mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 15:09:39 -05:00
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429)
This commit is contained in:
parent
0c89f57ac5
commit
5819a11d25
20
.github/actions/e2e_verify/action.yml
vendored
20
.github/actions/e2e_verify/action.yml
vendored
@ -66,18 +66,14 @@ runs:
|
||||
forwarderPID=$!
|
||||
sleep 5
|
||||
|
||||
verifyOut=$(constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090)
|
||||
|
||||
kill $forwarderPID
|
||||
|
||||
if [[ ${{ inputs.cloudProvider }} != "azure" ]]; then
|
||||
continue
|
||||
if [[ ${{ inputs.cloudProvider }} == "azure" ]]; then
|
||||
echo "Extracting Azure TCB versions for API update"
|
||||
constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
|
||||
else
|
||||
constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090
|
||||
fi
|
||||
|
||||
echo "Extracting TCB versions for API update"
|
||||
startMAAToken="Microsoft Azure Attestation Token:"
|
||||
endMAAToken="Verification OK"
|
||||
sed -n "/${startMAAToken}/,/${endMAAToken}/ { /${startMAAToken}/d; /${endMAAToken}/d; p }" <<< "${verifyOut}" > "maa-claims-${node}.json"
|
||||
kill $forwarderPID
|
||||
done
|
||||
|
||||
- name: Login to AWS
|
||||
@ -94,8 +90,8 @@ runs:
|
||||
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
||||
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
||||
run: |
|
||||
for file in $(ls maa-claims-*.json); do
|
||||
for file in $(ls snp-report-*.json); do
|
||||
path=$(realpath "${file}")
|
||||
cat "${path}"
|
||||
bazel run //internal/api/attestationconfigapi/cli -- --maa-claims-path "${path}"
|
||||
bazel run //internal/api/attestationconfigapi/cli -- --snp-report-path "${path}"
|
||||
done
|
||||
|
@ -2480,8 +2480,9 @@ def go_dependencies():
|
||||
build_file_generation = "on",
|
||||
build_file_proto_mode = "disable_global",
|
||||
importpath = "github.com/google/go-sev-guest",
|
||||
sum = "h1:XlvpFmmyMGvXmCIBTScYt7AX3ClvW8gfFN3SBCRVuKY=",
|
||||
version = "v0.9.1",
|
||||
replace = "github.com/google/go-sev-guest",
|
||||
sum = "h1:6o4Z/vQqNUH+cEagfx1Ez5ElK70iZulEXZwmLnRo44I=",
|
||||
version = "v0.0.0-20230928233922-2dcbba0a4b9d",
|
||||
)
|
||||
go_repository(
|
||||
name = "com_github_google_go_tdx_guest",
|
||||
|
@ -712,18 +712,26 @@ func newCertificates(certTypeName string, cert []byte, log debugLog) (certs []ve
|
||||
if err != nil {
|
||||
return certs, fmt.Errorf("parsing VCEK certificate extensions: %w", err)
|
||||
}
|
||||
certPEM := pem.EncodeToMemory(&pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: cert.Raw,
|
||||
})
|
||||
certs = append(certs, verify.Certificate{
|
||||
Certificate: cert,
|
||||
CertTypeName: certTypeName,
|
||||
StructVersion: vcekExts.StructVersion,
|
||||
ProductName: vcekExts.ProductName,
|
||||
TCBVersion: newTCBVersion(vcekExts.TCBVersion),
|
||||
HardwareID: vcekExts.HWID,
|
||||
CertificatePEM: string(certPEM),
|
||||
CertTypeName: certTypeName,
|
||||
StructVersion: vcekExts.StructVersion,
|
||||
ProductName: vcekExts.ProductName,
|
||||
TCBVersion: newTCBVersion(vcekExts.TCBVersion),
|
||||
HardwareID: vcekExts.HWID,
|
||||
})
|
||||
} else {
|
||||
certPEM := pem.EncodeToMemory(&pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: cert.Raw,
|
||||
})
|
||||
certs = append(certs, verify.Certificate{
|
||||
Certificate: cert,
|
||||
CertTypeName: certTypeName,
|
||||
CertificatePEM: string(certPEM),
|
||||
CertTypeName: certTypeName,
|
||||
})
|
||||
}
|
||||
i++
|
||||
@ -783,7 +791,7 @@ func newSNPReport(reportBytes []byte) (res verify.SNPReport, err error) {
|
||||
SignerInfo: verify.SignerInfo{
|
||||
AuthorKey: signerInfo.AuthorKeyEn,
|
||||
MaskChipKey: signerInfo.MaskChipKey,
|
||||
SigningKey: signerInfo.SigningKey,
|
||||
SigningKey: signerInfo.SigningKey.String(),
|
||||
},
|
||||
ReportData: report.ReportData,
|
||||
Measurement: report.Measurement,
|
||||
|
1
go.mod
1
go.mod
@ -33,6 +33,7 @@ replace (
|
||||
|
||||
replace (
|
||||
github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api => ./operators/constellation-node-operator/api
|
||||
github.com/google/go-sev-guest => github.com/google/go-sev-guest v0.0.0-20230928233922-2dcbba0a4b9d
|
||||
github.com/google/go-tpm => github.com/thomasten/go-tpm v0.0.0-20230629092004-f43f8e2a59eb
|
||||
github.com/google/go-tpm-tools => github.com/msanft/go-tpm-tools v0.0.0-20231009082622-266280269413
|
||||
github.com/martinjungblut/go-cryptsetup => github.com/daniel-weisse/go-cryptsetup v0.0.0-20230705150314-d8c07bd1723c
|
||||
|
4
go.sum
4
go.sum
@ -574,8 +574,8 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
|
||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE=
|
||||
github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q=
|
||||
github.com/google/go-sev-guest v0.9.1 h1:XlvpFmmyMGvXmCIBTScYt7AX3ClvW8gfFN3SBCRVuKY=
|
||||
github.com/google/go-sev-guest v0.9.1/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs=
|
||||
github.com/google/go-sev-guest v0.0.0-20230928233922-2dcbba0a4b9d h1:6o4Z/vQqNUH+cEagfx1Ez5ElK70iZulEXZwmLnRo44I=
|
||||
github.com/google/go-sev-guest v0.0.0-20230928233922-2dcbba0a4b9d/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs=
|
||||
github.com/google/go-tdx-guest v0.2.2 h1:MgHcWLCEHVpqR0LXxtgJq2uG0oNNszV8+5XYtKs7+Yg=
|
||||
github.com/google/go-tdx-guest v0.2.2/go.mod h1:a8EIh1l5x7jmIrrOuH//xWn6y4Sk4yupwmMcJE006RI=
|
||||
github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
|
||||
|
@ -19,11 +19,14 @@ go_library(
|
||||
deps = [
|
||||
"//internal/api/attestationconfigapi",
|
||||
"//internal/constants",
|
||||
"//internal/file",
|
||||
"//internal/logger",
|
||||
"//internal/staticupload",
|
||||
"//internal/verify",
|
||||
"@com_github_aws_aws_sdk_go//aws",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
|
||||
"@com_github_aws_aws_sdk_go_v2_service_s3//types",
|
||||
"@com_github_spf13_afero//:afero",
|
||||
"@com_github_spf13_cobra//:cobra",
|
||||
"@org_uber_go_zap//:zap",
|
||||
],
|
||||
@ -31,9 +34,13 @@ go_library(
|
||||
|
||||
go_test(
|
||||
name = "cli_test",
|
||||
srcs = ["delete_test.go"],
|
||||
srcs = [
|
||||
"delete_test.go",
|
||||
"main_test.go",
|
||||
],
|
||||
embed = [":cli_lib"],
|
||||
deps = [
|
||||
"//internal/verify",
|
||||
"@com_github_stretchr_testify//assert",
|
||||
"@com_github_stretchr_testify//require",
|
||||
],
|
||||
|
@ -73,12 +73,12 @@ func runDelete(cmd *cobra.Command, _ []string) (retErr error) {
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting testing flag: %w", err)
|
||||
}
|
||||
_, distribution := getEnvironment(testing)
|
||||
apiCfg := getAPIEnvironment(testing)
|
||||
|
||||
cfg := staticupload.Config{
|
||||
Bucket: bucket,
|
||||
Region: region,
|
||||
DistributionID: distribution,
|
||||
DistributionID: apiCfg.distribution,
|
||||
}
|
||||
client, clientClose, err := attestationconfigapi.NewClient(cmd.Context(), cfg,
|
||||
[]byte(cosignPwd), []byte(privateKey), false, 1, log)
|
||||
@ -113,13 +113,13 @@ func runRecursiveDelete(cmd *cobra.Command, _ []string) (retErr error) {
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting testing flag: %w", err)
|
||||
}
|
||||
_, distribution := getEnvironment(testing)
|
||||
apiCfg := getAPIEnvironment(testing)
|
||||
|
||||
log := logger.New(logger.PlainLog, zap.DebugLevel).Named("attestationconfigapi")
|
||||
client, closeFn, err := staticupload.New(cmd.Context(), staticupload.Config{
|
||||
Bucket: bucket,
|
||||
Region: region,
|
||||
DistributionID: distribution,
|
||||
DistributionID: apiCfg.distribution,
|
||||
}, log)
|
||||
if err != nil {
|
||||
return fmt.Errorf("create static upload client: %w", err)
|
||||
|
@ -31,53 +31,95 @@ registerExitHandler "rm -rf $tmpdir"
|
||||
${configapi_cli} delete recursive --region "$region" --bucket "$bucket"
|
||||
|
||||
# the high version numbers ensure that it's newer than the current latest value
|
||||
readonly current_claim_path="$tmpdir/currentMaaClaim.json"
|
||||
cat << EOF > "$current_claim_path"
|
||||
readonly current_report_path="$tmpdir/currentSnpReport.json"
|
||||
cat << EOF > "$current_report_path"
|
||||
{
|
||||
"x-ms-isolation-tee": {
|
||||
"x-ms-sevsnpvm-tee-svn": 1,
|
||||
"x-ms-sevsnpvm-snpfw-svn": 1,
|
||||
"x-ms-sevsnpvm-microcode-svn": 1,
|
||||
"x-ms-sevsnpvm-bootloader-svn": 1
|
||||
"snp_report": {
|
||||
"reported_tcb": {
|
||||
"bootloader": 1,
|
||||
"tee": 1,
|
||||
"snp": 1,
|
||||
"microcode": 1
|
||||
},
|
||||
"committed_tcb": {
|
||||
"bootloader": 1,
|
||||
"tee": 1,
|
||||
"snp": 1,
|
||||
"microcode": 1
|
||||
},
|
||||
"launch_tcb": {
|
||||
"bootloader": 1,
|
||||
"tee": 1,
|
||||
"snp": 1,
|
||||
"microcode": 1
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
# upload a fake latest version for the fetcher
|
||||
${configapi_cli} --force --maa-claims-path "$current_claim_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket"
|
||||
${configapi_cli} --force --snp-report-path "$current_report_path" --upload-date "2000-01-01-01-01" --region "$region" --bucket "$bucket"
|
||||
|
||||
# the high version numbers ensure that it's newer than the current latest value
|
||||
readonly claim_path="$tmpdir/maaClaim.json"
|
||||
cat << EOF > "$claim_path"
|
||||
readonly report_path="$tmpdir/snpReport.json"
|
||||
cat << EOF > "$report_path"
|
||||
{
|
||||
"x-ms-isolation-tee": {
|
||||
"x-ms-sevsnpvm-tee-svn": 255,
|
||||
"x-ms-sevsnpvm-snpfw-svn": 255,
|
||||
"x-ms-sevsnpvm-microcode-svn": 255,
|
||||
"x-ms-sevsnpvm-bootloader-svn": 255
|
||||
"snp_report": {
|
||||
"reported_tcb": {
|
||||
"bootloader": 255,
|
||||
"tee": 255,
|
||||
"snp": 255,
|
||||
"microcode": 255
|
||||
},
|
||||
"committed_tcb": {
|
||||
"bootloader": 255,
|
||||
"tee": 255,
|
||||
"snp": 255,
|
||||
"microcode": 255
|
||||
},
|
||||
"launch_tcb": {
|
||||
"bootloader": 255,
|
||||
"tee": 255,
|
||||
"snp": 255,
|
||||
"microcode": 255
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
# has an older version
|
||||
readonly older_claim_path="$tmpdir/maaClaimOld.json"
|
||||
cat << EOF > "$older_claim_path"
|
||||
readonly older_report_path="$tmpdir/snpReportOld.json"
|
||||
cat << EOF > "$older_report_path"
|
||||
{
|
||||
"x-ms-isolation-tee": {
|
||||
"x-ms-sevsnpvm-tee-svn": 255,
|
||||
"x-ms-sevsnpvm-snpfw-svn": 255,
|
||||
"x-ms-sevsnpvm-microcode-svn": 254,
|
||||
"x-ms-sevsnpvm-bootloader-svn": 255
|
||||
"snp_report": {
|
||||
"reported_tcb": {
|
||||
"bootloader": 255,
|
||||
"tee": 255,
|
||||
"snp": 255,
|
||||
"microcode": 254
|
||||
},
|
||||
"committed_tcb": {
|
||||
"bootloader": 255,
|
||||
"tee": 255,
|
||||
"snp": 255,
|
||||
"microcode": 254
|
||||
},
|
||||
"launch_tcb": {
|
||||
"bootloader": 255,
|
||||
"tee": 255,
|
||||
"snp": 255,
|
||||
"microcode": 254
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
# report 3 versions with different dates to fill the reporter cache
|
||||
readonly date_oldest="2023-02-01-03-04"
|
||||
${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3
|
||||
${configapi_cli} --snp-report-path "$older_report_path" --upload-date "$date_oldest" --region "$region" --bucket "$bucket" --cache-window-size 3
|
||||
readonly date_older="2023-02-02-03-04"
|
||||
${configapi_cli} --maa-claims-path "$older_claim_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3
|
||||
${configapi_cli} --snp-report-path "$older_report_path" --upload-date "$date_older" --region "$region" --bucket "$bucket" --cache-window-size 3
|
||||
readonly date="2023-02-03-03-04"
|
||||
${configapi_cli} --maa-claims-path "$claim_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3
|
||||
${configapi_cli} --snp-report-path "$report_path" --upload-date "$date" --region "$region" --bucket "$bucket" --cache-window-size 3
|
||||
|
||||
# expect that $date_oldest is served as latest version
|
||||
baseurl="https://d33dzgxuwsgbpw.cloudfront.net/constellation/v1/attestation/azure-sev-snp"
|
||||
|
@ -15,7 +15,6 @@ Any version update is then pushed to the API.
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
@ -23,11 +22,13 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/staticupload"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/verify"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/spf13/cobra"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -67,7 +68,7 @@ func newRootCmd() *cobra.Command {
|
||||
PreRunE: envCheck,
|
||||
RunE: runCmd,
|
||||
}
|
||||
rootCmd.Flags().StringP("maa-claims-path", "t", "", "File path to a json file containing the MAA claims.")
|
||||
rootCmd.Flags().StringP("snp-report-path", "t", "", "File path to a file containing the Constellation verify output.")
|
||||
rootCmd.Flags().StringP("upload-date", "d", "", "upload a version with this date as version name.")
|
||||
rootCmd.Flags().BoolP("force", "f", false, "Use force to manually push a new latest version."+
|
||||
" The version gets saved to the cache but the version selection logic is skipped.")
|
||||
@ -75,7 +76,7 @@ func newRootCmd() *cobra.Command {
|
||||
rootCmd.PersistentFlags().StringP("region", "r", awsRegion, "region of the targeted bucket.")
|
||||
rootCmd.PersistentFlags().StringP("bucket", "b", awsBucket, "bucket targeted by all operations.")
|
||||
rootCmd.PersistentFlags().Bool("testing", false, "upload to S3 test bucket.")
|
||||
must(rootCmd.MarkFlagRequired("maa-claims-path"))
|
||||
must(rootCmd.MarkFlagRequired("snp-report-path"))
|
||||
rootCmd.AddCommand(newDeleteCmd())
|
||||
return rootCmd
|
||||
}
|
||||
@ -104,17 +105,20 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) {
|
||||
DistributionID: flags.distribution,
|
||||
}
|
||||
|
||||
log.Infof("Reading MAA claims from file: %s", flags.maaFilePath)
|
||||
maaClaimsBytes, err := os.ReadFile(flags.maaFilePath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading MAA claims file: %w", err)
|
||||
log.Infof("Reading SNP report from file: %s", flags.snpReportPath)
|
||||
|
||||
fs := file.NewHandler(afero.NewOsFs())
|
||||
var report verify.Report
|
||||
if err := fs.ReadJSON(flags.snpReportPath, &report); err != nil {
|
||||
return fmt.Errorf("reading snp report: %w", err)
|
||||
}
|
||||
var maaTCB maaTokenTCBClaims
|
||||
if err = json.Unmarshal(maaClaimsBytes, &maaTCB); err != nil {
|
||||
return fmt.Errorf("unmarshalling MAA claims file: %w", err)
|
||||
snpReport := report.SNPReport
|
||||
if !allEqual(snpReport.LaunchTCB, snpReport.CommittedTCB, snpReport.ReportedTCB) {
|
||||
return fmt.Errorf("TCB versions are not equal: \nLaunchTCB:%+v\nCommitted TCB:%+v\nReportedTCB:%+v",
|
||||
snpReport.LaunchTCB, snpReport.CommittedTCB, snpReport.ReportedTCB)
|
||||
}
|
||||
inputVersion := maaTCB.ToAzureSEVSNPVersion()
|
||||
log.Infof("Input version: %+v", inputVersion)
|
||||
inputVersion := convertTCBVersionToAzureVersion(snpReport.LaunchTCB)
|
||||
log.Infof("Input report: %+v", inputVersion)
|
||||
|
||||
client, clientClose, err := attestationconfigapi.NewClient(ctx, cfg,
|
||||
[]byte(cosignPwd), []byte(privateKey), false, flags.cacheWindowSize, log)
|
||||
@ -129,7 +133,7 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) {
|
||||
return fmt.Errorf("creating client: %w", err)
|
||||
}
|
||||
|
||||
latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(flags.url, constants.CosignPublicKeyDev).FetchAzureSEVSNPVersionLatest(ctx)
|
||||
latestAPIVersionAPI, err := attestationconfigapi.NewFetcherWithCustomCDNAndCosignKey(flags.url, flags.cosignPublicKey).FetchAzureSEVSNPVersionLatest(ctx)
|
||||
if err != nil {
|
||||
if errors.Is(err, attestationconfigapi.ErrNoVersionsFound) {
|
||||
log.Infof("No versions found in API, but assuming that we are uploading the first version.")
|
||||
@ -148,9 +152,34 @@ func runCmd(cmd *cobra.Command, _ []string) (retErr error) {
|
||||
return nil
|
||||
}
|
||||
|
||||
func allEqual(args ...verify.TCBVersion) bool {
|
||||
if len(args) < 2 {
|
||||
return true
|
||||
}
|
||||
|
||||
firstArg := args[0]
|
||||
for _, arg := range args[1:] {
|
||||
if arg != firstArg {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func convertTCBVersionToAzureVersion(tcb verify.TCBVersion) attestationconfigapi.AzureSEVSNPVersion {
|
||||
return attestationconfigapi.AzureSEVSNPVersion{
|
||||
Bootloader: tcb.Bootloader,
|
||||
TEE: tcb.TEE,
|
||||
SNP: tcb.SNP,
|
||||
Microcode: tcb.Microcode,
|
||||
}
|
||||
}
|
||||
|
||||
type config struct {
|
||||
maaFilePath string
|
||||
snpReportPath string
|
||||
uploadDate time.Time
|
||||
cosignPublicKey string
|
||||
region string
|
||||
bucket string
|
||||
distribution string
|
||||
@ -160,7 +189,7 @@ type config struct {
|
||||
}
|
||||
|
||||
func parseCliFlags(cmd *cobra.Command) (config, error) {
|
||||
maaFilePath, err := cmd.Flags().GetString("maa-claims-path")
|
||||
snpReportFilePath, err := cmd.Flags().GetString("snp-report-path")
|
||||
if err != nil {
|
||||
return config{}, fmt.Errorf("getting maa claims path: %w", err)
|
||||
}
|
||||
@ -191,7 +220,7 @@ func parseCliFlags(cmd *cobra.Command) (config, error) {
|
||||
if err != nil {
|
||||
return config{}, fmt.Errorf("getting testing flag: %w", err)
|
||||
}
|
||||
url, distribution := getEnvironment(testing)
|
||||
apiCfg := getAPIEnvironment(testing)
|
||||
|
||||
force, err := cmd.Flags().GetBool("force")
|
||||
if err != nil {
|
||||
@ -203,41 +232,29 @@ func parseCliFlags(cmd *cobra.Command) (config, error) {
|
||||
return config{}, fmt.Errorf("getting cache window size: %w", err)
|
||||
}
|
||||
return config{
|
||||
maaFilePath: maaFilePath,
|
||||
snpReportPath: snpReportFilePath,
|
||||
uploadDate: uploadDate,
|
||||
cosignPublicKey: apiCfg.cosignPublicKey,
|
||||
region: region,
|
||||
bucket: bucket,
|
||||
url: url,
|
||||
distribution: distribution,
|
||||
url: apiCfg.url,
|
||||
distribution: apiCfg.distribution,
|
||||
force: force,
|
||||
cacheWindowSize: cacheWindowSize,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func getEnvironment(testing bool) (url string, distributionID string) {
|
||||
type apiConfig struct {
|
||||
url string
|
||||
distribution string
|
||||
cosignPublicKey string
|
||||
}
|
||||
|
||||
func getAPIEnvironment(testing bool) apiConfig {
|
||||
if testing {
|
||||
return "https://d33dzgxuwsgbpw.cloudfront.net", "ETZGUP1CWRC2P"
|
||||
}
|
||||
return constants.CDNRepositoryURL, constants.CDNDefaultDistributionID
|
||||
}
|
||||
|
||||
// maaTokenTCBClaims describes the TCB information in a MAA token.
|
||||
type maaTokenTCBClaims struct {
|
||||
IsolationTEE struct {
|
||||
TEESvn uint8 `json:"x-ms-sevsnpvm-tee-svn"`
|
||||
SNPFwSvn uint8 `json:"x-ms-sevsnpvm-snpfw-svn"`
|
||||
MicrocodeSvn uint8 `json:"x-ms-sevsnpvm-microcode-svn"`
|
||||
BootloaderSvn uint8 `json:"x-ms-sevsnpvm-bootloader-svn"`
|
||||
} `json:"x-ms-isolation-tee"`
|
||||
}
|
||||
|
||||
func (c maaTokenTCBClaims) ToAzureSEVSNPVersion() attestationconfigapi.AzureSEVSNPVersion {
|
||||
return attestationconfigapi.AzureSEVSNPVersion{
|
||||
TEE: c.IsolationTEE.TEESvn,
|
||||
SNP: c.IsolationTEE.SNPFwSvn,
|
||||
Microcode: c.IsolationTEE.MicrocodeSvn,
|
||||
Bootloader: c.IsolationTEE.BootloaderSvn,
|
||||
return apiConfig{url: "https://d33dzgxuwsgbpw.cloudfront.net", distribution: "ETZGUP1CWRC2P", cosignPublicKey: constants.CosignPublicKeyDev}
|
||||
}
|
||||
return apiConfig{url: constants.CDNRepositoryURL, distribution: constants.CDNDefaultDistributionID, cosignPublicKey: constants.CosignPublicKeyReleases}
|
||||
}
|
||||
|
||||
func must(err error) {
|
||||
|
32
internal/api/attestationconfigapi/cli/main_test.go
Normal file
32
internal/api/attestationconfigapi/cli/main_test.go
Normal file
@ -0,0 +1,32 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/verify"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestAllEqual(t *testing.T) {
|
||||
// Test case 1: One input arg
|
||||
assert.True(t, allEqual(verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4}), "Expected allEqual to return true for one input arg, but got false")
|
||||
|
||||
// Test case 2: Three input args that are equal
|
||||
assert.True(t, allEqual(
|
||||
verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4},
|
||||
verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4},
|
||||
verify.TCBVersion{Bootloader: 1, Microcode: 2, SNP: 3, TEE: 4},
|
||||
), "Expected allEqual to return true for three equal input args, but got false")
|
||||
|
||||
// Test case 3: Three input args where second and third element are different
|
||||
assert.False(t, allEqual(
|
||||
verify.TCBVersion{Bootloader: 2, Microcode: 2, SNP: 3, TEE: 4},
|
||||
verify.TCBVersion{Bootloader: 2, Microcode: 2, SNP: 3, TEE: 4},
|
||||
verify.TCBVersion{Bootloader: 2, Microcode: 3, SNP: 3, TEE: 4},
|
||||
), "Expected allEqual to return false for three input args with different second and third elements, but got true")
|
||||
}
|
@ -13,9 +13,6 @@ the attestationconfigapi upload tool through JSON serialization.
|
||||
package verify
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
)
|
||||
|
||||
@ -29,12 +26,12 @@ type Report struct {
|
||||
|
||||
// Certificate contains the certificate data and additional information.
|
||||
type Certificate struct {
|
||||
*x509.Certificate `json:"certificate"`
|
||||
CertTypeName string `json:"cert_type_name"`
|
||||
StructVersion uint8 `json:"struct_version"`
|
||||
ProductName string `json:"product_name"`
|
||||
HardwareID []byte `json:"hardware_id"`
|
||||
TCBVersion TCBVersion `json:"tcb_version"`
|
||||
CertificatePEM string `json:"certificate"`
|
||||
CertTypeName string `json:"cert_type_name"`
|
||||
StructVersion uint8 `json:"struct_version"`
|
||||
ProductName string `json:"product_name"`
|
||||
HardwareID []byte `json:"hardware_id"`
|
||||
TCBVersion TCBVersion `json:"tcb_version"`
|
||||
}
|
||||
|
||||
// TCBVersion contains the TCB version data.
|
||||
@ -57,9 +54,9 @@ type PlatformInfo struct {
|
||||
|
||||
// SignerInfo contains the signer information.
|
||||
type SignerInfo struct {
|
||||
AuthorKey bool `json:"author_key_en"`
|
||||
MaskChipKey bool `json:"mask_chip_key"`
|
||||
SigningKey fmt.Stringer `json:"signing_key"`
|
||||
AuthorKey bool `json:"author_key_en"`
|
||||
MaskChipKey bool `json:"mask_chip_key"`
|
||||
SigningKey string `json:"signing_key"`
|
||||
}
|
||||
|
||||
// SNPReport contains the SNP report data.
|
||||
|
Loading…
Reference in New Issue
Block a user