Support SEV-SNP on GCP (#3011)

* terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2025-09-18 03:54:37 -04:00 · 2024-04-16 18:13:47 +02:00 · 2024-04-16 18:13:47 +02:00 · 913b09aeb8
commit 913b09aeb8
parent 485ebb151e
90 changed files with 1623 additions and 552 deletions
--- a/internal/attestation/snp/snp_test.go
+++ b/internal/attestation/snp/snp_test.go
@ -149,12 +149,24 @@ func TestAttestationWithCerts(t *testing.T) {
 		wantErr       bool
 	}{
 		"success": {
+			report:        defaultReport,
+			idkeydigest:   "57e229e0ffe5fa92d0faddff6cae0e61c926fc9ef9afd20a8b8cfcf7129db9338cbe5bf3f6987733a2bf65d06dc38fc1",
+			reportSigner:  testdata.AzureThimVCEK,
+			certChain:     testdata.CertChain,
+			fallbackCerts: CertificateChain{ark: testdataArk},
+			expectedArk:   testdataArk,
+			expectedAsk:   testdataAsk,
+			getter:        newStubHTTPSGetter(&urlResponseMatcher{}, nil),
+		},
+		"ark only in pre-fetched cert-chain": {
 			report:       defaultReport,
 			idkeydigest:  "57e229e0ffe5fa92d0faddff6cae0e61c926fc9ef9afd20a8b8cfcf7129db9338cbe5bf3f6987733a2bf65d06dc38fc1",
 			reportSigner: testdata.AzureThimVCEK,
 			certChain:    testdata.CertChain,
 			expectedArk:  testdataArk,
 			expectedAsk:  testdataAsk,
+			getter:       newStubHTTPSGetter(nil, assert.AnError),
+			wantErr:      true,
 		},
 		"vlek success": {
 			report:       vlekReport,
@ -173,9 +185,10 @@ func TestAttestationWithCerts(t *testing.T) {
 			),
 		},
 		"retrieve vcek": {
-			report:      defaultReport,
-			idkeydigest: "57e229e0ffe5fa92d0faddff6cae0e61c926fc9ef9afd20a8b8cfcf7129db9338cbe5bf3f6987733a2bf65d06dc38fc1",
-			certChain:   testdata.CertChain,
+			report:        defaultReport,
+			idkeydigest:   "57e229e0ffe5fa92d0faddff6cae0e61c926fc9ef9afd20a8b8cfcf7129db9338cbe5bf3f6987733a2bf65d06dc38fc1",
+			certChain:     testdata.CertChain,
+			fallbackCerts: CertificateChain{ark: testdataArk},
 			getter: newStubHTTPSGetter(
 				&urlResponseMatcher{
 					vcekResponse:    testdata.AmdKdsVCEK,
@ -205,25 +218,9 @@ func TestAttestationWithCerts(t *testing.T) {
 			idkeydigest:   "57e229e0ffe5fa92d0faddff6cae0e61c926fc9ef9afd20a8b8cfcf7129db9338cbe5bf3f6987733a2bf65d06dc38fc1",
 			reportSigner:  testdata.AzureThimVCEK,
 			fallbackCerts: NewCertificateChain(exampleCert, exampleCert),
-			getter: newStubHTTPSGetter(
-				&urlResponseMatcher{},
-				nil,
-			),
-			expectedArk: exampleCert,
-			expectedAsk: exampleCert,
-		},
-		"use certchain with fallback certs": {
-			report:        defaultReport,
-			idkeydigest:   "57e229e0ffe5fa92d0faddff6cae0e61c926fc9ef9afd20a8b8cfcf7129db9338cbe5bf3f6987733a2bf65d06dc38fc1",
-			certChain:     testdata.CertChain,
-			reportSigner:  testdata.AzureThimVCEK,
-			fallbackCerts: NewCertificateChain(&x509.Certificate{}, &x509.Certificate{}),
-			getter: newStubHTTPSGetter(
-				&urlResponseMatcher{},
-				nil,
-			),
-			expectedArk: testdataArk,
-			expectedAsk: testdataAsk,
+			getter:        newStubHTTPSGetter(&urlResponseMatcher{}, nil),
+			expectedArk:   exampleCert,
+			expectedAsk:   exampleCert,
 		},
 		"retrieve vcek and certchain": {
 			report:      defaultReport,
@ -242,10 +239,12 @@ func TestAttestationWithCerts(t *testing.T) {
 		},
 		"report too short": {
 			report:  defaultReport[:len(defaultReport)-100],
+			getter:  newStubHTTPSGetter(nil, assert.AnError),
 			wantErr: true,
 		},
 		"corrupted report": {
 			report:  defaultReport[10 : len(defaultReport)-10],
+			getter:  newStubHTTPSGetter(nil, assert.AnError),
 			wantErr: true,
 		},
 		"certificate fetch error": {