mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 06:59:40 -05:00
AB#2316 Configurable enforced PCRs (#361)
* Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
9478303f80
commit
ba4471a228
@ -17,11 +17,15 @@ All notable changes to Constellation will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
||||
- Kubernetes operator for Constellation nodes with ability to update node images.
|
||||
- cilium strict pod2pod encryption.
|
||||
- Add a configurable list of enforced measurements to the config. If an expected measurement can not be verified during attestation, but it is not in the list of enforced measurements, only a warning is logged.
|
||||
|
||||
### Changed
|
||||
<!-- For changes in existing functionality. -->
|
||||
### Deprecated
|
||||
@ -33,6 +37,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
### Security
|
||||
<!-- In case of vulnerabilities. -->
|
||||
### Internal
|
||||
|
||||
- Run e2e tests on all supported versions.
|
||||
- Run e2e tests on latest debug images, instead of release image.
|
||||
|
||||
|
@ -14,7 +14,9 @@ import (
|
||||
type clusterFake struct{}
|
||||
|
||||
// InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
|
||||
func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
||||
func (c *clusterFake) InitCluster(
|
||||
context.Context, []string, string, string, []byte, []uint32,
|
||||
resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
||||
) ([]byte, error) {
|
||||
return []byte{}, nil
|
||||
}
|
||||
|
@ -36,6 +36,7 @@ type InitRequest struct {
|
||||
SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"`
|
||||
Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"`
|
||||
HelmDeployments []byte `protobuf:"bytes,11,opt,name=helm_deployments,json=helmDeployments,proto3" json:"helm_deployments,omitempty"`
|
||||
EnforcedPcrs []uint32 `protobuf:"varint,12,rep,packed,name=enforced_pcrs,json=enforcedPcrs,proto3" json:"enforced_pcrs,omitempty"`
|
||||
}
|
||||
|
||||
func (x *InitRequest) Reset() {
|
||||
@ -147,6 +148,13 @@ func (x *InitRequest) GetHelmDeployments() []byte {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *InitRequest) GetEnforcedPcrs() []uint32 {
|
||||
if x != nil {
|
||||
return x.EnforcedPcrs
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type InitResponse struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
@ -269,7 +277,7 @@ var File_init_proto protoreflect.FileDescriptor
|
||||
|
||||
var file_init_proto_rawDesc = []byte{
|
||||
0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e,
|
||||
0x69, 0x74, 0x22, 0xe0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
|
||||
0x69, 0x74, 0x22, 0x85, 0x04, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
|
||||
0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e,
|
||||
0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20,
|
||||
0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67,
|
||||
@ -299,26 +307,28 @@ var file_init_proto_rawDesc = []byte{
|
||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x68, 0x65,
|
||||
0x6c, 0x6d, 0x5f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0b,
|
||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x68, 0x65, 0x6c, 0x6d, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79,
|
||||
0x6d, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73,
|
||||
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e,
|
||||
0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63,
|
||||
0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x69,
|
||||
0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x64,
|
||||
0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03,
|
||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x22,
|
||||
0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a,
|
||||
0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
|
||||
0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62,
|
||||
0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70,
|
||||
0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12,
|
||||
0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49,
|
||||
0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x69, 0x6e, 0x69,
|
||||
0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3d,
|
||||
0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67,
|
||||
0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c,
|
||||
0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70,
|
||||
0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70,
|
||||
0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
0x6d, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65,
|
||||
0x64, 0x5f, 0x70, 0x63, 0x72, 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0d, 0x52, 0x0c, 0x65, 0x6e,
|
||||
0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x50, 0x63, 0x72, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e,
|
||||
0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75,
|
||||
0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a,
|
||||
0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77,
|
||||
0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77,
|
||||
0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
|
||||
0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74,
|
||||
0x65, 0x72, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b,
|
||||
0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
|
||||
0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d,
|
||||
0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
|
||||
0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a,
|
||||
0x03, 0x41, 0x50, 0x49, 0x12, 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69,
|
||||
0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
|
||||
0x12, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
|
||||
0x6e, 0x73, 0x65, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
|
||||
0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f,
|
||||
0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74,
|
||||
0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f,
|
||||
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
|
@ -20,6 +20,7 @@ message InitRequest {
|
||||
repeated SSHUserKey ssh_user_keys = 9;
|
||||
bytes salt = 10;
|
||||
bytes helm_deployments = 11;
|
||||
repeated uint32 enforced_pcrs = 12;
|
||||
}
|
||||
|
||||
message InitResponse {
|
||||
|
@ -115,6 +115,7 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
|
||||
req.CloudServiceAccountUri,
|
||||
req.KubernetesVersion,
|
||||
measurementSalt,
|
||||
req.EnforcedPcrs,
|
||||
resources.KMSConfig{
|
||||
MasterSecret: req.MasterSecret,
|
||||
Salt: req.Salt,
|
||||
@ -197,6 +198,7 @@ type ClusterInitializer interface {
|
||||
cloudServiceAccountURI string,
|
||||
k8sVersion string,
|
||||
measurementSalt []byte,
|
||||
enforcedPcrs []uint32,
|
||||
kmsConfig resources.KMSConfig,
|
||||
sshUserKeys map[string]string,
|
||||
helmDeployments []byte,
|
||||
|
@ -282,7 +282,9 @@ type stubClusterInitializer struct {
|
||||
initClusterErr error
|
||||
}
|
||||
|
||||
func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
||||
func (i *stubClusterInitializer) InitCluster(
|
||||
context.Context, []string, string, string, []byte, []uint32,
|
||||
resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
||||
) ([]byte, error) {
|
||||
return i.initClusterKubeconfig, i.initClusterErr
|
||||
}
|
||||
|
@ -23,7 +23,7 @@ type joinServiceDaemonset struct {
|
||||
}
|
||||
|
||||
// NewJoinServiceDaemonset returns a daemonset for the join service.
|
||||
func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byte) *joinServiceDaemonset {
|
||||
func NewJoinServiceDaemonset(csp, measurementsJSON, enforcedPCRsJSON string, measurementSalt []byte) *joinServiceDaemonset {
|
||||
return &joinServiceDaemonset{
|
||||
ClusterRole: rbac.ClusterRole{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
@ -247,6 +247,7 @@ func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byt
|
||||
},
|
||||
Data: map[string]string{
|
||||
constants.MeasurementsFilename: measurementsJSON,
|
||||
constants.EnforcedPCRsFilename: enforcedPCRsJSON,
|
||||
},
|
||||
BinaryData: map[string][]byte{
|
||||
constants.MeasurementSaltFilename: measurementSalt,
|
||||
|
@ -8,7 +8,7 @@ import (
|
||||
)
|
||||
|
||||
func TestNewJoinServiceDaemonset(t *testing.T) {
|
||||
deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", []byte{0x0, 0x1, 0x2})
|
||||
deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", "enforcedPCRsJSON", []byte{0x0, 0x1, 0x2})
|
||||
deploymentYAML, err := deployment.Marshal()
|
||||
require.NoError(t, err)
|
||||
|
||||
|
@ -2,6 +2,7 @@ package kubernetes
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
@ -70,8 +71,8 @@ func New(cloudProvider string, clusterUtil clusterUtil, configProvider configura
|
||||
|
||||
// InitCluster initializes a new Kubernetes cluster and applies pod network provider.
|
||||
func (k *KubeWrapper) InitCluster(
|
||||
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string,
|
||||
measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger,
|
||||
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string, measurementSalt []byte,
|
||||
enforcedPCRs []uint32, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger,
|
||||
) ([]byte, error) {
|
||||
k8sVersion, err := versions.NewValidK8sVersion(versionString)
|
||||
if err != nil {
|
||||
@ -180,7 +181,7 @@ func (k *KubeWrapper) InitCluster(
|
||||
return nil, fmt.Errorf("setting up kms: %w", err)
|
||||
}
|
||||
|
||||
if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt); err != nil {
|
||||
if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt, enforcedPCRs); err != nil {
|
||||
return nil, fmt.Errorf("setting up join service failed: %w", err)
|
||||
}
|
||||
|
||||
@ -297,8 +298,17 @@ func (k *KubeWrapper) GetKubeconfig() ([]byte, error) {
|
||||
return k.kubeconfigReader.ReadKubeconfig()
|
||||
}
|
||||
|
||||
func (k *KubeWrapper) setupJoinService(csp string, measurementsJSON, measurementSalt []byte) error {
|
||||
joinConfiguration := resources.NewJoinServiceDaemonset(csp, string(measurementsJSON), measurementSalt)
|
||||
func (k *KubeWrapper) setupJoinService(
|
||||
csp string, measurementsJSON, measurementSalt []byte, enforcedPCRs []uint32,
|
||||
) error {
|
||||
enforcedPCRsJSON, err := json.Marshal(enforcedPCRs)
|
||||
if err != nil {
|
||||
return fmt.Errorf("marshaling enforcedPCRs: %w", err)
|
||||
}
|
||||
|
||||
joinConfiguration := resources.NewJoinServiceDaemonset(
|
||||
csp, string(measurementsJSON), string(enforcedPCRsJSON), measurementSalt,
|
||||
)
|
||||
|
||||
return k.clusterUtil.SetupJoinService(k.client, joinConfiguration)
|
||||
}
|
||||
|
@ -296,7 +296,11 @@ func TestInitCluster(t *testing.T) {
|
||||
kubeconfigReader: tc.kubeconfigReader,
|
||||
getIPAddr: func() (string, error) { return privateIP, nil },
|
||||
}
|
||||
_, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t))
|
||||
|
||||
_, err := kube.InitCluster(
|
||||
context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion),
|
||||
nil, nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t),
|
||||
)
|
||||
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
|
@ -5,7 +5,6 @@ import (
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/azure"
|
||||
@ -14,14 +13,14 @@ import (
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/internal/config"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
const warningStr = "Warning: not verifying the Constellation cluster's %s measurements\n"
|
||||
|
||||
type Validator struct {
|
||||
provider cloudprovider.Provider
|
||||
pcrs map[uint32][]byte
|
||||
validator atls.Validator
|
||||
provider cloudprovider.Provider
|
||||
pcrs map[uint32][]byte
|
||||
enforcedPCRs []uint32
|
||||
validator atls.Validator
|
||||
}
|
||||
|
||||
func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Validator, error) {
|
||||
@ -51,6 +50,16 @@ func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
|
||||
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
|
||||
if encoded == "" {
|
||||
delete(v.pcrs, pcrIndex)
|
||||
|
||||
// remove enforced PCR if it exists
|
||||
for i, enforcedIdx := range v.enforcedPCRs {
|
||||
if enforcedIdx == pcrIndex {
|
||||
v.enforcedPCRs[i] = v.enforcedPCRs[len(v.enforcedPCRs)-1]
|
||||
v.enforcedPCRs = v.enforcedPCRs[:len(v.enforcedPCRs)-1]
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
decoded, err := base64.StdEncoding.DecodeString(encoded)
|
||||
@ -69,29 +78,35 @@ func (v *Validator) setPCRs(config *config.Config) error {
|
||||
switch v.provider {
|
||||
case cloudprovider.GCP:
|
||||
gcpPCRs := config.Provider.GCP.Measurements
|
||||
if err := v.checkPCRs(gcpPCRs); err != nil {
|
||||
enforcedPCRs := config.Provider.GCP.EnforcedMeasurements
|
||||
if err := v.checkPCRs(gcpPCRs, enforcedPCRs); err != nil {
|
||||
return err
|
||||
}
|
||||
v.enforcedPCRs = enforcedPCRs
|
||||
v.pcrs = gcpPCRs
|
||||
case cloudprovider.Azure:
|
||||
azurePCRs := config.Provider.Azure.Measurements
|
||||
if err := v.checkPCRs(azurePCRs); err != nil {
|
||||
enforcedPCRs := config.Provider.Azure.EnforcedMeasurements
|
||||
if err := v.checkPCRs(azurePCRs, enforcedPCRs); err != nil {
|
||||
return err
|
||||
}
|
||||
v.enforcedPCRs = enforcedPCRs
|
||||
v.pcrs = azurePCRs
|
||||
case cloudprovider.QEMU:
|
||||
qemuPCRs := config.Provider.QEMU.Measurements
|
||||
if err := v.checkPCRs(qemuPCRs); err != nil {
|
||||
enforcedPCRs := config.Provider.QEMU.EnforcedMeasurements
|
||||
if err := v.checkPCRs(qemuPCRs, enforcedPCRs); err != nil {
|
||||
return err
|
||||
}
|
||||
v.enforcedPCRs = enforcedPCRs
|
||||
v.pcrs = qemuPCRs
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// V returns the validator as atls.Validator.
|
||||
func (v *Validator) V() atls.Validator {
|
||||
v.updateValidator()
|
||||
func (v *Validator) V(cmd *cobra.Command) atls.Validator {
|
||||
v.updateValidator(cmd)
|
||||
return v.validator
|
||||
}
|
||||
|
||||
@ -100,60 +115,19 @@ func (v *Validator) PCRS() map[uint32][]byte {
|
||||
return v.pcrs
|
||||
}
|
||||
|
||||
func (v *Validator) updateValidator() {
|
||||
func (v *Validator) updateValidator(cmd *cobra.Command) {
|
||||
switch v.provider {
|
||||
case cloudprovider.GCP:
|
||||
v.validator = gcp.NewValidator(v.pcrs)
|
||||
v.validator = gcp.NewValidator(v.pcrs, v.enforcedPCRs)
|
||||
case cloudprovider.Azure:
|
||||
v.validator = azure.NewValidator(v.pcrs)
|
||||
v.validator = azure.NewValidator(v.pcrs, v.enforcedPCRs)
|
||||
case cloudprovider.QEMU:
|
||||
v.validator = qemu.NewValidator(v.pcrs)
|
||||
v.validator = qemu.NewValidator(v.pcrs, v.enforcedPCRs)
|
||||
}
|
||||
v.validator.AddLogger(warnLogger{cmd: cmd})
|
||||
}
|
||||
|
||||
// Warnings returns warnings for the specifc PCR values that are not verified.
|
||||
//
|
||||
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
|
||||
func (v *Validator) Warnings() string {
|
||||
sb := &strings.Builder{}
|
||||
|
||||
if v.pcrs[0] == nil || v.pcrs[1] == nil {
|
||||
writeWarnFmt(sb, "BIOS")
|
||||
}
|
||||
|
||||
if v.pcrs[2] == nil || v.pcrs[3] == nil {
|
||||
writeWarnFmt(sb, "OPROM")
|
||||
}
|
||||
|
||||
if v.pcrs[4] == nil || v.pcrs[5] == nil {
|
||||
writeWarnFmt(sb, "MBR")
|
||||
}
|
||||
|
||||
// GRUB measures kernel command line and initrd into pcrs 8 and 9
|
||||
if v.pcrs[8] == nil {
|
||||
writeWarnFmt(sb, "kernel command line")
|
||||
}
|
||||
if v.pcrs[9] == nil {
|
||||
writeWarnFmt(sb, "initrd")
|
||||
}
|
||||
|
||||
return sb.String()
|
||||
}
|
||||
|
||||
// WarningsIncludeInit returns warnings for the specific PCR values that are not verified.
|
||||
// Warnings regarding the initialization are included.
|
||||
//
|
||||
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
|
||||
func (v *Validator) WarningsIncludeInit() string {
|
||||
warnings := v.Warnings()
|
||||
if v.pcrs[uint32(vtpm.PCRIndexOwnerID)] == nil || v.pcrs[uint32(vtpm.PCRIndexClusterID)] == nil {
|
||||
warnings = warnings + fmt.Sprintf(warningStr, "initialization status")
|
||||
}
|
||||
|
||||
return warnings
|
||||
}
|
||||
|
||||
func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
|
||||
func (v *Validator) checkPCRs(pcrs map[uint32][]byte, enforcedPCRs []uint32) error {
|
||||
if len(pcrs) == 0 {
|
||||
return errors.New("no PCR values provided")
|
||||
}
|
||||
@ -162,13 +136,20 @@ func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
|
||||
return fmt.Errorf("bad config: PCR[%d]: expected length: %d, but got: %d", k, 32, len(v))
|
||||
}
|
||||
}
|
||||
for _, v := range enforcedPCRs {
|
||||
if _, ok := pcrs[v]; !ok {
|
||||
return fmt.Errorf("bad config: PCR[%d] is enforced, but no expected measurement is provided", v)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func writeWarnFmt(sb *strings.Builder, args ...any) {
|
||||
writeFmt(sb, warningStr, args...)
|
||||
// warnLogger implements logging of warnings for validators.
|
||||
type warnLogger struct {
|
||||
cmd *cobra.Command
|
||||
}
|
||||
|
||||
func writeFmt(sb *strings.Builder, fmtStr string, args ...any) {
|
||||
sb.WriteString(fmt.Sprintf(fmtStr, args...))
|
||||
// Warnf prints a formatted warning from the validator.
|
||||
func (wl warnLogger) Warnf(fmtStr string, args ...interface{}) {
|
||||
wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))
|
||||
}
|
||||
|
@ -12,6 +12,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/internal/config"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
@ -93,172 +94,6 @@ func TestNewValidator(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidatorWarnings(t *testing.T) {
|
||||
zero := []byte("00000000000000000000000000000000")
|
||||
|
||||
testCases := map[string]struct {
|
||||
pcrs map[uint32][]byte
|
||||
wantWarnings []string
|
||||
wantWInclude []string
|
||||
}{
|
||||
"no warnings": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
6: zero,
|
||||
7: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
10: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
},
|
||||
"no warnings for missing non critical values": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
},
|
||||
"warn for BIOS": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"BIOS"},
|
||||
},
|
||||
"warn for OPROM": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"OPROM"},
|
||||
},
|
||||
"warn for MBR": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"MBR"},
|
||||
},
|
||||
"warn for kernel": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"kernel"},
|
||||
},
|
||||
"warn for initrd": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"initrd"},
|
||||
},
|
||||
"warn for initialization": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
},
|
||||
wantWInclude: []string{"initialization"},
|
||||
},
|
||||
"multi warning": {
|
||||
pcrs: map[uint32][]byte{},
|
||||
wantWarnings: []string{
|
||||
"BIOS",
|
||||
"OPROM",
|
||||
"MBR",
|
||||
"initrd",
|
||||
"kernel",
|
||||
},
|
||||
wantWInclude: []string{"initialization"},
|
||||
},
|
||||
}
|
||||
|
||||
for name, tc := range testCases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
validators := Validator{pcrs: tc.pcrs}
|
||||
|
||||
warnings := validators.Warnings()
|
||||
warningsInclueInit := validators.WarningsIncludeInit()
|
||||
|
||||
if len(tc.wantWarnings) == 0 {
|
||||
assert.Empty(warnings)
|
||||
}
|
||||
for _, w := range tc.wantWarnings {
|
||||
assert.Contains(warnings, w)
|
||||
}
|
||||
for _, w := range tc.wantWarnings {
|
||||
assert.Contains(warningsInclueInit, w)
|
||||
}
|
||||
if len(tc.wantWInclude) == 0 {
|
||||
assert.Equal(len(warnings), len(warningsInclueInit))
|
||||
} else {
|
||||
assert.Greater(len(warningsInclueInit), len(warnings))
|
||||
}
|
||||
for _, w := range tc.wantWInclude {
|
||||
assert.Contains(warningsInclueInit, w)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidatorV(t *testing.T) {
|
||||
zero := []byte("00000000000000000000000000000000")
|
||||
newTestPCRs := func() map[uint32][]byte {
|
||||
@ -287,17 +122,17 @@ func TestValidatorV(t *testing.T) {
|
||||
"gcp": {
|
||||
provider: cloudprovider.GCP,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: gcp.NewValidator(newTestPCRs()),
|
||||
wantVs: gcp.NewValidator(newTestPCRs(), nil),
|
||||
},
|
||||
"azure": {
|
||||
provider: cloudprovider.Azure,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: azure.NewValidator(newTestPCRs()),
|
||||
wantVs: azure.NewValidator(newTestPCRs(), nil),
|
||||
},
|
||||
"qemu": {
|
||||
provider: cloudprovider.QEMU,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: qemu.NewValidator(newTestPCRs()),
|
||||
wantVs: qemu.NewValidator(newTestPCRs(), nil),
|
||||
},
|
||||
}
|
||||
|
||||
@ -307,7 +142,7 @@ func TestValidatorV(t *testing.T) {
|
||||
|
||||
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
|
||||
|
||||
resultValidator := validators.V()
|
||||
resultValidator := validators.V(&cobra.Command{})
|
||||
|
||||
assert.Equal(tc.wantVs.OID(), resultValidator.OID())
|
||||
})
|
||||
|
@ -54,7 +54,7 @@ func runInitialize(cmd *cobra.Command, args []string) error {
|
||||
fileHandler := file.NewHandler(afero.NewOsFs())
|
||||
serviceAccountCreator := cloudcmd.NewServiceAccountCreator()
|
||||
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
|
||||
return dialer.New(nil, validator.V(), &net.Dialer{})
|
||||
return dialer.New(nil, validator.V(cmd), &net.Dialer{})
|
||||
}
|
||||
helmLoader := &helm.ChartLoader{}
|
||||
return initialize(cmd, newDialer, serviceAccountCreator, fileHandler, helmLoader)
|
||||
@ -96,7 +96,6 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cmd.Print(validator.WarningsIncludeInit())
|
||||
|
||||
cmd.Println("Creating service account ...")
|
||||
serviceAccount, stat, err := serviceAccCreator.Create(cmd.Context(), stat, config)
|
||||
@ -135,6 +134,7 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
||||
KubernetesVersion: config.KubernetesVersion,
|
||||
SshUserKeys: ssh.ToProtoSlice(sshUsers),
|
||||
HelmDeployments: helmDeployments,
|
||||
EnforcedPcrs: getEnforcedMeasurements(provider, config),
|
||||
}
|
||||
resp, err := initCall(cmd.Context(), newDialer(validator), stat.BootstrapperHost, req)
|
||||
if err != nil {
|
||||
@ -214,6 +214,19 @@ func writeRow(wr io.Writer, col1 string, col2 string) {
|
||||
fmt.Fprint(wr, col1, "\t", col2, "\n")
|
||||
}
|
||||
|
||||
func getEnforcedMeasurements(provider cloudprovider.Provider, config *config.Config) []uint32 {
|
||||
switch provider {
|
||||
case cloudprovider.Azure:
|
||||
return config.Provider.Azure.EnforcedMeasurements
|
||||
case cloudprovider.GCP:
|
||||
return config.Provider.GCP.EnforcedMeasurements
|
||||
case cloudprovider.QEMU:
|
||||
return config.Provider.QEMU.EnforcedMeasurements
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// evalFlagArgs gets the flag values and does preprocessing of these values like
|
||||
// reading the content from file path flags and deriving other values from flag combinations.
|
||||
func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, error) {
|
||||
|
@ -14,6 +14,7 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/bootstrapper/initproto"
|
||||
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
|
||||
"github.com/edgelesssys/constellation/internal/config"
|
||||
@ -158,9 +159,12 @@ func TestInitialize(t *testing.T) {
|
||||
cmd.SetOut(&out)
|
||||
var errOut bytes.Buffer
|
||||
cmd.SetErr(&errOut)
|
||||
cmd.Flags().String("config", "", "") // register persistent flag manually
|
||||
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
||||
fs := afero.NewMemMapFs()
|
||||
fileHandler := file.NewHandler(fs)
|
||||
|
||||
config := defaultConfigWithExpectedMeasurements(t, cloudprovider.FromString(tc.existingState.CloudProvider))
|
||||
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
|
||||
require.NoError(cmd.Flags().Set("autoscale", strconv.FormatBool(tc.setAutoscaleFlag)))
|
||||
|
||||
@ -476,6 +480,8 @@ func (v *testValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
return attestation.UserData, nil
|
||||
}
|
||||
|
||||
func (v *testValidator) AddLogger(vtpm.WarnLogger) {}
|
||||
|
||||
type testIssuer struct {
|
||||
oid.Getter
|
||||
pcrs map[uint32][]byte
|
||||
@ -506,3 +512,27 @@ func (s *stubInitServer) Init(ctx context.Context, req *initproto.InitRequest) (
|
||||
s.activateAutoscalingNodeGroups = req.AutoscalingNodeGroups
|
||||
return s.initResp, s.initErr
|
||||
}
|
||||
|
||||
func defaultConfigWithExpectedMeasurements(t *testing.T, csp cloudprovider.Provider) *config.Config {
|
||||
t.Helper()
|
||||
config := config.Default()
|
||||
|
||||
config.Provider.Azure.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
|
||||
config.Provider.Azure.TenantID = "01234567-0123-0123-0123-0123456789ab"
|
||||
config.Provider.Azure.Location = "test-location"
|
||||
config.Provider.Azure.UserAssignedIdentity = "test-identity"
|
||||
config.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||
config.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||
|
||||
config.Provider.GCP.Region = "test-region"
|
||||
config.Provider.GCP.Project = "test-project"
|
||||
config.Provider.GCP.Zone = "test-zone"
|
||||
config.Provider.GCP.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||
config.Provider.GCP.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||
|
||||
config.Provider.QEMU.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||
config.Provider.QEMU.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||
|
||||
config.RemoveProviderExcept(csp)
|
||||
return config
|
||||
}
|
||||
|
@ -72,9 +72,8 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cmd.Print(validators.WarningsIncludeInit())
|
||||
|
||||
if err := recoveryClient.Connect(flags.endpoint, validators.V()); err != nil {
|
||||
if err := recoveryClient.Connect(flags.endpoint, validators.V(cmd)); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -6,6 +6,7 @@ import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/internal/constants"
|
||||
"github.com/edgelesssys/constellation/internal/crypto/testvector"
|
||||
"github.com/edgelesssys/constellation/internal/file"
|
||||
@ -125,7 +126,7 @@ func TestRecover(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
cmd := NewRecoverCmd()
|
||||
cmd.Flags().String("config", "", "") // register persistent flag manually
|
||||
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
||||
out := &bytes.Buffer{}
|
||||
cmd.SetOut(out)
|
||||
cmd.SetErr(&bytes.Buffer{})
|
||||
@ -144,6 +145,10 @@ func TestRecover(t *testing.T) {
|
||||
|
||||
fs := afero.NewMemMapFs()
|
||||
fileHandler := file.NewHandler(fs)
|
||||
|
||||
config := defaultConfigWithExpectedMeasurements(t, cloudprovider.FromString(tc.existingState.CloudProvider))
|
||||
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||
|
||||
require.NoError(fileHandler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt}, file.OptNone))
|
||||
if !tc.stateless {
|
||||
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
|
||||
|
@ -70,9 +70,6 @@ func verify(
|
||||
if err := validators.UpdateInitPCRs(flags.ownerID, flags.clusterID); err != nil {
|
||||
return err
|
||||
}
|
||||
if validators.Warnings() != "" {
|
||||
cmd.Print(validators.Warnings())
|
||||
}
|
||||
|
||||
nonce, err := crypto.GenerateRandomBytes(32)
|
||||
if err != nil {
|
||||
@ -90,7 +87,7 @@ func verify(
|
||||
Nonce: nonce,
|
||||
UserData: userData,
|
||||
},
|
||||
validators.V(),
|
||||
validators.V(cmd),
|
||||
); err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -172,7 +172,7 @@ func TestVerify(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
cmd := NewVerifyCmd()
|
||||
cmd.Flags().String("config", "", "") // register persistent flag manually
|
||||
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
||||
out := &bytes.Buffer{}
|
||||
cmd.SetOut(out)
|
||||
cmd.SetErr(&bytes.Buffer{})
|
||||
@ -190,6 +190,8 @@ func TestVerify(t *testing.T) {
|
||||
}
|
||||
fileHandler := file.NewHandler(tc.setupFs(require))
|
||||
|
||||
config := defaultConfigWithExpectedMeasurements(t, tc.provider)
|
||||
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||
if tc.idFile != nil {
|
||||
require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone))
|
||||
}
|
||||
|
@ -17,6 +17,7 @@ import (
|
||||
"math/big"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/crypto"
|
||||
"github.com/edgelesssys/constellation/internal/oid"
|
||||
)
|
||||
@ -71,6 +72,7 @@ type Issuer interface {
|
||||
type Validator interface {
|
||||
oid.Getter
|
||||
Validate(attDoc []byte, nonce []byte) ([]byte, error)
|
||||
AddLogger(log vtpm.WarnLogger)
|
||||
}
|
||||
|
||||
// getATLSConfigForClientFunc returns a config setup function that is called once for every client connecting to the server.
|
||||
@ -365,6 +367,9 @@ func NewFakeValidators(oid oid.Getter) []Validator {
|
||||
return []Validator{NewFakeValidator(oid)}
|
||||
}
|
||||
|
||||
// AddLogger is a nop for FakeValidator.
|
||||
func (v FakeValidator) AddLogger(log vtpm.WarnLogger) {}
|
||||
|
||||
// Validate unmarshals the attestation document and verifies the nonce.
|
||||
func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
var doc FakeAttestationDoc
|
||||
|
@ -15,10 +15,11 @@ type Validator struct {
|
||||
}
|
||||
|
||||
// NewValidator initializes a new Azure validator with the provided PCR values.
|
||||
func NewValidator(pcrs map[uint32][]byte) *Validator {
|
||||
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
|
||||
return &Validator{
|
||||
Validator: vtpm.NewValidator(
|
||||
pcrs,
|
||||
enforcedPCRs,
|
||||
trustedKeyFromSNP,
|
||||
validateAzureCVM,
|
||||
vtpm.VerifyPKCS1v15,
|
||||
|
@ -28,10 +28,11 @@ type Validator struct {
|
||||
}
|
||||
|
||||
// NewValidator initializes a new GCP validator with the provided PCR values.
|
||||
func NewValidator(pcrs map[uint32][]byte) *Validator {
|
||||
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
|
||||
return &Validator{
|
||||
Validator: vtpm.NewValidator(
|
||||
pcrs,
|
||||
enforcedPCRs,
|
||||
trustedKeyFromGCEAPI(newInstanceClient),
|
||||
gceNonHostInfoEvent,
|
||||
vtpm.VerifyPKCS1v15,
|
||||
|
@ -15,10 +15,11 @@ type Validator struct {
|
||||
}
|
||||
|
||||
// NewValidator initializes a new qemu validator with the provided PCR values.
|
||||
func NewValidator(pcrs map[uint32][]byte) *Validator {
|
||||
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
|
||||
return &Validator{
|
||||
Validator: vtpm.NewValidator(
|
||||
pcrs,
|
||||
enforcedPCRs,
|
||||
unconditionalTrust,
|
||||
func(attestation vtpm.AttestationDocument) error { return nil },
|
||||
vtpm.VerifyPKCS1v15,
|
||||
|
@ -51,6 +51,11 @@ type (
|
||||
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
|
||||
)
|
||||
|
||||
// WarnLogger is a logger used to print warnings during attestation validation.
|
||||
type WarnLogger interface {
|
||||
Warnf(format string, args ...interface{})
|
||||
}
|
||||
|
||||
// AttestationDocument contains the TPM attestation with signed user data.
|
||||
type AttestationDocument struct {
|
||||
// Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation.
|
||||
@ -122,22 +127,39 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
|
||||
|
||||
// Validator handles validation of TPM based attestation.
|
||||
type Validator struct {
|
||||
trustedPcrs map[uint32][]byte
|
||||
expectedPCRs map[uint32][]byte
|
||||
enforcedPCRs map[uint32]struct{}
|
||||
getTrustedKey GetTPMTrustedAttestationPublicKey
|
||||
validateCVM ValidateCVM
|
||||
verifyUserData VerifyUserData
|
||||
|
||||
log WarnLogger
|
||||
}
|
||||
|
||||
// NewValidator returns a new Validator.
|
||||
func NewValidator(trustedPcrs map[uint32][]byte, getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData) *Validator {
|
||||
func NewValidator(expectedPCRs map[uint32][]byte, enforcedPCRs []uint32,
|
||||
getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData,
|
||||
) *Validator {
|
||||
// Convert the enforced PCR list to a map for convenient and fast lookup
|
||||
enforcedMap := make(map[uint32]struct{})
|
||||
for _, pcr := range enforcedPCRs {
|
||||
enforcedMap[pcr] = struct{}{}
|
||||
}
|
||||
|
||||
return &Validator{
|
||||
trustedPcrs: trustedPcrs,
|
||||
expectedPCRs: expectedPCRs,
|
||||
enforcedPCRs: enforcedMap,
|
||||
getTrustedKey: getTrustedKey,
|
||||
validateCVM: validateCVM,
|
||||
verifyUserData: verifyUserData,
|
||||
}
|
||||
}
|
||||
|
||||
// AddLogger adds a logger to the validator.
|
||||
func (v *Validator) AddLogger(log WarnLogger) {
|
||||
v.log = log
|
||||
}
|
||||
|
||||
// Validate a TPM based attestation.
|
||||
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
||||
var attDoc AttestationDocument
|
||||
@ -173,9 +195,14 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
for idx, pcr := range v.trustedPcrs {
|
||||
for idx, pcr := range v.expectedPCRs {
|
||||
if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
|
||||
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
|
||||
if _, ok := v.enforcedPCRs[idx]; ok {
|
||||
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
|
||||
}
|
||||
if v.log != nil {
|
||||
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -4,6 +4,7 @@ import (
|
||||
"crypto"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"testing"
|
||||
|
||||
@ -45,26 +46,25 @@ func fakeGetInstanceInfo(tpm io.ReadWriteCloser) ([]byte, error) {
|
||||
return []byte("unit-test"), nil
|
||||
}
|
||||
|
||||
func fakeGetTrustedKey(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||
pubArea, err := tpm2.DecodePublic(aKPub)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return pubArea.Key()
|
||||
}
|
||||
|
||||
func fakeValidateCVM(AttestationDocument) error { return nil }
|
||||
|
||||
var fakeTrustedPcrs = map[uint32][]byte{
|
||||
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
}
|
||||
|
||||
func TestValidate(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
fakeValidateCVM := func(AttestationDocument) error { return nil }
|
||||
fakeGetTrustedKey := func(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||
pubArea, err := tpm2.DecodePublic(aKPub)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return pubArea.Key()
|
||||
}
|
||||
|
||||
testExpectedPCRs := map[uint32][]byte{
|
||||
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
}
|
||||
|
||||
issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
|
||||
validator := NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)
|
||||
validator := NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)
|
||||
|
||||
nonce := []byte{1, 2, 3, 4}
|
||||
challenge := []byte("Constellation")
|
||||
@ -82,6 +82,29 @@ func TestValidate(t *testing.T) {
|
||||
require.NoError(err)
|
||||
require.Equal(challenge, out)
|
||||
|
||||
warnLog := &testWarnLog{}
|
||||
enforcedPCRs := []uint32{0, 1}
|
||||
expectedPCRs := map[uint32][]byte{
|
||||
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
2: {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
||||
3: {0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
|
||||
4: {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
|
||||
5: {0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
|
||||
}
|
||||
warningValidator := NewValidator(
|
||||
expectedPCRs,
|
||||
enforcedPCRs,
|
||||
fakeGetTrustedKey,
|
||||
fakeValidateCVM,
|
||||
VerifyPKCS1v15,
|
||||
)
|
||||
warningValidator.AddLogger(warnLog)
|
||||
out, err = warningValidator.Validate(attDocRaw, nonce)
|
||||
require.NoError(err)
|
||||
assert.Equal(t, challenge, out)
|
||||
assert.Len(t, warnLog.warnings, len(expectedPCRs)-len(enforcedPCRs))
|
||||
|
||||
testCases := map[string]struct {
|
||||
validator *Validator
|
||||
attDoc []byte
|
||||
@ -89,13 +112,13 @@ func TestValidate(t *testing.T) {
|
||||
wantErr bool
|
||||
}{
|
||||
"invalid nonce": {
|
||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: []byte{4, 3, 2, 1},
|
||||
wantErr: true,
|
||||
},
|
||||
"invalid signature": {
|
||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||
Attestation: attDoc.Attestation,
|
||||
InstanceInfo: attDoc.InstanceInfo,
|
||||
@ -107,7 +130,8 @@ func TestValidate(t *testing.T) {
|
||||
},
|
||||
"untrusted attestation public key": {
|
||||
validator: NewValidator(
|
||||
fakeTrustedPcrs,
|
||||
testExpectedPCRs,
|
||||
[]uint32{0, 1},
|
||||
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||
return nil, errors.New("untrusted")
|
||||
},
|
||||
@ -118,7 +142,8 @@ func TestValidate(t *testing.T) {
|
||||
},
|
||||
"not a CVM": {
|
||||
validator: NewValidator(
|
||||
fakeTrustedPcrs,
|
||||
testExpectedPCRs,
|
||||
[]uint32{0, 1},
|
||||
fakeGetTrustedKey,
|
||||
func(attestation AttestationDocument) error {
|
||||
return errors.New("untrusted")
|
||||
@ -133,6 +158,7 @@ func TestValidate(t *testing.T) {
|
||||
map[uint32][]byte{
|
||||
0: {0xFF},
|
||||
},
|
||||
[]uint32{0},
|
||||
fakeGetTrustedKey,
|
||||
fakeValidateCVM,
|
||||
VerifyPKCS1v15),
|
||||
@ -141,7 +167,7 @@ func TestValidate(t *testing.T) {
|
||||
wantErr: true,
|
||||
},
|
||||
"no sha256 quote": {
|
||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||
Attestation: &attest.Attestation{
|
||||
AkPub: attDoc.Attestation.AkPub,
|
||||
@ -159,7 +185,7 @@ func TestValidate(t *testing.T) {
|
||||
wantErr: true,
|
||||
},
|
||||
"invalid attestation document": {
|
||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||
attDoc: []byte("invalid attestation"),
|
||||
nonce: nonce,
|
||||
wantErr: true,
|
||||
@ -368,3 +394,11 @@ func TestGetSelectedPCRs(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
type testWarnLog struct {
|
||||
warnings []string
|
||||
}
|
||||
|
||||
func (w *testWarnLog) Warnf(format string, args ...interface{}) {
|
||||
w.warnings = append(w.warnings, fmt.Sprintf(format, args...))
|
||||
}
|
||||
|
@ -136,6 +136,9 @@ type AzureConfig struct {
|
||||
// Expected confidential VM measurements.
|
||||
Measurements Measurements `yaml:"measurements"`
|
||||
// description: |
|
||||
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||
// description: |
|
||||
// Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure
|
||||
UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
|
||||
}
|
||||
@ -163,12 +166,18 @@ type GCPConfig struct {
|
||||
// description: |
|
||||
// Expected confidential VM measurements.
|
||||
Measurements Measurements `yaml:"measurements"`
|
||||
// description: |
|
||||
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||
}
|
||||
|
||||
type QEMUConfig struct {
|
||||
// description: |
|
||||
// Measurement used to enable measured boot.
|
||||
Measurements Measurements `yaml:"measurements"`
|
||||
// description: |
|
||||
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||
}
|
||||
|
||||
// Default returns a struct with the default config.
|
||||
@ -218,7 +227,8 @@ func Default() *Config {
|
||||
UserAssignedIdentity: "",
|
||||
Image: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
|
||||
StateDiskType: "StandardSSD_LRS", // TODO: Replace with Premium_LRS when we replace the default VM size (Standard_D2a_v4) since the size does not support Premium_LRS
|
||||
Measurements: azurePCRs,
|
||||
Measurements: copyPCRMap(azurePCRs),
|
||||
EnforcedMeasurements: []uint32{8, 9, 11, 12},
|
||||
},
|
||||
GCP: &GCPConfig{
|
||||
Project: "",
|
||||
@ -232,11 +242,13 @@ func Default() *Config {
|
||||
"roles/storage.admin",
|
||||
"roles/iam.serviceAccountUser",
|
||||
},
|
||||
StateDiskType: "pd-ssd",
|
||||
Measurements: gcpPCRs,
|
||||
StateDiskType: "pd-ssd",
|
||||
Measurements: copyPCRMap(gcpPCRs),
|
||||
EnforcedMeasurements: []uint32{0, 8, 9, 11, 12},
|
||||
},
|
||||
QEMU: &QEMUConfig{
|
||||
Measurements: qemuPCRs,
|
||||
Measurements: copyPCRMap(qemuPCRs),
|
||||
EnforcedMeasurements: []uint32{11, 12},
|
||||
},
|
||||
},
|
||||
KubernetesVersion: string(versions.Latest),
|
||||
@ -346,3 +358,9 @@ func FromFile(fileHandler file.Handler, name string) (*Config, error) {
|
||||
}
|
||||
return &conf, nil
|
||||
}
|
||||
|
||||
func copyPCRMap(m map[uint32][]byte) map[uint32][]byte {
|
||||
res := make(Measurements)
|
||||
res.CopyFrom(m)
|
||||
return res
|
||||
}
|
||||
|
@ -168,7 +168,7 @@ func init() {
|
||||
FieldName: "azure",
|
||||
},
|
||||
}
|
||||
AzureConfigDoc.Fields = make([]encoder.Doc, 7)
|
||||
AzureConfigDoc.Fields = make([]encoder.Doc, 8)
|
||||
AzureConfigDoc.Fields[0].Name = "subscription"
|
||||
AzureConfigDoc.Fields[0].Type = "string"
|
||||
AzureConfigDoc.Fields[0].Note = ""
|
||||
@ -199,11 +199,16 @@ func init() {
|
||||
AzureConfigDoc.Fields[5].Note = ""
|
||||
AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements."
|
||||
AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||
AzureConfigDoc.Fields[6].Name = "userAssignedIdentity"
|
||||
AzureConfigDoc.Fields[6].Type = "string"
|
||||
AzureConfigDoc.Fields[6].Name = "enforcedMeasurements"
|
||||
AzureConfigDoc.Fields[6].Type = "[]uint32"
|
||||
AzureConfigDoc.Fields[6].Note = ""
|
||||
AzureConfigDoc.Fields[6].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
||||
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
||||
AzureConfigDoc.Fields[6].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
AzureConfigDoc.Fields[7].Name = "userAssignedIdentity"
|
||||
AzureConfigDoc.Fields[7].Type = "string"
|
||||
AzureConfigDoc.Fields[7].Note = ""
|
||||
AzureConfigDoc.Fields[7].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
||||
AzureConfigDoc.Fields[7].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
||||
|
||||
GCPConfigDoc.Type = "GCPConfig"
|
||||
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
|
||||
@ -214,7 +219,7 @@ func init() {
|
||||
FieldName: "gcp",
|
||||
},
|
||||
}
|
||||
GCPConfigDoc.Fields = make([]encoder.Doc, 7)
|
||||
GCPConfigDoc.Fields = make([]encoder.Doc, 8)
|
||||
GCPConfigDoc.Fields[0].Name = "project"
|
||||
GCPConfigDoc.Fields[0].Type = "string"
|
||||
GCPConfigDoc.Fields[0].Note = ""
|
||||
@ -250,6 +255,11 @@ func init() {
|
||||
GCPConfigDoc.Fields[6].Note = ""
|
||||
GCPConfigDoc.Fields[6].Description = "Expected confidential VM measurements."
|
||||
GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||
GCPConfigDoc.Fields[7].Name = "enforcedMeasurements"
|
||||
GCPConfigDoc.Fields[7].Type = "[]uint32"
|
||||
GCPConfigDoc.Fields[7].Note = ""
|
||||
GCPConfigDoc.Fields[7].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
GCPConfigDoc.Fields[7].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
|
||||
QEMUConfigDoc.Type = "QEMUConfig"
|
||||
QEMUConfigDoc.Comments[encoder.LineComment] = ""
|
||||
@ -260,12 +270,17 @@ func init() {
|
||||
FieldName: "qemu",
|
||||
},
|
||||
}
|
||||
QEMUConfigDoc.Fields = make([]encoder.Doc, 1)
|
||||
QEMUConfigDoc.Fields = make([]encoder.Doc, 2)
|
||||
QEMUConfigDoc.Fields[0].Name = "measurements"
|
||||
QEMUConfigDoc.Fields[0].Type = "Measurements"
|
||||
QEMUConfigDoc.Fields[0].Note = ""
|
||||
QEMUConfigDoc.Fields[0].Description = "Measurement used to enable measured boot."
|
||||
QEMUConfigDoc.Fields[0].Comments[encoder.LineComment] = "Measurement used to enable measured boot."
|
||||
QEMUConfigDoc.Fields[1].Name = "enforcedMeasurements"
|
||||
QEMUConfigDoc.Fields[1].Type = "[]uint32"
|
||||
QEMUConfigDoc.Fields[1].Note = ""
|
||||
QEMUConfigDoc.Fields[1].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
QEMUConfigDoc.Fields[1].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
}
|
||||
|
||||
func (_ Config) Doc() *encoder.Doc {
|
||||
|
@ -65,6 +65,8 @@ const (
|
||||
ServiceBasePath = "/var/config"
|
||||
// MeasurementsFilename is the filename of CC measurements.
|
||||
MeasurementsFilename = "measurements"
|
||||
// EnforcedPCRsFilename is the filename for a list PCRs that are required to pass attestation.
|
||||
EnforcedPCRsFilename = "enforcedPCRs"
|
||||
// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
|
||||
MeasurementSaltFilename = "measurementSalt"
|
||||
// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
|
||||
|
@ -11,6 +11,7 @@ import (
|
||||
|
||||
"github.com/edgelesssys/constellation/bootstrapper/initproto"
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/goleak"
|
||||
@ -100,6 +101,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
return doc.UserData, v.err
|
||||
}
|
||||
|
||||
func (v fakeValidator) AddLogger(vtpm.WarnLogger) {}
|
||||
|
||||
type fakeOID asn1.ObjectIdentifier
|
||||
|
||||
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||
|
@ -30,11 +30,11 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
|
||||
var newValidator newValidatorFunc
|
||||
switch cloudprovider.FromString(csp) {
|
||||
case cloudprovider.Azure:
|
||||
newValidator = func(m map[uint32][]byte) atls.Validator { return azure.NewValidator(m) }
|
||||
newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return azure.NewValidator(m, e) }
|
||||
case cloudprovider.GCP:
|
||||
newValidator = func(m map[uint32][]byte) atls.Validator { return gcp.NewValidator(m) }
|
||||
newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return gcp.NewValidator(m, e) }
|
||||
case cloudprovider.QEMU:
|
||||
newValidator = func(m map[uint32][]byte) atls.Validator { return qemu.NewValidator(m) }
|
||||
newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return qemu.NewValidator(m, e) }
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown cloud service provider: %q", csp)
|
||||
}
|
||||
@ -76,9 +76,16 @@ func (u *Updatable) Update() error {
|
||||
}
|
||||
u.log.Debugf("New measurements: %v", measurements)
|
||||
|
||||
u.Validator = u.newValidator(measurements)
|
||||
var enforced []uint32
|
||||
if err := u.fileHandler.ReadJSON(filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename), &enforced); err != nil {
|
||||
return err
|
||||
}
|
||||
u.log.Debugf("Enforced PCRs: %v", enforced)
|
||||
|
||||
u.Validator = u.newValidator(measurements, enforced)
|
||||
u.Validator.AddLogger(u.log)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
type newValidatorFunc func(measurements map[uint32][]byte) atls.Validator
|
||||
type newValidatorFunc func(measurements map[uint32][]byte, enforcedPCRs []uint32) atls.Validator
|
||||
|
@ -14,6 +14,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/internal/atls"
|
||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/constants"
|
||||
"github.com/edgelesssys/constellation/internal/file"
|
||||
"github.com/edgelesssys/constellation/internal/logger"
|
||||
@ -72,7 +73,10 @@ func TestNewUpdateableValidator(t *testing.T) {
|
||||
map[uint32][]byte{
|
||||
11: {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
|
||||
},
|
||||
file.OptNone,
|
||||
))
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
|
||||
[]uint32{11},
|
||||
))
|
||||
}
|
||||
|
||||
@ -95,7 +99,7 @@ func TestUpdate(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
oid := fakeOID{1, 3, 9900, 1}
|
||||
newValidator := func(m map[uint32][]byte) atls.Validator {
|
||||
newValidator := func(m map[uint32][]byte, e []uint32) atls.Validator {
|
||||
return fakeValidator{fakeOID: oid}
|
||||
}
|
||||
handler := file.NewHandler(afero.NewMemMapFs())
|
||||
@ -118,6 +122,10 @@ func TestUpdate(t *testing.T) {
|
||||
},
|
||||
file.OptNone,
|
||||
))
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
|
||||
[]uint32{11},
|
||||
))
|
||||
|
||||
// call update once to initialize the server's validator
|
||||
require.NoError(validator.Update())
|
||||
@ -161,7 +169,7 @@ func TestUpdateConcurrency(t *testing.T) {
|
||||
validator := &Updatable{
|
||||
log: logger.NewTest(t),
|
||||
fileHandler: handler,
|
||||
newValidator: func(m map[uint32][]byte) atls.Validator {
|
||||
newValidator: func(m map[uint32][]byte, e []uint32) atls.Validator {
|
||||
return fakeValidator{fakeOID: fakeOID{1, 3, 9900, 1}}
|
||||
},
|
||||
}
|
||||
@ -172,6 +180,10 @@ func TestUpdateConcurrency(t *testing.T) {
|
||||
},
|
||||
file.OptNone,
|
||||
))
|
||||
require.NoError(handler.WriteJSON(
|
||||
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
|
||||
[]uint32{11},
|
||||
))
|
||||
|
||||
var wg sync.WaitGroup
|
||||
|
||||
@ -220,6 +232,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||
return doc.UserData, v.err
|
||||
}
|
||||
|
||||
func (v fakeValidator) AddLogger(logger vtpm.WarnLogger) {}
|
||||
|
||||
type fakeOID asn1.ObjectIdentifier
|
||||
|
||||
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||
|
Loading…
Reference in New Issue
Block a user