attestation: create issuer based on kernel cmd line (#1355)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-10-05 23:28:34 -04:00 · 2023-03-09 09:47:28 +01:00 · 2023-03-09 09:47:28 +01:00 · 5bad5f768b
commit 5bad5f768b
parent 80ff380859
7 changed files with 209 additions and 56 deletions
--- a/internal/attestation/azure/azure.go
+++ b/internal/attestation/azure/azure.go
@ -18,19 +18,3 @@ Constellation supports multiple attestation technologies on Azure.
    Basic TPM attestation.
 */
 package azure
-
-import (
-	"github.com/edgelesssys/constellation/v2/internal/atls"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
-)
-
-// NewIssuer returns an SNP issuer if it can successfully read the idkeydigest from the TPM.
-// Otherwise returns a Trusted Launch issuer.
-func NewIssuer(log vtpm.AttestationLogger) atls.Issuer {
-	if _, err := snp.GetIDKeyDigest(vtpm.OpenVTPM); err == nil {
-		return snp.NewIssuer(log)
-	}
-	return trustedlaunch.NewIssuer(log)
-}
--- a/internal/attestation/choose/choose.go
+++ b/internal/attestation/choose/choose.go
@ -0,0 +1,66 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package choose
+
+import (
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/internal/atls"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/aws"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
+	"github.com/edgelesssys/constellation/v2/internal/oid"
+)
+
+// Issuer returns the issuer for the given variant.
+func Issuer(variant oid.Getter, log vtpm.AttestationLogger) (atls.Issuer, error) {
+	switch variant {
+	case oid.AWSNitroTPM{}:
+		return aws.NewIssuer(log), nil
+	case oid.AzureTrustedLaunch{}:
+		return trustedlaunch.NewIssuer(log), nil
+	case oid.AzureSEVSNP{}:
+		return snp.NewIssuer(log), nil
+	case oid.GCPSEVES{}:
+		return gcp.NewIssuer(log), nil
+	case oid.QEMUVTPM{}:
+		return qemu.NewIssuer(log), nil
+	case oid.Dummy{}:
+		return atls.NewFakeIssuer(oid.Dummy{}), nil
+	default:
+		return nil, fmt.Errorf("unknown attestation variant: %s", variant)
+	}
+}
+
+// Validator returns the validator for the given variant.
+func Validator(
+	variant oid.Getter, measurements measurements.M,
+	idKeyDigest idkeydigest.IDKeyDigests, enfoceIDKeyDigest bool,
+	log vtpm.AttestationLogger,
+) (atls.Validator, error) {
+	switch variant {
+	case oid.AWSNitroTPM{}:
+		return aws.NewValidator(measurements, log), nil
+	case oid.AzureTrustedLaunch{}:
+		return trustedlaunch.NewValidator(measurements, log), nil
+	case oid.AzureSEVSNP{}:
+		return snp.NewValidator(measurements, idKeyDigest, enfoceIDKeyDigest, log), nil
+	case oid.GCPSEVES{}:
+		return gcp.NewValidator(measurements, log), nil
+	case oid.QEMUVTPM{}:
+		return qemu.NewValidator(measurements, log), nil
+	case oid.Dummy{}:
+		return atls.NewFakeValidator(oid.Dummy{}), nil
+	default:
+		return nil, fmt.Errorf("unknown attestation variant: %s", variant)
+	}
+}
--- a/internal/attestation/choose/choose_test.go
+++ b/internal/attestation/choose/choose_test.go
@ -0,0 +1,114 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package choose
+
+import (
+	"encoding/asn1"
+	"testing"
+
+	"github.com/edgelesssys/constellation/v2/internal/oid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIssuer(t *testing.T) {
+	testCases := map[string]struct {
+		variant oid.Getter
+		wantErr bool
+	}{
+		"aws-nitro-tpm": {
+			variant: oid.AWSNitroTPM{},
+		},
+		"azure-sev-snp": {
+			variant: oid.AzureSEVSNP{},
+		},
+		"azure-trusted-launch": {
+			variant: oid.AzureTrustedLaunch{},
+		},
+		"gcp-sev-es": {
+			variant: oid.GCPSEVES{},
+		},
+		"qemu-vtpm": {
+			variant: oid.QEMUVTPM{},
+		},
+		"dummy": {
+			variant: oid.Dummy{},
+		},
+		"unknown": {
+			variant: unknownVariant{},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			issuer, err := Issuer(tc.variant, nil)
+
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+			require.NoError(err)
+			assert.True(issuer.OID().Equal(tc.variant.OID()))
+		})
+	}
+}
+
+func TestValidator(t *testing.T) {
+	testCases := map[string]struct {
+		variant oid.Getter
+		wantErr bool
+	}{
+		"aws-nitro-tpm": {
+			variant: oid.AWSNitroTPM{},
+		},
+		"azure-sev-snp": {
+			variant: oid.AzureSEVSNP{},
+		},
+		"azure-trusted-launch": {
+			variant: oid.AzureTrustedLaunch{},
+		},
+		"gcp-sev-es": {
+			variant: oid.GCPSEVES{},
+		},
+		"qemu-vtpm": {
+			variant: oid.QEMUVTPM{},
+		},
+		"dummy": {
+			variant: oid.Dummy{},
+		},
+		"unknown": {
+			variant: unknownVariant{},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			validator, err := Validator(tc.variant, nil, nil, false, nil)
+
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+			require.NoError(err)
+			assert.True(validator.OID().Equal(tc.variant.OID()))
+		})
+	}
+}
+
+type unknownVariant struct{}
+
+func (unknownVariant) OID() asn1.ObjectIdentifier {
+	return asn1.ObjectIdentifier{1, 3, 9900, 9999, 9999}
+}