mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
attestation: codegen for hardcoded measurements in go
This commit is contained in:
Malte Poll
Malte Poll
parent
3077dd4f27
commit
75fb61e001
@ -0,0 +1,305 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"go/ast"
|
||||
"go/parser"
|
||||
"go/printer"
|
||||
"go/token"
|
||||
"log"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"path"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/sigstore"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versionsapi"
|
||||
"golang.org/x/tools/go/ast/astutil"
|
||||
)
|
||||
|
||||
// this tool is used to generate hardcoded measurements for the enterprise build.
|
||||
// Measurements are embedded in the constellation cli.
|
||||
|
||||
func main() {
|
||||
defaultConf := config.Default()
|
||||
log.Printf("Generating measurements for %s\n", defaultConf.Image)
|
||||
|
||||
const filePath = "./measurements_enterprise.go"
|
||||
|
||||
ctx := context.Background()
|
||||
fset := token.NewFileSet()
|
||||
file, err := parser.ParseFile(fset, filePath, nil, parser.ParseComments)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
rekor, err := sigstore.NewRekor()
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
var returnStmtCtr int
|
||||
|
||||
newFile := astutil.Apply(file, func(cursor *astutil.Cursor) bool {
|
||||
n := cursor.Node()
|
||||
|
||||
// find all switch cases for the CSPs of the form:
|
||||
// switch provider {
|
||||
// case cloudprovider.XYZ:
|
||||
// return M{...}
|
||||
|
||||
if clause, ok := n.(*ast.CaseClause); ok && len(clause.List) > 0 && len(clause.Body) > 0 {
|
||||
sel, ok := clause.List[0].(*ast.SelectorExpr)
|
||||
if !ok {
|
||||
return true
|
||||
}
|
||||
returnStmt, ok := clause.Body[0].(*ast.ReturnStmt)
|
||||
if !ok || len(returnStmt.Results) == 0 {
|
||||
return true
|
||||
}
|
||||
|
||||
provider := cloudprovider.FromString(sel.Sel.Name)
|
||||
if provider == cloudprovider.Unknown {
|
||||
log.Fatalf("unknown provider %s", sel.Sel.Name)
|
||||
}
|
||||
log.Println("Found", provider)
|
||||
returnStmtCtr++
|
||||
// retrieve and validate measurements for the given CSP and image
|
||||
measuremnts := mustGetMeasurements(ctx, rekor, []byte(constants.CosignPublicKey), http.DefaultClient, provider, defaultConf.Image)
|
||||
// replace the return statement with a composite literal containing the validated measurements
|
||||
returnStmt.Results[0] = measurementsCompositeLiteral(measuremnts, returnStmt.Return+7)
|
||||
}
|
||||
return true
|
||||
}, nil,
|
||||
)
|
||||
|
||||
if returnStmtCtr == 0 {
|
||||
log.Fatal("no measurements updated")
|
||||
}
|
||||
|
||||
var buf bytes.Buffer
|
||||
printConfig := printer.Config{Mode: printer.UseSpaces | printer.TabIndent, Tabwidth: 8}
|
||||
|
||||
if err = printConfig.Fprint(&buf, fset, newFile); err != nil {
|
||||
log.Fatalf("error formatting file %s: %s", filePath, err)
|
||||
}
|
||||
if err := os.WriteFile(filePath, buf.Bytes(), 0o644); err != nil {
|
||||
log.Fatalf("error writing file %s: %s", filePath, err)
|
||||
}
|
||||
log.Println("Successfully generated hashes.")
|
||||
}
|
||||
|
||||
// mustGetMeasurements fetches the measurements for the given image and CSP and verifies them.
|
||||
func mustGetMeasurements(ctx context.Context, verifier rekorVerifier, cosignPublicKey []byte, client *http.Client, provider cloudprovider.Provider, image string) measurements.M {
|
||||
measurementsURL, err := measurementURL(provider, image, "measurements.json")
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
signatureURL, err := measurementURL(provider, image, "measurements.json.sig")
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
log.Println("Fetching measurements from", measurementsURL, "and signature from", signatureURL)
|
||||
var fetchedMeasurements measurements.M
|
||||
hash, err := fetchedMeasurements.FetchAndVerify(
|
||||
ctx, client,
|
||||
measurementsURL,
|
||||
signatureURL,
|
||||
cosignPublicKey,
|
||||
measurements.WithMetadata{
|
||||
CSP: provider,
|
||||
Image: image,
|
||||
},
|
||||
)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := verifyWithRekor(ctx, verifier, hash); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
return fetchedMeasurements
|
||||
}
|
||||
|
||||
// measurementURL returns the URL for the measurements file for the given image and CSP.
|
||||
func measurementURL(provider cloudprovider.Provider, image, file string) (*url.URL, error) {
|
||||
version, err := versionsapi.NewVersionFromShortPath(image, versionsapi.VersionKindImage)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("parsing image name: %w", err)
|
||||
}
|
||||
|
||||
return url.Parse(
|
||||
version.ArtifactURL() + path.Join("/image", "csp", strings.ToLower(provider.String()), file),
|
||||
)
|
||||
}
|
||||
|
||||
// verifyWithRekor verifies that the given hash is present in rekor and is valid.
|
||||
func verifyWithRekor(ctx context.Context, verifier rekorVerifier, hash string) error {
|
||||
uuids, err := verifier.SearchByHash(ctx, hash)
|
||||
if err != nil {
|
||||
return fmt.Errorf("searching Rekor for hash: %w", err)
|
||||
}
|
||||
|
||||
if len(uuids) == 0 {
|
||||
return fmt.Errorf("no matching entries in Rekor")
|
||||
}
|
||||
|
||||
// We expect the first entry in Rekor to be our original entry.
|
||||
// SHA256 should ensure there is no entry with the same hash.
|
||||
// Any subsequent hashes are treated as potential attacks and are ignored.
|
||||
// Attacks on Rekor will be monitored from other backend services.
|
||||
artifactUUID := uuids[0]
|
||||
|
||||
return verifier.VerifyEntry(
|
||||
ctx, artifactUUID,
|
||||
base64.StdEncoding.EncodeToString([]byte(constants.CosignPublicKey)),
|
||||
)
|
||||
}
|
||||
|
||||
// byteArrayCompositeLit returns a *ast.CompositeLit representing a byte array literal.
|
||||
// The returned literal is of the form:
|
||||
// [32]byte{ 0x01, 0x02, 0x03, ... }.
|
||||
func byteArrayCompositeLit(hex [32]byte, pos token.Pos) *ast.CompositeLit {
|
||||
var elts []ast.Expr
|
||||
// calculate the absolute byte offsets of the elements
|
||||
// given the starting position
|
||||
curPos := pos + 16 // 16 = len("[32]byte{") + padding
|
||||
// create list of byte literals
|
||||
for i, b := range hex {
|
||||
elts = append(elts, &ast.BasicLit{
|
||||
ValuePos: curPos,
|
||||
Kind: token.INT,
|
||||
Value: fmt.Sprintf("0x%02x", b),
|
||||
})
|
||||
if (i+1)%8 == 0 {
|
||||
curPos += 11 // line break
|
||||
} else {
|
||||
curPos += 6 // 6 = len("0x00, ")
|
||||
}
|
||||
}
|
||||
// create the composite literal
|
||||
// containing the byte literals as part of an [32]byte array
|
||||
return &ast.CompositeLit{
|
||||
Type: &ast.ArrayType{
|
||||
Lbrack: pos,
|
||||
Len: ast.NewIdent("32"),
|
||||
Elt: ast.NewIdent("byte"),
|
||||
},
|
||||
Lbrace: pos + 8, // 8 = len("[32]byte")
|
||||
Elts: elts,
|
||||
Rbrace: pos + 223, // 223 = len("[32]byte{0x00, 0x01, ...}") - 1
|
||||
}
|
||||
}
|
||||
|
||||
// measurementsEntryKeyValueExpr returns a *ast.KeyValueExpr representing a measurements.Measurement entry.
|
||||
// The returned expression is of the form:
|
||||
//
|
||||
// 0: {
|
||||
// Expected: [32]byte{ 0x01, 0x02, 0x03, ... },
|
||||
// WarnOnly: false,
|
||||
// },
|
||||
func measurementsEntryKeyValueExpr(pcr uint32, measuremnt measurements.Measurement, pos token.Pos) (*ast.KeyValueExpr, token.Pos) {
|
||||
// calculate the absolute byte offsets of the elements
|
||||
// given the starting position
|
||||
key := fmt.Sprintf("%d", pcr)
|
||||
keyLen := len(key)
|
||||
colon := pos + token.Pos(keyLen) // len(key)
|
||||
valuePos := colon + 2 // 2 = len(": ")
|
||||
expectedKeyPos := valuePos + 5 // 5 = padding + newline
|
||||
expectedColon := expectedKeyPos + 8 // 8 = len("Expected")
|
||||
expectedValuePos := expectedColon + 2 // 2 = len(": ")
|
||||
warnOnlyKeyPos := expectedColon + 1 + byteArrayCompositeLitWidth // 1 = space
|
||||
warnOnlyColon := warnOnlyKeyPos + 9 // 9 = len("WarnOnly")
|
||||
warnOnlyValuePos := warnOnlyColon + 2 // 2 = len(": ")
|
||||
var rbrace token.Pos
|
||||
if measuremnt.WarnOnly {
|
||||
rbrace = warnOnlyValuePos + 9 // 9 = len("true") + padding
|
||||
} else {
|
||||
rbrace = warnOnlyValuePos + 10 // 10 = len("false") + padding
|
||||
}
|
||||
|
||||
return &ast.KeyValueExpr{
|
||||
Key: &ast.BasicLit{
|
||||
ValuePos: pos,
|
||||
Kind: token.INT,
|
||||
Value: key,
|
||||
},
|
||||
Colon: colon,
|
||||
Value: &ast.CompositeLit{
|
||||
Lbrace: valuePos,
|
||||
Elts: []ast.Expr{
|
||||
&ast.KeyValueExpr{
|
||||
Key: &ast.Ident{NamePos: expectedKeyPos, Name: "Expected"},
|
||||
Colon: expectedColon,
|
||||
Value: byteArrayCompositeLit(measuremnt.Expected, expectedValuePos),
|
||||
},
|
||||
&ast.KeyValueExpr{
|
||||
Key: &ast.Ident{NamePos: warnOnlyKeyPos, Name: "WarnOnly"},
|
||||
Colon: warnOnlyColon,
|
||||
Value: &ast.Ident{NamePos: warnOnlyValuePos, Name: strconv.FormatBool(measuremnt.WarnOnly)},
|
||||
},
|
||||
},
|
||||
Rbrace: rbrace,
|
||||
},
|
||||
}, rbrace + 1 // 1 = len(",")
|
||||
}
|
||||
|
||||
// measurementsCompositeLiteral returns a *ast.CompositeLit representing a measurements.M literal.
|
||||
// The returned literal is of the form:
|
||||
//
|
||||
// M{
|
||||
// 0: {
|
||||
// Expected: [32]byte{ 0x01, 0x02, 0x03, ... },
|
||||
// WarnOnly: false,
|
||||
// },
|
||||
// 1: {
|
||||
// Expected: [32]byte{ 0x01, 0x02, 0x03, ... },
|
||||
// WarnOnly: false,
|
||||
// },
|
||||
// ...
|
||||
// }
|
||||
func measurementsCompositeLiteral(measurements measurements.M, pos token.Pos) *ast.CompositeLit {
|
||||
lbrace := pos + 1 // 1 = len("M")
|
||||
var elts []ast.Expr
|
||||
pcrs := make([]uint32, 0, len(measurements))
|
||||
for pcr := range measurements {
|
||||
pcrs = append(pcrs, pcr)
|
||||
}
|
||||
sort.Slice(pcrs, func(i, j int) bool { return pcrs[i] < pcrs[j] })
|
||||
entryPos := lbrace + 5 // 5 = padding + newline
|
||||
for _, pcr := range pcrs {
|
||||
kvExpr, newEntryPos := measurementsEntryKeyValueExpr(pcr, measurements[pcr], entryPos)
|
||||
elts = append(elts, kvExpr)
|
||||
entryPos = newEntryPos + 4 // 4 = padding + newline
|
||||
}
|
||||
return &ast.CompositeLit{
|
||||
Lbrace: lbrace,
|
||||
Type: &ast.Ident{
|
||||
NamePos: pos,
|
||||
Name: "M",
|
||||
},
|
||||
Elts: elts,
|
||||
Rbrace: entryPos - 1, // -1 = closing brace is not indented
|
||||
}
|
||||
}
|
||||
|
||||
const byteArrayCompositeLitWidth = 235
|
||||
|
||||
type rekorVerifier interface {
|
||||
SearchByHash(context.Context, string) ([]string, error)
|
||||
VerifyEntry(context.Context, string, string) error
|
||||
}
|
||||
@ -0,0 +1,17 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"go.uber.org/goleak"
|
||||
)
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
goleak.VerifyTestMain(m)
|
||||
}
|
||||
@ -10,6 +10,11 @@ package measurements
|
||||
|
||||
import "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
|
||||
// Regenerate the measurements by running go generate.
|
||||
// The enterprise build tag is required to validate the measurements using production
|
||||
// sigstore certificates.
|
||||
//go:generate go run -tags enterprise measurement-generator/generate.go
|
||||
|
||||
// DefaultsFor provides the default measurements for given cloud provider.
|
||||
func DefaultsFor(provider cloudprovider.Provider) M {
|
||||
switch provider {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user