AB#2350: Configurably enforce idkeydigest on Azure

* Add join-config entry for "enforceIdKeyDigest" bool
* Add join-config entry for "idkeydigest"
* Initially filled with TPM value from bootstrapper
* Add config entries for idkeydigest and enforceIdKeyDigest
* Extend azure attestation validator to check idkeydigest,
if configured.
* Update unittests
* Add logger to NewValidator for all CSPs
* Add csp to Updateable type

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>

internal/watcher/validator.go

@@ -2,8 +2,10 @@ package watcher
 
 import (
 	"encoding/asn1"
+	"encoding/hex"
 	"fmt"
 	"path/filepath"
+	"strconv"
 	"sync"
 
 	"github.com/edgelesssys/constellation/internal/atls"
@@ -22,6 +24,7 @@ type Updatable struct {
 	mux          sync.Mutex
 	newValidator newValidatorFunc
 	fileHandler  file.Handler
+	csp          cloudprovider.Provider
 	atls.Validator
 }
 
@@ -30,11 +33,17 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
 	var newValidator newValidatorFunc
 	switch cloudprovider.FromString(csp) {
 	case cloudprovider.Azure:
-		newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return azure.NewValidator(m, e) }
+		newValidator = func(m map[uint32][]byte, e []uint32, idkeydigest []byte, enforceIdKeyDigest bool, log *logger.Logger) atls.Validator {
+			return azure.NewValidator(m, e, idkeydigest, enforceIdKeyDigest, log)
+		}
 	case cloudprovider.GCP:
-		newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return gcp.NewValidator(m, e) }
+		newValidator = func(m map[uint32][]byte, e []uint32, _ []byte, _ bool, log *logger.Logger) atls.Validator {
+			return gcp.NewValidator(m, e, log)
+		}
 	case cloudprovider.QEMU:
-		newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return qemu.NewValidator(m, e) }
+		newValidator = func(m map[uint32][]byte, e []uint32, _ []byte, _ bool, log *logger.Logger) atls.Validator {
+			return qemu.NewValidator(m, e, log)
+		}
 	default:
 		return nil, fmt.Errorf("unknown cloud service provider: %q", csp)
 	}
@@ -43,6 +52,7 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
 		log:          log,
 		newValidator: newValidator,
 		fileHandler:  fileHandler,
+		csp:          cloudprovider.FromString(csp),
 	}
 
 	if err := u.Update(); err != nil {
@@ -82,10 +92,35 @@ func (u *Updatable) Update() error {
 	}
 	u.log.Debugf("Enforced PCRs: %v", enforced)
 
-	u.Validator = u.newValidator(measurements, enforced)
-	u.Validator.AddLogger(u.log)
+	var idkeydigest []byte
+	var enforceIdKeyDigest bool
+	if u.csp == cloudprovider.Azure {
+		u.log.Infof("Updating encforceIdKeyDigest value")
+		enforceRaw, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.EnforceIdKeyDigestFilename))
+		if err != nil {
+			return err
+		}
+		enforceIdKeyDigest, err = strconv.ParseBool(string(enforceRaw))
+		if err != nil {
+			return fmt.Errorf("parsing content of EnforceIdKeyDigestFilename: %s: %w", enforceRaw, err)
+		}
+		u.log.Debugf("New encforceIdKeyDigest value: %v", enforceIdKeyDigest)
+
+		u.log.Infof("Updating expected idkeydigest")
+		idkeydigestRaw, err := u.fileHandler.Read(filepath.Join(constants.ServiceBasePath, constants.IdKeyDigestFilename))
+		if err != nil {
+			return err
+		}
+		idkeydigest, err = hex.DecodeString(string(idkeydigestRaw))
+		if err != nil {
+			return fmt.Errorf("parsing hexstring: %s: %w", idkeydigestRaw, err)
+		}
+		u.log.Debugf("New idkeydigest: %x", idkeydigest)
+	}
+
+	u.Validator = u.newValidator(measurements, enforced, idkeydigest, enforceIdKeyDigest, u.log)
 
 	return nil
 }
 
-type newValidatorFunc func(measurements map[uint32][]byte, enforcedPCRs []uint32) atls.Validator
+type newValidatorFunc func(measurements map[uint32][]byte, enforcedPCRs []uint32, idkeydigest []byte, enforceIdKeyDigest bool, log *logger.Logger) atls.Validator