Add qemu vTPM issuer and validator

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2022-04-21 16:27:34 +02:00 · 2022-04-21 16:27:34 +02:00 · 956ced6e3d
commit 956ced6e3d
parent f5aafd8178
5 changed files with 71 additions and 6 deletions
--- a/coordinator/attestation/azure/validator.go
+++ b/coordinator/attestation/azure/validator.go
@ -8,16 +8,13 @@ import (
 	"github.com/google/go-tpm/tpm2"
 )

-// PCRs are the expected PCR values for uninitialized Azure Constellation nodes.
-var PCRs = map[uint32][]byte{}
-
-// Validator for GCP confindetial VM attestation.
+// Validator for Azure confidential VM attestation.
 type Validator struct {
 	oid.Azure
 	*vtpm.Validator
 }

-// NewValidator initializes a new GCP validator with the provided PCR values.
+// NewValidator initializes a new Azure validator with the provided PCR values.
 func NewValidator(pcrs map[uint32][]byte) *Validator {
 	return &Validator{
 		Validator: vtpm.NewValidator(
--- a/coordinator/attestation/gcp/issuer.go
+++ b/coordinator/attestation/gcp/issuer.go
@ -12,7 +12,7 @@ import (
 	"github.com/google/go-tpm-tools/proto/attest"
 )

-// Issuer for GCP confindetial VM attestation.
+// Issuer for GCP confidential VM attestation.
 type Issuer struct {
 	oid.GCP
 	*vtpm.Issuer
--- a/coordinator/attestation/qemu/issuer.go
+++ b/coordinator/attestation/qemu/issuer.go
@ -0,0 +1,26 @@
+package qemu
+
+import (
+	"io"
+
+	"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
+	"github.com/edgelesssys/constellation/coordinator/oid"
+	tpmclient "github.com/google/go-tpm-tools/client"
+)
+
+// Issuer for qemu TPM attestation.
+type Issuer struct {
+	oid.QEMU
+	*vtpm.Issuer
+}
+
+// NewIssuer initializes a new Azure Issuer.
+func NewIssuer() *Issuer {
+	return &Issuer{
+		Issuer: vtpm.NewIssuer(
+			vtpm.OpenVTPM,
+			tpmclient.AttestationKeyRSA,
+			func(tpm io.ReadWriteCloser) ([]byte, error) { return nil, nil },
+		),
+	}
+}
--- a/coordinator/attestation/qemu/validator.go
+++ b/coordinator/attestation/qemu/validator.go
@ -0,0 +1,36 @@
+package qemu
+
+import (
+	"crypto"
+
+	"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
+	"github.com/edgelesssys/constellation/coordinator/oid"
+	"github.com/google/go-tpm/tpm2"
+)
+
+// Validator for QEMU VM attestation.
+type Validator struct {
+	oid.QEMU
+	*vtpm.Validator
+}
+
+// NewValidator initializes a new qemu validator with the provided PCR values.
+func NewValidator(pcrs map[uint32][]byte) *Validator {
+	return &Validator{
+		Validator: vtpm.NewValidator(
+			pcrs,
+			unconditionalTrust,
+			func(attestation vtpm.AttestationDocument) error { return nil },
+			vtpm.VerifyPKCS1v15,
+		),
+	}
+}
+
+// unconditionalTrust returns the given public key as the trusted attestation key.
+func unconditionalTrust(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
+	pubArea, err := tpm2.DecodePublic(akPub)
+	if err != nil {
+		return nil, err
+	}
+	return pubArea.Key()
+}
--- a/coordinator/oid/oid.go
+++ b/coordinator/oid/oid.go
@ -35,6 +35,12 @@ func (Azure) OID() asn1.ObjectIdentifier {
 	return asn1.ObjectIdentifier{1, 3, 9900, 4}
 }

+type QEMU struct{}
+
+func (QEMU) OID() asn1.ObjectIdentifier {
+	return asn1.ObjectIdentifier{1, 3, 9900, 5}
+}
+
 // TODO: Remove once we no longer use non cvms.
 type GCPNonCVM struct{}