Fields[5].Type = "QEMUVTPM"
+	AttestationConfigDoc.Fields[5].Note = ""
+	AttestationConfigDoc.Fields[5].Description = "QEMU vTPM attestation."
+	AttestationConfigDoc.Fields[5].Comments[encoder.LineComment] = "QEMU vTPM attestation."

 	AWSNitroTPMDoc.Type = "AWSNitroTPM"
 	AWSNitroTPMDoc.Comments[encoder.LineComment] = "AWSNitroTPM is the configuration for AWS Nitro TPM attestation."
@ -585,6 +591,22 @@ func init() {
 	QEMUVTPMDoc.Fields[0].Note = ""
 	QEMUVTPMDoc.Fields[0].Description = "Expected TPM measurements."
 	QEMUVTPMDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
+
+	QEMUTDXDoc.Type = "QEMUTDX"
+	QEMUTDXDoc.Comments[encoder.LineComment] = "QEMUTDX is the configuration for QEMU TDX attestation."
+	QEMUTDXDoc.Description = "QEMUTDX is the configuration for QEMU TDX attestation."
+	QEMUTDXDoc.AppearsIn = []encoder.Appearance{
+		{
+			TypeName:  "AttestationConfig",
+			FieldName: "qemuTDX",
+		},
+	}
+	QEMUTDXDoc.Fields = make([]encoder.Doc, 1)
+	QEMUTDXDoc.Fields[0].Name = "measurements"
+	QEMUTDXDoc.Fields[0].Type = "M"
+	QEMUTDXDoc.Fields[0].Note = ""
+	QEMUTDXDoc.Fields[0].Description = "Expected TDX measurements."
+	QEMUTDXDoc.Fields[0].Comments[encoder.LineComment] = "Expected TDX measurements."
 }

 func (_ Config) Doc() *encoder.Doc {
@ -643,6 +665,10 @@ func (_ QEMUVTPM) Doc() *encoder.Doc {
 	return &QEMUVTPMDoc
 }

+func (_ QEMUTDX) Doc() *encoder.Doc {
+	return &QEMUTDXDoc
+}
+
 // GetConfigurationDoc returns documentation for the file ./config_doc.go.
 func GetConfigurationDoc() *encoder.FileDoc {
 	return &encoder.FileDoc{
@ -663,6 +689,7 @@ func GetConfigurationDoc() *encoder.FileDoc {
 			&AzureTrustedLaunchDoc,
 			&GCPSEVESDoc,
 			&QEMUVTPMDoc,
+			&QEMUTDXDoc,
 		},
 	}
 }
--- a/internal/config/validation.go
+++ b/internal/config/validation.go
@ -377,10 +377,12 @@ func translateContainsPlaceholderError(ut ut.Translator, fe validator.FieldError

 func getPlaceholderEntries(m measurements.M) []uint32 {
 	var placeholders []uint32
-	placeholder := measurements.PlaceHolderMeasurement()
+	placeholderTDX := measurements.PlaceHolderMeasurement(measurements.TDXMeasurementLength)
+	placeholderTPM := measurements.PlaceHolderMeasurement(measurements.PCRMeasurementLength)

 	for idx, measurement := range m {
-		if bytes.Equal(measurement.Expected[:], placeholder.Expected[:]) {
+		if bytes.Equal(measurement.Expected, placeholderTDX.Expected) ||
+			bytes.Equal(measurement.Expected, placeholderTPM.Expected) {
 			placeholders = append(placeholders, idx)
 		}
 	}