attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)

* Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2025-08-03 12:36:09 -04:00 · 2023-03-21 12:46:49 +01:00 · 2023-03-21 12:46:49 +01:00 · 5a0234b3f2
commit 5a0234b3f2
parent 9a9688583d
66 changed files with 1073 additions and 542 deletions
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml
@ -7,9 +7,7 @@ data:
  {{/* mustToJson is required so the json-strings passed from go are of type string in the rendered yaml. */}}
  measurements: {{ .Values.measurements | mustToJson }}
  {{- if eq .Values.csp "Azure" }}
-  {{/* ConfigMap.data is of type map[string]string. quote will not quote a quoted string. */}}
-  enforceIdKeyDigest: {{ .Values.enforceIdKeyDigest | quote }}
-  idkeydigests: {{ .Values.idkeydigests | mustToJson }}
+  idKeyConfig: {{ .Values.idKeyConfig | mustToJson }}
  {{- end }}
 binaryData:
  measurementSalt: {{ .Values.measurementSalt }}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
@ -11,13 +11,13 @@
            "examples": ["{'1':{'expected':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','warnOnly':true},'15':{'expected':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=','warnOnly':true}}"]
        },
        "enforceIdKeyDigest": {
-            "description": "Whether or not idkeydigest should be enforced during attestation on azure.",
-            "type": "boolean"
+            "description": "ID Key Digest enforcement policy.",
+            "enum": ["StrictChecking", "MAAFallback", "WarnOnly"]
        },
-        "idkeydigests": {
-            "description": "List of expected idkeydigest values for Azure SNP attestation.",
+        "idKeyConfig": {
+            "description": "Configuration for validating the ID Key Digest of the SEV-SNP attestation.",
            "type": "string",
-            "examples": ["[\"57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696\", \"0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3\"]"]
+            "examples": ["{'EnforcementPolicy': 'MAAFallback', 'MAAURL': 'https://192.0.2.1:8080/maa', 'IDKeyDigests': ['57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696', '0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3'}"]
        },
        "image": {
            "description": "Container image to use for the spawned pods.",
@ -46,7 +46,7 @@
        "properties": { "csp": { "const": "azure" } },
        "required": ["csp"]
    },
-    "then": { "required": ["enforceIdKeyDigest", "idkeydigests"] },
+    "then": { "required": ["idKeyConfig"] },
    "title": "Values",
    "type": "object"
 }
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.yaml
@ -1,4 +1,7 @@
 csp: "gcp"
 attestationVariant: ""
+measurements: ""
+idKeyConfig: ""
+measurementSalt: ""
 joinServicePort: 9090
 joinServiceNodePort: 30090