From 4813fcfdb65a404250514d75f90ff1da13cc8ea9 Mon Sep 17 00:00:00 2001
From: Otto Bittner
Date: Wed, 8 Nov 2023 13:54:18 +0100
Subject: [PATCH] config: fetch latest AWS TCB values

---
 internal/config/attestation.go | 2 +-
 internal/config/aws.go | 39 +++++++++++++++++++++++++++++++++-
 internal/config/config.go | 6 ++++++
 3 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/internal/config/attestation.go b/internal/config/attestation.go
index a80d069db..7821a63b5 100644
--- a/internal/config/attestation.go
+++ b/internal/config/attestation.go
@@ -68,7 +68,7 @@ func unmarshalTypedConfig[T AttestationCfg](data []byte) (AttestationCfg, error)
 // Certificate is a wrapper around x509.Certificate allowing custom marshaling.
 type Certificate x509.Certificate
-// Equal returns true if the certificates are equal.
+// Equal returns true if the embedded Raw values are equal.
 func (c Certificate) Equal(other Certificate) bool {
 	return bytes.Equal(c.Raw, other.Raw)
 }
diff --git a/internal/config/aws.go b/internal/config/aws.go
index 01a0843ce..65fa0001c 100644
--- a/internal/config/aws.go
+++ b/internal/config/aws.go
@@ -6,8 +6,11 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 import (
+	"bytes"
+	"context"
 	"fmt"
+	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@@ -47,7 +50,41 @@ func (c AWSSEVSNP) EqualTo(other AttestationCfg) (bool, error) {
 		return false, fmt.Errorf("cannot compare %T with %T", c, other)
 	}
-	return c.Measurements.EqualTo(otherCfg.Measurements), nil
+	measurementsEqual := c.Measurements.EqualTo(otherCfg.Measurements)
+	bootloaderEqual := c.BootloaderVersion == otherCfg.BootloaderVersion
+	teeEqual := c.TEEVersion == otherCfg.TEEVersion
+	snpEqual := c.SNPVersion == otherCfg.SNPVersion
+	microcodeEqual := c.MicrocodeVersion == otherCfg.MicrocodeVersion
+	rootKeyEqual := bytes.Equal(c.AMDRootKey.Raw, otherCfg.AMDRootKey.Raw)
+	signingKeyEqual := bytes.Equal(c.AMDSigningKey.Raw, otherCfg.AMDSigningKey.Raw)
+
+	return measurementsEqual && bootloaderEqual && teeEqual && snpEqual && microcodeEqual && rootKeyEqual && signingKeyEqual, nil
+}
+
+// FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
+func (c *AWSSEVSNP) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigapi.Fetcher) error {
+	versions, err := fetcher.FetchSEVSNPVersionLatest(ctx, variant.AWSSEVSNP{})
+	if err != nil {
+		return err
+	}
+	// set number and keep isLatest flag
+	c.mergeWithLatestVersion(versions.SEVSNPVersion)
+	return nil
+}
+
+func (c *AWSSEVSNP) mergeWithLatestVersion(latest attestationconfigapi.SEVSNPVersion) {
+	if c.BootloaderVersion.WantLatest {
+		c.BootloaderVersion.Value = latest.Bootloader
+	}
+	if c.TEEVersion.WantLatest {
+		c.TEEVersion.Value = latest.TEE
+	}
+	if c.SNPVersion.WantLatest {
+		c.SNPVersion.Value = latest.SNP
+	}
+	if c.MicrocodeVersion.WantLatest {
+		c.MicrocodeVersion.Value = latest.Microcode
+	}
 }
 // GetVariant returns aws-nitro-tpm as the variant.
diff --git a/internal/config/config.go b/internal/config/config.go
index 976bd86b1..96af3578d 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
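Review bot: FetchAndSetLatestVersionNumbers always performs the remote fetch, even when none of the four version fields has WantLatest set, so a fully pinned AWS SEV-SNP config cannot be loaded while the config API is unreachable, and mergeWithLatestVersion then discards the result anyway. I would short-circuit before touching the fetcher: `if !(c.BootloaderVersion.WantLatest || c.TEEVersion.WantLatest || c.SNPVersion.WantLatest || c.MicrocodeVersion.WantLatest) { return nil }`. The bare `return err` also drops which variant the fetch was for; `return fmt.Errorf("fetching latest AWS SEV-SNP versions: %w", err)` keeps that context without changing the error chain. Whether the fetcher authenticates the values it hands back is not visible here, and since they are written straight into the attestation config, the doc comment on FetchAndSetLatestVersionNumbers should state that callers rely on the fetcher for integrity of the fetched versions. EqualTo's body starts outside the hunk.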
@@ -463,6 +463,12 @@ func New(fileHandler file.Handler, name string, fetcher attestationconfigapi.Fet
 		}
 	}
+	if aws := c.Attestation.AWSSEVSNP; aws != nil {
+		if err := aws.FetchAndSetLatestVersionNumbers(context.Background(), fetcher); err != nil {
+			return c, err
+		}
+	}
+
 	// Read secrets from env-vars.
 	clientSecretValue := os.Getenv(constants.EnvVarAzureClientSecretValue)
 	if clientSecretValue != "" && c.Provider.Azure != nil {
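Review bot: The fetch is started with `context.Background()`, so loading a config that has `AWSSEVSNP` set carries no deadline or cancellation for the config API call; unless the fetcher applies its own timeout, which I cannot see from here, `New` can block indefinitely on a slow or unreachable endpoint. A bounded context, `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` followed by `defer cancel()` and passing `ctx`, keeps config loading from hanging (this needs `time` in scope, which the hunk does not show). The error is returned alongside the partially populated `c`, which seems to match the surrounding style, but wrapping it as `return c, fmt.Errorf("fetching latest AWS SEV-SNP versions: %w", err)` would tell the user which provider's fetch failed. New's body starts and ends outside the hunk.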