attestation: add awsSEVSNP as new variant (#1900)

* variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic.
2025-12-09 21:16:52 -05:00 · 2023-06-09 15:41:02 +02:00 · 2023-06-09 15:41:02 +02:00 · 8f21972aec
commit 8f21972aec
parent 947d0cb20a
110 changed files with 993 additions and 215 deletions
--- a/cli/internal/cloudcmd/BUILD.bazel
+++ b/cli/internal/cloudcmd/BUILD.bazel
@ -23,12 +23,12 @@ go_library(
        "//internal/atls",
        "//internal/attestation/choose",
        "//internal/attestation/measurements",
+        "//internal/attestation/variant",
        "//internal/cloud/cloudprovider",
        "//internal/cloud/gcpshared",
        "//internal/config",
        "//internal/constants",
        "//internal/imagefetcher",
-        "//internal/variant",
        "@com_github_azure_azure_sdk_for_go//profiles/latest/attestation/attestation",
        "@com_github_azure_azure_sdk_for_go_sdk_azcore//policy",
        "@com_github_azure_azure_sdk_for_go_sdk_azidentity//:azidentity",
@ -53,10 +53,10 @@ go_test(
        "//cli/internal/iamid",
        "//cli/internal/terraform",
        "//internal/attestation/measurements",
+        "//internal/attestation/variant",
        "//internal/cloud/cloudprovider",
        "//internal/cloud/gcpshared",
        "//internal/config",
-        "//internal/variant",
        "@com_github_hashicorp_terraform_json//:terraform-json",
        "@com_github_stretchr_testify//assert",
        "@com_github_stretchr_testify//require",
--- a/cli/internal/cloudcmd/clients.go
+++ b/cli/internal/cloudcmd/clients.go
@ -11,8 +11,8 @@ import (
 	"io"

 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
 	tfjson "github.com/hashicorp/terraform-json"
 )

--- a/cli/internal/cloudcmd/clients_test.go
+++ b/cli/internal/cloudcmd/clients_test.go
@ -12,8 +12,8 @@ import (
 	"testing"

 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
 	tfjson "github.com/hashicorp/terraform-json"

 	"go.uber.org/goleak"
--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@ -21,11 +21,11 @@ import (
 	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
 	"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/imagefetcher"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
 )

 // Creator creates cloud resources.
@ -143,6 +143,7 @@ func (c *Creator) createAWS(ctx context.Context, cl terraformClient, opts Create
 		IAMProfileControlPlane: opts.Config.Provider.AWS.IAMProfileControlPlane,
 		IAMProfileWorkerNodes:  opts.Config.Provider.AWS.IAMProfileWorkerNodes,
 		Debug:                  opts.Config.IsDebugCluster(),
+		EnableSNP:              opts.Config.GetAttestationConfig().GetVariant().Equal(variant.AWSSEVSNP{}),
 	}

 	if err := cl.PrepareWorkspace(path.Join("terraform", strings.ToLower(cloudprovider.AWS.String())), &vars); err != nil {
--- a/cli/internal/cloudcmd/validators.go
+++ b/cli/internal/cloudcmd/validators.go
@ -16,8 +16,8 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/atls"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/config"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
 	"github.com/spf13/cobra"
 )

@ -31,7 +31,7 @@ func UpdateInitMeasurements(config config.AttestationCfg, ownerID, clusterID str
 	m := config.GetMeasurements()

 	switch config.GetVariant() {
-	case variant.AWSNitroTPM{}, variant.AzureTrustedLaunch{}, variant.AzureSEVSNP{}, variant.GCPSEVES{}, variant.QEMUVTPM{}:
+	case variant.AWSNitroTPM{}, variant.AWSSEVSNP{}, variant.AzureTrustedLaunch{}, variant.AzureSEVSNP{}, variant.GCPSEVES{}, variant.QEMUVTPM{}:
 		if err := updateMeasurementTPM(m, uint32(measurements.PCRIndexOwnerID), ownerID); err != nil {
 			return err
 		}