Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-06 14:04:17 -04:00
Code Issues Projects Releases Packages Wiki Activity

attestation: add MachineState to ValidateCVM

Browse source
This commit is contained in:
Thomas Tendyck 2023-03-06 09:15:52 +01:00 committed by Thomas Tendyck
parent 3471d73c6c
commit 2535073df8
10 changed files with 16 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

3
internal/attestation/aws/validator.go
View file

@ -18,6 +18,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements" "github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm" "github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/v2/internal/oid" "github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2"
) )
@ -54,7 +55,7 @@ func getTrustedKey(akPub []byte, instanceInfo []byte) (crypto.PublicKey, error)
} }
// tpmEnabled verifies if the virtual machine has the tpm2.0 feature enabled. // tpmEnabled verifies if the virtual machine has the tpm2.0 feature enabled.
func (v *Validator) tpmEnabled(attestation vtpm.AttestationDocument) error { func (v *Validator) tpmEnabled(attestation vtpm.AttestationDocument, _ *attest.MachineState) error {
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-nitrotpm-support-on-ami.html // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-nitrotpm-support-on-ami.html
// 1. Get the vm's ami (from IdentiTyDocument.imageId) // 1. Get the vm's ami (from IdentiTyDocument.imageId)
// 2. Check the value of key "TpmSupport": {"Value": "v2.0"}" // 2. Check the value of key "TpmSupport": {"Value": "v2.0"}"

2
internal/attestation/aws/validator_test.go
View file

@ -108,7 +108,7 @@ func TestTpmEnabled(t *testing.T) {
}, },
} }
err := v.tpmEnabled(tc.attDoc) err := v.tpmEnabled(tc.attDoc, nil)
if tc.wantErr { if tc.wantErr {
assert.Error(err) assert.Error(err)
} else { } else {

3
internal/attestation/azure/snp/validator.go
View file

@ -24,6 +24,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm" "github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
internalCrypto "github.com/edgelesssys/constellation/v2/internal/crypto" internalCrypto "github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/oid" "github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2"
) )
@ -55,7 +56,7 @@ func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, en
} }
// validateCVM is a stub, since SEV-SNP attestation is already verified in trustedKeyFromSNP(). // validateCVM is a stub, since SEV-SNP attestation is already verified in trustedKeyFromSNP().
func validateCVM(attestation vtpm.AttestationDocument) error { func validateCVM(vtpm.AttestationDocument, *attest.MachineState) error {
return nil return nil
} }

23
internal/attestation/azure/snp/validator_test.go
View file

@ -307,28 +307,7 @@ func int32ToByte(val uint32) []byte {
} }
func TestValidateAzureCVM(t *testing.T) { func TestValidateAzureCVM(t *testing.T) {
testCases := map[string]struct { assert.NoError(t, validateCVM(vtpm.AttestationDocument{}, nil))
attDoc vtpm.AttestationDocument
wantErr bool
}{
"success": {
attDoc: vtpm.AttestationDocument{},
wantErr: false,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
err := validateCVM(tc.attDoc)
if tc.wantErr {
assert.Error(err)
} else {
assert.NoError(err)
}
})
}
} }
func TestNewSNPReportFromBytes(t *testing.T) { func TestNewSNPReportFromBytes(t *testing.T) {

3
internal/attestation/azure/trustedlaunch/validator.go
View file

@ -18,6 +18,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm" "github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
certutil "github.com/edgelesssys/constellation/v2/internal/crypto" certutil "github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/oid" "github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2"
) )
@ -97,7 +98,7 @@ func (v *Validator) verifyAttestationKey(akPub, instanceInfo []byte) (crypto.Pub
} }
// validateVM returns nil. // validateVM returns nil.
func validateVM(attestation vtpm.AttestationDocument) error { func validateVM(vtpm.AttestationDocument, *attest.MachineState) error {
return nil return nil
} }

2
internal/attestation/gcp/validator.go
View file

@ -104,7 +104,7 @@ func trustedKeyFromGCEAPI(getClient func(ctx context.Context, opts ...option.Cli
// gceNonHostInfoEvent looks for the GCE Non-Host info event in an event log. // gceNonHostInfoEvent looks for the GCE Non-Host info event in an event log.
// Returns an error if the event is not found, or if the event is missing the required flag to mark the VM confidential. // Returns an error if the event is not found, or if the event is missing the required flag to mark the VM confidential.
func gceNonHostInfoEvent(attDoc vtpm.AttestationDocument) error { func gceNonHostInfoEvent(attDoc vtpm.AttestationDocument, _ *attest.MachineState) error {
if attDoc.Attestation == nil { if attDoc.Attestation == nil {
return errors.New("missing attestation in attestation document") return errors.New("missing attestation in attestation document")
} }

2
internal/attestation/gcp/validator_test.go
View file

@ -62,7 +62,7 @@ func TestGceNonHostInfoEvent(t *testing.T) {
for name, tc := range testCases { for name, tc := range testCases {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
err := gceNonHostInfoEvent(tc.attDoc) err := gceNonHostInfoEvent(tc.attDoc, nil)
if tc.wantErr { if tc.wantErr {
assert.Error(err) assert.Error(err)
} else { } else {

3
internal/attestation/qemu/validator.go
View file

@ -12,6 +12,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements" "github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm" "github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/v2/internal/oid" "github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/google/go-tpm-tools/proto/attest"
"github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2"
) )
@ -27,7 +28,7 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
Validator: vtpm.NewValidator( Validator: vtpm.NewValidator(
pcrs, pcrs,
unconditionalTrust, unconditionalTrust,
func(attestation vtpm.AttestationDocument) error { return nil }, func(vtpm.AttestationDocument, *attest.MachineState) error { return nil },
log, log,
), ),
} }

4
internal/attestation/vtpm/attestation.go
View file

@ -61,7 +61,7 @@ type (
// GetInstanceInfo returns VM metdata. // GetInstanceInfo returns VM metdata.
GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error) GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error)
// ValidateCVM validates confidential computing capabilities of the instance issuing the attestation. // ValidateCVM validates confidential computing capabilities of the instance issuing the attestation.
ValidateCVM func(attestation AttestationDocument) error ValidateCVM func(attestation AttestationDocument, state *attest.MachineState) error
) )
// AttestationLogger is a logger used to print warnings and infos during attestation validation. // AttestationLogger is a logger used to print warnings and infos during attestation validation.
@ -199,7 +199,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, e
} }
// Validate confidential computing capabilities of the VM // Validate confidential computing capabilities of the VM
if err := v.validateCVM(attDoc); err != nil { if err := v.validateCVM(attDoc, nil); err != nil {
return nil, fmt.Errorf("verifying VM confidential computing capabilities: %w", err) return nil, fmt.Errorf("verifying VM confidential computing capabilities: %w", err)
} }

4
internal/attestation/vtpm/attestation_test.go
View file

@ -57,7 +57,7 @@ func fakeGetInstanceInfo(tpm io.ReadWriteCloser) ([]byte, error) {
func TestValidate(t *testing.T) { func TestValidate(t *testing.T) {
require := require.New(t) require := require.New(t)
fakeValidateCVM := func(AttestationDocument) error { return nil } fakeValidateCVM := func(AttestationDocument, *attest.MachineState) error { return nil }
fakeGetTrustedKey := func(aKPub, instanceInfo []byte) (crypto.PublicKey, error) { fakeGetTrustedKey := func(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
pubArea, err := tpm2.DecodePublic(aKPub) pubArea, err := tpm2.DecodePublic(aKPub)
if err != nil { if err != nil {
@ -186,7 +186,7 @@ func TestValidate(t *testing.T) {
validator: NewValidator( validator: NewValidator(
testExpectedPCRs, testExpectedPCRs,
fakeGetTrustedKey, fakeGetTrustedKey,
func(attestation AttestationDocument) error { func(AttestationDocument, *attest.MachineState) error {
return errors.New("untrusted") return errors.New("untrusted")
}, },
warnLog), warnLog),