AB#2386: TrustedLaunch support for azure attestation

* There are now two attestation packages on azure. The issuer on the server side is created base on successfully querying the idkeydigest from the TPM. Fallback on err: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to new "internal-config" cm. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * Bootstrapper now uses IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unittests. * Remove CSP specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
2025-05-02 22:34:56 -04:00 · 2022-08-31 20:10:49 +02:00 · 2022-08-31 20:10:49 +02:00 · 405db3286e
commit 405db3286e
parent 4bfb98d35a
33 changed files with 749 additions and 431 deletions
--- a/cli/internal/cloudcmd/validators.go
+++ b/cli/internal/cloudcmd/validators.go
@ -14,7 +14,8 @@ import (
 	"fmt"

 	"github.com/edgelesssys/constellation/internal/atls"
-	"github.com/edgelesssys/constellation/internal/attestation/azure"
+	"github.com/edgelesssys/constellation/internal/attestation/azure/snp"
+	"github.com/edgelesssys/constellation/internal/attestation/azure/trustedlaunch"
 	"github.com/edgelesssys/constellation/internal/attestation/gcp"
 	"github.com/edgelesssys/constellation/internal/attestation/qemu"
 	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
@ -29,6 +30,7 @@ type Validator struct {
 	enforcedPCRs       []uint32
 	idkeydigest        []byte
 	enforceIdKeyDigest bool
+	azureCVM           bool
 	validator          atls.Validator
 }

@ -43,12 +45,15 @@ func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Vali
 	}

 	if v.provider == cloudprovider.Azure {
-		idkeydigest, err := hex.DecodeString(config.Provider.Azure.IdKeyDigest)
-		if err != nil {
-			return nil, fmt.Errorf("bad config: decoding idkeydigest from config: %w", err)
+		v.azureCVM = *config.Provider.Azure.ConfidentialVM
+		if v.azureCVM {
+			idkeydigest, err := hex.DecodeString(config.Provider.Azure.IdKeyDigest)
+			if err != nil {
+				return nil, fmt.Errorf("bad config: decoding idkeydigest from config: %w", err)
+			}
+			v.enforceIdKeyDigest = *config.Provider.Azure.EnforceIdKeyDigest
+			v.idkeydigest = idkeydigest
 		}
-		v.enforceIdKeyDigest = *config.Provider.Azure.EnforceIdKeyDigest
-		v.idkeydigest = idkeydigest
 	}

 	return &v, nil
@ -140,7 +145,11 @@ func (v *Validator) updateValidator(cmd *cobra.Command) {
 	case cloudprovider.GCP:
 		v.validator = gcp.NewValidator(v.pcrs, v.enforcedPCRs, log)
 	case cloudprovider.Azure:
-		v.validator = azure.NewValidator(v.pcrs, v.enforcedPCRs, v.idkeydigest, v.enforceIdKeyDigest, log)
+		if v.azureCVM {
+			v.validator = snp.NewValidator(v.pcrs, v.enforcedPCRs, v.idkeydigest, v.enforceIdKeyDigest, log)
+		} else {
+			v.validator = trustedlaunch.NewValidator(v.pcrs, v.enforcedPCRs, log)
+		}
 	case cloudprovider.QEMU:
 		v.validator = qemu.NewValidator(v.pcrs, v.enforcedPCRs, log)
 	}