mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-11 07:29:29 -05:00
measurements: Add length field for WithAllBytes
This commit is contained in:
Nils Hanke
Malte Poll
parent
fe3622d982
commit
9e987778e0
@ -18,37 +18,37 @@ import (
|
||||
)
|
||||
|
||||
func TestValidatorUpdateInitPCRs(t *testing.T) {
|
||||
zero := measurements.WithAllBytes(0x00, measurements.WarnOnly)
|
||||
one := measurements.WithAllBytes(0x11, measurements.WarnOnly)
|
||||
zero := measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength)
|
||||
one := measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength)
|
||||
one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
|
||||
oneHash := sha256.Sum256(one.Expected[:])
|
||||
pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
|
||||
newTestPCRs := func() measurements.M {
|
||||
return measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
13: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
14: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
15: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
16: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
17: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
18: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
19: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
20: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
21: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
22: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
||||
23: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
2: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
3: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
4: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
5: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
6: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
7: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
8: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
9: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
10: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
11: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
12: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
13: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
14: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
15: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
16: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
17: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
18: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
19: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
20: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
21: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
22: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
23: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -430,13 +430,13 @@ func TestAttestation(t *testing.T) {
|
||||
cfg := config.Default()
|
||||
cfg.Image = "image"
|
||||
cfg.RemoveProviderExcept(cloudprovider.QEMU)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
|
||||
|
||||
newDialer := func(v atls.Validator) *dialer.Dialer {
|
||||
@ -537,21 +537,21 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
|
||||
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
||||
conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
|
||||
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
|
||||
conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
||||
conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
||||
conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
||||
conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
case cloudprovider.GCP:
|
||||
conf.Provider.GCP.Region = "test-region"
|
||||
conf.Provider.GCP.Project = "test-project"
|
||||
conf.Provider.GCP.Zone = "test-zone"
|
||||
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
|
||||
conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
||||
conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
||||
conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
||||
conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
case cloudprovider.QEMU:
|
||||
conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
||||
conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
||||
conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
||||
conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||
}
|
||||
|
||||
conf.RemoveProviderExcept(csp)
|
||||
|
||||
@ -21,6 +21,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versionsapi"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -39,7 +40,7 @@ func TestBuildString(t *testing.T) {
|
||||
upgrade: versionUpgrade{
|
||||
newServices: "v2.5.0",
|
||||
newImages: map[string]measurements.M{
|
||||
"v2.5.0": measurements.DefaultsFor(cloudprovider.QEMU),
|
||||
"v2.5.0": measurements.DefaultsFor(variant.QEMUVTPM{}),
|
||||
},
|
||||
newKubernetes: []string{"v1.24.12", "v1.25.6"},
|
||||
newCLI: []string{"v2.5.0", "v2.6.0"},
|
||||
@ -236,7 +237,7 @@ func TestUpgradeCheck(t *testing.T) {
|
||||
supportedServicesVersions: "v2.5.0",
|
||||
supportedImages: []versionsapi.Version{v2_3},
|
||||
supportedImageVersions: map[string]measurements.M{
|
||||
"v2.3.0": measurements.DefaultsFor(cloudprovider.QEMU),
|
||||
"v2.3.0": measurements.DefaultsFor(variant.QEMUVTPM{}),
|
||||
},
|
||||
supportedK8sVersions: []string{"v1.24.5", "v1.24.12", "v1.25.6"},
|
||||
currentServicesVersions: "v2.4.0",
|
||||
|
||||
@ -64,7 +64,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
config: &config.Config{
|
||||
Provider: config.ProviderConfig{AWS: &config.AWSConfig{}},
|
||||
Attestation: config.AttestationConfig{AWSNitroTPM: &config.AWSNitroTPM{
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||
}},
|
||||
},
|
||||
valuesModifier: prepareAWSValues,
|
||||
@ -76,7 +76,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
DeployCSIDriver: toPtr(true),
|
||||
}},
|
||||
Attestation: config.AttestationConfig{AzureSEVSNP: &config.AzureSEVSNP{
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||
FirmwareSignerConfig: config.SNPFirmwareSignerConfig{
|
||||
AcceptedKeyDigests: idkeydigest.List{bytes.Repeat([]byte{0xAA}, 32)},
|
||||
EnforcementPolicy: idkeydigest.MAAFallback,
|
||||
@ -95,7 +95,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
DeployCSIDriver: toPtr(true),
|
||||
}},
|
||||
Attestation: config.AttestationConfig{GCPSEVES: &config.GCPSEVES{
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||
}},
|
||||
},
|
||||
valuesModifier: prepareGCPValues,
|
||||
@ -105,7 +105,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
config: &config.Config{
|
||||
Provider: config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
|
||||
Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||
}},
|
||||
},
|
||||
valuesModifier: prepareOpenStackValues,
|
||||
@ -115,7 +115,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
config: &config.Config{
|
||||
Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{}},
|
||||
Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||
}},
|
||||
},
|
||||
valuesModifier: prepareQEMUValues,
|
||||
@ -525,7 +525,6 @@ func prepareOpenStackValues(values map[string]any) error {
|
||||
if !ok {
|
||||
return errors.New("missing 'join-service' key")
|
||||
}
|
||||
|
||||
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
|
||||
ccmVals, ok := values["ccm"].(map[string]any)
|
||||
@ -555,7 +554,6 @@ func prepareQEMUValues(values map[string]any) error {
|
||||
if !ok {
|
||||
return errors.New("missing 'join-service' key")
|
||||
}
|
||||
|
||||
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
|
||||
verificationVals, ok := values["verification-service"].(map[string]any)
|
||||
|
||||
@ -265,7 +265,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
||||
},
|
||||
newConfig: &config.GCPSEVES{
|
||||
Measurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
wantUpdate: true,
|
||||
@ -278,7 +278,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
||||
},
|
||||
newConfig: &config.GCPSEVES{
|
||||
Measurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -290,7 +290,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
||||
},
|
||||
newConfig: &config.GCPSEVES{
|
||||
Measurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
wantUpdate: true,
|
||||
@ -303,7 +303,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
||||
},
|
||||
newConfig: &config.GCPSEVES{
|
||||
Measurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
wantUpdate: true,
|
||||
@ -312,7 +312,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
||||
updater: &stubStableClient{getErr: someErr},
|
||||
newConfig: &config.GCPSEVES{
|
||||
Measurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
wantErr: true,
|
||||
@ -326,7 +326,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
||||
},
|
||||
newConfig: &config.GCPSEVES{
|
||||
Measurements: measurements.M{
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
wantErr: true,
|
||||
|
||||
@ -35,6 +35,8 @@ import (
|
||||
// this tool is used to generate hardcoded measurements for the enterprise build.
|
||||
// Measurements are embedded in the constellation cli.
|
||||
|
||||
// TODO(v2.8 | AB#3130): Update tool to use variant.Variant instead of cloudprovider.Provider
|
||||
|
||||
func main() {
|
||||
defaultConf := config.Default()
|
||||
log.Printf("Generating measurements for %s\n", defaultConf.Image)
|
||||
|
||||
@ -325,10 +325,12 @@ func (m *Measurement) unmarshal(eM encodedMeasurement) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// WithAllBytes returns a measurement value where all 32 bytes are set to b.
|
||||
func WithAllBytes(b byte, validationOpt MeasurementValidationOption) Measurement {
|
||||
// WithAllBytes returns a measurement value where all bytes are set to b. Takes a dynamic length as input.
|
||||
// Expected are either 32 bytes (PCRMeasurementLength) or 48 bytes (TDXMeasurementLength).
|
||||
// Over inputs are possible in this function, but potentially rejected elsewhere.
|
||||
func WithAllBytes(b byte, validationOpt MeasurementValidationOption, len int) Measurement {
|
||||
return Measurement{
|
||||
Expected: bytes.Repeat([]byte{b}, 32),
|
||||
Expected: bytes.Repeat([]byte{b}, len),
|
||||
ValidationOpt: validationOpt,
|
||||
}
|
||||
}
|
||||
|
||||
@ -8,60 +8,60 @@ SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
package measurements
|
||||
|
||||
import "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
)
|
||||
|
||||
// DefaultsFor provides the default measurements for given cloud provider.
|
||||
func DefaultsFor(provider cloudprovider.Provider) M {
|
||||
switch provider {
|
||||
case cloudprovider.AWS:
|
||||
func DefaultsFor(attestationVariant variant.Variant) M {
|
||||
switch attestationVariant {
|
||||
case variant.AWSNitroTPM{}:
|
||||
return M{
|
||||
4: PlaceHolderMeasurement(),
|
||||
8: WithAllBytes(0x00, Enforce),
|
||||
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
9: PlaceHolderMeasurement(),
|
||||
11: WithAllBytes(0x00, Enforce),
|
||||
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
12: PlaceHolderMeasurement(),
|
||||
13: WithAllBytes(0x00, Enforce),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
||||
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
}
|
||||
case cloudprovider.Azure:
|
||||
case variant.AzureSEVSNP{}:
|
||||
return M{
|
||||
4: PlaceHolderMeasurement(),
|
||||
8: WithAllBytes(0x00, Enforce),
|
||||
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
9: PlaceHolderMeasurement(),
|
||||
11: WithAllBytes(0x00, Enforce),
|
||||
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
12: PlaceHolderMeasurement(),
|
||||
13: WithAllBytes(0x00, Enforce),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
||||
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
}
|
||||
case cloudprovider.GCP:
|
||||
case variant.GCPSEVES{}:
|
||||
return M{
|
||||
4: PlaceHolderMeasurement(),
|
||||
8: WithAllBytes(0x00, Enforce),
|
||||
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
9: PlaceHolderMeasurement(),
|
||||
11: WithAllBytes(0x00, Enforce),
|
||||
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
12: PlaceHolderMeasurement(),
|
||||
13: WithAllBytes(0x00, Enforce),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
||||
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
}
|
||||
case cloudprovider.QEMU:
|
||||
case variant.QEMUTDX{}:
|
||||
return M{
|
||||
4: PlaceHolderMeasurement(),
|
||||
8: WithAllBytes(0x00, Enforce),
|
||||
9: PlaceHolderMeasurement(),
|
||||
11: WithAllBytes(0x00, Enforce),
|
||||
12: PlaceHolderMeasurement(),
|
||||
13: WithAllBytes(0x00, Enforce),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
||||
0: PlaceHolderMeasurement(),
|
||||
1: PlaceHolderMeasurement(),
|
||||
2: PlaceHolderMeasurement(),
|
||||
3: PlaceHolderMeasurement(),
|
||||
4: PlaceHolderMeasurement(),
|
||||
}
|
||||
case cloudprovider.OpenStack:
|
||||
case variant.QEMUVTPM{}:
|
||||
return M{
|
||||
4: PlaceHolderMeasurement(),
|
||||
8: WithAllBytes(0x00, Enforce),
|
||||
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
9: PlaceHolderMeasurement(),
|
||||
11: WithAllBytes(0x00, Enforce),
|
||||
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
12: PlaceHolderMeasurement(),
|
||||
13: WithAllBytes(0x00, Enforce),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
||||
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
}
|
||||
default:
|
||||
return nil
|
||||
|
||||
@ -206,8 +206,8 @@ func TestEncodeM(t *testing.T) {
|
||||
}{
|
||||
"basic": {
|
||||
m: M{
|
||||
1: WithAllBytes(1, false),
|
||||
2: WithAllBytes(2, true),
|
||||
1: WithAllBytes(1, false, PCRMeasurementLength),
|
||||
2: WithAllBytes(2, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
want: `1:
|
||||
expected: "0101010101010101010101010101010101010101010101010101010101010101"
|
||||
@ -219,10 +219,10 @@ func TestEncodeM(t *testing.T) {
|
||||
},
|
||||
"output is sorted": {
|
||||
m: M{
|
||||
3: WithAllBytes(0, false),
|
||||
1: WithAllBytes(0, false),
|
||||
11: WithAllBytes(0, false),
|
||||
2: WithAllBytes(0, false),
|
||||
3: WithAllBytes(0, false, PCRMeasurementLength),
|
||||
1: WithAllBytes(0, false, PCRMeasurementLength),
|
||||
11: WithAllBytes(0, false, PCRMeasurementLength),
|
||||
2: WithAllBytes(0, false, PCRMeasurementLength),
|
||||
},
|
||||
want: `1:
|
||||
expected: "0000000000000000000000000000000000000000000000000000000000000000"
|
||||
@ -261,48 +261,48 @@ func TestMeasurementsCopyFrom(t *testing.T) {
|
||||
"add to empty": {
|
||||
current: M{},
|
||||
newMeasurements: M{
|
||||
1: WithAllBytes(0x00, WarnOnly),
|
||||
2: WithAllBytes(0x01, WarnOnly),
|
||||
3: WithAllBytes(0x02, WarnOnly),
|
||||
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
wantMeasurements: M{
|
||||
1: WithAllBytes(0x00, WarnOnly),
|
||||
2: WithAllBytes(0x01, WarnOnly),
|
||||
3: WithAllBytes(0x02, WarnOnly),
|
||||
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
"keep existing": {
|
||||
current: M{
|
||||
4: WithAllBytes(0x01, Enforce),
|
||||
5: WithAllBytes(0x02, WarnOnly),
|
||||
4: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
5: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
newMeasurements: M{
|
||||
1: WithAllBytes(0x00, WarnOnly),
|
||||
2: WithAllBytes(0x01, WarnOnly),
|
||||
3: WithAllBytes(0x02, WarnOnly),
|
||||
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
wantMeasurements: M{
|
||||
1: WithAllBytes(0x00, WarnOnly),
|
||||
2: WithAllBytes(0x01, WarnOnly),
|
||||
3: WithAllBytes(0x02, WarnOnly),
|
||||
4: WithAllBytes(0x01, Enforce),
|
||||
5: WithAllBytes(0x02, WarnOnly),
|
||||
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
4: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
5: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
"overwrite existing": {
|
||||
current: M{
|
||||
2: WithAllBytes(0x04, Enforce),
|
||||
3: WithAllBytes(0x05, Enforce),
|
||||
2: WithAllBytes(0x04, Enforce, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x05, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
newMeasurements: M{
|
||||
1: WithAllBytes(0x00, WarnOnly),
|
||||
2: WithAllBytes(0x01, WarnOnly),
|
||||
3: WithAllBytes(0x02, WarnOnly),
|
||||
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
wantMeasurements: M{
|
||||
1: WithAllBytes(0x00, WarnOnly),
|
||||
2: WithAllBytes(0x01, WarnOnly),
|
||||
3: WithAllBytes(0x02, WarnOnly),
|
||||
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
}
|
||||
@ -371,7 +371,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
|
||||
signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa",
|
||||
signatureStatus: http.StatusOK,
|
||||
wantMeasurements: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24",
|
||||
},
|
||||
@ -382,7 +382,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
|
||||
signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=",
|
||||
signatureStatus: http.StatusOK,
|
||||
wantMeasurements: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4",
|
||||
},
|
||||
@ -492,15 +492,15 @@ func TestGetEnforced(t *testing.T) {
|
||||
}{
|
||||
"only warnings": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, WarnOnly),
|
||||
1: WithAllBytes(0x01, WarnOnly),
|
||||
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
want: map[uint32]struct{}{},
|
||||
},
|
||||
"all enforced": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
want: map[uint32]struct{}{
|
||||
0: {},
|
||||
@ -509,9 +509,9 @@ func TestGetEnforced(t *testing.T) {
|
||||
},
|
||||
"mixed": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, WarnOnly),
|
||||
2: WithAllBytes(0x02, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x02, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
want: map[uint32]struct{}{
|
||||
0: {},
|
||||
@ -543,56 +543,56 @@ func TestSetEnforced(t *testing.T) {
|
||||
}{
|
||||
"no enforced measurements": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
enforced: []uint32{},
|
||||
wantM: M{
|
||||
0: WithAllBytes(0x00, WarnOnly),
|
||||
1: WithAllBytes(0x01, WarnOnly),
|
||||
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
"all enforced measurements": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
enforced: []uint32{0, 1},
|
||||
wantM: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
"mixed": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, Enforce),
|
||||
2: WithAllBytes(0x02, Enforce),
|
||||
3: WithAllBytes(0x03, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x02, Enforce, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x03, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
enforced: []uint32{0, 2},
|
||||
wantM: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, WarnOnly),
|
||||
2: WithAllBytes(0x02, Enforce),
|
||||
3: WithAllBytes(0x03, WarnOnly),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
2: WithAllBytes(0x02, Enforce, PCRMeasurementLength),
|
||||
3: WithAllBytes(0x03, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
"warn only to enforced": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, WarnOnly),
|
||||
1: WithAllBytes(0x01, WarnOnly),
|
||||
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
enforced: []uint32{0, 1},
|
||||
wantM: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0x01, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
},
|
||||
"more enforced than measurements": {
|
||||
input: M{
|
||||
0: WithAllBytes(0x00, WarnOnly),
|
||||
1: WithAllBytes(0x01, WarnOnly),
|
||||
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
enforced: []uint32{0, 1, 2},
|
||||
wantErr: true,
|
||||
@ -622,7 +622,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
}{
|
||||
"0x00 warnOnly": {
|
||||
b: 0x00,
|
||||
warnOnly: true,
|
||||
warnOnly: WarnOnly,
|
||||
wantMeasurement: Measurement{
|
||||
Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
ValidationOpt: WarnOnly,
|
||||
@ -630,7 +630,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
},
|
||||
"0x00": {
|
||||
b: 0x00,
|
||||
warnOnly: false,
|
||||
warnOnly: Enforce,
|
||||
wantMeasurement: Measurement{
|
||||
Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
ValidationOpt: Enforce,
|
||||
@ -638,7 +638,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
},
|
||||
"0x01 warnOnly": {
|
||||
b: 0x01,
|
||||
warnOnly: true,
|
||||
warnOnly: WarnOnly,
|
||||
wantMeasurement: Measurement{
|
||||
Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
||||
ValidationOpt: WarnOnly,
|
||||
@ -646,7 +646,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
},
|
||||
"0x01": {
|
||||
b: 0x01,
|
||||
warnOnly: false,
|
||||
warnOnly: Enforce,
|
||||
wantMeasurement: Measurement{
|
||||
Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
||||
ValidationOpt: Enforce,
|
||||
@ -654,7 +654,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
},
|
||||
"0xFF warnOnly": {
|
||||
b: 0xFF,
|
||||
warnOnly: true,
|
||||
warnOnly: WarnOnly,
|
||||
wantMeasurement: Measurement{
|
||||
Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
|
||||
ValidationOpt: WarnOnly,
|
||||
@ -662,7 +662,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
},
|
||||
"0xFF": {
|
||||
b: 0xFF,
|
||||
warnOnly: false,
|
||||
warnOnly: Enforce,
|
||||
wantMeasurement: Measurement{
|
||||
Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
|
||||
ValidationOpt: Enforce,
|
||||
@ -673,7 +673,7 @@ func TestWithAllBytes(t *testing.T) {
|
||||
for name, tc := range testCases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
measurement := WithAllBytes(tc.b, tc.warnOnly)
|
||||
measurement := WithAllBytes(tc.b, tc.warnOnly, PCRMeasurementLength)
|
||||
assert.Equal(tc.wantMeasurement, measurement)
|
||||
})
|
||||
}
|
||||
@ -687,44 +687,44 @@ func TestEqualTo(t *testing.T) {
|
||||
}{
|
||||
"same values": {
|
||||
given: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0xFF, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
other: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0xFF, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
wantEqual: true,
|
||||
},
|
||||
"different number of elements": {
|
||||
given: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0xFF, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
other: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
wantEqual: false,
|
||||
},
|
||||
"different values": {
|
||||
given: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0xFF, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
other: M{
|
||||
0: WithAllBytes(0xFF, Enforce),
|
||||
1: WithAllBytes(0x00, Enforce),
|
||||
0: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
wantEqual: false,
|
||||
},
|
||||
"different warn settings": {
|
||||
given: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0xFF, Enforce),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||
},
|
||||
other: M{
|
||||
0: WithAllBytes(0x00, Enforce),
|
||||
1: WithAllBytes(0xFF, WarnOnly),
|
||||
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||
1: WithAllBytes(0xFF, WarnOnly, PCRMeasurementLength),
|
||||
},
|
||||
wantEqual: false,
|
||||
},
|
||||
|
||||
@ -70,9 +70,9 @@ func TestValidate(t *testing.T) {
|
||||
}
|
||||
|
||||
testExpectedPCRs := measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
1: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
1: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
}
|
||||
warnLog := &testAttestationLogger{}
|
||||
|
||||
@ -119,8 +119,8 @@ func TestValidate(t *testing.T) {
|
||||
require.Error(err)
|
||||
|
||||
expectedPCRs := measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||
2: measurements.Measurement{
|
||||
Expected: []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
||||
ValidationOpt: measurements.WarnOnly,
|
||||
|
||||
@ -12,7 +12,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"gopkg.in/yaml.v3"
|
||||
@ -26,19 +26,22 @@ func TestUnmarshalAttestationConfig(t *testing.T) {
|
||||
cfg AttestationCfg
|
||||
}{
|
||||
"AWSNitroTPM": {
|
||||
cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS)},
|
||||
cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})},
|
||||
},
|
||||
"AzureSEVSNP": {
|
||||
cfg: DefaultForAzureSEVSNP(),
|
||||
},
|
||||
"AzureTrustedLaunch": {
|
||||
cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure)},
|
||||
cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})},
|
||||
},
|
||||
"GCPSEVES": {
|
||||
cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP)},
|
||||
cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})},
|
||||
},
|
||||
"QEMUVTPM": {
|
||||
cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU)},
|
||||
cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})},
|
||||
},
|
||||
"QEMUTDX": {
|
||||
cfg: &QEMUTDX{Measurements: measurements.DefaultsFor(variant.QEMUTDX{})},
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
@ -344,11 +344,11 @@ func Default() *Config {
|
||||
},
|
||||
},
|
||||
Attestation: AttestationConfig{
|
||||
AWSNitroTPM: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS)},
|
||||
AWSNitroTPM: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})},
|
||||
AzureSEVSNP: DefaultForAzureSEVSNP(),
|
||||
AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure)},
|
||||
GCPSEVES: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP)},
|
||||
QEMUVTPM: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU)},
|
||||
AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})},
|
||||
GCPSEVES: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})},
|
||||
QEMUVTPM: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})},
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -727,7 +727,7 @@ type AzureSEVSNP struct {
|
||||
// TODO(AB#3042): replace with dynamic lookup for configurable values.
|
||||
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
||||
return &AzureSEVSNP{
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure),
|
||||
Measurements: measurements.DefaultsFor(variant.AzureSEVSNP{}),
|
||||
BootloaderVersion: 2,
|
||||
TEEVersion: 0,
|
||||
SNPVersion: 6,
|
||||
|
||||
@ -130,7 +130,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
||||
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
|
||||
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
|
||||
c.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
}
|
||||
return c
|
||||
}(),
|
||||
@ -152,7 +152,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
||||
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
|
||||
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
|
||||
c.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
}
|
||||
return c
|
||||
}(),
|
||||
@ -253,7 +253,7 @@ func TestValidate(t *testing.T) {
|
||||
cnf.Provider = ProviderConfig{}
|
||||
cnf.Provider.Azure = az
|
||||
cnf.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
}
|
||||
return cnf
|
||||
}(),
|
||||
@ -280,7 +280,7 @@ func TestValidate(t *testing.T) {
|
||||
cnf.Provider = ProviderConfig{}
|
||||
cnf.Provider.GCP = gcp
|
||||
cnf.Attestation.GCPSEVES.Measurements = measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
}
|
||||
return cnf
|
||||
}(),
|
||||
@ -404,9 +404,9 @@ func TestConfigGeneratedDocsFresh(t *testing.T) {
|
||||
func TestConfig_UpdateMeasurements(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
newMeasurements := measurements.M{
|
||||
1: measurements.WithAllBytes(0x00, measurements.Enforce),
|
||||
2: measurements.WithAllBytes(0x01, measurements.Enforce),
|
||||
3: measurements.WithAllBytes(0x02, measurements.Enforce),
|
||||
1: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
2: measurements.WithAllBytes(0x01, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
3: measurements.WithAllBytes(0x02, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
}
|
||||
|
||||
{ // AWS
|
||||
|
||||
@ -49,11 +49,11 @@ func TestNewUpdateableValidator(t *testing.T) {
|
||||
},
|
||||
"gcp": {
|
||||
variant: variant.GCPSEVES{},
|
||||
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
||||
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||
},
|
||||
"qemu": {
|
||||
variant: variant.QEMUVTPM{},
|
||||
config: &config.QEMUVTPM{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
||||
config: &config.QEMUVTPM{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||
},
|
||||
"no file": {
|
||||
variant: variant.AzureSEVSNP{},
|
||||
@ -61,7 +61,7 @@ func TestNewUpdateableValidator(t *testing.T) {
|
||||
},
|
||||
"invalid provider": {
|
||||
variant: fakeOID{1, 3, 9900, 9999, 9999},
|
||||
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
||||
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
@ -112,7 +112,7 @@ func TestUpdate(t *testing.T) {
|
||||
// write measurement config
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||
))
|
||||
|
||||
// call update once to initialize the server's validator
|
||||
@ -156,7 +156,7 @@ func TestOIDConcurrency(t *testing.T) {
|
||||
handler := file.NewHandler(afero.NewMemMapFs())
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||
))
|
||||
|
||||
// create server
|
||||
@ -196,7 +196,7 @@ func TestUpdateConcurrency(t *testing.T) {
|
||||
}
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||
file.OptNone,
|
||||
))
|
||||
|
||||
|
||||
@ -35,7 +35,7 @@ func main() {
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to read TPM measurements")
|
||||
}
|
||||
case oid.QEMUTDX{}:
|
||||
case variant.QEMUTDX{}:
|
||||
m, err = tdx.Measurements()
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to read Intel TDX measurements")
|
||||
|
||||
@ -23,9 +23,9 @@ func TestSortMeasurements(t *testing.T) {
|
||||
"pre sorted TPM": {
|
||||
measurementType: TPM,
|
||||
input: measurements.M{
|
||||
0: measurements.WithAllBytes(0x11, measurements.Enforce),
|
||||
1: measurements.WithAllBytes(0x22, measurements.Enforce),
|
||||
2: measurements.WithAllBytes(0x33, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
want: []Measurement{
|
||||
{
|
||||
@ -45,9 +45,9 @@ func TestSortMeasurements(t *testing.T) {
|
||||
"unsorted TPM": {
|
||||
measurementType: TPM,
|
||||
input: measurements.M{
|
||||
1: measurements.WithAllBytes(0x22, measurements.Enforce),
|
||||
0: measurements.WithAllBytes(0x11, measurements.Enforce),
|
||||
2: measurements.WithAllBytes(0x33, measurements.Enforce),
|
||||
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||
},
|
||||
want: []Measurement{
|
||||
{
|
||||
@ -67,44 +67,44 @@ func TestSortMeasurements(t *testing.T) {
|
||||
"pre sorted TDX": {
|
||||
measurementType: TDX,
|
||||
input: measurements.M{
|
||||
0: measurements.WithAllBytes(0x11, false),
|
||||
1: measurements.WithAllBytes(0x22, false),
|
||||
2: measurements.WithAllBytes(0x33, false),
|
||||
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||
},
|
||||
want: []Measurement{
|
||||
{
|
||||
Index: "MRTD",
|
||||
Value: bytes.Repeat([]byte{0x11}, 32),
|
||||
Value: bytes.Repeat([]byte{0x11}, 48),
|
||||
},
|
||||
{
|
||||
Index: "RTMR[0]",
|
||||
Value: bytes.Repeat([]byte{0x22}, 32),
|
||||
Value: bytes.Repeat([]byte{0x22}, 48),
|
||||
},
|
||||
{
|
||||
Index: "RTMR[1]",
|
||||
Value: bytes.Repeat([]byte{0x33}, 32),
|
||||
Value: bytes.Repeat([]byte{0x33}, 48),
|
||||
},
|
||||
},
|
||||
},
|
||||
"unsorted TDX": {
|
||||
measurementType: TDX,
|
||||
input: measurements.M{
|
||||
1: measurements.WithAllBytes(0x22, false),
|
||||
0: measurements.WithAllBytes(0x11, false),
|
||||
2: measurements.WithAllBytes(0x33, false),
|
||||
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||
},
|
||||
want: []Measurement{
|
||||
{
|
||||
Index: "MRTD",
|
||||
Value: bytes.Repeat([]byte{0x11}, 32),
|
||||
Value: bytes.Repeat([]byte{0x11}, 48),
|
||||
},
|
||||
{
|
||||
Index: "RTMR[0]",
|
||||
Value: bytes.Repeat([]byte{0x22}, 32),
|
||||
Value: bytes.Repeat([]byte{0x22}, 48),
|
||||
},
|
||||
{
|
||||
Index: "RTMR[1]",
|
||||
Value: bytes.Repeat([]byte{0x33}, 32),
|
||||
Value: bytes.Repeat([]byte{0x33}, 48),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
Loading…
Reference in New Issue
Block a user