AB#2316 Configurable enforced PCRs (#361)

* Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-09-19 12:34:44 -04:00 · 2022-08-12 15:59:45 +02:00 · 2022-08-12 15:59:45 +02:00 · ba4471a228
commit ba4471a228
parent 9478303f80
30 changed files with 350 additions and 323 deletions
--- a/internal/atls/atls.go
+++ b/internal/atls/atls.go
@ -17,6 +17,7 @@ import (
 	"math/big"
 	"time"

+	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/internal/crypto"
 	"github.com/edgelesssys/constellation/internal/oid"
 )
@ -71,6 +72,7 @@ type Issuer interface {
 type Validator interface {
 	oid.Getter
 	Validate(attDoc []byte, nonce []byte) ([]byte, error)
+	AddLogger(log vtpm.WarnLogger)
 }

 // getATLSConfigForClientFunc returns a config setup function that is called once for every client connecting to the server.
@ -365,6 +367,9 @@ func NewFakeValidators(oid oid.Getter) []Validator {
 	return []Validator{NewFakeValidator(oid)}
 }

+// AddLogger is a nop for FakeValidator.
+func (v FakeValidator) AddLogger(log vtpm.WarnLogger) {}
+
 // Validate unmarshals the attestation document and verifies the nonce.
 func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
 	var doc FakeAttestationDoc
--- a/internal/attestation/azure/validator.go
+++ b/internal/attestation/azure/validator.go
@ -15,10 +15,11 @@ type Validator struct {
 }

 // NewValidator initializes a new Azure validator with the provided PCR values.
-func NewValidator(pcrs map[uint32][]byte) *Validator {
+func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
 	return &Validator{
 		Validator: vtpm.NewValidator(
 			pcrs,
+			enforcedPCRs,
 			trustedKeyFromSNP,
 			validateAzureCVM,
 			vtpm.VerifyPKCS1v15,
--- a/internal/attestation/gcp/validator.go
+++ b/internal/attestation/gcp/validator.go
@ -28,10 +28,11 @@ type Validator struct {
 }

 // NewValidator initializes a new GCP validator with the provided PCR values.
-func NewValidator(pcrs map[uint32][]byte) *Validator {
+func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
 	return &Validator{
 		Validator: vtpm.NewValidator(
 			pcrs,
+			enforcedPCRs,
 			trustedKeyFromGCEAPI(newInstanceClient),
 			gceNonHostInfoEvent,
 			vtpm.VerifyPKCS1v15,
--- a/internal/attestation/qemu/validator.go
+++ b/internal/attestation/qemu/validator.go
@ -15,10 +15,11 @@ type Validator struct {
 }

 // NewValidator initializes a new qemu validator with the provided PCR values.
-func NewValidator(pcrs map[uint32][]byte) *Validator {
+func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
 	return &Validator{
 		Validator: vtpm.NewValidator(
 			pcrs,
+			enforcedPCRs,
 			unconditionalTrust,
 			func(attestation vtpm.AttestationDocument) error { return nil },
 			vtpm.VerifyPKCS1v15,
--- a/internal/attestation/vtpm/attestation.go
+++ b/internal/attestation/vtpm/attestation.go
@ -51,6 +51,11 @@ type (
 	VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
 )

+// WarnLogger is a logger used to print warnings during attestation validation.
+type WarnLogger interface {
+	Warnf(format string, args ...interface{})
+}
+
 // AttestationDocument contains the TPM attestation with signed user data.
 type AttestationDocument struct {
 	// Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation.
@ -122,22 +127,39 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {

 // Validator handles validation of TPM based attestation.
 type Validator struct {
-	trustedPcrs    map[uint32][]byte
+	expectedPCRs   map[uint32][]byte
+	enforcedPCRs   map[uint32]struct{}
 	getTrustedKey  GetTPMTrustedAttestationPublicKey
 	validateCVM    ValidateCVM
 	verifyUserData VerifyUserData
+
+	log WarnLogger
 }

 // NewValidator returns a new Validator.
-func NewValidator(trustedPcrs map[uint32][]byte, getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData) *Validator {
+func NewValidator(expectedPCRs map[uint32][]byte, enforcedPCRs []uint32,
+	getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData,
+) *Validator {
+	// Convert the enforced PCR list to a map for convenient and fast lookup
+	enforcedMap := make(map[uint32]struct{})
+	for _, pcr := range enforcedPCRs {
+		enforcedMap[pcr] = struct{}{}
+	}
+
 	return &Validator{
-		trustedPcrs:    trustedPcrs,
+		expectedPCRs:   expectedPCRs,
+		enforcedPCRs:   enforcedMap,
 		getTrustedKey:  getTrustedKey,
 		validateCVM:    validateCVM,
 		verifyUserData: verifyUserData,
 	}
 }

+// AddLogger adds a logger to the validator.
+func (v *Validator) AddLogger(log WarnLogger) {
+	v.log = log
+}
+
 // Validate a TPM based attestation.
 func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
 	var attDoc AttestationDocument
@ -173,9 +195,14 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	for idx, pcr := range v.trustedPcrs {
+	for idx, pcr := range v.expectedPCRs {
 		if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
-			return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
+			if _, ok := v.enforcedPCRs[idx]; ok {
+				return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
+			}
+			if v.log != nil {
+				v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
+			}
 		}
 	}

--- a/internal/attestation/vtpm/attestation_test.go
+++ b/internal/attestation/vtpm/attestation_test.go
@ -4,6 +4,7 @@ import (
 	"crypto"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"testing"

@ -45,26 +46,25 @@ func fakeGetInstanceInfo(tpm io.ReadWriteCloser) ([]byte, error) {
 	return []byte("unit-test"), nil
 }

-func fakeGetTrustedKey(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
-	pubArea, err := tpm2.DecodePublic(aKPub)
-	if err != nil {
-		return nil, err
-	}
-	return pubArea.Key()
-}
-
-func fakeValidateCVM(AttestationDocument) error { return nil }
-
-var fakeTrustedPcrs = map[uint32][]byte{
-	0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-}
-
 func TestValidate(t *testing.T) {
 	require := require.New(t)

+	fakeValidateCVM := func(AttestationDocument) error { return nil }
+	fakeGetTrustedKey := func(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
+		pubArea, err := tpm2.DecodePublic(aKPub)
+		if err != nil {
+			return nil, err
+		}
+		return pubArea.Key()
+	}
+
+	testExpectedPCRs := map[uint32][]byte{
+		0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}
+
 	issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
-	validator := NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)
+	validator := NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)

 	nonce := []byte{1, 2, 3, 4}
 	challenge := []byte("Constellation")
@ -82,6 +82,29 @@ func TestValidate(t *testing.T) {
 	require.NoError(err)
 	require.Equal(challenge, out)

+	warnLog := &testWarnLog{}
+	enforcedPCRs := []uint32{0, 1}
+	expectedPCRs := map[uint32][]byte{
+		0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		2: {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
+		3: {0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
+		4: {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
+		5: {0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
+	}
+	warningValidator := NewValidator(
+		expectedPCRs,
+		enforcedPCRs,
+		fakeGetTrustedKey,
+		fakeValidateCVM,
+		VerifyPKCS1v15,
+	)
+	warningValidator.AddLogger(warnLog)
+	out, err = warningValidator.Validate(attDocRaw, nonce)
+	require.NoError(err)
+	assert.Equal(t, challenge, out)
+	assert.Len(t, warnLog.warnings, len(expectedPCRs)-len(enforcedPCRs))
+
 	testCases := map[string]struct {
 		validator *Validator
 		attDoc    []byte
@ -89,13 +112,13 @@ func TestValidate(t *testing.T) {
 		wantErr   bool
 	}{
 		"invalid nonce": {
-			validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
+			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
 			attDoc:    mustMarshalAttestation(attDoc, require),
 			nonce:     []byte{4, 3, 2, 1},
 			wantErr:   true,
 		},
 		"invalid signature": {
-			validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
+			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
 			attDoc: mustMarshalAttestation(AttestationDocument{
 				Attestation:       attDoc.Attestation,
 				InstanceInfo:      attDoc.InstanceInfo,
@ -107,7 +130,8 @@ func TestValidate(t *testing.T) {
 		},
 		"untrusted attestation public key": {
 			validator: NewValidator(
-				fakeTrustedPcrs,
+				testExpectedPCRs,
+				[]uint32{0, 1},
 				func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
 					return nil, errors.New("untrusted")
 				},
@ -118,7 +142,8 @@ func TestValidate(t *testing.T) {
 		},
 		"not a CVM": {
 			validator: NewValidator(
-				fakeTrustedPcrs,
+				testExpectedPCRs,
+				[]uint32{0, 1},
 				fakeGetTrustedKey,
 				func(attestation AttestationDocument) error {
 					return errors.New("untrusted")
@ -133,6 +158,7 @@ func TestValidate(t *testing.T) {
 				map[uint32][]byte{
 					0: {0xFF},
 				},
+				[]uint32{0},
 				fakeGetTrustedKey,
 				fakeValidateCVM,
 				VerifyPKCS1v15),
@ -141,7 +167,7 @@ func TestValidate(t *testing.T) {
 			wantErr: true,
 		},
 		"no sha256 quote": {
-			validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
+			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
 			attDoc: mustMarshalAttestation(AttestationDocument{
 				Attestation: &attest.Attestation{
 					AkPub: attDoc.Attestation.AkPub,
@ -159,7 +185,7 @@ func TestValidate(t *testing.T) {
 			wantErr: true,
 		},
 		"invalid attestation document": {
-			validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
+			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
 			attDoc:    []byte("invalid attestation"),
 			nonce:     nonce,
 			wantErr:   true,
@ -368,3 +394,11 @@ func TestGetSelectedPCRs(t *testing.T) {
 		})
 	}
 }
+
+type testWarnLog struct {
+	warnings []string
+}
+
+func (w *testWarnLog) Warnf(format string, args ...interface{}) {
+	w.warnings = append(w.warnings, fmt.Sprintf(format, args...))
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -136,6 +136,9 @@ type AzureConfig struct {
 	//   Expected confidential VM measurements.
 	Measurements Measurements `yaml:"measurements"`
 	// description: |
+	//   List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
+	EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
+	// description: |
 	//   Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure
 	UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
 }
@ -163,12 +166,18 @@ type GCPConfig struct {
 	// description: |
 	//   Expected confidential VM measurements.
 	Measurements Measurements `yaml:"measurements"`
+	// description: |
+	//   List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
+	EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
 }

 type QEMUConfig struct {
 	// description: |
 	//   Measurement used to enable measured boot.
 	Measurements Measurements `yaml:"measurements"`
+	// description: |
+	//   List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
+	EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
 }

 // Default returns a struct with the default config.
@ -218,7 +227,8 @@ func Default() *Config {
 				UserAssignedIdentity: "",
 				Image:                "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
 				StateDiskType:        "StandardSSD_LRS", // TODO: Replace with Premium_LRS when we replace the default VM size (Standard_D2a_v4) since the size does not support Premium_LRS
-				Measurements:         azurePCRs,
+				Measurements:         copyPCRMap(azurePCRs),
+				EnforcedMeasurements: []uint32{8, 9, 11, 12},
 			},
 			GCP: &GCPConfig{
 				Project: "",
@ -232,11 +242,13 @@ func Default() *Config {
 					"roles/storage.admin",
 					"roles/iam.serviceAccountUser",
 				},
-				StateDiskType: "pd-ssd",
-				Measurements:  gcpPCRs,
+				StateDiskType:        "pd-ssd",
+				Measurements:         copyPCRMap(gcpPCRs),
+				EnforcedMeasurements: []uint32{0, 8, 9, 11, 12},
 			},
 			QEMU: &QEMUConfig{
-				Measurements: qemuPCRs,
+				Measurements:         copyPCRMap(qemuPCRs),
+				EnforcedMeasurements: []uint32{11, 12},
 			},
 		},
 		KubernetesVersion: string(versions.Latest),
@ -346,3 +358,9 @@ func FromFile(fileHandler file.Handler, name string) (*Config, error) {
 	}
 	return &conf, nil
 }
+
+func copyPCRMap(m map[uint32][]byte) map[uint32][]byte {
+	res := make(Measurements)
+	res.CopyFrom(m)
+	return res
+}
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@ -168,7 +168,7 @@ func init() {
 			FieldName: "azure",
 		},
 	}
-	AzureConfigDoc.Fields = make([]encoder.Doc, 7)
+	AzureConfigDoc.Fields = make([]encoder.Doc, 8)
 	AzureConfigDoc.Fields[0].Name = "subscription"
 	AzureConfigDoc.Fields[0].Type = "string"
 	AzureConfigDoc.Fields[0].Note = ""
@ -199,11 +199,16 @@ func init() {
 	AzureConfigDoc.Fields[5].Note = ""
 	AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements."
 	AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements."
-	AzureConfigDoc.Fields[6].Name = "userAssignedIdentity"
-	AzureConfigDoc.Fields[6].Type = "string"
+	AzureConfigDoc.Fields[6].Name = "enforcedMeasurements"
+	AzureConfigDoc.Fields[6].Type = "[]uint32"
 	AzureConfigDoc.Fields[6].Note = ""
-	AzureConfigDoc.Fields[6].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
-	AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
+	AzureConfigDoc.Fields[6].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
+	AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
+	AzureConfigDoc.Fields[7].Name = "userAssignedIdentity"
+	AzureConfigDoc.Fields[7].Type = "string"
+	AzureConfigDoc.Fields[7].Note = ""
+	AzureConfigDoc.Fields[7].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
+	AzureConfigDoc.Fields[7].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"

 	GCPConfigDoc.Type = "GCPConfig"
 	GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
@ -214,7 +219,7 @@ func init() {
 			FieldName: "gcp",
 		},
 	}
-	GCPConfigDoc.Fields = make([]encoder.Doc, 7)
+	GCPConfigDoc.Fields = make([]encoder.Doc, 8)
 	GCPConfigDoc.Fields[0].Name = "project"
 	GCPConfigDoc.Fields[0].Type = "string"
 	GCPConfigDoc.Fields[0].Note = ""
@ -250,6 +255,11 @@ func init() {
 	GCPConfigDoc.Fields[6].Note = ""
 	GCPConfigDoc.Fields[6].Description = "Expected confidential VM measurements."
 	GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Expected confidential VM measurements."
+	GCPConfigDoc.Fields[7].Name = "enforcedMeasurements"
+	GCPConfigDoc.Fields[7].Type = "[]uint32"
+	GCPConfigDoc.Fields[7].Note = ""
+	GCPConfigDoc.Fields[7].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
+	GCPConfigDoc.Fields[7].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."

 	QEMUConfigDoc.Type = "QEMUConfig"
 	QEMUConfigDoc.Comments[encoder.LineComment] = ""
@ -260,12 +270,17 @@ func init() {
 			FieldName: "qemu",
 		},
 	}
-	QEMUConfigDoc.Fields = make([]encoder.Doc, 1)
+	QEMUConfigDoc.Fields = make([]encoder.Doc, 2)
 	QEMUConfigDoc.Fields[0].Name = "measurements"
 	QEMUConfigDoc.Fields[0].Type = "Measurements"
 	QEMUConfigDoc.Fields[0].Note = ""
 	QEMUConfigDoc.Fields[0].Description = "Measurement used to enable measured boot."
 	QEMUConfigDoc.Fields[0].Comments[encoder.LineComment] = "Measurement used to enable measured boot."
+	QEMUConfigDoc.Fields[1].Name = "enforcedMeasurements"
+	QEMUConfigDoc.Fields[1].Type = "[]uint32"
+	QEMUConfigDoc.Fields[1].Note = ""
+	QEMUConfigDoc.Fields[1].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
+	QEMUConfigDoc.Fields[1].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
 }

 func (_ Config) Doc() *encoder.Doc {
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -65,6 +65,8 @@ const (
 	ServiceBasePath = "/var/config"
 	// MeasurementsFilename is the filename of CC measurements.
 	MeasurementsFilename = "measurements"
+	// EnforcedPCRsFilename is the filename for a list PCRs that are required to pass attestation.
+	EnforcedPCRsFilename = "enforcedPCRs"
 	// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
 	MeasurementSaltFilename = "measurementSalt"
 	// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
--- a/internal/grpc/atlscredentials/atlscredentials_test.go
+++ b/internal/grpc/atlscredentials/atlscredentials_test.go
@ -11,6 +11,7 @@ import (

 	"github.com/edgelesssys/constellation/bootstrapper/initproto"
 	"github.com/edgelesssys/constellation/internal/atls"
+	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
@ -100,6 +101,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
 	return doc.UserData, v.err
 }

+func (v fakeValidator) AddLogger(vtpm.WarnLogger) {}
+
 type fakeOID asn1.ObjectIdentifier

 func (o fakeOID) OID() asn1.ObjectIdentifier {
--- a/internal/watcher/validator.go
+++ b/internal/watcher/validator.go
@ -30,11 +30,11 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
 	var newValidator newValidatorFunc
 	switch cloudprovider.FromString(csp) {
 	case cloudprovider.Azure:
-		newValidator = func(m map[uint32][]byte) atls.Validator { return azure.NewValidator(m) }
+		newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return azure.NewValidator(m, e) }
 	case cloudprovider.GCP:
-		newValidator = func(m map[uint32][]byte) atls.Validator { return gcp.NewValidator(m) }
+		newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return gcp.NewValidator(m, e) }
 	case cloudprovider.QEMU:
-		newValidator = func(m map[uint32][]byte) atls.Validator { return qemu.NewValidator(m) }
+		newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return qemu.NewValidator(m, e) }
 	default:
 		return nil, fmt.Errorf("unknown cloud service provider: %q", csp)
 	}
@ -76,9 +76,16 @@ func (u *Updatable) Update() error {
 	}
 	u.log.Debugf("New measurements: %v", measurements)

-	u.Validator = u.newValidator(measurements)
+	var enforced []uint32
+	if err := u.fileHandler.ReadJSON(filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename), &enforced); err != nil {
+		return err
+	}
+	u.log.Debugf("Enforced PCRs: %v", enforced)
+
+	u.Validator = u.newValidator(measurements, enforced)
+	u.Validator.AddLogger(u.log)

 	return nil
 }

-type newValidatorFunc func(measurements map[uint32][]byte) atls.Validator
+type newValidatorFunc func(measurements map[uint32][]byte, enforcedPCRs []uint32) atls.Validator
--- a/internal/watcher/validator_test.go
+++ b/internal/watcher/validator_test.go
@ -14,6 +14,7 @@ import (
 	"testing"

 	"github.com/edgelesssys/constellation/internal/atls"
+	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/internal/constants"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/logger"
@ -72,7 +73,10 @@ func TestNewUpdateableValidator(t *testing.T) {
 					map[uint32][]byte{
 						11: {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
 					},
-					file.OptNone,
+				))
+				require.NoError(handler.WriteJSON(
+					filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
+					[]uint32{11},
 				))
 			}

@ -95,7 +99,7 @@ func TestUpdate(t *testing.T) {
 	require := require.New(t)

 	oid := fakeOID{1, 3, 9900, 1}
-	newValidator := func(m map[uint32][]byte) atls.Validator {
+	newValidator := func(m map[uint32][]byte, e []uint32) atls.Validator {
 		return fakeValidator{fakeOID: oid}
 	}
 	handler := file.NewHandler(afero.NewMemMapFs())
@ -118,6 +122,10 @@ func TestUpdate(t *testing.T) {
 		},
 		file.OptNone,
 	))
+	require.NoError(handler.WriteJSON(
+		filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
+		[]uint32{11},
+	))

 	// call update once to initialize the server's validator
 	require.NoError(validator.Update())
@ -161,7 +169,7 @@ func TestUpdateConcurrency(t *testing.T) {
 	validator := &Updatable{
 		log:         logger.NewTest(t),
 		fileHandler: handler,
-		newValidator: func(m map[uint32][]byte) atls.Validator {
+		newValidator: func(m map[uint32][]byte, e []uint32) atls.Validator {
 			return fakeValidator{fakeOID: fakeOID{1, 3, 9900, 1}}
 		},
 	}
@ -172,6 +180,10 @@ func TestUpdateConcurrency(t *testing.T) {
 		},
 		file.OptNone,
 	))
+	require.NoError(handler.WriteJSON(
+		filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
+		[]uint32{11},
+	))

 	var wg sync.WaitGroup

@ -220,6 +232,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
 	return doc.UserData, v.err
 }

+func (v fakeValidator) AddLogger(logger vtpm.WarnLogger) {}
+
 type fakeOID asn1.ObjectIdentifier

 func (o fakeOID) OID() asn1.ObjectIdentifier {