Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-10-21 15:06:45 -04:00
Code Issues Projects Releases Packages Wiki Activity

AB#2386: TrustedLaunch support for azure attestation

Browse source 
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42)
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests

Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
This commit is contained in:
Otto Bittner 2022-08-31 20:10:49 +02:00
parent 4bfb98d35a
commit 405db3286e
33 changed files with 749 additions and 431 deletions
Download patch file Download diff file Expand all files Collapse all files

19
internal/watcher/validator.go
View file

@ -15,7 +15,8 @@ import (
"sync"
"github.com/edgelesssys/constellation/internal/atls"
"github.com/edgelesssys/constellation/internal/attestation/azure"
"github.com/edgelesssys/constellation/internal/attestation/azure/snp"
"github.com/edgelesssys/constellation/internal/attestation/azure/trustedlaunch"
"github.com/edgelesssys/constellation/internal/attestation/gcp"
"github.com/edgelesssys/constellation/internal/attestation/qemu"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
@ -31,16 +32,23 @@ type Updatable struct {
newValidator newValidatorFunc
fileHandler file.Handler
csp cloudprovider.Provider
azureCVM bool
atls.Validator
}
// NewValidator initializes a new updatable validator.
func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Updatable, error) {
func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler, azureCVM bool) (*Updatable, error) {
var newValidator newValidatorFunc
switch cloudprovider.FromString(csp) {
case cloudprovider.Azure:
newValidator = func(m map[uint32][]byte, e []uint32, idkeydigest []byte, enforceIdKeyDigest bool, log *logger.Logger) atls.Validator {
return azure.NewValidator(m, e, idkeydigest, enforceIdKeyDigest, log)
if azureCVM {
newValidator = func(m map[uint32][]byte, e []uint32, idkeydigest []byte, enforceIdKeyDigest bool, log *logger.Logger) atls.Validator {
return snp.NewValidator(m, e, idkeydigest, enforceIdKeyDigest, log)
}
} else {
newValidator = func(m map[uint32][]byte, e []uint32, idkeydigest []byte, enforceIdKeyDigest bool, log *logger.Logger) atls.Validator {
return trustedlaunch.NewValidator(m, e, log)
}
}
case cloudprovider.GCP:
newValidator = func(m map[uint32][]byte, e []uint32, _ []byte, _ bool, log *logger.Logger) atls.Validator {
@ -59,6 +67,7 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
newValidator: newValidator,
fileHandler: fileHandler,
csp: cloudprovider.FromString(csp),
azureCVM: azureCVM,
}
if err := u.Update(); err != nil {
@ -100,7 +109,7 @@ func (u *Updatable) Update() error {
var idkeydigest []byte
var enforceIdKeyDigest bool
if u.csp == cloudprovider.Azure {
if u.csp == cloudprovider.Azure && u.azureCVM {
u.log.Infof("Updating encforceIdKeyDigest value")
enforceRaw, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.EnforceIdKeyDigestFilename))
if err != nil {