From 67be4016f5df7674896217b1e94688701d46d8ad Mon Sep 17 00:00:00 2001 From: Malte Poll Date: Mon, 9 Jan 2023 10:04:13 +0100 Subject: [PATCH] ci: generate signed measurements for QEMU --- .github/workflows/generate-measurements.yml | 39 ++++++++++++++++++--- image/measured-boot/pcr-stable.json | 16 ++++++--- image/measured-boot/precalculate_pcr_12.sh | 4 ++- image/measured-boot/precalculate_pcr_4.sh | 4 ++- image/measured-boot/precalculate_pcr_9.sh | 4 ++- 5 files changed, 55 insertions(+), 12 deletions(-) diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml index f09b00020..5ef02a98f 100644 --- a/.github/workflows/generate-measurements.yml +++ b/.github/workflows/generate-measurements.yml @@ -53,7 +53,7 @@ jobs: strategy: fail-fast: false matrix: - provider: ["aws", "azure", "gcp"] + provider: ["aws", "azure", "gcp", "qemu"] permissions: id-token: write contents: read @@ -112,6 +112,7 @@ jobs: echo "res_group_name=$name" >> "$GITHUB_OUTPUT" - name: Create Cluster in E2E Test environment + if: matrix.provider != 'qemu' id: create_cluster uses: ./.github/actions/e2e_test with: @@ -132,6 +133,7 @@ jobs: test: "nop" - name: Fetch PCRs from running cluster + if: matrix.provider != 'qemu' run: | KUBECONFIG="${PWD}/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m CONSTELL_IP=$(jq -r ".ip" constellation-id.json) 
@@ -189,6 +191,33 @@ jobs: env: CSP: ${{ matrix.provider }} + - name: Set PCRs for QEMU + if: matrix.provider == 'qemu' + env: + ref: ${{ steps.extract.outputs.ref }} + stream: ${{ steps.extract.outputs.stream }} + version: ${{ steps.extract.outputs.version }} + run: | + path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json" + mkdir -p "${{ github.workspace }}/generated-measurements" + wget -O ${{ github.workspace }}/generated-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}" + jq '.measurements' < ${{ github.workspace }}/generated-measurements/measurements.image.json | jq '{"measurements": .}' > ${{ github.workspace }}/generated-measurements/measurements.json + cat "${{ github.workspace }}/generated-measurements/measurements.json" + yq ' + .csp = "QEMU" | + .image = "${{ steps.extract.outputs.version }}" | + .measurements.4.warnOnly = false | + .measurements.8.warnOnly = false | + .measurements.9.warnOnly = false | + .measurements.11.warnOnly = false | + .measurements.12.warnOnly = false | + .measurements.13.warnOnly = false | + .measurements.15.warnOnly = false | + .measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \ + -I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json" + mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" + shell: bash + - name: Upload measurements as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -196,7 +225,7 @@ jobs: path: "${{ github.workspace }}/generated-measurements" - name: Always terminate cluster - if: always() + if: always() && matrix.provider != 'qemu' continue-on-error: true uses: ./.github/actions/constellation_destroy with: 
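Review bot: The `Set PCRs for QEMU` step fetches `measurements.image.json` from the CDN with `wget` and, going by the commit title, the rewritten file is later signed, but nothing in the hunk checks the integrity or origin of the download before it is rewritten, so the resulting signature would attest whatever the CDN served rather than a measurement this job computed. If a checksum or signature is published alongside the file, verify it immediately after the `wget` and fail the step on mismatch; if there is none, a comment above the step should state why the CDN copy is trusted for signing. Separately, `.image = "${{ steps.extract.outputs.version }}"` splices a workflow expression into the shell script even though the same value is already exported as `version` in the step's `env:`; reading it from the environment, e.g. `.image = strenv(version) |`, keeps step outputs out of the script text (`${{ matrix.provider }}` is less of a concern since it comes from the fixed matrix list). The unquoted `${{ github.workspace }}/generated-measurements/...` arguments to `wget -O` and the two `jq` redirections should be double-quoted like the `cat` and `mv` lines already are.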
@@ -220,7 +249,7 @@ jobs: strategy: fail-fast: false matrix: - provider: ["aws", "azure", "gcp"] + provider: ["aws", "azure", "gcp", "qemu"] steps: - name: Check out repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 @@ -270,7 +299,7 @@ jobs: strategy: fail-fast: false matrix: - provider: ["aws", "azure", "gcp"] + provider: ["aws", "azure", "gcp", "qemu"] permissions: id-token: write contents: read @@ -324,7 +353,7 @@ jobs: strategy: fail-fast: false matrix: - provider: ["aws", "azure", "gcp"] + provider: ["aws", "azure", "gcp", "qemu"] permissions: id-token: write contents: read diff --git a/image/measured-boot/pcr-stable.json b/image/measured-boot/pcr-stable.json index a135153cd..5530ceabc 100755 --- a/image/measured-boot/pcr-stable.json +++ b/image/measured-boot/pcr-stable.json @@ -1,8 +1,16 @@ { "measurements": { - "8": "0000000000000000000000000000000000000000000000000000000000000000", - "11": "0000000000000000000000000000000000000000000000000000000000000000", - "13": "0000000000000000000000000000000000000000000000000000000000000000", - "15": "0000000000000000000000000000000000000000000000000000000000000000" + "8": { + "expected": "0000000000000000000000000000000000000000000000000000000000000000" + }, + "11": { + "expected": "0000000000000000000000000000000000000000000000000000000000000000" + }, + "13": { + "expected": "0000000000000000000000000000000000000000000000000000000000000000" + }, + "15": { + "expected": "0000000000000000000000000000000000000000000000000000000000000000" + } } } diff --git a/image/measured-boot/precalculate_pcr_12.sh b/image/measured-boot/precalculate_pcr_12.sh index d39372942..6f0d02b68 100755 --- a/image/measured-boot/precalculate_pcr_12.sh +++ b/image/measured-boot/precalculate_pcr_12.sh 
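Review bot: `pcr-stable.json` now carries only `expected` for PCRs 8, 11, 13 and 15, while the workflow's yq step separately forces `warnOnly = false` on those same PCRs for QEMU; if this file is merged into the final measurements as-is, the enforcement policy for the stable PCRs lives in the CI script rather than next to the data it governs. Consider adding `"warnOnly": false` to each entry here so the file is self-describing and the yq rewrite in the workflow can shrink to the QEMU-specific parts (confirm the merge step accepts the key from this file). As an aside, the file keeps mode `100755` although it is plain JSON data.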
@@ -35,7 +35,9 @@ write_output() { cat > "${out}" << EOF { "measurements": { - "12": "${expected_pcr_12}" + "12": { + "expected": "${expected_pcr_12}" + } }, "cmdline": "${cmdline}", "cmdline-sha256": "${cmdline_hash}" diff --git a/image/measured-boot/precalculate_pcr_4.sh b/image/measured-boot/precalculate_pcr_4.sh index b5afa7a2d..c2e04535c 100755 --- a/image/measured-boot/precalculate_pcr_4.sh +++ b/image/measured-boot/precalculate_pcr_4.sh @@ -23,7 +23,9 @@ write_output() { cat > "${out}" << EOF { "measurements": { - "4": "${expected_pcr_4}" + "4": { + "expected": "${expected_pcr_4}" + } }, "efistages": [ { diff --git a/image/measured-boot/precalculate_pcr_9.sh b/image/measured-boot/precalculate_pcr_9.sh index 19dcf6cf1..c0ad8a869 100755 --- a/image/measured-boot/precalculate_pcr_9.sh +++ b/image/measured-boot/precalculate_pcr_9.sh @@ -28,7 +28,9 @@ write_output() { cat > "${out}" << EOF { "measurements": { - "9": "${expected_pcr_9}" + "9": { + "expected": "${expected_pcr_9}" + } }, "initrd-sha256": "${initrd_hash}" }
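Review bot: The rewritten heredoc in `write_output` still interpolates `${expected_pcr_12}` into the JSON without checking that it holds a digest, so an empty or malformed variable yields `"expected": ""`, which downstream tooling may accept as a valid measurement; the same applies to `${expected_pcr_4}` and `${expected_pcr_9}` in the two following hunks. A guard before the `cat > "${out}"`, e.g. `[[ "${expected_pcr_12}" =~ ^[0-9a-f]{64}$ ]] || { echo "invalid PCR 12 value" >&2; exit 1; }`, fails the script instead of emitting a bogus measurement (the 64-hex form matches the zero digests in pcr-stable.json; confirm the scripts always produce lowercase hex). `write_output` begins before the hunk, so the guard's exact placement is outside what is shown here.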