attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)

* Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2025-09-18 20:14:48 -04:00 · 2023-03-21 12:46:49 +01:00 · 2023-03-21 12:46:49 +01:00 · 5a0234b3f2
commit 5a0234b3f2
parent 9a9688583d
66 changed files with 1073 additions and 542 deletions
--- a/internal/attestation/gcp/issuer.go
+++ b/internal/attestation/gcp/issuer.go
@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 package gcp

 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"io"
@ -37,12 +38,12 @@ func NewIssuer(log vtpm.AttestationLogger) *Issuer {
 }

 // getGCEInstanceInfo fetches VM metadata used for attestation.
-func getGCEInstanceInfo(client gcpMetadataClient) func(io.ReadWriteCloser) ([]byte, error) {
+func getGCEInstanceInfo(client gcpMetadataClient) func(context.Context, io.ReadWriteCloser, []byte) ([]byte, error) {
 	// Ideally we would want to use the endorsement public key certificate
 	// However, this is not available on GCE instances
 	// Workaround: Provide ShieldedVM instance info
 	// The attestating party can request the VMs signing key using Google's API
-	return func(io.ReadWriteCloser) ([]byte, error) {
+	return func(context.Context, io.ReadWriteCloser, []byte) ([]byte, error) {
 		projectID, err := client.projectID()
 		if err != nil {
 			return nil, errors.New("unable to fetch projectID")