measurements: Add length field for WithAllBytes
This commit is contained in:
parent
fe3622d982
commit
9e987778e0
@ -18,37 +18,37 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func TestValidatorUpdateInitPCRs(t *testing.T) {
|
func TestValidatorUpdateInitPCRs(t *testing.T) {
|
||||||
zero := measurements.WithAllBytes(0x00, measurements.WarnOnly)
|
zero := measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength)
|
||||||
one := measurements.WithAllBytes(0x11, measurements.WarnOnly)
|
one := measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength)
|
||||||
one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
|
one64 := base64.StdEncoding.EncodeToString(one.Expected[:])
|
||||||
oneHash := sha256.Sum256(one.Expected[:])
|
oneHash := sha256.Sum256(one.Expected[:])
|
||||||
pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
|
pcrZeroUpdatedOne := sha256.Sum256(append(zero.Expected[:], oneHash[:]...))
|
||||||
newTestPCRs := func() measurements.M {
|
newTestPCRs := func() measurements.M {
|
||||||
return measurements.M{
|
return measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
0: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
1: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
2: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
2: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
3: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
3: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
4: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
4: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
5: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
5: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
6: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
6: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
7: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
7: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
8: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
8: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
9: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
9: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
10: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
10: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
11: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
11: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
12: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
12: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
13: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
13: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
14: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
14: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
15: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
15: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
16: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
16: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
17: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
17: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
18: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
18: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
19: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
19: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
20: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
20: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
21: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
21: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
22: measurements.WithAllBytes(0x11, measurements.WarnOnly),
|
22: measurements.WithAllBytes(0x11, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
23: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
23: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -430,13 +430,13 @@ func TestAttestation(t *testing.T) {
|
|||||||
cfg := config.Default()
|
cfg := config.Default()
|
||||||
cfg.Image = "image"
|
cfg.Image = "image"
|
||||||
cfg.RemoveProviderExcept(cloudprovider.QEMU)
|
cfg.RemoveProviderExcept(cloudprovider.QEMU)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[0] = measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[1] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[2] = measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[3] = measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x99, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
cfg.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
|
||||||
|
|
||||||
newDialer := func(v atls.Validator) *dialer.Dialer {
|
newDialer := func(v atls.Validator) *dialer.Dialer {
|
||||||
@ -537,21 +537,21 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
|
|||||||
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
||||||
conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
|
conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
|
||||||
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
|
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
|
||||||
conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
case cloudprovider.GCP:
|
case cloudprovider.GCP:
|
||||||
conf.Provider.GCP.Region = "test-region"
|
conf.Provider.GCP.Region = "test-region"
|
||||||
conf.Provider.GCP.Project = "test-project"
|
conf.Provider.GCP.Project = "test-project"
|
||||||
conf.Provider.GCP.Zone = "test-zone"
|
conf.Provider.GCP.Zone = "test-zone"
|
||||||
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
|
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
|
||||||
conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
case cloudprovider.QEMU:
|
case cloudprovider.QEMU:
|
||||||
conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce)
|
conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce)
|
conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce)
|
conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
||||||
}
|
}
|
||||||
|
|
||||||
conf.RemoveProviderExcept(csp)
|
conf.RemoveProviderExcept(csp)
|
||||||
|
@ -21,6 +21,7 @@ import (
|
|||||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/versionsapi"
|
"github.com/edgelesssys/constellation/v2/internal/versionsapi"
|
||||||
"github.com/spf13/afero"
|
"github.com/spf13/afero"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
@ -39,7 +40,7 @@ func TestBuildString(t *testing.T) {
|
|||||||
upgrade: versionUpgrade{
|
upgrade: versionUpgrade{
|
||||||
newServices: "v2.5.0",
|
newServices: "v2.5.0",
|
||||||
newImages: map[string]measurements.M{
|
newImages: map[string]measurements.M{
|
||||||
"v2.5.0": measurements.DefaultsFor(cloudprovider.QEMU),
|
"v2.5.0": measurements.DefaultsFor(variant.QEMUVTPM{}),
|
||||||
},
|
},
|
||||||
newKubernetes: []string{"v1.24.12", "v1.25.6"},
|
newKubernetes: []string{"v1.24.12", "v1.25.6"},
|
||||||
newCLI: []string{"v2.5.0", "v2.6.0"},
|
newCLI: []string{"v2.5.0", "v2.6.0"},
|
||||||
@ -236,7 +237,7 @@ func TestUpgradeCheck(t *testing.T) {
|
|||||||
supportedServicesVersions: "v2.5.0",
|
supportedServicesVersions: "v2.5.0",
|
||||||
supportedImages: []versionsapi.Version{v2_3},
|
supportedImages: []versionsapi.Version{v2_3},
|
||||||
supportedImageVersions: map[string]measurements.M{
|
supportedImageVersions: map[string]measurements.M{
|
||||||
"v2.3.0": measurements.DefaultsFor(cloudprovider.QEMU),
|
"v2.3.0": measurements.DefaultsFor(variant.QEMUVTPM{}),
|
||||||
},
|
},
|
||||||
supportedK8sVersions: []string{"v1.24.5", "v1.24.12", "v1.25.6"},
|
supportedK8sVersions: []string{"v1.24.5", "v1.24.12", "v1.25.6"},
|
||||||
currentServicesVersions: "v2.4.0",
|
currentServicesVersions: "v2.4.0",
|
||||||
|
@ -64,7 +64,7 @@ func TestConstellationServices(t *testing.T) {
|
|||||||
config: &config.Config{
|
config: &config.Config{
|
||||||
Provider: config.ProviderConfig{AWS: &config.AWSConfig{}},
|
Provider: config.ProviderConfig{AWS: &config.AWSConfig{}},
|
||||||
Attestation: config.AttestationConfig{AWSNitroTPM: &config.AWSNitroTPM{
|
Attestation: config.AttestationConfig{AWSNitroTPM: &config.AWSNitroTPM{
|
||||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
valuesModifier: prepareAWSValues,
|
valuesModifier: prepareAWSValues,
|
||||||
@ -76,7 +76,7 @@ func TestConstellationServices(t *testing.T) {
|
|||||||
DeployCSIDriver: toPtr(true),
|
DeployCSIDriver: toPtr(true),
|
||||||
}},
|
}},
|
||||||
Attestation: config.AttestationConfig{AzureSEVSNP: &config.AzureSEVSNP{
|
Attestation: config.AttestationConfig{AzureSEVSNP: &config.AzureSEVSNP{
|
||||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||||
FirmwareSignerConfig: config.SNPFirmwareSignerConfig{
|
FirmwareSignerConfig: config.SNPFirmwareSignerConfig{
|
||||||
AcceptedKeyDigests: idkeydigest.List{bytes.Repeat([]byte{0xAA}, 32)},
|
AcceptedKeyDigests: idkeydigest.List{bytes.Repeat([]byte{0xAA}, 32)},
|
||||||
EnforcementPolicy: idkeydigest.MAAFallback,
|
EnforcementPolicy: idkeydigest.MAAFallback,
|
||||||
@ -95,7 +95,7 @@ func TestConstellationServices(t *testing.T) {
|
|||||||
DeployCSIDriver: toPtr(true),
|
DeployCSIDriver: toPtr(true),
|
||||||
}},
|
}},
|
||||||
Attestation: config.AttestationConfig{GCPSEVES: &config.GCPSEVES{
|
Attestation: config.AttestationConfig{GCPSEVES: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
valuesModifier: prepareGCPValues,
|
valuesModifier: prepareGCPValues,
|
||||||
@ -105,7 +105,7 @@ func TestConstellationServices(t *testing.T) {
|
|||||||
config: &config.Config{
|
config: &config.Config{
|
||||||
Provider: config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
|
Provider: config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
|
||||||
Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
|
Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
|
||||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
valuesModifier: prepareOpenStackValues,
|
valuesModifier: prepareOpenStackValues,
|
||||||
@ -115,7 +115,7 @@ func TestConstellationServices(t *testing.T) {
|
|||||||
config: &config.Config{
|
config: &config.Config{
|
||||||
Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{}},
|
Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{}},
|
||||||
Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
|
Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
|
||||||
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
|
Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength)},
|
||||||
}},
|
}},
|
||||||
},
|
},
|
||||||
valuesModifier: prepareQEMUValues,
|
valuesModifier: prepareQEMUValues,
|
||||||
@ -525,7 +525,6 @@ func prepareOpenStackValues(values map[string]any) error {
|
|||||||
if !ok {
|
if !ok {
|
||||||
return errors.New("missing 'join-service' key")
|
return errors.New("missing 'join-service' key")
|
||||||
}
|
}
|
||||||
|
|
||||||
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||||
|
|
||||||
ccmVals, ok := values["ccm"].(map[string]any)
|
ccmVals, ok := values["ccm"].(map[string]any)
|
||||||
@ -555,7 +554,6 @@ func prepareQEMUValues(values map[string]any) error {
|
|||||||
if !ok {
|
if !ok {
|
||||||
return errors.New("missing 'join-service' key")
|
return errors.New("missing 'join-service' key")
|
||||||
}
|
}
|
||||||
|
|
||||||
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||||
|
|
||||||
verificationVals, ok := values["verification-service"].(map[string]any)
|
verificationVals, ok := values["verification-service"].(map[string]any)
|
||||||
|
@ -265,7 +265,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||||||
},
|
},
|
||||||
newConfig: &config.GCPSEVES{
|
newConfig: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{
|
Measurements: measurements.M{
|
||||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantUpdate: true,
|
wantUpdate: true,
|
||||||
@ -278,7 +278,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||||||
},
|
},
|
||||||
newConfig: &config.GCPSEVES{
|
newConfig: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{
|
Measurements: measurements.M{
|
||||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
0: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -290,7 +290,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||||||
},
|
},
|
||||||
newConfig: &config.GCPSEVES{
|
newConfig: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{
|
Measurements: measurements.M{
|
||||||
0: measurements.WithAllBytes(0xAA, measurements.WarnOnly),
|
0: measurements.WithAllBytes(0xAA, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantUpdate: true,
|
wantUpdate: true,
|
||||||
@ -303,7 +303,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||||||
},
|
},
|
||||||
newConfig: &config.GCPSEVES{
|
newConfig: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{
|
Measurements: measurements.M{
|
||||||
0: measurements.WithAllBytes(0xAA, measurements.Enforce),
|
0: measurements.WithAllBytes(0xAA, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantUpdate: true,
|
wantUpdate: true,
|
||||||
@ -312,7 +312,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||||||
updater: &stubStableClient{getErr: someErr},
|
updater: &stubStableClient{getErr: someErr},
|
||||||
newConfig: &config.GCPSEVES{
|
newConfig: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{
|
Measurements: measurements.M{
|
||||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
@ -326,7 +326,7 @@ func TestUpdateMeasurements(t *testing.T) {
|
|||||||
},
|
},
|
||||||
newConfig: &config.GCPSEVES{
|
newConfig: &config.GCPSEVES{
|
||||||
Measurements: measurements.M{
|
Measurements: measurements.M{
|
||||||
0: measurements.WithAllBytes(0xBB, measurements.Enforce),
|
0: measurements.WithAllBytes(0xBB, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
|
@ -35,6 +35,8 @@ import (
|
|||||||
// this tool is used to generate hardcoded measurements for the enterprise build.
|
// this tool is used to generate hardcoded measurements for the enterprise build.
|
||||||
// Measurements are embedded in the constellation cli.
|
// Measurements are embedded in the constellation cli.
|
||||||
|
|
||||||
|
// TODO(v2.8 | AB#3130): Update tool to use variant.Variant instead of cloudprovider.Provider
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
defaultConf := config.Default()
|
defaultConf := config.Default()
|
||||||
log.Printf("Generating measurements for %s\n", defaultConf.Image)
|
log.Printf("Generating measurements for %s\n", defaultConf.Image)
|
||||||
|
@ -325,10 +325,12 @@ func (m *Measurement) unmarshal(eM encodedMeasurement) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithAllBytes returns a measurement value where all 32 bytes are set to b.
|
// WithAllBytes returns a measurement value where all bytes are set to b. Takes a dynamic length as input.
|
||||||
func WithAllBytes(b byte, validationOpt MeasurementValidationOption) Measurement {
|
// Expected are either 32 bytes (PCRMeasurementLength) or 48 bytes (TDXMeasurementLength).
|
||||||
|
// Over inputs are possible in this function, but potentially rejected elsewhere.
|
||||||
|
func WithAllBytes(b byte, validationOpt MeasurementValidationOption, len int) Measurement {
|
||||||
return Measurement{
|
return Measurement{
|
||||||
Expected: bytes.Repeat([]byte{b}, 32),
|
Expected: bytes.Repeat([]byte{b}, len),
|
||||||
ValidationOpt: validationOpt,
|
ValidationOpt: validationOpt,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
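Review bot: The new third parameter of WithAllBytes is named `len`, which shadows the builtin for the whole function body; rename it to `length` in the signature and the `bytes.Repeat([]byte{b}, length)` call so a later edit can still call `len(...)` here. The comment block above the signature also has a typo, "Over inputs", which should read "Other inputs", and "potentially rejected elsewhere" leaves the contract open: since this function cannot return an error (it is used inside composite literals throughout the change), the doc comment should state that callers are expected to pass `PCRMeasurementLength` or `TDXMeasurementLength`, and that the function itself does not validate the value (a zero length yields an empty Expected, a negative one panics in bytes.Repeat). I would also keep the doc sentence short: `// WithAllBytes returns a measurement of the given length where every byte is set to b.`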
@ -8,60 +8,60 @@ SPDX-License-Identifier: AGPL-3.0-only
|
|||||||
|
|
||||||
package measurements
|
package measurements
|
||||||
|
|
||||||
import "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
import (
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||||
|
)
|
||||||
|
|
||||||
// DefaultsFor provides the default measurements for given cloud provider.
|
// DefaultsFor provides the default measurements for given cloud provider.
|
||||||
func DefaultsFor(provider cloudprovider.Provider) M {
|
func DefaultsFor(attestationVariant variant.Variant) M {
|
||||||
switch provider {
|
switch attestationVariant {
|
||||||
case cloudprovider.AWS:
|
case variant.AWSNitroTPM{}:
|
||||||
return M{
|
return M{
|
||||||
4: PlaceHolderMeasurement(),
|
4: PlaceHolderMeasurement(),
|
||||||
8: WithAllBytes(0x00, Enforce),
|
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
9: PlaceHolderMeasurement(),
|
9: PlaceHolderMeasurement(),
|
||||||
11: WithAllBytes(0x00, Enforce),
|
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
12: PlaceHolderMeasurement(),
|
12: PlaceHolderMeasurement(),
|
||||||
13: WithAllBytes(0x00, Enforce),
|
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
case cloudprovider.Azure:
|
case variant.AzureSEVSNP{}:
|
||||||
return M{
|
return M{
|
||||||
4: PlaceHolderMeasurement(),
|
4: PlaceHolderMeasurement(),
|
||||||
8: WithAllBytes(0x00, Enforce),
|
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
9: PlaceHolderMeasurement(),
|
9: PlaceHolderMeasurement(),
|
||||||
11: WithAllBytes(0x00, Enforce),
|
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
12: PlaceHolderMeasurement(),
|
12: PlaceHolderMeasurement(),
|
||||||
13: WithAllBytes(0x00, Enforce),
|
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
case cloudprovider.GCP:
|
case variant.GCPSEVES{}:
|
||||||
return M{
|
return M{
|
||||||
4: PlaceHolderMeasurement(),
|
4: PlaceHolderMeasurement(),
|
||||||
8: WithAllBytes(0x00, Enforce),
|
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
9: PlaceHolderMeasurement(),
|
9: PlaceHolderMeasurement(),
|
||||||
11: WithAllBytes(0x00, Enforce),
|
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
12: PlaceHolderMeasurement(),
|
12: PlaceHolderMeasurement(),
|
||||||
13: WithAllBytes(0x00, Enforce),
|
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
case cloudprovider.QEMU:
|
case variant.QEMUTDX{}:
|
||||||
return M{
|
return M{
|
||||||
|
0: PlaceHolderMeasurement(),
|
||||||
|
1: PlaceHolderMeasurement(),
|
||||||
|
2: PlaceHolderMeasurement(),
|
||||||
|
3: PlaceHolderMeasurement(),
|
||||||
4: PlaceHolderMeasurement(),
|
4: PlaceHolderMeasurement(),
|
||||||
8: WithAllBytes(0x00, Enforce),
|
|
||||||
9: PlaceHolderMeasurement(),
|
|
||||||
11: WithAllBytes(0x00, Enforce),
|
|
||||||
12: PlaceHolderMeasurement(),
|
|
||||||
13: WithAllBytes(0x00, Enforce),
|
|
||||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
|
||||||
}
|
}
|
||||||
case cloudprovider.OpenStack:
|
case variant.QEMUVTPM{}:
|
||||||
return M{
|
return M{
|
||||||
4: PlaceHolderMeasurement(),
|
4: PlaceHolderMeasurement(),
|
||||||
8: WithAllBytes(0x00, Enforce),
|
8: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
9: PlaceHolderMeasurement(),
|
9: PlaceHolderMeasurement(),
|
||||||
11: WithAllBytes(0x00, Enforce),
|
11: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
12: PlaceHolderMeasurement(),
|
12: PlaceHolderMeasurement(),
|
||||||
13: WithAllBytes(0x00, Enforce),
|
13: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce),
|
uint32(PCRIndexClusterID): WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
return nil
|
return nil
|
||||||
|
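Review bot: The doc comment on DefaultsFor still says "for given cloud provider" although the parameter is now an attestation variant; change it to `// DefaultsFor provides the default measurements for the given attestation variant.` and note that unknown variants return nil, as the default case does. In the new `variant.QEMUTDX{}` case every entry is `PlaceHolderMeasurement()`, whose length is not visible in this hunk; the WithAllBytes comment in the same commit says TDX measurements are 48 bytes (`TDXMeasurementLength`), so if the placeholder still produces a 32-byte value the TDX defaults would carry the wrong length and should be confirmed against that helper. The switch also maps the former `cloudprovider.OpenStack` case onto `variant.QEMUVTPM{}`, which is presumably intended but worth a one-line comment so the mapping is not read as an accidental drop of OpenStack.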
@ -206,8 +206,8 @@ func TestEncodeM(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
"basic": {
|
"basic": {
|
||||||
m: M{
|
m: M{
|
||||||
1: WithAllBytes(1, false),
|
1: WithAllBytes(1, false, PCRMeasurementLength),
|
||||||
2: WithAllBytes(2, true),
|
2: WithAllBytes(2, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: `1:
|
want: `1:
|
||||||
expected: "0101010101010101010101010101010101010101010101010101010101010101"
|
expected: "0101010101010101010101010101010101010101010101010101010101010101"
|
||||||
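Review bot: The "basic" case still passes the raw literal `false` for the validation option (`1: WithAllBytes(1, false, PCRMeasurementLength)`) while the line below was changed from `true` to `WarnOnly`; for consistency with the rest of the commit it should read `1: WithAllBytes(1, Enforce, PCRMeasurementLength),`, assuming `false` corresponds to Enforce the way `true` corresponded to WarnOnly. The same literal `false` remains on all four entries of the "output is sorted" case in the next hunk and in the new test-file hunks that follow. Using the named constants keeps the tests readable if MeasurementValidationOption ever stops being a plain bool.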
@ -219,10 +219,10 @@ func TestEncodeM(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"output is sorted": {
|
"output is sorted": {
|
||||||
m: M{
|
m: M{
|
||||||
3: WithAllBytes(0, false),
|
3: WithAllBytes(0, false, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0, false),
|
1: WithAllBytes(0, false, PCRMeasurementLength),
|
||||||
11: WithAllBytes(0, false),
|
11: WithAllBytes(0, false, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0, false),
|
2: WithAllBytes(0, false, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: `1:
|
want: `1:
|
||||||
expected: "0000000000000000000000000000000000000000000000000000000000000000"
|
expected: "0000000000000000000000000000000000000000000000000000000000000000"
|
||||||
@ -261,48 +261,48 @@ func TestMeasurementsCopyFrom(t *testing.T) {
|
|||||||
"add to empty": {
|
"add to empty": {
|
||||||
current: M{},
|
current: M{},
|
||||||
newMeasurements: M{
|
newMeasurements: M{
|
||||||
1: WithAllBytes(0x00, WarnOnly),
|
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x01, WarnOnly),
|
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x02, WarnOnly),
|
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantMeasurements: M{
|
wantMeasurements: M{
|
||||||
1: WithAllBytes(0x00, WarnOnly),
|
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x01, WarnOnly),
|
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x02, WarnOnly),
|
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"keep existing": {
|
"keep existing": {
|
||||||
current: M{
|
current: M{
|
||||||
4: WithAllBytes(0x01, Enforce),
|
4: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
5: WithAllBytes(0x02, WarnOnly),
|
5: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
newMeasurements: M{
|
newMeasurements: M{
|
||||||
1: WithAllBytes(0x00, WarnOnly),
|
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x01, WarnOnly),
|
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x02, WarnOnly),
|
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantMeasurements: M{
|
wantMeasurements: M{
|
||||||
1: WithAllBytes(0x00, WarnOnly),
|
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x01, WarnOnly),
|
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x02, WarnOnly),
|
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
4: WithAllBytes(0x01, Enforce),
|
4: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
5: WithAllBytes(0x02, WarnOnly),
|
5: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"overwrite existing": {
|
"overwrite existing": {
|
||||||
current: M{
|
current: M{
|
||||||
2: WithAllBytes(0x04, Enforce),
|
2: WithAllBytes(0x04, Enforce, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x05, Enforce),
|
3: WithAllBytes(0x05, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
newMeasurements: M{
|
newMeasurements: M{
|
||||||
1: WithAllBytes(0x00, WarnOnly),
|
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x01, WarnOnly),
|
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x02, WarnOnly),
|
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantMeasurements: M{
|
wantMeasurements: M{
|
||||||
1: WithAllBytes(0x00, WarnOnly),
|
1: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x01, WarnOnly),
|
2: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x02, WarnOnly),
|
3: WithAllBytes(0x02, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -371,7 +371,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
|
|||||||
signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa",
|
signature: "MEYCIQD1RR91pWPw1BMWXTSmTBHg/JtfKerbZNQ9PJTWDdW0sgIhANQbETJGb67qzQmMVmcq007VUFbHRMtYWKZeeyRf0gVa",
|
||||||
signatureStatus: http.StatusOK,
|
signatureStatus: http.StatusOK,
|
||||||
wantMeasurements: M{
|
wantMeasurements: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24",
|
wantSHA: "c04e13c1312b6f5659303871d14bf49b05c99a6515548763b6322f60bbb61a24",
|
||||||
},
|
},
|
||||||
@ -382,7 +382,7 @@ func TestMeasurementsFetchAndVerify(t *testing.T) {
|
|||||||
signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=",
|
signature: "MEUCIQC9WI2ijlQjBktYFctKpbnqkUTey3U9W99Jp1NTLi5AbQIgNZxxOtiawgTkWPXLoH9D2CxpEjxQrqLn/zWF6NoKxWQ=",
|
||||||
signatureStatus: http.StatusOK,
|
signatureStatus: http.StatusOK,
|
||||||
wantMeasurements: M{
|
wantMeasurements: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4",
|
wantSHA: "648fcfd5d22e623a948ab2dd4eb334be2701d8f158231726084323003daab8d4",
|
||||||
},
|
},
|
||||||
@ -492,15 +492,15 @@ func TestGetEnforced(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
"only warnings": {
|
"only warnings": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, WarnOnly),
|
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, WarnOnly),
|
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: map[uint32]struct{}{},
|
want: map[uint32]struct{}{},
|
||||||
},
|
},
|
||||||
"all enforced": {
|
"all enforced": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, Enforce),
|
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: map[uint32]struct{}{
|
want: map[uint32]struct{}{
|
||||||
0: {},
|
0: {},
|
||||||
@ -509,9 +509,9 @@ func TestGetEnforced(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"mixed": {
|
"mixed": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, WarnOnly),
|
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x02, Enforce),
|
2: WithAllBytes(0x02, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: map[uint32]struct{}{
|
want: map[uint32]struct{}{
|
||||||
0: {},
|
0: {},
|
||||||
@ -543,56 +543,56 @@ func TestSetEnforced(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
"no enforced measurements": {
|
"no enforced measurements": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, Enforce),
|
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
enforced: []uint32{},
|
enforced: []uint32{},
|
||||||
wantM: M{
|
wantM: M{
|
||||||
0: WithAllBytes(0x00, WarnOnly),
|
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, WarnOnly),
|
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"all enforced measurements": {
|
"all enforced measurements": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, Enforce),
|
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
enforced: []uint32{0, 1},
|
enforced: []uint32{0, 1},
|
||||||
wantM: M{
|
wantM: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, Enforce),
|
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"mixed": {
|
"mixed": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, Enforce),
|
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x02, Enforce),
|
2: WithAllBytes(0x02, Enforce, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x03, Enforce),
|
3: WithAllBytes(0x03, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
enforced: []uint32{0, 2},
|
enforced: []uint32{0, 2},
|
||||||
wantM: M{
|
wantM: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, WarnOnly),
|
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
2: WithAllBytes(0x02, Enforce),
|
2: WithAllBytes(0x02, Enforce, PCRMeasurementLength),
|
||||||
3: WithAllBytes(0x03, WarnOnly),
|
3: WithAllBytes(0x03, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"warn only to enforced": {
|
"warn only to enforced": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, WarnOnly),
|
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, WarnOnly),
|
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
enforced: []uint32{0, 1},
|
enforced: []uint32{0, 1},
|
||||||
wantM: M{
|
wantM: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, Enforce),
|
1: WithAllBytes(0x01, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"more enforced than measurements": {
|
"more enforced than measurements": {
|
||||||
input: M{
|
input: M{
|
||||||
0: WithAllBytes(0x00, WarnOnly),
|
0: WithAllBytes(0x00, WarnOnly, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x01, WarnOnly),
|
1: WithAllBytes(0x01, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
enforced: []uint32{0, 1, 2},
|
enforced: []uint32{0, 1, 2},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
@ -622,7 +622,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
"0x00 warnOnly": {
|
"0x00 warnOnly": {
|
||||||
b: 0x00,
|
b: 0x00,
|
||||||
warnOnly: true,
|
warnOnly: WarnOnly,
|
||||||
wantMeasurement: Measurement{
|
wantMeasurement: Measurement{
|
||||||
Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||||
ValidationOpt: WarnOnly,
|
ValidationOpt: WarnOnly,
|
||||||
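Review bot: The case field `warnOnly` now holds a validation option (`WarnOnly` / `Enforce`) rather than the bool it was named for, so `warnOnly: Enforce,` in the sibling hunks at the following five cases reads as a contradiction. Renaming the field to match the constants it carries, e.g. `validationOpt: WarnOnly,` here and `validationOpt: Enforce,` in the other cases, keeps the table readable; the struct declaration that would need the matching rename sits above this hunk, outside it. The same applies to the hunks for "0x00", "0x01 warnOnly", "0x01", "0xFF warnOnly" and "0xFF".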
@ -630,7 +630,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"0x00": {
|
"0x00": {
|
||||||
b: 0x00,
|
b: 0x00,
|
||||||
warnOnly: false,
|
warnOnly: Enforce,
|
||||||
wantMeasurement: Measurement{
|
wantMeasurement: Measurement{
|
||||||
Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||||
ValidationOpt: Enforce,
|
ValidationOpt: Enforce,
|
||||||
@ -638,7 +638,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"0x01 warnOnly": {
|
"0x01 warnOnly": {
|
||||||
b: 0x01,
|
b: 0x01,
|
||||||
warnOnly: true,
|
warnOnly: WarnOnly,
|
||||||
wantMeasurement: Measurement{
|
wantMeasurement: Measurement{
|
||||||
Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
||||||
ValidationOpt: WarnOnly,
|
ValidationOpt: WarnOnly,
|
||||||
@ -646,7 +646,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"0x01": {
|
"0x01": {
|
||||||
b: 0x01,
|
b: 0x01,
|
||||||
warnOnly: false,
|
warnOnly: Enforce,
|
||||||
wantMeasurement: Measurement{
|
wantMeasurement: Measurement{
|
||||||
Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
Expected: []byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
||||||
ValidationOpt: Enforce,
|
ValidationOpt: Enforce,
|
||||||
@ -654,7 +654,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"0xFF warnOnly": {
|
"0xFF warnOnly": {
|
||||||
b: 0xFF,
|
b: 0xFF,
|
||||||
warnOnly: true,
|
warnOnly: WarnOnly,
|
||||||
wantMeasurement: Measurement{
|
wantMeasurement: Measurement{
|
||||||
Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
|
Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
|
||||||
ValidationOpt: WarnOnly,
|
ValidationOpt: WarnOnly,
|
||||||
@ -662,7 +662,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"0xFF": {
|
"0xFF": {
|
||||||
b: 0xFF,
|
b: 0xFF,
|
||||||
warnOnly: false,
|
warnOnly: Enforce,
|
||||||
wantMeasurement: Measurement{
|
wantMeasurement: Measurement{
|
||||||
Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
|
Expected: []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
|
||||||
ValidationOpt: Enforce,
|
ValidationOpt: Enforce,
|
||||||
@ -673,7 +673,7 @@ func TestWithAllBytes(t *testing.T) {
|
|||||||
for name, tc := range testCases {
|
for name, tc := range testCases {
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
measurement := WithAllBytes(tc.b, tc.warnOnly)
|
measurement := WithAllBytes(tc.b, tc.warnOnly, PCRMeasurementLength)
|
||||||
assert.Equal(tc.wantMeasurement, measurement)
|
assert.Equal(tc.wantMeasurement, measurement)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
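Review bot: The call `WithAllBytes(tc.b, tc.warnOnly, PCRMeasurementLength)` pins the new length parameter to a single value, so the table never exercises the one thing this commit adds and a regression that ignored `length` would still pass. Adding a `length` field to the case struct, populating the existing cases with `PCRMeasurementLength`, and adding one case with `TDXMeasurementLength` (expected value built with `bytes.Repeat`, as the TDX cases elsewhere in this commit do) would cover it; the loop then becomes `measurement := WithAllBytes(tc.b, tc.warnOnly, tc.length)` followed by `assert.Len(measurement.Expected, tc.length)` before the existing equality check. The case struct and table are declared above this hunk, outside it.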
@ -687,44 +687,44 @@ func TestEqualTo(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
"same values": {
|
"same values": {
|
||||||
given: M{
|
given: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0xFF, Enforce),
|
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
other: M{
|
other: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0xFF, Enforce),
|
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantEqual: true,
|
wantEqual: true,
|
||||||
},
|
},
|
||||||
"different number of elements": {
|
"different number of elements": {
|
||||||
given: M{
|
given: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0xFF, Enforce),
|
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
other: M{
|
other: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantEqual: false,
|
wantEqual: false,
|
||||||
},
|
},
|
||||||
"different values": {
|
"different values": {
|
||||||
given: M{
|
given: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0xFF, Enforce),
|
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
other: M{
|
other: M{
|
||||||
0: WithAllBytes(0xFF, Enforce),
|
0: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0x00, Enforce),
|
1: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantEqual: false,
|
wantEqual: false,
|
||||||
},
|
},
|
||||||
"different warn settings": {
|
"different warn settings": {
|
||||||
given: M{
|
given: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0xFF, Enforce),
|
1: WithAllBytes(0xFF, Enforce, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
other: M{
|
other: M{
|
||||||
0: WithAllBytes(0x00, Enforce),
|
0: WithAllBytes(0x00, Enforce, PCRMeasurementLength),
|
||||||
1: WithAllBytes(0xFF, WarnOnly),
|
1: WithAllBytes(0xFF, WarnOnly, PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
wantEqual: false,
|
wantEqual: false,
|
||||||
},
|
},
|
||||||
|
@ -70,9 +70,9 @@ func TestValidate(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
testExpectedPCRs := measurements.M{
|
testExpectedPCRs := measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
1: measurements.WithAllBytes(0x00, measurements.Enforce),
|
1: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce),
|
uint32(measurements.PCRIndexClusterID): measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
warnLog := &testAttestationLogger{}
|
warnLog := &testAttestationLogger{}
|
||||||
|
|
||||||
@ -119,8 +119,8 @@ func TestValidate(t *testing.T) {
|
|||||||
require.Error(err)
|
require.Error(err)
|
||||||
|
|
||||||
expectedPCRs := measurements.M{
|
expectedPCRs := measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
0: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
1: measurements.WithAllBytes(0x00, measurements.WarnOnly),
|
1: measurements.WithAllBytes(0x00, measurements.WarnOnly, measurements.PCRMeasurementLength),
|
||||||
2: measurements.Measurement{
|
2: measurements.Measurement{
|
||||||
Expected: []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
Expected: []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
||||||
ValidationOpt: measurements.WarnOnly,
|
ValidationOpt: measurements.WarnOnly,
|
||||||
|
@ -12,7 +12,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"gopkg.in/yaml.v3"
|
"gopkg.in/yaml.v3"
|
||||||
@ -26,19 +26,22 @@ func TestUnmarshalAttestationConfig(t *testing.T) {
|
|||||||
cfg AttestationCfg
|
cfg AttestationCfg
|
||||||
}{
|
}{
|
||||||
"AWSNitroTPM": {
|
"AWSNitroTPM": {
|
||||||
cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS)},
|
cfg: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})},
|
||||||
},
|
},
|
||||||
"AzureSEVSNP": {
|
"AzureSEVSNP": {
|
||||||
cfg: DefaultForAzureSEVSNP(),
|
cfg: DefaultForAzureSEVSNP(),
|
||||||
},
|
},
|
||||||
"AzureTrustedLaunch": {
|
"AzureTrustedLaunch": {
|
||||||
cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure)},
|
cfg: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})},
|
||||||
},
|
},
|
||||||
"GCPSEVES": {
|
"GCPSEVES": {
|
||||||
cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP)},
|
cfg: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})},
|
||||||
},
|
},
|
||||||
"QEMUVTPM": {
|
"QEMUVTPM": {
|
||||||
cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU)},
|
cfg: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})},
|
||||||
|
},
|
||||||
|
"QEMUTDX": {
|
||||||
|
cfg: &QEMUTDX{Measurements: measurements.DefaultsFor(variant.QEMUTDX{})},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -344,11 +344,11 @@ func Default() *Config {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
Attestation: AttestationConfig{
|
Attestation: AttestationConfig{
|
||||||
AWSNitroTPM: &AWSNitroTPM{Measurements: measurements.DefaultsFor(cloudprovider.AWS)},
|
AWSNitroTPM: &AWSNitroTPM{Measurements: measurements.DefaultsFor(variant.AWSNitroTPM{})},
|
||||||
AzureSEVSNP: DefaultForAzureSEVSNP(),
|
AzureSEVSNP: DefaultForAzureSEVSNP(),
|
||||||
AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(cloudprovider.Azure)},
|
AzureTrustedLaunch: &AzureTrustedLaunch{Measurements: measurements.DefaultsFor(variant.AzureTrustedLaunch{})},
|
||||||
GCPSEVES: &GCPSEVES{Measurements: measurements.DefaultsFor(cloudprovider.GCP)},
|
GCPSEVES: &GCPSEVES{Measurements: measurements.DefaultsFor(variant.GCPSEVES{})},
|
||||||
QEMUVTPM: &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.QEMU)},
|
QEMUVTPM: &QEMUVTPM{Measurements: measurements.DefaultsFor(variant.QEMUVTPM{})},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
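Review bot: Default() still lists five attestation variants while the unmarshal test in this commit adds a QEMUTDX case built from `measurements.DefaultsFor(variant.QEMUTDX{})`, so the default config and the test table no longer agree on which variants exist. If AttestationConfig carries a QEMUTDX field, an entry `QEMUTDX: &QEMUTDX{Measurements: measurements.DefaultsFor(variant.QEMUTDX{})},` alongside the QEMUVTPM line keeps them in step; if TDX is deliberately kept out of the default config, a short comment on the AttestationConfig literal saying so would stop the next reader from adding it. The body of Default() begins outside this hunk.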
@ -727,7 +727,7 @@ type AzureSEVSNP struct {
|
|||||||
// TODO(AB#3042): replace with dynamic lookup for configurable values.
|
// TODO(AB#3042): replace with dynamic lookup for configurable values.
|
||||||
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
||||||
return &AzureSEVSNP{
|
return &AzureSEVSNP{
|
||||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure),
|
Measurements: measurements.DefaultsFor(variant.AzureSEVSNP{}),
|
||||||
BootloaderVersion: 2,
|
BootloaderVersion: 2,
|
||||||
TEEVersion: 0,
|
TEEVersion: 0,
|
||||||
SNPVersion: 6,
|
SNPVersion: 6,
|
||||||
|
@ -130,7 +130,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
|||||||
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
|
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
|
||||||
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
|
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
|
||||||
c.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
c.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
return c
|
return c
|
||||||
}(),
|
}(),
|
||||||
@ -152,7 +152,7 @@ func TestNewWithDefaultOptions(t *testing.T) {
|
|||||||
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
|
c.Provider.Azure.UserAssignedIdentity = "/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity"
|
||||||
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
|
c.Provider.Azure.AppClientID = "3ea4bdc1-1cc1-4237-ae78-0831eff3491e"
|
||||||
c.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
c.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
return c
|
return c
|
||||||
}(),
|
}(),
|
||||||
@ -253,7 +253,7 @@ func TestValidate(t *testing.T) {
|
|||||||
cnf.Provider = ProviderConfig{}
|
cnf.Provider = ProviderConfig{}
|
||||||
cnf.Provider.Azure = az
|
cnf.Provider.Azure = az
|
||||||
cnf.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
cnf.Attestation.AzureSEVSNP.Measurements = measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
return cnf
|
return cnf
|
||||||
}(),
|
}(),
|
||||||
@ -280,7 +280,7 @@ func TestValidate(t *testing.T) {
|
|||||||
cnf.Provider = ProviderConfig{}
|
cnf.Provider = ProviderConfig{}
|
||||||
cnf.Provider.GCP = gcp
|
cnf.Provider.GCP = gcp
|
||||||
cnf.Attestation.GCPSEVES.Measurements = measurements.M{
|
cnf.Attestation.GCPSEVES.Measurements = measurements.M{
|
||||||
0: measurements.WithAllBytes(0x00, measurements.Enforce),
|
0: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
return cnf
|
return cnf
|
||||||
}(),
|
}(),
|
||||||
@ -404,9 +404,9 @@ func TestConfigGeneratedDocsFresh(t *testing.T) {
|
|||||||
func TestConfig_UpdateMeasurements(t *testing.T) {
|
func TestConfig_UpdateMeasurements(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
newMeasurements := measurements.M{
|
newMeasurements := measurements.M{
|
||||||
1: measurements.WithAllBytes(0x00, measurements.Enforce),
|
1: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
2: measurements.WithAllBytes(0x01, measurements.Enforce),
|
2: measurements.WithAllBytes(0x01, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
3: measurements.WithAllBytes(0x02, measurements.Enforce),
|
3: measurements.WithAllBytes(0x02, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
}
|
}
|
||||||
|
|
||||||
{ // AWS
|
{ // AWS
|
||||||
|
@ -49,11 +49,11 @@ func TestNewUpdateableValidator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"gcp": {
|
"gcp": {
|
||||||
variant: variant.GCPSEVES{},
|
variant: variant.GCPSEVES{},
|
||||||
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||||
},
|
},
|
||||||
"qemu": {
|
"qemu": {
|
||||||
variant: variant.QEMUVTPM{},
|
variant: variant.QEMUVTPM{},
|
||||||
config: &config.QEMUVTPM{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
config: &config.QEMUVTPM{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||||
},
|
},
|
||||||
"no file": {
|
"no file": {
|
||||||
variant: variant.AzureSEVSNP{},
|
variant: variant.AzureSEVSNP{},
|
||||||
@ -61,7 +61,7 @@ func TestNewUpdateableValidator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"invalid provider": {
|
"invalid provider": {
|
||||||
variant: fakeOID{1, 3, 9900, 9999, 9999},
|
variant: fakeOID{1, 3, 9900, 9999, 9999},
|
||||||
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
config: &config.GCPSEVES{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -112,7 +112,7 @@ func TestUpdate(t *testing.T) {
|
|||||||
// write measurement config
|
// write measurement config
|
||||||
require.NoError(handler.WriteJSON(
|
require.NoError(handler.WriteJSON(
|
||||||
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
||||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||||
))
|
))
|
||||||
|
|
||||||
// call update once to initialize the server's validator
|
// call update once to initialize the server's validator
|
||||||
@ -156,7 +156,7 @@ func TestOIDConcurrency(t *testing.T) {
|
|||||||
handler := file.NewHandler(afero.NewMemMapFs())
|
handler := file.NewHandler(afero.NewMemMapFs())
|
||||||
require.NoError(handler.WriteJSON(
|
require.NoError(handler.WriteJSON(
|
||||||
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
||||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||||
))
|
))
|
||||||
|
|
||||||
// create server
|
// create server
|
||||||
@ -196,7 +196,7 @@ func TestUpdateConcurrency(t *testing.T) {
|
|||||||
}
|
}
|
||||||
require.NoError(handler.WriteJSON(
|
require.NoError(handler.WriteJSON(
|
||||||
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
filepath.Join(constants.ServiceBasePath, constants.AttestationConfigFilename),
|
||||||
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce)}},
|
&config.DummyCfg{Measurements: measurements.M{11: measurements.WithAllBytes(0x00, measurements.Enforce, measurements.PCRMeasurementLength)}},
|
||||||
file.OptNone,
|
file.OptNone,
|
||||||
))
|
))
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ func main() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
log.With(zap.Error(err)).Fatalf("Failed to read TPM measurements")
|
log.With(zap.Error(err)).Fatalf("Failed to read TPM measurements")
|
||||||
}
|
}
|
||||||
case oid.QEMUTDX{}:
|
case variant.QEMUTDX{}:
|
||||||
m, err = tdx.Measurements()
|
m, err = tdx.Measurements()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.With(zap.Error(err)).Fatalf("Failed to read Intel TDX measurements")
|
log.With(zap.Error(err)).Fatalf("Failed to read Intel TDX measurements")
|
||||||
|
@ -23,9 +23,9 @@ func TestSortMeasurements(t *testing.T) {
|
|||||||
"pre sorted TPM": {
|
"pre sorted TPM": {
|
||||||
measurementType: TPM,
|
measurementType: TPM,
|
||||||
input: measurements.M{
|
input: measurements.M{
|
||||||
0: measurements.WithAllBytes(0x11, measurements.Enforce),
|
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
1: measurements.WithAllBytes(0x22, measurements.Enforce),
|
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
2: measurements.WithAllBytes(0x33, measurements.Enforce),
|
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: []Measurement{
|
want: []Measurement{
|
||||||
{
|
{
|
||||||
@ -45,9 +45,9 @@ func TestSortMeasurements(t *testing.T) {
|
|||||||
"unsorted TPM": {
|
"unsorted TPM": {
|
||||||
measurementType: TPM,
|
measurementType: TPM,
|
||||||
input: measurements.M{
|
input: measurements.M{
|
||||||
1: measurements.WithAllBytes(0x22, measurements.Enforce),
|
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
0: measurements.WithAllBytes(0x11, measurements.Enforce),
|
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
2: measurements.WithAllBytes(0x33, measurements.Enforce),
|
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.PCRMeasurementLength),
|
||||||
},
|
},
|
||||||
want: []Measurement{
|
want: []Measurement{
|
||||||
{
|
{
|
||||||
@ -67,44 +67,44 @@ func TestSortMeasurements(t *testing.T) {
|
|||||||
"pre sorted TDX": {
|
"pre sorted TDX": {
|
||||||
measurementType: TDX,
|
measurementType: TDX,
|
||||||
input: measurements.M{
|
input: measurements.M{
|
||||||
0: measurements.WithAllBytes(0x11, false),
|
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||||
1: measurements.WithAllBytes(0x22, false),
|
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||||
2: measurements.WithAllBytes(0x33, false),
|
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||||
},
|
},
|
||||||
want: []Measurement{
|
want: []Measurement{
|
||||||
{
|
{
|
||||||
Index: "MRTD",
|
Index: "MRTD",
|
||||||
Value: bytes.Repeat([]byte{0x11}, 32),
|
Value: bytes.Repeat([]byte{0x11}, 48),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Index: "RTMR[0]",
|
Index: "RTMR[0]",
|
||||||
Value: bytes.Repeat([]byte{0x22}, 32),
|
Value: bytes.Repeat([]byte{0x22}, 48),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Index: "RTMR[1]",
|
Index: "RTMR[1]",
|
||||||
Value: bytes.Repeat([]byte{0x33}, 32),
|
Value: bytes.Repeat([]byte{0x33}, 48),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"unsorted TDX": {
|
"unsorted TDX": {
|
||||||
measurementType: TDX,
|
measurementType: TDX,
|
||||||
input: measurements.M{
|
input: measurements.M{
|
||||||
1: measurements.WithAllBytes(0x22, false),
|
1: measurements.WithAllBytes(0x22, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||||
0: measurements.WithAllBytes(0x11, false),
|
0: measurements.WithAllBytes(0x11, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||||
2: measurements.WithAllBytes(0x33, false),
|
2: measurements.WithAllBytes(0x33, measurements.Enforce, measurements.TDXMeasurementLength),
|
||||||
},
|
},
|
||||||
want: []Measurement{
|
want: []Measurement{
|
||||||
{
|
{
|
||||||
Index: "MRTD",
|
Index: "MRTD",
|
||||||
Value: bytes.Repeat([]byte{0x11}, 32),
|
Value: bytes.Repeat([]byte{0x11}, 48),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Index: "RTMR[0]",
|
Index: "RTMR[0]",
|
||||||
Value: bytes.Repeat([]byte{0x22}, 32),
|
Value: bytes.Repeat([]byte{0x22}, 48),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Index: "RTMR[1]",
|
Index: "RTMR[1]",
|
||||||
Value: bytes.Repeat([]byte{0x33}, 32),
|
Value: bytes.Repeat([]byte{0x33}, 48),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|