mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-08-03 20:44:14 -04:00
AB#2386: TrustedLaunch support for azure attestation
* There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
This commit is contained in:
parent
4bfb98d35a
commit
405db3286e
33 changed files with 749 additions and 431 deletions
|
@ -14,7 +14,8 @@ import (
|
|||
"fmt"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure/snp"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure/trustedlaunch"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/gcp"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/qemu"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
|
@ -29,6 +30,7 @@ type Validator struct {
|
|||
enforcedPCRs []uint32
|
||||
idkeydigest []byte
|
||||
enforceIdKeyDigest bool
|
||||
azureCVM bool
|
||||
validator atls.Validator
|
||||
}
|
||||
|
||||
|
@ -43,12 +45,15 @@ func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Vali
|
|||
}
|
||||
|
||||
if v.provider == cloudprovider.Azure {
|
||||
idkeydigest, err := hex.DecodeString(config.Provider.Azure.IdKeyDigest)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("bad config: decoding idkeydigest from config: %w", err)
|
||||
v.azureCVM = *config.Provider.Azure.ConfidentialVM
|
||||
if v.azureCVM {
|
||||
idkeydigest, err := hex.DecodeString(config.Provider.Azure.IdKeyDigest)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("bad config: decoding idkeydigest from config: %w", err)
|
||||
}
|
||||
v.enforceIdKeyDigest = *config.Provider.Azure.EnforceIdKeyDigest
|
||||
v.idkeydigest = idkeydigest
|
||||
}
|
||||
v.enforceIdKeyDigest = *config.Provider.Azure.EnforceIdKeyDigest
|
||||
v.idkeydigest = idkeydigest
|
||||
}
|
||||
|
||||
return &v, nil
|
||||
|
@ -140,7 +145,11 @@ func (v *Validator) updateValidator(cmd *cobra.Command) {
|
|||
case cloudprovider.GCP:
|
||||
v.validator = gcp.NewValidator(v.pcrs, v.enforcedPCRs, log)
|
||||
case cloudprovider.Azure:
|
||||
v.validator = azure.NewValidator(v.pcrs, v.enforcedPCRs, v.idkeydigest, v.enforceIdKeyDigest, log)
|
||||
if v.azureCVM {
|
||||
v.validator = snp.NewValidator(v.pcrs, v.enforcedPCRs, v.idkeydigest, v.enforceIdKeyDigest, log)
|
||||
} else {
|
||||
v.validator = trustedlaunch.NewValidator(v.pcrs, v.enforcedPCRs, log)
|
||||
}
|
||||
case cloudprovider.QEMU:
|
||||
v.validator = qemu.NewValidator(v.pcrs, v.enforcedPCRs, log)
|
||||
}
|
||||
|
|
|
@ -12,7 +12,8 @@ import (
|
|||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure/snp"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure/trustedlaunch"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/gcp"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/qemu"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
|
@ -40,15 +41,22 @@ func TestNewValidator(t *testing.T) {
|
|||
pcrs map[uint32][]byte
|
||||
enforceIdKeyDigest bool
|
||||
idkeydigest string
|
||||
azureCVM bool
|
||||
wantErr bool
|
||||
}{
|
||||
"gcp": {
|
||||
provider: cloudprovider.GCP,
|
||||
pcrs: testPCRs,
|
||||
},
|
||||
"azure": {
|
||||
"azure cvm": {
|
||||
provider: cloudprovider.Azure,
|
||||
pcrs: testPCRs,
|
||||
azureCVM: true,
|
||||
},
|
||||
"azure trusted launch": {
|
||||
provider: cloudprovider.Azure,
|
||||
pcrs: testPCRs,
|
||||
azureCVM: false,
|
||||
},
|
||||
"qemu": {
|
||||
provider: cloudprovider.QEMU,
|
||||
|
@ -80,6 +88,7 @@ func TestNewValidator(t *testing.T) {
|
|||
pcrs: testPCRs,
|
||||
idkeydigest: "41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414",
|
||||
enforceIdKeyDigest: true,
|
||||
azureCVM: true,
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
@ -95,7 +104,7 @@ func TestNewValidator(t *testing.T) {
|
|||
}
|
||||
if tc.provider == cloudprovider.Azure {
|
||||
measurements := config.Measurements(tc.pcrs)
|
||||
conf.Provider.Azure = &config.AzureConfig{Measurements: measurements, EnforceIdKeyDigest: &tc.enforceIdKeyDigest, IdKeyDigest: tc.idkeydigest}
|
||||
conf.Provider.Azure = &config.AzureConfig{Measurements: measurements, EnforceIdKeyDigest: &tc.enforceIdKeyDigest, IdKeyDigest: tc.idkeydigest, ConfidentialVM: &tc.azureCVM}
|
||||
}
|
||||
if tc.provider == cloudprovider.QEMU {
|
||||
measurements := config.Measurements(tc.pcrs)
|
||||
|
@ -140,16 +149,23 @@ func TestValidatorV(t *testing.T) {
|
|||
provider cloudprovider.Provider
|
||||
pcrs map[uint32][]byte
|
||||
wantVs atls.Validator
|
||||
azureCVM bool
|
||||
}{
|
||||
"gcp": {
|
||||
provider: cloudprovider.GCP,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: gcp.NewValidator(newTestPCRs(), nil, nil),
|
||||
},
|
||||
"azure": {
|
||||
"azure cvm": {
|
||||
provider: cloudprovider.Azure,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: azure.NewValidator(newTestPCRs(), nil, nil, false, nil),
|
||||
wantVs: snp.NewValidator(newTestPCRs(), nil, nil, false, nil),
|
||||
azureCVM: true,
|
||||
},
|
||||
"azure trusted launch": {
|
||||
provider: cloudprovider.Azure,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: trustedlaunch.NewValidator(newTestPCRs(), nil, nil),
|
||||
},
|
||||
"qemu": {
|
||||
provider: cloudprovider.QEMU,
|
||||
|
@ -162,7 +178,7 @@ func TestValidatorV(t *testing.T) {
|
|||
t.Run(name, func(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
|
||||
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs, azureCVM: tc.azureCVM}
|
||||
|
||||
resultValidator := validators.V(&cobra.Command{})
|
||||
|
||||
|
|
|
@ -73,6 +73,9 @@ func create(cmd *cobra.Command, creator cloudCreator, fileHandler file.Handler,
|
|||
|
||||
if config.IsAzureNonCVM() {
|
||||
cmd.Println("Disabling Confidential VMs is insecure. Use only for evaluation purposes.")
|
||||
if config.EnforcesIdKeyDigest() {
|
||||
cmd.Println("Your config asks for enforcing the idkeydigest. This is only available on Confidential VMs. It will not be enforced.")
|
||||
}
|
||||
}
|
||||
|
||||
var instanceType string
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue