config: add attestation variant (#1413)

* Add attestation type to config (optional for now) * Get attestation variant from config in CLI * Set attestation variant for Constellation services in helm deployments * Remove AzureCVM variable from helm deployments --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-06-19 03:39:32 -04:00 · 2023-03-14 11:46:27 +01:00 · 2023-03-14 11:46:27 +01:00 · 6ea5588bdc
commit 6ea5588bdc
parent 8679988b6c
44 changed files with 379 additions and 383 deletions
--- a/cli/internal/cloudcmd/validators.go
+++ b/cli/internal/cloudcmd/validators.go
@ -14,46 +14,40 @@ import (
 	"fmt"

 	"github.com/edgelesssys/constellation/v2/internal/atls"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/aws"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/qemu"
-	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/oid"
 	"github.com/spf13/cobra"
 )

 // Validator validates Platform Configuration Registers (PCRs).
 type Validator struct {
-	provider           cloudprovider.Provider
+	attestationVariant oid.Getter
 	pcrs               measurements.M
 	idkeydigests       idkeydigest.IDKeyDigests
 	enforceIDKeyDigest bool
-	azureCVM           bool
 	validator          atls.Validator
 	log                debugLog
 }

 // NewValidator creates a new Validator.
-func NewValidator(provider cloudprovider.Provider, conf *config.Config, log debugLog) (*Validator, error) {
+func NewValidator(conf *config.Config, log debugLog) (*Validator, error) {
 	v := Validator{log: log}
-	if provider == cloudprovider.Unknown {
-		return nil, errors.New("unknown cloud provider")
+	variant, err := oid.FromString(conf.AttestationVariant)
+	if err != nil {
+		return nil, fmt.Errorf("parsing attestation variant: %w", err)
 	}
-	v.provider = provider
+	v.attestationVariant = variant // valid variant
+
 	if err := v.setPCRs(conf); err != nil {
 		return nil, err
 	}

-	if v.provider == cloudprovider.Azure {
-		v.azureCVM = *conf.Provider.Azure.ConfidentialVM
-		if v.azureCVM {
-			v.enforceIDKeyDigest = *conf.Provider.Azure.EnforceIDKeyDigest
-			v.idkeydigests = conf.Provider.Azure.IDKeyDigest
-		}
+	if v.attestationVariant.OID().Equal(oid.AzureSEVSNP{}.OID()) {
+		v.enforceIDKeyDigest = conf.EnforcesIDKeyDigest()
+		v.idkeydigests = conf.IDKeyDigests()
 	}

 	return &v, nil
@ -100,26 +94,26 @@ func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
 }

 func (v *Validator) setPCRs(config *config.Config) error {
-	switch v.provider {
-	case cloudprovider.AWS:
+	switch v.attestationVariant {
+	case oid.AWSNitroTPM{}:
 		awsPCRs := config.Provider.AWS.Measurements
 		if len(awsPCRs) == 0 {
 			return errors.New("no expected measurement provided")
 		}
 		v.pcrs = awsPCRs
-	case cloudprovider.Azure:
+	case oid.AzureSEVSNP{}, oid.AzureTrustedLaunch{}:
 		azurePCRs := config.Provider.Azure.Measurements
 		if len(azurePCRs) == 0 {
 			return errors.New("no expected measurement provided")
 		}
 		v.pcrs = azurePCRs
-	case cloudprovider.GCP:
+	case oid.GCPSEVES{}:
 		gcpPCRs := config.Provider.GCP.Measurements
 		if len(gcpPCRs) == 0 {
 			return errors.New("no expected measurement provided")
 		}
 		v.pcrs = gcpPCRs
-	case cloudprovider.QEMU:
+	case oid.QEMUVTPM{}:
 		qemuPCRs := config.Provider.QEMU.Measurements
 		if len(qemuPCRs) == 0 {
 			return errors.New("no expected measurement provided")
@ -142,20 +136,9 @@ func (v *Validator) PCRS() measurements.M {

 func (v *Validator) updateValidator(cmd *cobra.Command) {
 	log := warnLogger{cmd: cmd, log: v.log}
-	switch v.provider {
-	case cloudprovider.GCP:
-		v.validator = gcp.NewValidator(v.pcrs, log)
-	case cloudprovider.Azure:
-		if v.azureCVM {
-			v.validator = snp.NewValidator(v.pcrs, v.idkeydigests, v.enforceIDKeyDigest, log)
-		} else {
-			v.validator = trustedlaunch.NewValidator(v.pcrs, log)
-		}
-	case cloudprovider.AWS:
-		v.validator = aws.NewValidator(v.pcrs, log)
-	case cloudprovider.QEMU:
-		v.validator = qemu.NewValidator(v.pcrs, log)
-	}
+
+	// Use of a valid variant has been check in NewValidator so we may drop the error
+	v.validator, _ = choose.Validator(v.attestationVariant, v.pcrs, v.idkeydigests, v.enforceIDKeyDigest, log)
 }

 // warnLogger implements logging of warnings for validators.