mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-02 14:26:23 -04:00
AB#2316 Configurable enforced PCRs (#361)
* Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße
GitHub
parent
9478303f80
commit
ba4471a228
30 changed files with 350 additions and 323 deletions
|
|
@ -12,6 +12,7 @@ import (
|
|||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/internal/config"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
|
|
@ -93,172 +94,6 @@ func TestNewValidator(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestValidatorWarnings(t *testing.T) {
|
||||
zero := []byte("00000000000000000000000000000000")
|
||||
|
||||
testCases := map[string]struct {
|
||||
pcrs map[uint32][]byte
|
||||
wantWarnings []string
|
||||
wantWInclude []string
|
||||
}{
|
||||
"no warnings": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
6: zero,
|
||||
7: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
10: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
},
|
||||
"no warnings for missing non critical values": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
},
|
||||
"warn for BIOS": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"BIOS"},
|
||||
},
|
||||
"warn for OPROM": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"OPROM"},
|
||||
},
|
||||
"warn for MBR": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"MBR"},
|
||||
},
|
||||
"warn for kernel": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"kernel"},
|
||||
},
|
||||
"warn for initrd": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
11: zero,
|
||||
12: zero,
|
||||
},
|
||||
wantWarnings: []string{"initrd"},
|
||||
},
|
||||
"warn for initialization": {
|
||||
pcrs: map[uint32][]byte{
|
||||
0: zero,
|
||||
1: zero,
|
||||
2: zero,
|
||||
3: zero,
|
||||
4: zero,
|
||||
5: zero,
|
||||
8: zero,
|
||||
9: zero,
|
||||
11: zero,
|
||||
},
|
||||
wantWInclude: []string{"initialization"},
|
||||
},
|
||||
"multi warning": {
|
||||
pcrs: map[uint32][]byte{},
|
||||
wantWarnings: []string{
|
||||
"BIOS",
|
||||
"OPROM",
|
||||
"MBR",
|
||||
"initrd",
|
||||
"kernel",
|
||||
},
|
||||
wantWInclude: []string{"initialization"},
|
||||
},
|
||||
}
|
||||
|
||||
for name, tc := range testCases {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
validators := Validator{pcrs: tc.pcrs}
|
||||
|
||||
warnings := validators.Warnings()
|
||||
warningsInclueInit := validators.WarningsIncludeInit()
|
||||
|
||||
if len(tc.wantWarnings) == 0 {
|
||||
assert.Empty(warnings)
|
||||
}
|
||||
for _, w := range tc.wantWarnings {
|
||||
assert.Contains(warnings, w)
|
||||
}
|
||||
for _, w := range tc.wantWarnings {
|
||||
assert.Contains(warningsInclueInit, w)
|
||||
}
|
||||
if len(tc.wantWInclude) == 0 {
|
||||
assert.Equal(len(warnings), len(warningsInclueInit))
|
||||
} else {
|
||||
assert.Greater(len(warningsInclueInit), len(warnings))
|
||||
}
|
||||
for _, w := range tc.wantWInclude {
|
||||
assert.Contains(warningsInclueInit, w)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidatorV(t *testing.T) {
|
||||
zero := []byte("00000000000000000000000000000000")
|
||||
newTestPCRs := func() map[uint32][]byte {
|
||||
|
|
@ -287,17 +122,17 @@ func TestValidatorV(t *testing.T) {
|
|||
"gcp": {
|
||||
provider: cloudprovider.GCP,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: gcp.NewValidator(newTestPCRs()),
|
||||
wantVs: gcp.NewValidator(newTestPCRs(), nil),
|
||||
},
|
||||
"azure": {
|
||||
provider: cloudprovider.Azure,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: azure.NewValidator(newTestPCRs()),
|
||||
wantVs: azure.NewValidator(newTestPCRs(), nil),
|
||||
},
|
||||
"qemu": {
|
||||
provider: cloudprovider.QEMU,
|
||||
pcrs: newTestPCRs(),
|
||||
wantVs: qemu.NewValidator(newTestPCRs()),
|
||||
wantVs: qemu.NewValidator(newTestPCRs(), nil),
|
||||
},
|
||||
}
|
||||
|
||||
|
|
@ -307,7 +142,7 @@ func TestValidatorV(t *testing.T) {
|
|||
|
||||
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
|
||||
|
||||
resultValidator := validators.V()
|
||||
resultValidator := validators.V(&cobra.Command{})
|
||||
|
||||
assert.Equal(tc.wantVs.OID(), resultValidator.OID())
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue