Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-27 09:15:22 -04:00
Code Issues Projects Releases Packages Wiki Activity

AB#2333: Add AMD SNP-based attestation

Browse source 
Currently only available on Azure CVMs.

* Get the public attestation key from the TPM.
* Get the snp report from the TPM.
* Get the VCEK and ASK certificate from the metadata api.
* Verify VCEK using hardcoded root key (ARK)
* Verify SNP report using VCEK
* Verify HCLAkPub using SNP report by comparing
AK with runtimeData
* Extend unittest

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Otto Bittner 2022-08-19 12:26:29 +02:00
parent 0a3a4e9c7f
commit 7c5556864b
9 changed files with 663 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

5
bootstrapper/internal/kubernetes/k8sapi/util.go
View file

@ -489,8 +489,7 @@ func (k *KubernetesUtil) createSignedKubeletCert(nodeName string, ips []net.IP)
if err != nil {
return err
}
parentCertPEM, _ := pem.Decode(parentCertRaw)
parentCert, err := x509.ParseCertificate(parentCertPEM.Bytes)
parentCert, err := crypto.PemToX509Cert(parentCertRaw)
if err != nil {
return err
}
@ -513,7 +512,7 @@ func (k *KubernetesUtil) createSignedKubeletCert(nodeName string, ips []net.IP)
case "PRIVATE KEY":
parentKey, err = x509.ParsePKCS8PrivateKey(parentKeyPEM.Bytes)
default:
err = fmt.Errorf("unsupported key type %q", parentCertPEM.Type)
err = fmt.Errorf("unsupported key type %q", parentKeyPEM.Type)
}
if err != nil {
return err