From 9e987778e0b55840a79527d80d3eea914ee1745e Mon Sep 17 00:00:00 2001 From: Nils Hanke Date: Fri, 10 Mar 2023 11:33:06 +0100 Subject: [PATCH] measurements: Add length field for WithAllBytes --- cli/internal/cloudcmd/validators_test.go | 52 +++--- cli/internal/cmd/init_test.go | 32 ++-- cli/internal/cmd/upgradecheck_test.go | 5 +- cli/internal/helm/loader_test.go | 12 +- cli/internal/kubernetes/upgrade_test.go | 12 +- .../measurement-generator/generate.go | 2 + .../attestation/measurements/measurements.go | 8 +- .../measurements/measurements_oss.go | 62 +++---- .../measurements/measurements_test.go | 166 +++++++++--------- internal/attestation/vtpm/attestation_test.go | 10 +- internal/config/attestation_test.go | 13 +- internal/config/config.go | 10 +- internal/config/config_test.go | 14 +- internal/watcher/validator_test.go | 12 +- measurement-reader/cmd/main.go | 2 +- .../internal/sorted/sorted_test.go | 36 ++-- 16 files changed, 227 insertions(+), 221 deletions(-) diff --git a/cli/internal/cloudcmd/validators_test.go b/cli/internal/cloudcmd/validators_test.go index f0003f998..42f78bc04 100644 --- a/cli/internal/cloudcmd/validators_test.go +++ b/cli/internal/cloudcmd/validators_test.go @@ -18,37 +18,37 @@ import ( ) func TestValidatorUpdateInitPCRs(t *testing.T) { - zero := measurements.WithAllBytes(0x00, measurements.WarnOnly) - one := measurements.WithAllBytes(0x11, measurements.WarnOnly) + zero := measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength) + one := measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength) one64 := base64.StdEncoding.EncodeToString(one.Expected[:]) oneHash := sha256.Sum256(one.Expected[:]) pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...)) newTestPCRs := func() measurements.M { return measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 1: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 2: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 3: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 4: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 5: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 6: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 7: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 8: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 9: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 10: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 11: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 12: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 13: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 14: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 15: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 16: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 17: measurements.WithAllBytes(0x11, measurements.WarnOnly), - 18: measurements.WithAllBytes(0x11, measurements.WarnOnly), - 19: measurements.WithAllBytes(0x11, measurements.WarnOnly), - 20: measurements.WithAllBytes(0x11, measurements.WarnOnly), - 21: measurements.WithAllBytes(0x11, measurements.WarnOnly), - 22: measurements.WithAllBytes(0x11, measurements.WarnOnly), - 23: measurements.WithAllBytes(0x00, measurements.WarnOnly), + 0: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 1: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 2: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 3: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 4: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 5: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 6: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 7: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 8: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 9: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 10: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 11: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 12: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 13: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 14: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 15: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 16: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 17: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength), + 18: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength), + 19: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength), + 20: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength), + 21: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength), + 22: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength), + 23: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), } } diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go index 04912969e..7c341d82e 100644 --- a/cli/internal/cmd/init_test.go +++ b/cli/internal/cmd/init_test.go @@ -430,13 +430,13 @@ func TestAttestation(t *testing.T) { cfg := config.Default() cfg.Image = "image" cfg.RemoveProviderExcept(cloudprovider.QEMU) - cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce) - cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce) - cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce) - cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce) - cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce) - cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce) - cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce) + cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength) + cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength) + cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength) + cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength) + cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength) + cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce, measurements.PCRMeasurementLength) + cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength) require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone)) newDialer := func(v atls.Validator) *dialer.Dialer { @@ -537,21 +537,21 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs conf.Provider.Azure.ResourceGroup = "test-resource-group" conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab" conf.Provider.Azure.ClientSecretValue = "test-client-secret" - conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce) - conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce) - conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce) + conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength) + conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength) + conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength) case cloudprovider.GCP: conf.Provider.GCP.Region = "test-region" conf.Provider.GCP.Project = "test-project" conf.Provider.GCP.Zone = "test-zone" conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path" - conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce) - conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce) - conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce) + conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength) + conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength) + conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength) case cloudprovider.QEMU: - conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce) - conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce) - conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce) + conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength) + conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength) + conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength) } conf.RemoveProviderExcept(csp) diff --git a/cli/internal/cmd/upgradecheck_test.go b/cli/internal/cmd/upgradecheck_test.go index 39bae2746..06b5f3157 100644 --- a/cli/internal/cmd/upgradecheck_test.go +++ b/cli/internal/cmd/upgradecheck_test.go @@ -21,6 +21,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/logger" + "github.com/edgelesssys/constellation/v2/internal/variant" "github.com/edgelesssys/constellation/v2/internal/versionsapi" "github.com/spf13/afero" "github.com/stretchr/testify/assert" @@ -39,7 +40,7 @@ func TestBuildString(t *testing.T) { upgrade: versionUpgrade{ newServices: "v2.5.0", newImages: map[string]measurements.M{ - "v2.5.0": measurements.DefaultsFor(cloudprovider.QEMU), + "v2.5.0": measurements.DefaultsFor(variant.QEMUVTPM{}), }, newKubernetes: []string{"v1.24.12", "v1.25.6"}, newCLI: []string{"v2.5.0", "v2.6.0"}, @@ -236,7 +237,7 @@ func TestUpgradeCheck(t *testing.T) { supportedServicesVersions: "v2.5.0", supportedImages: []versionsapi.Version{v2_3}, supportedImageVersions: map[string]measurements.M{ - "v2.3.0": measurements.DefaultsFor(cloudprovider.QEMU), + "v2.3.0": measurements.DefaultsFor(variant.QEMUVTPM{}), }, supportedK8sVersions: []string{"v1.24.5", "v1.24.12", "v1.25.6"}, currentServicesVersions: "v2.4.0", diff --git a/cli/internal/helm/loader_test.go b/cli/internal/helm/loader_test.go index 11d04847e..6197def69 100644 --- a/cli/internal/helm/loader_test.go +++ b/cli/internal/helm/loader_test.go @@ -64,7 +64,7 @@ func TestConstellationServices(t *testing.T) { config: &config.Config{ Provider: config.ProviderConfig{AWS: &config.AWSConfig{}}, Attestation: config.AttestationConfig{AWSNitroTPM: &config.AWSNitroTPM{ - Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}, + Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)}, }}, }, valuesModifier: prepareAWSValues, @@ -76,7 +76,7 @@ func TestConstellationServices(t *testing.T) { DeployCSIDriver: toPtr(true), }}, Attestation: config.AttestationConfig{AzureSEVSNP: &config.AzureSEVSNP{ - Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}, + Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)}, FirmwareSignerConfig: config.SNPFirmwareSignerConfig{ AcceptedKeyDigests: idkeydigest.List{bytes.Repeat([]byte{0xAA}, 32)}, EnforcementPolicy: idkeydigest.MAAFallback, @@ -95,7 +95,7 @@ func TestConstellationServices(t *testing.T) { DeployCSIDriver: toPtr(true), }}, Attestation: config.AttestationConfig{GCPSEVES: &config.GCPSEVES{ - Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}, + Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)}, }}, }, valuesModifier: prepareGCPValues, @@ -105,7 +105,7 @@ func TestConstellationServices(t *testing.T) { config: &config.Config{ Provider: config.ProviderConfig{OpenStack: &config.OpenStackConfig{}}, Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{ - Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}, + Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)}, }}, }, valuesModifier: prepareOpenStackValues, @@ -115,7 +115,7 @@ func TestConstellationServices(t *testing.T) { config: &config.Config{ Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{}}, Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{ - Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}, + Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)}, }}, }, valuesModifier: prepareQEMUValues, @@ -525,7 +525,6 @@ func prepareOpenStackValues(values map[string]any) error { if !ok { return errors.New("missing 'join-service' key") } - joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ccmVals, ok := values["ccm"].(map[string]any) @@ -555,7 +554,6 @@ func prepareQEMUValues(values map[string]any) error { if !ok { return errors.New("missing 'join-service' key") } - joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" verificationVals, ok := values["verification-service"].(map[string]any) diff --git a/cli/internal/kubernetes/upgrade_test.go b/cli/internal/kubernetes/upgrade_test.go index 957847380..bcbae368d 100644 --- a/cli/internal/kubernetes/upgrade_test.go +++ b/cli/internal/kubernetes/upgrade_test.go @@ -265,7 +265,7 @@ func TestUpdateMeasurements(t *testing.T) { }, newConfig: &config.GCPSEVES{ Measurements: measurements.M{ - 0: measurements.WithAllBytes(0xBB, measurements.Enforce), + 0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength), }, }, wantUpdate: true, @@ -278,7 +278,7 @@ func TestUpdateMeasurements(t *testing.T) { }, newConfig: &config.GCPSEVES{ Measurements: measurements.M{ - 0: measurements.WithAllBytes(0xAA, measurements.Enforce), + 0: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength), }, }, }, @@ -290,7 +290,7 @@ func TestUpdateMeasurements(t *testing.T) { }, newConfig: &config.GCPSEVES{ Measurements: measurements.M{ - 0: measurements.WithAllBytes(0xAA, measurements.WarnOnly), + 0: measurements.WithAllBytes(0xAA, measurements.WarnOnly, measurements.PCRMeasurementLength), }, }, wantUpdate: true, @@ -303,7 +303,7 @@ func TestUpdateMeasurements(t *testing.T) { }, newConfig: &config.GCPSEVES{ Measurements: measurements.M{ - 0: measurements.WithAllBytes(0xAA, measurements.Enforce), + 0: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength), }, }, wantUpdate: true, @@ -312,7 +312,7 @@ func TestUpdateMeasurements(t *testing.T) { updater: &stubStableClient{getErr: someErr}, newConfig: &config.GCPSEVES{ Measurements: measurements.M{ - 0: measurements.WithAllBytes(0xBB, measurements.Enforce), + 0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength), }, }, wantErr: true, @@ -326,7 +326,7 @@ func TestUpdateMeasurements(t *testing.T) { }, newConfig: &config.GCPSEVES{ Measurements: measurements.M{ - 0: measurements.WithAllBytes(0xBB, measurements.Enforce), + 0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength), }, }, wantErr: true, diff --git a/internal/attestation/measurements/measurement-generator/generate.go b/internal/attestation/measurements/measurement-generator/generate.go index fbafbb4fc..319d6469a 100644 --- a/internal/attestation/measurements/measurement-generator/generate.go +++ b/internal/attestation/measurements/measurement-generator/generate.go @@ -35,6 +35,8 @@ import ( // this tool is used to generate hardcoded measurements for the enterprise build. // Measurements are embedded in the constellation cli. +// TODO(v2.8 | AB#3130): Update tool to use variant.Variant instead of cloudprovider.Provider + func main() { defaultConf := config.Default() log.Printf("Generating measurements for %s\n", defaultConf.Image) diff --git a/internal/attestation/measurements/measurements.go b/internal/attestation/measurements/measurements.go index bfda46923..6e91a1413 100644 --- a/internal/attestation/measurements/measurements.go +++ b/internal/attestation/measurements/measurements.go @@ -325,10 +325,12 @@ func (m *Measurement) unmarshal(eM encodedMeasurement) error { return nil } -// WithAllBytes returns a measurement value where all 32 bytes are set to b. -func WithAllBytes(b byte, validationOpt MeasurementValidationOption) Measurement { +// WithAllBytes returns a measurement value where all bytes are set to b. Takes a dynamic length as input. +// Expected are either 32 bytes (PCRMeasurementLength) or 48 bytes (TDXMeasurementLength). +// Over inputs are possible in this function, but potentially rejected elsewhere. +func WithAllBytes(b byte, validationOpt MeasurementValidationOption, len int) Measurement { return Measurement{ - Expected: bytes.Repeat([]byte{b}, 32), + Expected: bytes.Repeat([]byte{b}, len), ValidationOpt: validationOpt, } } diff --git a/internal/attestation/measurements/measurements_oss.go b/internal/attestation/measurements/measurements_oss.go index eb17b71a8..bf69f7bf0 100644 --- a/internal/attestation/measurements/measurements_oss.go +++ b/internal/attestation/measurements/measurements_oss.go @@ -8,60 +8,60 @@ SPDX-License-Identifier: AGPL-3.0-only package measurements -import "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" +import ( + "github.com/edgelesssys/constellation/v2/internal/variant" +) // DefaultsFor provides the default measurements for given cloud provider. -func DefaultsFor(provider cloudprovider.Provider) M { - switch provider { - case cloudprovider.AWS: +func DefaultsFor(attestationVariant variant.Variant) M { + switch attestationVariant { + case variant.AWSNitroTPM{}: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, Enforce), + 8: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, Enforce), + 11: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, Enforce), - uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), + 13: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength), } - case cloudprovider.Azure: + case variant.AzureSEVSNP{}: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, Enforce), + 8: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, Enforce), + 11: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, Enforce), - uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), + 13: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength), } - case cloudprovider.GCP: + case variant.GCPSEVES{}: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, Enforce), + 8: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, Enforce), + 11: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, Enforce), - uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), + 13: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength), } - case cloudprovider.QEMU: + case variant.QEMUTDX{}: return M{ - 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, Enforce), - 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, Enforce), - 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, Enforce), - uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), + 0: PlaceHolderMeasurement(), + 1: PlaceHolderMeasurement(), + 2: PlaceHolderMeasurement(), + 3: PlaceHolderMeasurement(), + 4: PlaceHolderMeasurement(), } - case cloudprovider.OpenStack: + case variant.QEMUVTPM{}: return M{ 4: PlaceHolderMeasurement(), - 8: WithAllBytes(0x00, Enforce), + 8: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 9: PlaceHolderMeasurement(), - 11: WithAllBytes(0x00, Enforce), + 11: WithAllBytes(0x00, Enforce, PCRMeasurementLength), 12: PlaceHolderMeasurement(), - 13: WithAllBytes(0x00, Enforce), - uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce), + 13: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength), } default: return nil diff --git a/internal/attestation/measurements/measurements_test.go b/internal/attestation/measurements/measurements_test.go index ea605f8f0..71a4972f1 100644 --- a/internal/attestation/measurements/measurements_test.go +++ b/internal/attestation/measurements/measurements_test.go @@ -206,8 +206,8 @@ func TestEncodeM(t *testing.T) { }{ "basic": { m: M{ - 1: WithAllBytes(1, false), - 2: WithAllBytes(2, true), + 1: WithAllBytes(1, false, PCRMeasurementLength), + 2: WithAllBytes(2, WarnOnly, PCRMeasurementLength), }, want: `1: expected: "0101010101010101010101010101010101010101010101010101010101010101" @@ -219,10 +219,10 @@ func TestEncodeM(t *testing.T) { }, "output is sorted": { m: M{ - 3: WithAllBytes(0, false), - 1: WithAllBytes(0, false), - 11: WithAllBytes(0, false), - 2: WithAllBytes(0, false), + 3: WithAllBytes(0, false, PCRMeasurementLength), + 1: WithAllBytes(0, false, PCRMeasurementLength), + 11: WithAllBytes(0, false, PCRMeasurementLength), + 2: WithAllBytes(0, false, PCRMeasurementLength), }, want: `1: expected: "0000000000000000000000000000000000000000000000000000000000000000" @@ -261,48 +261,48 @@ func TestMeasurementsCopyFrom(t *testing.T) { "add to empty": { current: M{}, newMeasurements: M{ - 1: WithAllBytes(0x00, WarnOnly), - 2: WithAllBytes(0x01, WarnOnly), - 3: WithAllBytes(0x02, WarnOnly), + 1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, wantMeasurements: M{ - 1: WithAllBytes(0x00, WarnOnly), - 2: WithAllBytes(0x01, WarnOnly), - 3: WithAllBytes(0x02, WarnOnly), + 1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, }, "keep existing": { current: M{ - 4: WithAllBytes(0x01, Enforce), - 5: WithAllBytes(0x02, WarnOnly), + 4: WithAllBytes(0x01, Enforce, PCRMeasurementLength), + 5: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, newMeasurements: M{ - 1: WithAllBytes(0x00, WarnOnly), - 2: WithAllBytes(0x01, WarnOnly), - 3: WithAllBytes(0x02, WarnOnly), + 1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, wantMeasurements: M{ - 1: WithAllBytes(0x00, WarnOnly), - 2: WithAllBytes(0x01, WarnOnly), - 3: WithAllBytes(0x02, WarnOnly), - 4: WithAllBytes(0x01, Enforce), - 5: WithAllBytes(0x02, WarnOnly), + 1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), + 4: WithAllBytes(0x01, Enforce, PCRMeasurementLength), + 5: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, }, "overwrite existing": { current: M{ - 2: WithAllBytes(0x04, Enforce), - 3: WithAllBytes(0x05, Enforce), + 2: WithAllBytes(0x04, Enforce, PCRMeasurementLength), + 3: WithAllBytes(0x05, Enforce, PCRMeasurementLength), }, newMeasurements: M{ - 1: WithAllBytes(0x00, WarnOnly), - 2: WithAllBytes(0x01, WarnOnly), - 3: WithAllBytes(0x02, WarnOnly), + 1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, wantMeasurements: M{ - 1: WithAllBytes(0x00, WarnOnly), - 2: WithAllBytes(0x01, WarnOnly), - 3: WithAllBytes(0x02, WarnOnly), + 1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength), }, }, } @@ -371,7 +371,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa", signatureStatus: http.StatusOK, wantMeasurements: M{ - 0: WithAllBytes(0x00, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), }, wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24", }, @@ -382,7 +382,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) { signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=", signatureStatus: http.StatusOK, wantMeasurements: M{ - 0: WithAllBytes(0x00, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), }, wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4", }, @@ -492,15 +492,15 @@ func TestGetEnforced(t *testing.T) { }{ "only warnings": { input: M{ - 0: WithAllBytes(0x00, WarnOnly), - 1: WithAllBytes(0x01, WarnOnly), + 0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), }, want: map[uint32]struct{}{}, }, "all enforced": { input: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, Enforce, PCRMeasurementLength), }, want: map[uint32]struct{}{ 0: {}, @@ -509,9 +509,9 @@ func TestGetEnforced(t *testing.T) { }, "mixed": { input: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, WarnOnly), - 2: WithAllBytes(0x02, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x02, Enforce, PCRMeasurementLength), }, want: map[uint32]struct{}{ 0: {}, @@ -543,56 +543,56 @@ func TestSetEnforced(t *testing.T) { }{ "no enforced measurements": { input: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, Enforce, PCRMeasurementLength), }, enforced: []uint32{}, wantM: M{ - 0: WithAllBytes(0x00, WarnOnly), - 1: WithAllBytes(0x01, WarnOnly), + 0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), }, }, "all enforced measurements": { input: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, Enforce, PCRMeasurementLength), }, enforced: []uint32{0, 1}, wantM: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, Enforce, PCRMeasurementLength), }, }, "mixed": { input: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, Enforce), - 2: WithAllBytes(0x02, Enforce), - 3: WithAllBytes(0x03, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, Enforce, PCRMeasurementLength), + 2: WithAllBytes(0x02, Enforce, PCRMeasurementLength), + 3: WithAllBytes(0x03, Enforce, PCRMeasurementLength), }, enforced: []uint32{0, 2}, wantM: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, WarnOnly), - 2: WithAllBytes(0x02, Enforce), - 3: WithAllBytes(0x03, WarnOnly), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), + 2: WithAllBytes(0x02, Enforce, PCRMeasurementLength), + 3: WithAllBytes(0x03, WarnOnly, PCRMeasurementLength), }, }, "warn only to enforced": { input: M{ - 0: WithAllBytes(0x00, WarnOnly), - 1: WithAllBytes(0x01, WarnOnly), + 0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), }, enforced: []uint32{0, 1}, wantM: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0x01, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x01, Enforce, PCRMeasurementLength), }, }, "more enforced than measurements": { input: M{ - 0: WithAllBytes(0x00, WarnOnly), - 1: WithAllBytes(0x01, WarnOnly), + 0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength), + 1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength), }, enforced: []uint32{0, 1, 2}, wantErr: true, @@ -622,7 +622,7 @@ func TestWithAllBytes(t *testing.T) { }{ "0x00 warnOnly": { b: 0x00, - warnOnly: true, + warnOnly: WarnOnly, wantMeasurement: Measurement{ Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly, @@ -630,7 +630,7 @@ func TestWithAllBytes(t *testing.T) { }, "0x00": { b: 0x00, - warnOnly: false, + warnOnly: Enforce, wantMeasurement: Measurement{ Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce, @@ -638,7 +638,7 @@ func TestWithAllBytes(t *testing.T) { }, "0x01 warnOnly": { b: 0x01, - warnOnly: true, + warnOnly: WarnOnly, wantMeasurement: Measurement{ Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, ValidationOpt: WarnOnly, @@ -646,7 +646,7 @@ func TestWithAllBytes(t *testing.T) { }, "0x01": { b: 0x01, - warnOnly: false, + warnOnly: Enforce, wantMeasurement: Measurement{ Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, ValidationOpt: Enforce, @@ -654,7 +654,7 @@ func TestWithAllBytes(t *testing.T) { }, "0xFF warnOnly": { b: 0xFF, - warnOnly: true, + warnOnly: WarnOnly, wantMeasurement: Measurement{ Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, ValidationOpt: WarnOnly, @@ -662,7 +662,7 @@ func TestWithAllBytes(t *testing.T) { }, "0xFF": { b: 0xFF, - warnOnly: false, + warnOnly: Enforce, wantMeasurement: Measurement{ Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, ValidationOpt: Enforce, @@ -673,7 +673,7 @@ func TestWithAllBytes(t *testing.T) { for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) - measurement := WithAllBytes(tc.b, tc.warnOnly) + measurement := WithAllBytes(tc.b, tc.warnOnly, PCRMeasurementLength) assert.Equal(tc.wantMeasurement, measurement) }) } @@ -687,44 +687,44 @@ func TestEqualTo(t *testing.T) { }{ "same values": { given: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0xFF, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength), }, other: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0xFF, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength), }, wantEqual: true, }, "different number of elements": { given: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0xFF, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength), }, other: M{ - 0: WithAllBytes(0x00, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), }, wantEqual: false, }, "different values": { given: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0xFF, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength), }, other: M{ - 0: WithAllBytes(0xFF, Enforce), - 1: WithAllBytes(0x00, Enforce), + 0: WithAllBytes(0xFF, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0x00, Enforce, PCRMeasurementLength), }, wantEqual: false, }, "different warn settings": { given: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0xFF, Enforce), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength), }, other: M{ - 0: WithAllBytes(0x00, Enforce), - 1: WithAllBytes(0xFF, WarnOnly), + 0: WithAllBytes(0x00, Enforce, PCRMeasurementLength), + 1: WithAllBytes(0xFF, WarnOnly, PCRMeasurementLength), }, wantEqual: false, }, diff --git a/internal/attestation/vtpm/attestation_test.go b/internal/attestation/vtpm/attestation_test.go index 74d6a0668..4a0327879 100644 --- a/internal/attestation/vtpm/attestation_test.go +++ b/internal/attestation/vtpm/attestation_test.go @@ -70,9 +70,9 @@ func TestValidate(t *testing.T) { } testExpectedPCRs := measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.Enforce), - 1: measurements.WithAllBytes(0x00, measurements.Enforce), - uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce), + 0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), + 1: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), + uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), } warnLog := &testAttestationLogger{} @@ -119,8 +119,8 @@ func TestValidate(t *testing.T) { require.Error(err) expectedPCRs := measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.WarnOnly), - 1: measurements.WithAllBytes(0x00, measurements.WarnOnly), + 0: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), + 1: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength), 2: measurements.Measurement{ Expected: []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20}, ValidationOpt: measurements.WarnOnly, diff --git a/internal/config/attestation_test.go b/internal/config/attestation_test.go index 1ed86e57f..5162d6e27 100644 --- a/internal/config/attestation_test.go +++ b/internal/config/attestation_test.go @@ -12,7 +12,7 @@ import ( "testing" "github.com/edgelesssys/constellation/v2/internal/attestation/measurements" - "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" + "github.com/edgelesssys/constellation/v2/internal/variant" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "gopkg.in/yaml.v3" @@ -26,19 +26,22 @@ func TestUnmarshalAttestationConfig(t *testing.T) { cfg AttestationCfg }{ "AWSNitroTPM": { - cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS)}, + cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})}, }, "AzureSEVSNP": { cfg: DefaultForAzureSEVSNP(), }, "AzureTrustedLaunch": { - cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure)}, + cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})}, }, "GCPSEVES": { - cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP)}, + cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})}, }, "QEMUVTPM": { - cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU)}, + cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})}, + }, + "QEMUTDX": { + cfg: &QEMUTDX{Measurements: measurements.DefaultsFor(variant.QEMUTDX{})}, }, } diff --git a/internal/config/config.go b/internal/config/config.go index 21861e64e..059f48143 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -344,11 +344,11 @@ func Default() *Config { }, }, Attestation: AttestationConfig{ - AWSNitroTPM: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS)}, + AWSNitroTPM: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})}, AzureSEVSNP: DefaultForAzureSEVSNP(), - AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure)}, - GCPSEVES: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP)}, - QEMUVTPM: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU)}, + AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})}, + GCPSEVES: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})}, + QEMUVTPM: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})}, }, } } @@ -727,7 +727,7 @@ type AzureSEVSNP struct { // TODO(AB#3042): replace with dynamic lookup for configurable values. func DefaultForAzureSEVSNP() *AzureSEVSNP { return &AzureSEVSNP{ - Measurements: measurements.DefaultsFor(cloudprovider.Azure), + Measurements: measurements.DefaultsFor(variant.AzureSEVSNP{}), BootloaderVersion: 2, TEEVersion: 0, SNPVersion: 6, diff --git a/internal/config/config_test.go b/internal/config/config_test.go index a68c3d86c..c4cdd7d1c 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -130,7 +130,7 @@ func TestNewWithDefaultOptions(t *testing.T) { c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity" c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e" c.Attestation.AzureSEVSNP.Measurements = measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.Enforce), + 0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), } return c }(), @@ -152,7 +152,7 @@ func TestNewWithDefaultOptions(t *testing.T) { c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity" c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e" c.Attestation.AzureSEVSNP.Measurements = measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.Enforce), + 0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), } return c }(), @@ -253,7 +253,7 @@ func TestValidate(t *testing.T) { cnf.Provider = ProviderConfig{} cnf.Provider.Azure = az cnf.Attestation.AzureSEVSNP.Measurements = measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.Enforce), + 0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), } return cnf }(), @@ -280,7 +280,7 @@ func TestValidate(t *testing.T) { cnf.Provider = ProviderConfig{} cnf.Provider.GCP = gcp cnf.Attestation.GCPSEVES.Measurements = measurements.M{ - 0: measurements.WithAllBytes(0x00, measurements.Enforce), + 0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), } return cnf }(), @@ -404,9 +404,9 @@ func TestConfigGeneratedDocsFresh(t *testing.T) { func TestConfig_UpdateMeasurements(t *testing.T) { assert := assert.New(t) newMeasurements := measurements.M{ - 1: measurements.WithAllBytes(0x00, measurements.Enforce), - 2: measurements.WithAllBytes(0x01, measurements.Enforce), - 3: measurements.WithAllBytes(0x02, measurements.Enforce), + 1: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength), + 2: measurements.WithAllBytes(0x01, measurements.Enforce, measurements.PCRMeasurementLength), + 3: measurements.WithAllBytes(0x02, measurements.Enforce, measurements.PCRMeasurementLength), } { // AWS diff --git a/internal/watcher/validator_test.go b/internal/watcher/validator_test.go index ebb2c0324..044d295b1 100644 --- a/internal/watcher/validator_test.go +++ b/internal/watcher/validator_test.go @@ -49,11 +49,11 @@ func TestNewUpdateableValidator(t *testing.T) { }, "gcp": { variant: variant.GCPSEVES{}, - config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}}, + config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}}, }, "qemu": { variant: variant.QEMUVTPM{}, - config: &config.QEMUVTPM{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}}, + config: &config.QEMUVTPM{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}}, }, "no file": { variant: variant.AzureSEVSNP{}, @@ -61,7 +61,7 @@ func TestNewUpdateableValidator(t *testing.T) { }, "invalid provider": { variant: fakeOID{1, 3, 9900, 9999, 9999}, - config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}}, + config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}}, wantErr: true, }, } @@ -112,7 +112,7 @@ func TestUpdate(t *testing.T) { // write measurement config require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename), - &config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}}, + &config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}}, )) // call update once to initialize the server's validator @@ -156,7 +156,7 @@ func TestOIDConcurrency(t *testing.T) { handler := file.NewHandler(afero.NewMemMapFs()) require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename), - &config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}}, + &config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}}, )) // create server @@ -196,7 +196,7 @@ func TestUpdateConcurrency(t *testing.T) { } require.NoError(handler.WriteJSON( filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename), - &config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}}, + &config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}}, file.OptNone, )) diff --git a/measurement-reader/cmd/main.go b/measurement-reader/cmd/main.go index 6589a4bda..dc0e68c49 100644 --- a/measurement-reader/cmd/main.go +++ b/measurement-reader/cmd/main.go @@ -35,7 +35,7 @@ func main() { if err != nil { log.With(zap.Error(err)).Fatalf("Failed to read TPM measurements") } - case oid.QEMUTDX{}: + case variant.QEMUTDX{}: m, err = tdx.Measurements() if err != nil { log.With(zap.Error(err)).Fatalf("Failed to read Intel TDX measurements") diff --git a/measurement-reader/internal/sorted/sorted_test.go b/measurement-reader/internal/sorted/sorted_test.go index 47527e533..6f64fc418 100644 --- a/measurement-reader/internal/sorted/sorted_test.go +++ b/measurement-reader/internal/sorted/sorted_test.go @@ -23,9 +23,9 @@ func TestSortMeasurements(t *testing.T) { "pre sorted TPM": { measurementType: TPM, input: measurements.M{ - 0: measurements.WithAllBytes(0x11, measurements.Enforce), - 1: measurements.WithAllBytes(0x22, measurements.Enforce), - 2: measurements.WithAllBytes(0x33, measurements.Enforce), + 0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength), + 1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength), + 2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength), }, want: []Measurement{ { @@ -45,9 +45,9 @@ func TestSortMeasurements(t *testing.T) { "unsorted TPM": { measurementType: TPM, input: measurements.M{ - 1: measurements.WithAllBytes(0x22, measurements.Enforce), - 0: measurements.WithAllBytes(0x11, measurements.Enforce), - 2: measurements.WithAllBytes(0x33, measurements.Enforce), + 1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength), + 0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength), + 2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength), }, want: []Measurement{ { @@ -67,44 +67,44 @@ func TestSortMeasurements(t *testing.T) { "pre sorted TDX": { measurementType: TDX, input: measurements.M{ - 0: measurements.WithAllBytes(0x11, false), - 1: measurements.WithAllBytes(0x22, false), - 2: measurements.WithAllBytes(0x33, false), + 0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.TDXMeasurementLength), + 1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.TDXMeasurementLength), + 2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.TDXMeasurementLength), }, want: []Measurement{ { Index: "MRTD", - Value: bytes.Repeat([]byte{0x11}, 32), + Value: bytes.Repeat([]byte{0x11}, 48), }, { Index: "RTMR[0]", - Value: bytes.Repeat([]byte{0x22}, 32), + Value: bytes.Repeat([]byte{0x22}, 48), }, { Index: "RTMR[1]", - Value: bytes.Repeat([]byte{0x33}, 32), + Value: bytes.Repeat([]byte{0x33}, 48), }, }, }, "unsorted TDX": { measurementType: TDX, input: measurements.M{ - 1: measurements.WithAllBytes(0x22, false), - 0: measurements.WithAllBytes(0x11, false), - 2: measurements.WithAllBytes(0x33, false), + 1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.TDXMeasurementLength), + 0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.TDXMeasurementLength), + 2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.TDXMeasurementLength), }, want: []Measurement{ { Index: "MRTD", - Value: bytes.Repeat([]byte{0x11}, 32), + Value: bytes.Repeat([]byte{0x11}, 48), }, { Index: "RTMR[0]", - Value: bytes.Repeat([]byte{0x22}, 32), + Value: bytes.Repeat([]byte{0x22}, 48), }, { Index: "RTMR[1]", - Value: bytes.Repeat([]byte{0x33}, 32), + Value: bytes.Repeat([]byte{0x33}, 48), }, }, },