attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)

* Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2025-09-20 13:04:36 -04:00 · 2023-03-21 12:46:49 +01:00 · 2023-03-21 12:46:49 +01:00 · 5a0234b3f2
commit 5a0234b3f2
parent 9a9688583d
66 changed files with 1073 additions and 542 deletions
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml
@ -5,7 +5,6 @@ metadata:
  namespace: testNamespace
 data:
  measurements: "{\"1\":{\"expected\":\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\"warnOnly\":false}}"
-  enforceIdKeyDigest: "true"
-  idkeydigests: "[\"baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad\", \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"]"
+  idKeyConfig: "{\"idKeyDigests\":[\"baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad\",\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"],\"enforcementPolicy\":\"StrictChecking\",\"maaURL\":\"https://192.0.2.1:8080/maa\"}"
 binaryData:
  measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA