Support SEV-SNP on GCP (#3011)

* terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2025-12-15 08:05:19 -05:00 · 2024-04-16 18:13:47 +02:00 · 2024-04-16 18:13:47 +02:00 · 913b09aeb8
commit 913b09aeb8
parent 485ebb151e
90 changed files with 1623 additions and 552 deletions
--- a/internal/api/attestationconfigapi/cli/BUILD.bazel
+++ b/internal/api/attestationconfigapi/cli/BUILD.bazel
@ -10,8 +10,6 @@ go_binary(
 go_library(
    name = "cli_lib",
    srcs = [
-        "aws.go",
-        "azure.go",
        "delete.go",
        "main.go",
        "upload.go",
@ -28,7 +26,7 @@ go_library(
        "//internal/logger",
        "//internal/staticupload",
        "//internal/verify",
-        "@com_github_aws_aws_sdk_go//aws",
+        "@com_github_aws_aws_sdk_go_v2//aws",
        "@com_github_aws_aws_sdk_go_v2_service_s3//:s3",
        "@com_github_aws_aws_sdk_go_v2_service_s3//types",
        "@com_github_spf13_afero//:afero",
--- a/internal/api/attestationconfigapi/cli/aws.go
+++ b/internal/api/attestationconfigapi/cli/aws.go
@ -1,24 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
-	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-)
-
-func deleteAWS(ctx context.Context, client *attestationconfigapi.Client, cfg deleteConfig) error {
-	if cfg.provider != cloudprovider.AWS || cfg.kind != snpReport {
-		return fmt.Errorf("provider %s and kind %s not supported", cfg.provider, cfg.kind)
-	}
-
-	return client.DeleteSEVSNPVersion(ctx, variant.AWSSEVSNP{}, cfg.version)
-}
--- a/internal/api/attestationconfigapi/cli/azure.go
+++ b/internal/api/attestationconfigapi/cli/azure.go
@ -1,61 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-
-package main
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/aws/aws-sdk-go-v2/service/s3"
-	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
-	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-	"github.com/edgelesssys/constellation/v2/internal/staticupload"
-)
-
-func deleteAzure(ctx context.Context, client *attestationconfigapi.Client, cfg deleteConfig) error {
-	if cfg.provider != cloudprovider.Azure && cfg.kind != snpReport {
-		return fmt.Errorf("provider %s and kind %s not supported", cfg.provider, cfg.kind)
-	}
-
-	return client.DeleteSEVSNPVersion(ctx, variant.AzureSEVSNP{}, cfg.version)
-}
-
-func deleteRecursive(ctx context.Context, path string, client *staticupload.Client, cfg deleteConfig) error {
-	resp, err := client.ListObjectsV2(ctx, &s3.ListObjectsV2Input{
-		Bucket: aws.String(cfg.bucket),
-		Prefix: aws.String(path),
-	})
-	if err != nil {
-		return err
-	}
-
-	// Delete all objects in the path.
-	objIDs := make([]s3types.ObjectIdentifier, len(resp.Contents))
-	for i, obj := range resp.Contents {
-		objIDs[i] = s3types.ObjectIdentifier{Key: obj.Key}
-	}
-	if len(objIDs) > 0 {
-		_, err = client.DeleteObjects(ctx, &s3.DeleteObjectsInput{
-			Bucket: aws.String(cfg.bucket),
-			Delete: &s3types.Delete{
-				Objects: objIDs,
-				Quiet:   toPtr(true),
-			},
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func toPtr[T any](v T) *T {
-	return &v
-}
--- a/internal/api/attestationconfigapi/cli/delete.go
+++ b/internal/api/attestationconfigapi/cli/delete.go
@ -6,11 +6,15 @@ SPDX-License-Identifier: AGPL-3.0-only
 package main

 import (
+	"context"
 	"errors"
 	"fmt"
 	"log/slog"
 	"path"

+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@ -22,7 +26,7 @@ import (
 // newDeleteCmd creates the delete command.
 func newDeleteCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:     "delete {azure|aws} {snp-report|guest-firmware} <version>",
+		Use:     "delete {aws|azure|gcp} {snp-report|guest-firmware} <version>",
 		Short:   "Delete an object from the attestationconfig API",
 		Long:    "Delete a specific object version from the config api. <version> is the name of the object to delete (without .json suffix)",
 		Example: "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY cli delete azure snp-report 1.0.0",
@ -32,7 +36,7 @@ func newDeleteCmd() *cobra.Command {
 	}

 	recursivelyCmd := &cobra.Command{
-		Use:     "recursive {azure|aws}",
+		Use:     "recursive {aws|azure|gcp}",
 		Short:   "delete all objects from the API path constellation/v1/attestation/<csp>",
 		Long:    "Delete all objects from the API path constellation/v1/attestation/<csp>",
 		Example: "COSIGN_PASSWORD=$CPW COSIGN_PRIVATE_KEY=$CKEY cli delete recursive azure",
@ -72,9 +76,11 @@ func runDelete(cmd *cobra.Command, args []string) (retErr error) {

 	switch deleteCfg.provider {
 	case cloudprovider.AWS:
-		return deleteAWS(cmd.Context(), client, deleteCfg)
+		return deleteEntry(cmd.Context(), variant.AWSSEVSNP{}, client, deleteCfg)
 	case cloudprovider.Azure:
-		return deleteAzure(cmd.Context(), client, deleteCfg)
+		return deleteEntry(cmd.Context(), variant.AzureSEVSNP{}, client, deleteCfg)
+	case cloudprovider.GCP:
+		return deleteEntry(cmd.Context(), variant.GCPSEVSNP{}, client, deleteCfg)
 	default:
 		return fmt.Errorf("unsupported cloud provider: %s", deleteCfg.provider)
 	}
@ -111,11 +117,13 @@ func runRecursiveDelete(cmd *cobra.Command, args []string) (retErr error) {
 		deletePath = path.Join(attestationconfigapi.AttestationURLPath, variant.AWSSEVSNP{}.String())
 	case cloudprovider.Azure:
 		deletePath = path.Join(attestationconfigapi.AttestationURLPath, variant.AzureSEVSNP{}.String())
+	case cloudprovider.GCP:
+		deletePath = path.Join(attestationconfigapi.AttestationURLPath, variant.GCPSEVSNP{}.String())
 	default:
 		return fmt.Errorf("unsupported cloud provider: %s", deleteCfg.provider)
 	}

-	return deleteRecursive(cmd.Context(), deletePath, client, deleteCfg)
+	return deleteEntryRecursive(cmd.Context(), deletePath, client, deleteCfg)
 }

 type deleteConfig struct {
@ -161,3 +169,44 @@ func newDeleteConfig(cmd *cobra.Command, args [3]string) (deleteConfig, error) {
 		cosignPublicKey: apiCfg.cosignPublicKey,
 	}, nil
 }
+
+func deleteEntry(ctx context.Context, attvar variant.Variant, client *attestationconfigapi.Client, cfg deleteConfig) error {
+	if cfg.kind != snpReport {
+		return fmt.Errorf("kind %s not supported", cfg.kind)
+	}
+
+	return client.DeleteSEVSNPVersion(ctx, attvar, cfg.version)
+}
+
+func deleteEntryRecursive(ctx context.Context, path string, client *staticupload.Client, cfg deleteConfig) error {
+	resp, err := client.ListObjectsV2(ctx, &s3.ListObjectsV2Input{
+		Bucket: aws.String(cfg.bucket),
+		Prefix: aws.String(path),
+	})
+	if err != nil {
+		return err
+	}
+
+	// Delete all objects in the path.
+	objIDs := make([]s3types.ObjectIdentifier, len(resp.Contents))
+	for i, obj := range resp.Contents {
+		objIDs[i] = s3types.ObjectIdentifier{Key: obj.Key}
+	}
+	if len(objIDs) > 0 {
+		_, err = client.DeleteObjects(ctx, &s3.DeleteObjectsInput{
+			Bucket: aws.String(cfg.bucket),
+			Delete: &s3types.Delete{
+				Objects: objIDs,
+				Quiet:   toPtr(true),
+			},
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func toPtr[T any](v T) *T {
+	return &v
+}
--- a/internal/api/attestationconfigapi/cli/e2e/test.sh.in
+++ b/internal/api/attestationconfigapi/cli/e2e/test.sh.in
@ -26,6 +26,9 @@ function variant() {
  elif [[ $1 == "azure" ]]; then
    echo "azure-sev-snp"
    return 0
+  elif [[ $1 == "gcp" ]]; then
+    echo "gcp-sev-snp"
+    return 0
  else
    echo "Unknown CSP: $1"
    exit 1
--- a/internal/api/attestationconfigapi/cli/upload.go
+++ b/internal/api/attestationconfigapi/cli/upload.go
@ -26,7 +26,7 @@ import (

 func newUploadCmd() *cobra.Command {
 	uploadCmd := &cobra.Command{
-		Use:   "upload {azure|aws} {snp-report|guest-firmware} <path>",
+		Use:   "upload {aws|azure|gcp} {snp-report|guest-firmware} <path>",
 		Short: "Upload an object to the attestationconfig API",

 		Long: fmt.Sprintf("Upload a new object to the attestationconfig API. For snp-reports the new object is added to a cache folder first."+
@ -92,17 +92,19 @@ func runUpload(cmd *cobra.Command, args []string) (retErr error) {
 		return fmt.Errorf("creating client: %w", err)
 	}

-	var attesation variant.Variant
+	var attestation variant.Variant
 	switch uploadCfg.provider {
 	case cloudprovider.AWS:
-		attesation = variant.AWSSEVSNP{}
+		attestation = variant.AWSSEVSNP{}
 	case cloudprovider.Azure:
-		attesation = variant.AzureSEVSNP{}
+		attestation = variant.AzureSEVSNP{}
+	case cloudprovider.GCP:
+		attestation = variant.GCPSEVSNP{}
 	default:
 		return fmt.Errorf("unsupported cloud provider: %s", uploadCfg.provider)
 	}

-	return uploadReport(ctx, attesation, client, uploadCfg, file.NewHandler(afero.NewOsFs()), log)
+	return uploadReport(ctx, attestation, client, uploadCfg, file.NewHandler(afero.NewOsFs()), log)
 }

 func uploadReport(ctx context.Context,