From 5f14a82de473e739c8cccf3c94610a71994cfde1 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Wed, 10 Apr 2024 13:40:11 +0200
Subject: [PATCH] gcp: fix comments and typos
---
 .github/actions/constellation_create/action.yml | 1 +
 internal/attestation/gcp/es/es.go | 2 +-
 internal/attestation/gcp/gcp.go | 2 +-
 internal/attestation/gcp/snp/issuer.go | 4 ++--
 internal/attestation/gcp/snp/snp.go | 8 +++-----
 internal/attestation/gcp/snp/validator.go | 2 +-
 internal/attestation/vtpm/attestation.go | 2 +-
 internal/config/gcp.go | 1 +
 8 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index d84505916..7e149fc18 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -164,6 +164,7 @@ runs:
 shell: bash
 run: |
 echo "Creating cluster using config:"
+ cat constellation-conf.yaml
 sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
 - name: Constellation create (CLI)
diff --git a/internal/attestation/gcp/es/es.go b/internal/attestation/gcp/es/es.go
index b5951b9e5..7a6dfe446 100644
--- a/internal/attestation/gcp/es/es.go
+++ b/internal/attestation/gcp/es/es.go
@@ -5,7 +5,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
-# GCP SEV-ES Attestation
+# GCP SEV-ES attestation
 Google offers [confidential VMs], utilizing AMD SEV-ES to provide memory encryption.
diff --git a/internal/attestation/gcp/gcp.go b/internal/attestation/gcp/gcp.go
index b9a9a4ac5..113222dda 100644
--- a/internal/attestation/gcp/gcp.go
+++ b/internal/attestation/gcp/gcp.go
@@ -5,6 +5,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
-# Google Cloud Platform Attestation
+# Google Cloud Platform attestation
 */
 package gcp
diff --git a/internal/attestation/gcp/snp/issuer.go b/internal/attestation/gcp/snp/issuer.go
index 951253e77..e54d870d7 100644
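Review bot: The added `cat constellation-conf.yaml` writes the whole cluster config into the workflow log, where it stays for as long as the run is retained and is readable by anyone who can view the run. I can't tell from this hunk what the config holds in this job; if it can carry anything beyond public settings, print only the fields needed for debugging, or register the sensitive values with `::add-mask::` before the `cat` so the log shows them redacted. The `run:` block starts before and continues after the hunk, so the full step is not visible here.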
--- a/internal/attestation/gcp/snp/issuer.go
+++ b/internal/attestation/gcp/snp/issuer.go
@@ -85,7 +85,7 @@ func getInstanceInfo(_ context.Context, tpm io.ReadWriteCloser, _ []byte) ([]byt
 vcek, err := pemEncodedVCEK(certs)
 if err != nil {
- return nil, fmt.Errorf("parsing vlek: %w", err)
+ return nil, fmt.Errorf("parsing vcek: %w", err)
 }
 gceInstanceInfo, err := gceInstanceInfo()
@@ -145,7 +145,7 @@ func pemEncodedVCEK(certs []byte) ([]byte, error) {
 return nil, fmt.Errorf("getting VCEK certificate: %w", err)
 }
- // An optional check for certificate well-formedness. vlekRaw == cert.Raw.
+ // An optional check for certificate well-formedness. vcekRaw == cert.Raw.
 cert, err := x509.ParseCertificate(vcekRaw)
 if err != nil {
 return nil, fmt.Errorf("parsing certificate: %w", err)
diff --git a/internal/attestation/gcp/snp/snp.go b/internal/attestation/gcp/snp/snp.go
index f81a6df2c..ede60f205 100644
--- a/internal/attestation/gcp/snp/snp.go
+++ b/internal/attestation/gcp/snp/snp.go
@@ -5,7 +5,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 */
 /*
-# GCP SEV-SNP Attestation
+# GCP SEV-SNP attestation
 Google offers [confidential VMs], utilizing AMD SEV-SNP to provide memory encryption.
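Review bot: The comment above `x509.ParseCertificate(vcekRaw)` in the second issuer.go hunk still calls the check "optional", but a parse failure returns an error from pemEncodedVCEK, so in practice it is a hard precondition on the VCEK bytes and the wording undersells what the function guarantees. Suggest `// Parse the DER so a malformed VCEK is rejected here instead of being PEM-encoded blindly; vcekRaw == cert.Raw.` The `parsing vcek` message fix in the first hunk is fine. pemEncodedVCEK's body continues outside the hunk, so I can't see whether `cert` is used beyond this sanity check.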
@@ -36,9 +36,7 @@ public key provided by Google's API corresponding to the project ID, zone, insta
 Without a certificate signing the authenticity of any endorsement keys we have no way of establishing a chain of trust.
 Instead, we have to rely on Google's API to provide us with the public key of the vTPM's endorsement key.
-[GCP Confidential VMs]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm
-[GCP Virtual Trusted Platform Module (vTPM)]: https://cloud.google.com/security/shielded-cloud/shielded-vm#vtpm
-[GCP Monitoring docs]: https://cloud.google.com/compute/confidential-vm/docs/monitoring
-[AMD SEV-SNP whitepaper]: https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf#page=7
+[confidential VMs]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm
+[virtual Trusted Platform Module (vTPM)]: https://cloud.google.com/security/shielded-cloud/shielded-vm#vtpm
 */
 package snp
diff --git a/internal/attestation/gcp/snp/validator.go b/internal/attestation/gcp/snp/validator.go
index 32466a54f..dba4ab0fa 100644
--- a/internal/attestation/gcp/snp/validator.go
+++ b/internal/attestation/gcp/snp/validator.go
@@ -49,7 +49,7 @@ type Validator struct {
 func NewValidator(cfg *config.GCPSEVSNP, log attestation.Logger) (*Validator, error) {
 getGCEKey, err := gcp.TrustedKeyGetter(variant.GCPSEVSNP{}, gcp.NewRESTClient)
 if err != nil {
- return nil, fmt.Errorf("create trusted key getter: %v", err)
+ return nil, fmt.Errorf("creating trusted key getter: %w", err)
 }
 v := &Validator{
diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go
index f0e233f5d..364ab1163 100644
--- a/internal/attestation/vtpm/attestation.go
+++ b/internal/attestation/vtpm/attestation.go
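Review bot: The snp.go hunk at -36 drops the `[GCP Monitoring docs]` and `[AMD SEV-SNP whitepaper]` link definitions and renames the two that remain, but only the tail of the package doc comment is visible here; if any sentence before line 36 still uses one of the old labels (`[GCP Confidential VMs]`, `[GCP Virtual Trusted Platform Module (vTPM)]`, or the two removed ones), godoc will render it as literal bracketed text with no link. Worth grepping the doc comment for the old labels before merging, or keeping the two removed definitions if they are still referenced. The doc comment starts outside the hunk.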
@@ -125,7 +125,6 @@ func (i *Issuer) Issue(ctx context.Context, userData []byte, nonce []byte) (res
 }
 defer aK.Close()
- // Create an attestation using the loaded key
 extraData := attestation.MakeExtraData(userData, nonce)
 // Fetch instance info of the VM
@@ -136,6 +135,7 @@ func (i *Issuer) Issue(ctx context.Context, userData []byte, nonce []byte) (res
 tpmNonce := makeTpmNonce(instanceInfo, extraData)
+ // Create an attestation using the loaded key
 tpmAttestation, err := aK.Attest(tpmClient.AttestOpts{Nonce: tpmNonce[:]})
 if err != nil {
 return nil, fmt.Errorf("creating attestation: %w", err)
diff --git a/internal/config/gcp.go b/internal/config/gcp.go
index c90342c73..b4cc590c6 100644
--- a/internal/config/gcp.go
+++ b/internal/config/gcp.go
@@ -2,6 +2,7 @@ Copyright (c) Edgeless Systems GmbH
 SPDX-License-Identifier: AGPL-3.0-only
 */
+
 package config
 import (