attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)

* Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2025-05-03 23:04:53 -04:00 · 2023-03-21 12:46:49 +01:00 · 2023-03-21 12:46:49 +01:00 · 5a0234b3f2
commit 5a0234b3f2
parent 9a9688583d
66 changed files with 1073 additions and 542 deletions
--- a/cli/internal/cloudcmd/validators_test.go
+++ b/cli/internal/cloudcmd/validators_test.go
@ -110,7 +110,7 @@ func TestNewValidator(t *testing.T) {
 					Azure: &config.AzureConfig{
 						Measurements:       testPCRs,
 						IDKeyDigest:        idkeydigest.IDKeyDigests{[]byte("414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141")},
-						EnforceIDKeyDigest: &[]bool{true}[0],
+						EnforceIDKeyDigest: idkeydigest.StrictChecking,
 					},
 				},
 			},
@ -121,7 +121,7 @@ func TestNewValidator(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)

-			validators, err := NewValidator(tc.config, logger.NewTest(t))
+			validators, err := NewValidator(tc.config, "https://192.0.2.1:8080/maa", logger.NewTest(t))

 			if tc.wantErr {
 				assert.Error(err)
@ -168,7 +168,11 @@ func TestValidatorV(t *testing.T) {
 		"azure cvm": {
 			variant: oid.AzureSEVSNP{},
 			pcrs:    newTestPCRs(),
-			wantVs:  snp.NewValidator(newTestPCRs(), idkeydigest.IDKeyDigests{}, false, nil),
+			wantVs: snp.NewValidator(
+				newTestPCRs(),
+				idkeydigest.Config{IDKeyDigests: idkeydigest.IDKeyDigests{}, EnforcementPolicy: idkeydigest.WarnOnly},
+				nil,
+			),
 		},
 		"azure trusted launch": {
 			variant: oid.AzureTrustedLaunch{},