Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-20 00:06:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

enforce pcr4

Browse Source
This commit is contained in:
Thomas Tendyck 2022-09-08 17:09:49 +02:00 committed by Thomas Tendyck
parent ef26917c5e
commit a85777fd02
3 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cli/internal/cmd/init_test.go
View File

@ -517,6 +517,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.Azure.ResourceGroup = "test-resource-group"
conf.Provider.Azure.AppClientID = "test-client-secret-id"
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
conf.Provider.Azure.Measurements[4] = []byte("44444444444444444444444444444444")
conf.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
conf.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
case cloudprovider.GCP:
@ -524,6 +525,7 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.GCP.Project = "test-project"
conf.Provider.GCP.Image = "some/image/location"
conf.Provider.GCP.Zone = "test-zone"
conf.Provider.GCP.Measurements[4] = []byte("44444444444444444444444444444444")
conf.Provider.GCP.Measurements[8] = []byte("00000000000000000000000000000000")
conf.Provider.GCP.Measurements[9] = []byte("11111111111111111111111111111111")
case cloudprovider.QEMU:

6
docs/docs/architecture/attestation.md
View File

@ -147,7 +147,7 @@ The latter means that value can be generated offline and compared to the one in
| 7 | Secure Boot State | Azure, Constellation Bootloader | No |
| 8 | Kernel command line, GRUB config | Constellation Bootloader | Yes |
| 9 | Kernel, initramfs | Constellation Bootloader | Yes |
| 10 | Reserved | - | Yes |
| 10 | Reserved | - | No |
| 11 | Reserved | Constellation Bootstrapper | Yes |
| 12 | ClusterID | Constellation Bootstrapper | Yes |
| 13–23 | Unused | - | - |
@ -177,7 +177,7 @@ The latter means that value can be generated offline and compared to the one in
| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
| 8 | Kernel command line, GRUB config | Constellation Bootloader | Yes |
| 9 | Kernel, initramfs | Constellation Bootloader | Yes |
| 10 | Reserved | Constellation Bootstrapper | Yes |
| 10 | Reserved | - | No |
| 11 | Reserved | Constellation Bootstrapper | Yes |
| 12 | ClusterID | Constellation Bootstrapper | Yes |
| 13–23 | Unused |- | - |
@ -233,5 +233,5 @@ flowchart LR
B[CLI]-- "contains" -->D["Public Key"]
A[Edgeless]-- "signs" -->E["Runtime measurements"]
D["Public Key"]-- "verifies" -->E["Runtime measurements"]
E["Runtime measurements"]-- "verify" -->F["Constellation cluster"]
E["Runtime measurements"]-- "verify" -->F["Constellation cluster"]
```

4
internal/config/config.go
View File

@ -209,7 +209,7 @@ func Default() *Config {
InstanceType: "Standard_DC4as_v5",
StateDiskType: "Premium_LRS",
Measurements: copyPCRMap(azurePCRs),
EnforcedMeasurements: []uint32{8, 9, 11, 12},
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12},
IdKeyDigest: "57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696",
EnforceIdKeyDigest: func() *bool { b := true; return &b }(),
ConfidentialVM: func() *bool { b := true; return &b }(),
@ -223,7 +223,7 @@ func Default() *Config {
StateDiskType: "pd-ssd",
ServiceAccountKeyPath: "",
Measurements: copyPCRMap(gcpPCRs),
EnforcedMeasurements: []uint32{0, 8, 9, 11, 12},
EnforcedMeasurements: []uint32{0, 4, 8, 9, 11, 12},
},
QEMU: &QEMUConfig{
Measurements: copyPCRMap(qemuPCRs),