Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-26 01:31:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

Move PCR indices for owner ID and cluster ID

Browse Source
This commit is contained in:
Malte Poll 2022-10-13 12:34:32 +02:00 committed by Malte Poll
parent a901759725
commit 3b6ee703f5
5 changed files with 40 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
cli/internal/cloudcmd/validators_test.go
View File

@ -208,6 +208,17 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
10: zero, 10: zero,
11: zero, 11: zero,
12: zero, 12: zero,
13: zero,
14: zero,
15: zero,
16: zero,
17: one,
18: one,
19: one,
20: one,
21: one,
22: one,
23: zero,
} }
} }
@ -298,7 +309,11 @@ func TestValidatorUpdateInitPCRs(t *testing.T) {
assert.Equal(pcrZeroUpdatedOne[:], pcr) assert.Equal(pcrZeroUpdatedOne[:], pcr)
default: default:
assert.Equal(zero, validators.pcrs[uint32(i)]) if i >= 17 && i <= 22 {
assert.Equal(one, validators.pcrs[uint32(i)])
} else {
assert.Equal(zero, validators.pcrs[uint32(i)])
}
} }
} }
}) })

4
cli/internal/cmd/init_test.go
View File

@ -394,6 +394,9 @@ func TestAttestation(t *testing.T) {
cfg.Provider.QEMU.Measurements[1] = []byte("11111111111111111111111111111111") cfg.Provider.QEMU.Measurements[1] = []byte("11111111111111111111111111111111")
cfg.Provider.QEMU.Measurements[2] = []byte("22222222222222222222222222222222") cfg.Provider.QEMU.Measurements[2] = []byte("22222222222222222222222222222222")
cfg.Provider.QEMU.Measurements[3] = []byte("33333333333333333333333333333333") cfg.Provider.QEMU.Measurements[3] = []byte("33333333333333333333333333333333")
cfg.Provider.QEMU.Measurements[4] = []byte("44444444444444444444444444444444")
cfg.Provider.QEMU.Measurements[8] = []byte("88888888888888888888888888888888")
cfg.Provider.QEMU.Measurements[9] = []byte("99999999999999999999999999999999")
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone)) require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
ctx := context.Background() ctx := context.Background()
@ -484,6 +487,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.GCP.Measurements[9] = []byte("11111111111111111111111111111111") conf.Provider.GCP.Measurements[9] = []byte("11111111111111111111111111111111")
case cloudprovider.QEMU: case cloudprovider.QEMU:
conf.Provider.QEMU.Image = "some/image/location" conf.Provider.QEMU.Image = "some/image/location"
conf.Provider.QEMU.Measurements[4] = []byte("44444444444444444444444444444444")
conf.Provider.QEMU.Measurements[8] = []byte("00000000000000000000000000000000") conf.Provider.QEMU.Measurements[8] = []byte("00000000000000000000000000000000")
conf.Provider.QEMU.Measurements[9] = []byte("11111111111111111111111111111111") conf.Provider.QEMU.Measurements[9] = []byte("11111111111111111111111111111111")
} }

9
internal/attestation/vtpm/initialize.go
View File

@ -14,12 +14,13 @@ import (
) )
const ( const (
// PCRIndexOwnerID is a PCR we extend to mark the node as initialized.
// The value used to extend is derived from Constellation's master key.
PCRIndexOwnerID = tpmutil.Handle(11)
// PCRIndexClusterID is a PCR we extend to mark the node as initialized. // PCRIndexClusterID is a PCR we extend to mark the node as initialized.
// The value used to extend is a random generated 32 Byte value. // The value used to extend is a random generated 32 Byte value.
PCRIndexClusterID = tpmutil.Handle(12) PCRIndexClusterID = tpmutil.Handle(15)
// PCRIndexOwnerID is a PCR we extend to mark the node as initialized.
// The value used to extend is derived from Constellation's master key.
// TODO: move to stable, non-debug PCR before use.
PCRIndexOwnerID = tpmutil.Handle(16)
) )
// MarkNodeAsBootstrapped marks a node as initialized by extending PCRs. // MarkNodeAsBootstrapped marks a node as initialized by extending PCRs.

4
internal/config/config.go
View File

@ -231,7 +231,7 @@ func Default() *Config {
InstanceType: "Standard_DC4as_v5", InstanceType: "Standard_DC4as_v5",
StateDiskType: "Premium_LRS", StateDiskType: "Premium_LRS",
Measurements: copyPCRMap(azurePCRs), Measurements: copyPCRMap(azurePCRs),
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12}, EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15},
IDKeyDigest: "57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696", IDKeyDigest: "57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696",
EnforceIDKeyDigest: func() *bool { b := true; return &b }(), EnforceIDKeyDigest: func() *bool { b := true; return &b }(),
ConfidentialVM: func() *bool { b := true; return &b }(), ConfidentialVM: func() *bool { b := true; return &b }(),
@ -246,7 +246,7 @@ func Default() *Config {
StateDiskType: "pd-ssd", StateDiskType: "pd-ssd",
ServiceAccountKeyPath: "", ServiceAccountKeyPath: "",
Measurements: copyPCRMap(gcpPCRs), Measurements: copyPCRMap(gcpPCRs),
EnforcedMeasurements: []uint32{0, 4, 8, 9, 11, 12}, EnforcedMeasurements: []uint32{0, 4, 8, 9, 11, 12, 13, 15},
}, },
QEMU: &QEMUConfig{ QEMU: &QEMUConfig{
ImageFormat: "qcow2", ImageFormat: "qcow2",

19
internal/config/measurements.go
View File

@ -25,22 +25,29 @@ import (
type Measurements map[uint32][]byte type Measurements map[uint32][]byte
var ( var (
zero = []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
// gcpPCRs are the PCR values for a GCP Constellation node that are initially set in a generated config file. // gcpPCRs are the PCR values for a GCP Constellation node that are initially set in a generated config file.
gcpPCRs = Measurements{ gcpPCRs = Measurements{
0: {0x0F, 0x35, 0xC2, 0x14, 0x60, 0x8D, 0x93, 0xC7, 0xA6, 0xE6, 0x8A, 0xE7, 0x35, 0x9B, 0x4A, 0x8B, 0xE5, 0xA0, 0xE9, 0x9E, 0xEA, 0x91, 0x07, 0xEC, 0xE4, 0x27, 0xC4, 0xDE, 0xA4, 0xE4, 0x39, 0xCF}, 0: {0x0F, 0x35, 0xC2, 0x14, 0x60, 0x8D, 0x93, 0xC7, 0xA6, 0xE6, 0x8A, 0xE7, 0x35, 0x9B, 0x4A, 0x8B, 0xE5, 0xA0, 0xE9, 0x9E, 0xEA, 0x91, 0x07, 0xEC, 0xE4, 0x27, 0xC4, 0xDE, 0xA4, 0xE4, 0x39, 0xCF},
uint32(vtpm.PCRIndexOwnerID): {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 11: zero,
uint32(vtpm.PCRIndexClusterID): {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 12: zero,
13: zero,
uint32(vtpm.PCRIndexClusterID): zero,
} }
// azurePCRs are the PCR values for an Azure Constellation node that are initially set in a generated config file. // azurePCRs are the PCR values for an Azure Constellation node that are initially set in a generated config file.
azurePCRs = Measurements{ azurePCRs = Measurements{
uint32(vtpm.PCRIndexOwnerID): {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 11: zero,
uint32(vtpm.PCRIndexClusterID): {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 12: zero,
13: zero,
uint32(vtpm.PCRIndexClusterID): zero,
} }
qemuPCRs = Measurements{ qemuPCRs = Measurements{
uint32(vtpm.PCRIndexOwnerID): {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 11: zero,
uint32(vtpm.PCRIndexClusterID): {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 12: zero,
13: zero,
uint32(vtpm.PCRIndexClusterID): zero,
} }
) )