AB#2316 Configurable enforced PCRs (#361)

* Add warnings for non enforced, untrusted PCRs

* Fix global state in Config PCR map

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-08-12 15:59:45 +02:00 committed by GitHub
parent 9478303f80
commit ba4471a228
30 changed files with 350 additions and 323 deletions

View File

@ -17,11 +17,15 @@ All notable changes to Constellation will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased] ## [Unreleased]
### Added ### Added
- Kubernetes operator for Constellation nodes with ability to update node images. - Kubernetes operator for Constellation nodes with ability to update node images.
- cilium strict pod2pod encryption. - cilium strict pod2pod encryption.
- Add a configurable list of enforced measurements to the config. If an expected measurement can not be verified during attestation, but it is not in the list of enforced measurements, only a warning is logged.
### Changed ### Changed
<!-- For changes in existing functionality. --> <!-- For changes in existing functionality. -->
### Deprecated ### Deprecated
@ -33,6 +37,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Security ### Security
<!-- In case of vulnerabilities. --> <!-- In case of vulnerabilities. -->
### Internal ### Internal
- Run e2e tests on all supported versions. - Run e2e tests on all supported versions.
- Run e2e tests on latest debug images, instead of release image. - Run e2e tests on latest debug images, instead of release image.

View File

@ -14,7 +14,9 @@ import (
type clusterFake struct{} type clusterFake struct{}
// InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster. // InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger, func (c *clusterFake) InitCluster(
context.Context, []string, string, string, []byte, []uint32,
resources.KMSConfig, map[string]string, []byte, *logger.Logger,
) ([]byte, error) { ) ([]byte, error) {
return []byte{}, nil return []byte{}, nil
} }

View File

@ -36,6 +36,7 @@ type InitRequest struct {
SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"` SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"`
Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"` Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"`
HelmDeployments []byte `protobuf:"bytes,11,opt,name=helm_deployments,json=helmDeployments,proto3" json:"helm_deployments,omitempty"` HelmDeployments []byte `protobuf:"bytes,11,opt,name=helm_deployments,json=helmDeployments,proto3" json:"helm_deployments,omitempty"`
EnforcedPcrs []uint32 `protobuf:"varint,12,rep,packed,name=enforced_pcrs,json=enforcedPcrs,proto3" json:"enforced_pcrs,omitempty"`
} }
func (x *InitRequest) Reset() { func (x *InitRequest) Reset() {
@ -147,6 +148,13 @@ func (x *InitRequest) GetHelmDeployments() []byte {
return nil return nil
} }
func (x *InitRequest) GetEnforcedPcrs() []uint32 {
if x != nil {
return x.EnforcedPcrs
}
return nil
}
type InitResponse struct { type InitResponse struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@ -269,7 +277,7 @@ var File_init_proto protoreflect.FileDescriptor
var file_init_proto_rawDesc = []byte{ var file_init_proto_rawDesc = []byte{
0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e, 0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e,
0x69, 0x74, 0x22, 0xe0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x69, 0x74, 0x22, 0x85, 0x04, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e,
0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20,
0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67, 0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67,
@ -299,26 +307,28 @@ var file_init_proto_rawDesc = []byte{
0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x68, 0x65, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x68, 0x65,
0x6c, 0x6d, 0x5f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0b, 0x6c, 0x6d, 0x5f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0b,
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x68, 0x65, 0x6c, 0x6d, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x68, 0x65, 0x6c, 0x6d, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79,
0x6d, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65,
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x5f, 0x70, 0x63, 0x72, 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0d, 0x52, 0x0c, 0x65, 0x6e,
0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x50, 0x63, 0x72, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e,
0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x69, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75,
0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x64, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a,
0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77,
0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x22, 0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77,
0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74,
0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x65, 0x72, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b,
0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d,
0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x69, 0x6e, 0x69, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a,
0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3d, 0x03, 0x41, 0x50, 0x49, 0x12, 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69,
0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x12, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x6e, 0x73, 0x65, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f,
0x72, 0x6f, 0x74, 0x6f, 0x33, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74,
0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (

View File

@ -20,6 +20,7 @@ message InitRequest {
repeated SSHUserKey ssh_user_keys = 9; repeated SSHUserKey ssh_user_keys = 9;
bytes salt = 10; bytes salt = 10;
bytes helm_deployments = 11; bytes helm_deployments = 11;
repeated uint32 enforced_pcrs = 12;
} }
message InitResponse { message InitResponse {

View File

@ -115,6 +115,7 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
req.CloudServiceAccountUri, req.CloudServiceAccountUri,
req.KubernetesVersion, req.KubernetesVersion,
measurementSalt, measurementSalt,
req.EnforcedPcrs,
resources.KMSConfig{ resources.KMSConfig{
MasterSecret: req.MasterSecret, MasterSecret: req.MasterSecret,
Salt: req.Salt, Salt: req.Salt,
@ -197,6 +198,7 @@ type ClusterInitializer interface {
cloudServiceAccountURI string, cloudServiceAccountURI string,
k8sVersion string, k8sVersion string,
measurementSalt []byte, measurementSalt []byte,
enforcedPcrs []uint32,
kmsConfig resources.KMSConfig, kmsConfig resources.KMSConfig,
sshUserKeys map[string]string, sshUserKeys map[string]string,
helmDeployments []byte, helmDeployments []byte,

View File

@ -282,7 +282,9 @@ type stubClusterInitializer struct {
initClusterErr error initClusterErr error
} }
func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger, func (i *stubClusterInitializer) InitCluster(
context.Context, []string, string, string, []byte, []uint32,
resources.KMSConfig, map[string]string, []byte, *logger.Logger,
) ([]byte, error) { ) ([]byte, error) {
return i.initClusterKubeconfig, i.initClusterErr return i.initClusterKubeconfig, i.initClusterErr
} }

View File

@ -23,7 +23,7 @@ type joinServiceDaemonset struct {
} }
// NewJoinServiceDaemonset returns a daemonset for the join service. // NewJoinServiceDaemonset returns a daemonset for the join service.
func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byte) *joinServiceDaemonset { func NewJoinServiceDaemonset(csp, measurementsJSON, enforcedPCRsJSON string, measurementSalt []byte) *joinServiceDaemonset {
return &joinServiceDaemonset{ return &joinServiceDaemonset{
ClusterRole: rbac.ClusterRole{ ClusterRole: rbac.ClusterRole{
TypeMeta: meta.TypeMeta{ TypeMeta: meta.TypeMeta{
@ -247,6 +247,7 @@ func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byt
}, },
Data: map[string]string{ Data: map[string]string{
constants.MeasurementsFilename: measurementsJSON, constants.MeasurementsFilename: measurementsJSON,
constants.EnforcedPCRsFilename: enforcedPCRsJSON,
}, },
BinaryData: map[string][]byte{ BinaryData: map[string][]byte{
constants.MeasurementSaltFilename: measurementSalt, constants.MeasurementSaltFilename: measurementSalt,

View File

@ -8,7 +8,7 @@ import (
) )
func TestNewJoinServiceDaemonset(t *testing.T) { func TestNewJoinServiceDaemonset(t *testing.T) {
deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", []byte{0x0, 0x1, 0x2}) deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", "enforcedPCRsJSON", []byte{0x0, 0x1, 0x2})
deploymentYAML, err := deployment.Marshal() deploymentYAML, err := deployment.Marshal()
require.NoError(t, err) require.NoError(t, err)

View File

@ -2,6 +2,7 @@ package kubernetes
import ( import (
"context" "context"
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"net" "net"
@ -70,8 +71,8 @@ func New(cloudProvider string, clusterUtil clusterUtil, configProvider configura
// InitCluster initializes a new Kubernetes cluster and applies pod network provider. // InitCluster initializes a new Kubernetes cluster and applies pod network provider.
func (k *KubeWrapper) InitCluster( func (k *KubeWrapper) InitCluster(
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string, ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string, measurementSalt []byte,
measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger, enforcedPCRs []uint32, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger,
) ([]byte, error) { ) ([]byte, error) {
k8sVersion, err := versions.NewValidK8sVersion(versionString) k8sVersion, err := versions.NewValidK8sVersion(versionString)
if err != nil { if err != nil {
@ -180,7 +181,7 @@ func (k *KubeWrapper) InitCluster(
return nil, fmt.Errorf("setting up kms: %w", err) return nil, fmt.Errorf("setting up kms: %w", err)
} }
if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt); err != nil { if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt, enforcedPCRs); err != nil {
return nil, fmt.Errorf("setting up join service failed: %w", err) return nil, fmt.Errorf("setting up join service failed: %w", err)
} }
@ -297,8 +298,17 @@ func (k *KubeWrapper) GetKubeconfig() ([]byte, error) {
return k.kubeconfigReader.ReadKubeconfig() return k.kubeconfigReader.ReadKubeconfig()
} }
func (k *KubeWrapper) setupJoinService(csp string, measurementsJSON, measurementSalt []byte) error { func (k *KubeWrapper) setupJoinService(
joinConfiguration := resources.NewJoinServiceDaemonset(csp, string(measurementsJSON), measurementSalt) csp string, measurementsJSON, measurementSalt []byte, enforcedPCRs []uint32,
) error {
enforcedPCRsJSON, err := json.Marshal(enforcedPCRs)
if err != nil {
return fmt.Errorf("marshaling enforcedPCRs: %w", err)
}
joinConfiguration := resources.NewJoinServiceDaemonset(
csp, string(measurementsJSON), string(enforcedPCRsJSON), measurementSalt,
)
return k.clusterUtil.SetupJoinService(k.client, joinConfiguration) return k.clusterUtil.SetupJoinService(k.client, joinConfiguration)
} }

View File

@ -296,7 +296,11 @@ func TestInitCluster(t *testing.T) {
kubeconfigReader: tc.kubeconfigReader, kubeconfigReader: tc.kubeconfigReader,
getIPAddr: func() (string, error) { return privateIP, nil }, getIPAddr: func() (string, error) { return privateIP, nil },
} }
_, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t))
_, err := kube.InitCluster(
context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion),
nil, nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t),
)
if tc.wantErr { if tc.wantErr {
assert.Error(err) assert.Error(err)

View File

@ -5,7 +5,6 @@ import (
"encoding/base64" "encoding/base64"
"errors" "errors"
"fmt" "fmt"
"strings"
"github.com/edgelesssys/constellation/internal/atls" "github.com/edgelesssys/constellation/internal/atls"
"github.com/edgelesssys/constellation/internal/attestation/azure" "github.com/edgelesssys/constellation/internal/attestation/azure"
@ -14,13 +13,13 @@ import (
"github.com/edgelesssys/constellation/internal/attestation/vtpm" "github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/internal/config" "github.com/edgelesssys/constellation/internal/config"
"github.com/spf13/cobra"
) )
const warningStr = "Warning: not verifying the Constellation cluster's %s measurements\n"
type Validator struct { type Validator struct {
provider cloudprovider.Provider provider cloudprovider.Provider
pcrs map[uint32][]byte pcrs map[uint32][]byte
enforcedPCRs []uint32
validator atls.Validator validator atls.Validator
} }
@ -51,6 +50,16 @@ func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error { func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
if encoded == "" { if encoded == "" {
delete(v.pcrs, pcrIndex) delete(v.pcrs, pcrIndex)
// remove enforced PCR if it exists
for i, enforcedIdx := range v.enforcedPCRs {
if enforcedIdx == pcrIndex {
v.enforcedPCRs[i] = v.enforcedPCRs[len(v.enforcedPCRs)-1]
v.enforcedPCRs = v.enforcedPCRs[:len(v.enforcedPCRs)-1]
break
}
}
return nil return nil
} }
decoded, err := base64.StdEncoding.DecodeString(encoded) decoded, err := base64.StdEncoding.DecodeString(encoded)
@ -69,29 +78,35 @@ func (v *Validator) setPCRs(config *config.Config) error {
switch v.provider { switch v.provider {
case cloudprovider.GCP: case cloudprovider.GCP:
gcpPCRs := config.Provider.GCP.Measurements gcpPCRs := config.Provider.GCP.Measurements
if err := v.checkPCRs(gcpPCRs); err != nil { enforcedPCRs := config.Provider.GCP.EnforcedMeasurements
if err := v.checkPCRs(gcpPCRs, enforcedPCRs); err != nil {
return err return err
} }
v.enforcedPCRs = enforcedPCRs
v.pcrs = gcpPCRs v.pcrs = gcpPCRs
case cloudprovider.Azure: case cloudprovider.Azure:
azurePCRs := config.Provider.Azure.Measurements azurePCRs := config.Provider.Azure.Measurements
if err := v.checkPCRs(azurePCRs); err != nil { enforcedPCRs := config.Provider.Azure.EnforcedMeasurements
if err := v.checkPCRs(azurePCRs, enforcedPCRs); err != nil {
return err return err
} }
v.enforcedPCRs = enforcedPCRs
v.pcrs = azurePCRs v.pcrs = azurePCRs
case cloudprovider.QEMU: case cloudprovider.QEMU:
qemuPCRs := config.Provider.QEMU.Measurements qemuPCRs := config.Provider.QEMU.Measurements
if err := v.checkPCRs(qemuPCRs); err != nil { enforcedPCRs := config.Provider.QEMU.EnforcedMeasurements
if err := v.checkPCRs(qemuPCRs, enforcedPCRs); err != nil {
return err return err
} }
v.enforcedPCRs = enforcedPCRs
v.pcrs = qemuPCRs v.pcrs = qemuPCRs
} }
return nil return nil
} }
// V returns the validator as atls.Validator. // V returns the validator as atls.Validator.
func (v *Validator) V() atls.Validator { func (v *Validator) V(cmd *cobra.Command) atls.Validator {
v.updateValidator() v.updateValidator(cmd)
return v.validator return v.validator
} }
@ -100,60 +115,19 @@ func (v *Validator) PCRS() map[uint32][]byte {
return v.pcrs return v.pcrs
} }
func (v *Validator) updateValidator() { func (v *Validator) updateValidator(cmd *cobra.Command) {
switch v.provider { switch v.provider {
case cloudprovider.GCP: case cloudprovider.GCP:
v.validator = gcp.NewValidator(v.pcrs) v.validator = gcp.NewValidator(v.pcrs, v.enforcedPCRs)
case cloudprovider.Azure: case cloudprovider.Azure:
v.validator = azure.NewValidator(v.pcrs) v.validator = azure.NewValidator(v.pcrs, v.enforcedPCRs)
case cloudprovider.QEMU: case cloudprovider.QEMU:
v.validator = qemu.NewValidator(v.pcrs) v.validator = qemu.NewValidator(v.pcrs, v.enforcedPCRs)
} }
v.validator.AddLogger(warnLogger{cmd: cmd})
} }
// Warnings returns warnings for the specifc PCR values that are not verified. func (v *Validator) checkPCRs(pcrs map[uint32][]byte, enforcedPCRs []uint32) error {
//
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
func (v *Validator) Warnings() string {
sb := &strings.Builder{}
if v.pcrs[0] == nil || v.pcrs[1] == nil {
writeWarnFmt(sb, "BIOS")
}
if v.pcrs[2] == nil || v.pcrs[3] == nil {
writeWarnFmt(sb, "OPROM")
}
if v.pcrs[4] == nil || v.pcrs[5] == nil {
writeWarnFmt(sb, "MBR")
}
// GRUB measures kernel command line and initrd into pcrs 8 and 9
if v.pcrs[8] == nil {
writeWarnFmt(sb, "kernel command line")
}
if v.pcrs[9] == nil {
writeWarnFmt(sb, "initrd")
}
return sb.String()
}
// WarningsIncludeInit returns warnings for the specific PCR values that are not verified.
// Warnings regarding the initialization are included.
//
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
func (v *Validator) WarningsIncludeInit() string {
warnings := v.Warnings()
if v.pcrs[uint32(vtpm.PCRIndexOwnerID)] == nil || v.pcrs[uint32(vtpm.PCRIndexClusterID)] == nil {
warnings = warnings + fmt.Sprintf(warningStr, "initialization status")
}
return warnings
}
func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
if len(pcrs) == 0 { if len(pcrs) == 0 {
return errors.New("no PCR values provided") return errors.New("no PCR values provided")
} }
@ -162,13 +136,20 @@ func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
return fmt.Errorf("bad config: PCR[%d]: expected length: %d, but got: %d", k, 32, len(v)) return fmt.Errorf("bad config: PCR[%d]: expected length: %d, but got: %d", k, 32, len(v))
} }
} }
for _, v := range enforcedPCRs {
if _, ok := pcrs[v]; !ok {
return fmt.Errorf("bad config: PCR[%d] is enforced, but no expected measurement is provided", v)
}
}
return nil return nil
} }
func writeWarnFmt(sb *strings.Builder, args ...any) { // warnLogger implements logging of warnings for validators.
writeFmt(sb, warningStr, args...) type warnLogger struct {
cmd *cobra.Command
} }
func writeFmt(sb *strings.Builder, fmtStr string, args ...any) { // Warnf prints a formatted warning from the validator.
sb.WriteString(fmt.Sprintf(fmtStr, args...)) func (wl warnLogger) Warnf(fmtStr string, args ...interface{}) {
wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))
} }

View File

@ -12,6 +12,7 @@ import (
"github.com/edgelesssys/constellation/internal/attestation/vtpm" "github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/internal/config" "github.com/edgelesssys/constellation/internal/config"
"github.com/spf13/cobra"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
@ -93,172 +94,6 @@ func TestNewValidator(t *testing.T) {
} }
} }
func TestValidatorWarnings(t *testing.T) {
zero := []byte("00000000000000000000000000000000")
testCases := map[string]struct {
pcrs map[uint32][]byte
wantWarnings []string
wantWInclude []string
}{
"no warnings": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
2: zero,
3: zero,
4: zero,
5: zero,
6: zero,
7: zero,
8: zero,
9: zero,
10: zero,
11: zero,
12: zero,
},
},
"no warnings for missing non critical values": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
2: zero,
3: zero,
4: zero,
5: zero,
8: zero,
9: zero,
11: zero,
12: zero,
},
},
"warn for BIOS": {
pcrs: map[uint32][]byte{
0: zero,
2: zero,
3: zero,
4: zero,
5: zero,
8: zero,
9: zero,
11: zero,
12: zero,
},
wantWarnings: []string{"BIOS"},
},
"warn for OPROM": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
3: zero,
4: zero,
5: zero,
8: zero,
9: zero,
11: zero,
12: zero,
},
wantWarnings: []string{"OPROM"},
},
"warn for MBR": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
2: zero,
3: zero,
5: zero,
8: zero,
9: zero,
11: zero,
12: zero,
},
wantWarnings: []string{"MBR"},
},
"warn for kernel": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
2: zero,
3: zero,
4: zero,
5: zero,
9: zero,
11: zero,
12: zero,
},
wantWarnings: []string{"kernel"},
},
"warn for initrd": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
2: zero,
3: zero,
4: zero,
5: zero,
8: zero,
11: zero,
12: zero,
},
wantWarnings: []string{"initrd"},
},
"warn for initialization": {
pcrs: map[uint32][]byte{
0: zero,
1: zero,
2: zero,
3: zero,
4: zero,
5: zero,
8: zero,
9: zero,
11: zero,
},
wantWInclude: []string{"initialization"},
},
"multi warning": {
pcrs: map[uint32][]byte{},
wantWarnings: []string{
"BIOS",
"OPROM",
"MBR",
"initrd",
"kernel",
},
wantWInclude: []string{"initialization"},
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
validators := Validator{pcrs: tc.pcrs}
warnings := validators.Warnings()
warningsInclueInit := validators.WarningsIncludeInit()
if len(tc.wantWarnings) == 0 {
assert.Empty(warnings)
}
for _, w := range tc.wantWarnings {
assert.Contains(warnings, w)
}
for _, w := range tc.wantWarnings {
assert.Contains(warningsInclueInit, w)
}
if len(tc.wantWInclude) == 0 {
assert.Equal(len(warnings), len(warningsInclueInit))
} else {
assert.Greater(len(warningsInclueInit), len(warnings))
}
for _, w := range tc.wantWInclude {
assert.Contains(warningsInclueInit, w)
}
})
}
}
func TestValidatorV(t *testing.T) { func TestValidatorV(t *testing.T) {
zero := []byte("00000000000000000000000000000000") zero := []byte("00000000000000000000000000000000")
newTestPCRs := func() map[uint32][]byte { newTestPCRs := func() map[uint32][]byte {
@ -287,17 +122,17 @@ func TestValidatorV(t *testing.T) {
"gcp": { "gcp": {
provider: cloudprovider.GCP, provider: cloudprovider.GCP,
pcrs: newTestPCRs(), pcrs: newTestPCRs(),
wantVs: gcp.NewValidator(newTestPCRs()), wantVs: gcp.NewValidator(newTestPCRs(), nil),
}, },
"azure": { "azure": {
provider: cloudprovider.Azure, provider: cloudprovider.Azure,
pcrs: newTestPCRs(), pcrs: newTestPCRs(),
wantVs: azure.NewValidator(newTestPCRs()), wantVs: azure.NewValidator(newTestPCRs(), nil),
}, },
"qemu": { "qemu": {
provider: cloudprovider.QEMU, provider: cloudprovider.QEMU,
pcrs: newTestPCRs(), pcrs: newTestPCRs(),
wantVs: qemu.NewValidator(newTestPCRs()), wantVs: qemu.NewValidator(newTestPCRs(), nil),
}, },
} }
@ -307,7 +142,7 @@ func TestValidatorV(t *testing.T) {
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs} validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
resultValidator := validators.V() resultValidator := validators.V(&cobra.Command{})
assert.Equal(tc.wantVs.OID(), resultValidator.OID()) assert.Equal(tc.wantVs.OID(), resultValidator.OID())
}) })

View File

@ -54,7 +54,7 @@ func runInitialize(cmd *cobra.Command, args []string) error {
fileHandler := file.NewHandler(afero.NewOsFs()) fileHandler := file.NewHandler(afero.NewOsFs())
serviceAccountCreator := cloudcmd.NewServiceAccountCreator() serviceAccountCreator := cloudcmd.NewServiceAccountCreator()
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer { newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
return dialer.New(nil, validator.V(), &net.Dialer{}) return dialer.New(nil, validator.V(cmd), &net.Dialer{})
} }
helmLoader := &helm.ChartLoader{} helmLoader := &helm.ChartLoader{}
return initialize(cmd, newDialer, serviceAccountCreator, fileHandler, helmLoader) return initialize(cmd, newDialer, serviceAccountCreator, fileHandler, helmLoader)
@ -96,7 +96,6 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
if err != nil { if err != nil {
return err return err
} }
cmd.Print(validator.WarningsIncludeInit())
cmd.Println("Creating service account ...") cmd.Println("Creating service account ...")
serviceAccount, stat, err := serviceAccCreator.Create(cmd.Context(), stat, config) serviceAccount, stat, err := serviceAccCreator.Create(cmd.Context(), stat, config)
@ -135,6 +134,7 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
KubernetesVersion: config.KubernetesVersion, KubernetesVersion: config.KubernetesVersion,
SshUserKeys: ssh.ToProtoSlice(sshUsers), SshUserKeys: ssh.ToProtoSlice(sshUsers),
HelmDeployments: helmDeployments, HelmDeployments: helmDeployments,
EnforcedPcrs: getEnforcedMeasurements(provider, config),
} }
resp, err := initCall(cmd.Context(), newDialer(validator), stat.BootstrapperHost, req) resp, err := initCall(cmd.Context(), newDialer(validator), stat.BootstrapperHost, req)
if err != nil { if err != nil {
@ -214,6 +214,19 @@ func writeRow(wr io.Writer, col1 string, col2 string) {
fmt.Fprint(wr, col1, "\t", col2, "\n") fmt.Fprint(wr, col1, "\t", col2, "\n")
} }
func getEnforcedMeasurements(provider cloudprovider.Provider, config *config.Config) []uint32 {
switch provider {
case cloudprovider.Azure:
return config.Provider.Azure.EnforcedMeasurements
case cloudprovider.GCP:
return config.Provider.GCP.EnforcedMeasurements
case cloudprovider.QEMU:
return config.Provider.QEMU.EnforcedMeasurements
default:
return nil
}
}
// evalFlagArgs gets the flag values and does preprocessing of these values like // evalFlagArgs gets the flag values and does preprocessing of these values like
// reading the content from file path flags and deriving other values from flag combinations. // reading the content from file path flags and deriving other values from flag combinations.
func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, error) { func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, error) {

View File

@ -14,6 +14,7 @@ import (
"github.com/edgelesssys/constellation/bootstrapper/initproto" "github.com/edgelesssys/constellation/bootstrapper/initproto"
"github.com/edgelesssys/constellation/cli/internal/cloudcmd" "github.com/edgelesssys/constellation/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes" "github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
"github.com/edgelesssys/constellation/internal/config" "github.com/edgelesssys/constellation/internal/config"
@ -158,9 +159,12 @@ func TestInitialize(t *testing.T) {
cmd.SetOut(&out) cmd.SetOut(&out)
var errOut bytes.Buffer var errOut bytes.Buffer
cmd.SetErr(&errOut) cmd.SetErr(&errOut)
cmd.Flags().String("config", "", "") // register persistent flag manually cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
fs := afero.NewMemMapFs() fs := afero.NewMemMapFs()
fileHandler := file.NewHandler(fs) fileHandler := file.NewHandler(fs)
config := defaultConfigWithExpectedMeasurements(t, cloudprovider.FromString(tc.existingState.CloudProvider))
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone)) require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
require.NoError(cmd.Flags().Set("autoscale", strconv.FormatBool(tc.setAutoscaleFlag))) require.NoError(cmd.Flags().Set("autoscale", strconv.FormatBool(tc.setAutoscaleFlag)))
@ -476,6 +480,8 @@ func (v *testValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
return attestation.UserData, nil return attestation.UserData, nil
} }
func (v *testValidator) AddLogger(vtpm.WarnLogger) {}
type testIssuer struct { type testIssuer struct {
oid.Getter oid.Getter
pcrs map[uint32][]byte pcrs map[uint32][]byte
@ -506,3 +512,27 @@ func (s *stubInitServer) Init(ctx context.Context, req *initproto.InitRequest) (
s.activateAutoscalingNodeGroups = req.AutoscalingNodeGroups s.activateAutoscalingNodeGroups = req.AutoscalingNodeGroups
return s.initResp, s.initErr return s.initResp, s.initErr
} }
func defaultConfigWithExpectedMeasurements(t *testing.T, csp cloudprovider.Provider) *config.Config {
t.Helper()
config := config.Default()
config.Provider.Azure.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
config.Provider.Azure.TenantID = "01234567-0123-0123-0123-0123456789ab"
config.Provider.Azure.Location = "test-location"
config.Provider.Azure.UserAssignedIdentity = "test-identity"
config.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
config.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
config.Provider.GCP.Region = "test-region"
config.Provider.GCP.Project = "test-project"
config.Provider.GCP.Zone = "test-zone"
config.Provider.GCP.Measurements[8] = []byte("00000000000000000000000000000000")
config.Provider.GCP.Measurements[9] = []byte("11111111111111111111111111111111")
config.Provider.QEMU.Measurements[8] = []byte("00000000000000000000000000000000")
config.Provider.QEMU.Measurements[9] = []byte("11111111111111111111111111111111")
config.RemoveProviderExcept(csp)
return config
}

View File

@ -72,9 +72,8 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
if err != nil { if err != nil {
return err return err
} }
cmd.Print(validators.WarningsIncludeInit())
if err := recoveryClient.Connect(flags.endpoint, validators.V()); err != nil { if err := recoveryClient.Connect(flags.endpoint, validators.V(cmd)); err != nil {
return err return err
} }

View File

@ -6,6 +6,7 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/internal/constants" "github.com/edgelesssys/constellation/internal/constants"
"github.com/edgelesssys/constellation/internal/crypto/testvector" "github.com/edgelesssys/constellation/internal/crypto/testvector"
"github.com/edgelesssys/constellation/internal/file" "github.com/edgelesssys/constellation/internal/file"
@ -125,7 +126,7 @@ func TestRecover(t *testing.T) {
require := require.New(t) require := require.New(t)
cmd := NewRecoverCmd() cmd := NewRecoverCmd()
cmd.Flags().String("config", "", "") // register persistent flag manually cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
out := &bytes.Buffer{} out := &bytes.Buffer{}
cmd.SetOut(out) cmd.SetOut(out)
cmd.SetErr(&bytes.Buffer{}) cmd.SetErr(&bytes.Buffer{})
@ -144,6 +145,10 @@ func TestRecover(t *testing.T) {
fs := afero.NewMemMapFs() fs := afero.NewMemMapFs()
fileHandler := file.NewHandler(fs) fileHandler := file.NewHandler(fs)
config := defaultConfigWithExpectedMeasurements(t, cloudprovider.FromString(tc.existingState.CloudProvider))
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
require.NoError(fileHandler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt}, file.OptNone)) require.NoError(fileHandler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt}, file.OptNone))
if !tc.stateless { if !tc.stateless {
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone)) require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))

View File

@ -70,9 +70,6 @@ func verify(
if err := validators.UpdateInitPCRs(flags.ownerID, flags.clusterID); err != nil { if err := validators.UpdateInitPCRs(flags.ownerID, flags.clusterID); err != nil {
return err return err
} }
if validators.Warnings() != "" {
cmd.Print(validators.Warnings())
}
nonce, err := crypto.GenerateRandomBytes(32) nonce, err := crypto.GenerateRandomBytes(32)
if err != nil { if err != nil {
@ -90,7 +87,7 @@ func verify(
Nonce: nonce, Nonce: nonce,
UserData: userData, UserData: userData,
}, },
validators.V(), validators.V(cmd),
); err != nil { ); err != nil {
return err return err
} }

View File

@ -172,7 +172,7 @@ func TestVerify(t *testing.T) {
require := require.New(t) require := require.New(t)
cmd := NewVerifyCmd() cmd := NewVerifyCmd()
cmd.Flags().String("config", "", "") // register persistent flag manually cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
out := &bytes.Buffer{} out := &bytes.Buffer{}
cmd.SetOut(out) cmd.SetOut(out)
cmd.SetErr(&bytes.Buffer{}) cmd.SetErr(&bytes.Buffer{})
@ -190,6 +190,8 @@ func TestVerify(t *testing.T) {
} }
fileHandler := file.NewHandler(tc.setupFs(require)) fileHandler := file.NewHandler(tc.setupFs(require))
config := defaultConfigWithExpectedMeasurements(t, tc.provider)
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
if tc.idFile != nil { if tc.idFile != nil {
require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone)) require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone))
} }

View File

@ -17,6 +17,7 @@ import (
"math/big" "math/big"
"time" "time"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/crypto" "github.com/edgelesssys/constellation/internal/crypto"
"github.com/edgelesssys/constellation/internal/oid" "github.com/edgelesssys/constellation/internal/oid"
) )
@ -71,6 +72,7 @@ type Issuer interface {
type Validator interface { type Validator interface {
oid.Getter oid.Getter
Validate(attDoc []byte, nonce []byte) ([]byte, error) Validate(attDoc []byte, nonce []byte) ([]byte, error)
AddLogger(log vtpm.WarnLogger)
} }
// getATLSConfigForClientFunc returns a config setup function that is called once for every client connecting to the server. // getATLSConfigForClientFunc returns a config setup function that is called once for every client connecting to the server.
@ -365,6 +367,9 @@ func NewFakeValidators(oid oid.Getter) []Validator {
return []Validator{NewFakeValidator(oid)} return []Validator{NewFakeValidator(oid)}
} }
// AddLogger is a nop for FakeValidator.
func (v FakeValidator) AddLogger(log vtpm.WarnLogger) {}
// Validate unmarshals the attestation document and verifies the nonce. // Validate unmarshals the attestation document and verifies the nonce.
func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) { func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
var doc FakeAttestationDoc var doc FakeAttestationDoc

View File

@ -15,10 +15,11 @@ type Validator struct {
} }
// NewValidator initializes a new Azure validator with the provided PCR values. // NewValidator initializes a new Azure validator with the provided PCR values.
func NewValidator(pcrs map[uint32][]byte) *Validator { func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
return &Validator{ return &Validator{
Validator: vtpm.NewValidator( Validator: vtpm.NewValidator(
pcrs, pcrs,
enforcedPCRs,
trustedKeyFromSNP, trustedKeyFromSNP,
validateAzureCVM, validateAzureCVM,
vtpm.VerifyPKCS1v15, vtpm.VerifyPKCS1v15,

View File

@ -28,10 +28,11 @@ type Validator struct {
} }
// NewValidator initializes a new GCP validator with the provided PCR values. // NewValidator initializes a new GCP validator with the provided PCR values.
func NewValidator(pcrs map[uint32][]byte) *Validator { func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
return &Validator{ return &Validator{
Validator: vtpm.NewValidator( Validator: vtpm.NewValidator(
pcrs, pcrs,
enforcedPCRs,
trustedKeyFromGCEAPI(newInstanceClient), trustedKeyFromGCEAPI(newInstanceClient),
gceNonHostInfoEvent, gceNonHostInfoEvent,
vtpm.VerifyPKCS1v15, vtpm.VerifyPKCS1v15,

View File

@ -15,10 +15,11 @@ type Validator struct {
} }
// NewValidator initializes a new qemu validator with the provided PCR values. // NewValidator initializes a new qemu validator with the provided PCR values.
func NewValidator(pcrs map[uint32][]byte) *Validator { func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
return &Validator{ return &Validator{
Validator: vtpm.NewValidator( Validator: vtpm.NewValidator(
pcrs, pcrs,
enforcedPCRs,
unconditionalTrust, unconditionalTrust,
func(attestation vtpm.AttestationDocument) error { return nil }, func(attestation vtpm.AttestationDocument) error { return nil },
vtpm.VerifyPKCS1v15, vtpm.VerifyPKCS1v15,

View File

@ -51,6 +51,11 @@ type (
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
) )
// WarnLogger is a logger used to print warnings during attestation validation.
type WarnLogger interface {
Warnf(format string, args ...interface{})
}
// AttestationDocument contains the TPM attestation with signed user data. // AttestationDocument contains the TPM attestation with signed user data.
type AttestationDocument struct { type AttestationDocument struct {
// Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation. // Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation.
@ -122,22 +127,39 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
// Validator handles validation of TPM based attestation. // Validator handles validation of TPM based attestation.
type Validator struct { type Validator struct {
trustedPcrs map[uint32][]byte expectedPCRs map[uint32][]byte
enforcedPCRs map[uint32]struct{}
getTrustedKey GetTPMTrustedAttestationPublicKey getTrustedKey GetTPMTrustedAttestationPublicKey
validateCVM ValidateCVM validateCVM ValidateCVM
verifyUserData VerifyUserData verifyUserData VerifyUserData
log WarnLogger
} }
// NewValidator returns a new Validator. // NewValidator returns a new Validator.
func NewValidator(trustedPcrs map[uint32][]byte, getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData) *Validator { func NewValidator(expectedPCRs map[uint32][]byte, enforcedPCRs []uint32,
getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData,
) *Validator {
// Convert the enforced PCR list to a map for convenient and fast lookup
enforcedMap := make(map[uint32]struct{})
for _, pcr := range enforcedPCRs {
enforcedMap[pcr] = struct{}{}
}
return &Validator{ return &Validator{
trustedPcrs: trustedPcrs, expectedPCRs: expectedPCRs,
enforcedPCRs: enforcedMap,
getTrustedKey: getTrustedKey, getTrustedKey: getTrustedKey,
validateCVM: validateCVM, validateCVM: validateCVM,
verifyUserData: verifyUserData, verifyUserData: verifyUserData,
} }
} }
// AddLogger adds a logger to the validator.
func (v *Validator) AddLogger(log WarnLogger) {
v.log = log
}
// Validate a TPM based attestation. // Validate a TPM based attestation.
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) { func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
var attDoc AttestationDocument var attDoc AttestationDocument
@ -173,10 +195,15 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
for idx, pcr := range v.trustedPcrs { for idx, pcr := range v.expectedPCRs {
if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) { if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
if _, ok := v.enforcedPCRs[idx]; ok {
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx) return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
} }
if v.log != nil {
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
}
}
} }
// Verify signed user data // Verify signed user data

View File

@ -4,6 +4,7 @@ import (
"crypto" "crypto"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt"
"io" "io"
"testing" "testing"
@ -45,7 +46,11 @@ func fakeGetInstanceInfo(tpm io.ReadWriteCloser) ([]byte, error) {
return []byte("unit-test"), nil return []byte("unit-test"), nil
} }
func fakeGetTrustedKey(aKPub, instanceInfo []byte) (crypto.PublicKey, error) { func TestValidate(t *testing.T) {
require := require.New(t)
fakeValidateCVM := func(AttestationDocument) error { return nil }
fakeGetTrustedKey := func(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
pubArea, err := tpm2.DecodePublic(aKPub) pubArea, err := tpm2.DecodePublic(aKPub)
if err != nil { if err != nil {
return nil, err return nil, err
@ -53,18 +58,13 @@ func fakeGetTrustedKey(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
return pubArea.Key() return pubArea.Key()
} }
func fakeValidateCVM(AttestationDocument) error { return nil } testExpectedPCRs := map[uint32][]byte{
var fakeTrustedPcrs = map[uint32][]byte{
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
} }
func TestValidate(t *testing.T) {
require := require.New(t)
issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo) issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
validator := NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15) validator := NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)
nonce := []byte{1, 2, 3, 4} nonce := []byte{1, 2, 3, 4}
challenge := []byte("Constellation") challenge := []byte("Constellation")
@ -82,6 +82,29 @@ func TestValidate(t *testing.T) {
require.NoError(err) require.NoError(err)
require.Equal(challenge, out) require.Equal(challenge, out)
warnLog := &testWarnLog{}
enforcedPCRs := []uint32{0, 1}
expectedPCRs := map[uint32][]byte{
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2: {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
3: {0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
4: {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
5: {0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
}
warningValidator := NewValidator(
expectedPCRs,
enforcedPCRs,
fakeGetTrustedKey,
fakeValidateCVM,
VerifyPKCS1v15,
)
warningValidator.AddLogger(warnLog)
out, err = warningValidator.Validate(attDocRaw, nonce)
require.NoError(err)
assert.Equal(t, challenge, out)
assert.Len(t, warnLog.warnings, len(expectedPCRs)-len(enforcedPCRs))
testCases := map[string]struct { testCases := map[string]struct {
validator *Validator validator *Validator
attDoc []byte attDoc []byte
@ -89,13 +112,13 @@ func TestValidate(t *testing.T) {
wantErr bool wantErr bool
}{ }{
"invalid nonce": { "invalid nonce": {
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15), validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
attDoc: mustMarshalAttestation(attDoc, require), attDoc: mustMarshalAttestation(attDoc, require),
nonce: []byte{4, 3, 2, 1}, nonce: []byte{4, 3, 2, 1},
wantErr: true, wantErr: true,
}, },
"invalid signature": { "invalid signature": {
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15), validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
attDoc: mustMarshalAttestation(AttestationDocument{ attDoc: mustMarshalAttestation(AttestationDocument{
Attestation: attDoc.Attestation, Attestation: attDoc.Attestation,
InstanceInfo: attDoc.InstanceInfo, InstanceInfo: attDoc.InstanceInfo,
@ -107,7 +130,8 @@ func TestValidate(t *testing.T) {
}, },
"untrusted attestation public key": { "untrusted attestation public key": {
validator: NewValidator( validator: NewValidator(
fakeTrustedPcrs, testExpectedPCRs,
[]uint32{0, 1},
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) { func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
return nil, errors.New("untrusted") return nil, errors.New("untrusted")
}, },
@ -118,7 +142,8 @@ func TestValidate(t *testing.T) {
}, },
"not a CVM": { "not a CVM": {
validator: NewValidator( validator: NewValidator(
fakeTrustedPcrs, testExpectedPCRs,
[]uint32{0, 1},
fakeGetTrustedKey, fakeGetTrustedKey,
func(attestation AttestationDocument) error { func(attestation AttestationDocument) error {
return errors.New("untrusted") return errors.New("untrusted")
@ -133,6 +158,7 @@ func TestValidate(t *testing.T) {
map[uint32][]byte{ map[uint32][]byte{
0: {0xFF}, 0: {0xFF},
}, },
[]uint32{0},
fakeGetTrustedKey, fakeGetTrustedKey,
fakeValidateCVM, fakeValidateCVM,
VerifyPKCS1v15), VerifyPKCS1v15),
@ -141,7 +167,7 @@ func TestValidate(t *testing.T) {
wantErr: true, wantErr: true,
}, },
"no sha256 quote": { "no sha256 quote": {
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15), validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
attDoc: mustMarshalAttestation(AttestationDocument{ attDoc: mustMarshalAttestation(AttestationDocument{
Attestation: &attest.Attestation{ Attestation: &attest.Attestation{
AkPub: attDoc.Attestation.AkPub, AkPub: attDoc.Attestation.AkPub,
@ -159,7 +185,7 @@ func TestValidate(t *testing.T) {
wantErr: true, wantErr: true,
}, },
"invalid attestation document": { "invalid attestation document": {
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15), validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
attDoc: []byte("invalid attestation"), attDoc: []byte("invalid attestation"),
nonce: nonce, nonce: nonce,
wantErr: true, wantErr: true,
@ -368,3 +394,11 @@ func TestGetSelectedPCRs(t *testing.T) {
}) })
} }
} }
type testWarnLog struct {
warnings []string
}
func (w *testWarnLog) Warnf(format string, args ...interface{}) {
w.warnings = append(w.warnings, fmt.Sprintf(format, args...))
}

View File

@ -136,6 +136,9 @@ type AzureConfig struct {
// Expected confidential VM measurements. // Expected confidential VM measurements.
Measurements Measurements `yaml:"measurements"` Measurements Measurements `yaml:"measurements"`
// description: | // description: |
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
// description: |
// Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure // Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure
UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"` UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
} }
@ -163,12 +166,18 @@ type GCPConfig struct {
// description: | // description: |
// Expected confidential VM measurements. // Expected confidential VM measurements.
Measurements Measurements `yaml:"measurements"` Measurements Measurements `yaml:"measurements"`
// description: |
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
} }
type QEMUConfig struct { type QEMUConfig struct {
// description: | // description: |
// Measurement used to enable measured boot. // Measurement used to enable measured boot.
Measurements Measurements `yaml:"measurements"` Measurements Measurements `yaml:"measurements"`
// description: |
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
} }
// Default returns a struct with the default config. // Default returns a struct with the default config.
@ -218,7 +227,8 @@ func Default() *Config {
UserAssignedIdentity: "", UserAssignedIdentity: "",
Image: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699", Image: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
StateDiskType: "StandardSSD_LRS", // TODO: Replace with Premium_LRS when we replace the default VM size (Standard_D2a_v4) since the size does not support Premium_LRS StateDiskType: "StandardSSD_LRS", // TODO: Replace with Premium_LRS when we replace the default VM size (Standard_D2a_v4) since the size does not support Premium_LRS
Measurements: azurePCRs, Measurements: copyPCRMap(azurePCRs),
EnforcedMeasurements: []uint32{8, 9, 11, 12},
}, },
GCP: &GCPConfig{ GCP: &GCPConfig{
Project: "", Project: "",
@ -233,10 +243,12 @@ func Default() *Config {
"roles/iam.serviceAccountUser", "roles/iam.serviceAccountUser",
}, },
StateDiskType: "pd-ssd", StateDiskType: "pd-ssd",
Measurements: gcpPCRs, Measurements: copyPCRMap(gcpPCRs),
EnforcedMeasurements: []uint32{0, 8, 9, 11, 12},
}, },
QEMU: &QEMUConfig{ QEMU: &QEMUConfig{
Measurements: qemuPCRs, Measurements: copyPCRMap(qemuPCRs),
EnforcedMeasurements: []uint32{11, 12},
}, },
}, },
KubernetesVersion: string(versions.Latest), KubernetesVersion: string(versions.Latest),
@ -346,3 +358,9 @@ func FromFile(fileHandler file.Handler, name string) (*Config, error) {
} }
return &conf, nil return &conf, nil
} }
func copyPCRMap(m map[uint32][]byte) map[uint32][]byte {
res := make(Measurements)
res.CopyFrom(m)
return res
}

View File

@ -168,7 +168,7 @@ func init() {
FieldName: "azure", FieldName: "azure",
}, },
} }
AzureConfigDoc.Fields = make([]encoder.Doc, 7) AzureConfigDoc.Fields = make([]encoder.Doc, 8)
AzureConfigDoc.Fields[0].Name = "subscription" AzureConfigDoc.Fields[0].Name = "subscription"
AzureConfigDoc.Fields[0].Type = "string" AzureConfigDoc.Fields[0].Type = "string"
AzureConfigDoc.Fields[0].Note = "" AzureConfigDoc.Fields[0].Note = ""
@ -199,11 +199,16 @@ func init() {
AzureConfigDoc.Fields[5].Note = "" AzureConfigDoc.Fields[5].Note = ""
AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements." AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements."
AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements." AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements."
AzureConfigDoc.Fields[6].Name = "userAssignedIdentity" AzureConfigDoc.Fields[6].Name = "enforcedMeasurements"
AzureConfigDoc.Fields[6].Type = "string" AzureConfigDoc.Fields[6].Type = "[]uint32"
AzureConfigDoc.Fields[6].Note = "" AzureConfigDoc.Fields[6].Note = ""
AzureConfigDoc.Fields[6].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure" AzureConfigDoc.Fields[6].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure" AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
AzureConfigDoc.Fields[7].Name = "userAssignedIdentity"
AzureConfigDoc.Fields[7].Type = "string"
AzureConfigDoc.Fields[7].Note = ""
AzureConfigDoc.Fields[7].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
AzureConfigDoc.Fields[7].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
GCPConfigDoc.Type = "GCPConfig" GCPConfigDoc.Type = "GCPConfig"
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI." GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
@ -214,7 +219,7 @@ func init() {
FieldName: "gcp", FieldName: "gcp",
}, },
} }
GCPConfigDoc.Fields = make([]encoder.Doc, 7) GCPConfigDoc.Fields = make([]encoder.Doc, 8)
GCPConfigDoc.Fields[0].Name = "project" GCPConfigDoc.Fields[0].Name = "project"
GCPConfigDoc.Fields[0].Type = "string" GCPConfigDoc.Fields[0].Type = "string"
GCPConfigDoc.Fields[0].Note = "" GCPConfigDoc.Fields[0].Note = ""
@ -250,6 +255,11 @@ func init() {
GCPConfigDoc.Fields[6].Note = "" GCPConfigDoc.Fields[6].Note = ""
GCPConfigDoc.Fields[6].Description = "Expected confidential VM measurements." GCPConfigDoc.Fields[6].Description = "Expected confidential VM measurements."
GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Expected confidential VM measurements." GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Expected confidential VM measurements."
GCPConfigDoc.Fields[7].Name = "enforcedMeasurements"
GCPConfigDoc.Fields[7].Type = "[]uint32"
GCPConfigDoc.Fields[7].Note = ""
GCPConfigDoc.Fields[7].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
GCPConfigDoc.Fields[7].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
QEMUConfigDoc.Type = "QEMUConfig" QEMUConfigDoc.Type = "QEMUConfig"
QEMUConfigDoc.Comments[encoder.LineComment] = "" QEMUConfigDoc.Comments[encoder.LineComment] = ""
@ -260,12 +270,17 @@ func init() {
FieldName: "qemu", FieldName: "qemu",
}, },
} }
QEMUConfigDoc.Fields = make([]encoder.Doc, 1) QEMUConfigDoc.Fields = make([]encoder.Doc, 2)
QEMUConfigDoc.Fields[0].Name = "measurements" QEMUConfigDoc.Fields[0].Name = "measurements"
QEMUConfigDoc.Fields[0].Type = "Measurements" QEMUConfigDoc.Fields[0].Type = "Measurements"
QEMUConfigDoc.Fields[0].Note = "" QEMUConfigDoc.Fields[0].Note = ""
QEMUConfigDoc.Fields[0].Description = "Measurement used to enable measured boot." QEMUConfigDoc.Fields[0].Description = "Measurement used to enable measured boot."
QEMUConfigDoc.Fields[0].Comments[encoder.LineComment] = "Measurement used to enable measured boot." QEMUConfigDoc.Fields[0].Comments[encoder.LineComment] = "Measurement used to enable measured boot."
QEMUConfigDoc.Fields[1].Name = "enforcedMeasurements"
QEMUConfigDoc.Fields[1].Type = "[]uint32"
QEMUConfigDoc.Fields[1].Note = ""
QEMUConfigDoc.Fields[1].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
QEMUConfigDoc.Fields[1].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
} }
func (_ Config) Doc() *encoder.Doc { func (_ Config) Doc() *encoder.Doc {

View File

@ -65,6 +65,8 @@ const (
ServiceBasePath = "/var/config" ServiceBasePath = "/var/config"
// MeasurementsFilename is the filename of CC measurements. // MeasurementsFilename is the filename of CC measurements.
MeasurementsFilename = "measurements" MeasurementsFilename = "measurements"
// EnforcedPCRsFilename is the filename for a list PCRs that are required to pass attestation.
EnforcedPCRsFilename = "enforcedPCRs"
// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID. // MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
MeasurementSaltFilename = "measurementSalt" MeasurementSaltFilename = "measurementSalt"
// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID. // MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.

View File

@ -11,6 +11,7 @@ import (
"github.com/edgelesssys/constellation/bootstrapper/initproto" "github.com/edgelesssys/constellation/bootstrapper/initproto"
"github.com/edgelesssys/constellation/internal/atls" "github.com/edgelesssys/constellation/internal/atls"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"go.uber.org/goleak" "go.uber.org/goleak"
@ -100,6 +101,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
return doc.UserData, v.err return doc.UserData, v.err
} }
func (v fakeValidator) AddLogger(vtpm.WarnLogger) {}
type fakeOID asn1.ObjectIdentifier type fakeOID asn1.ObjectIdentifier
func (o fakeOID) OID() asn1.ObjectIdentifier { func (o fakeOID) OID() asn1.ObjectIdentifier {

View File

@ -30,11 +30,11 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
var newValidator newValidatorFunc var newValidator newValidatorFunc
switch cloudprovider.FromString(csp) { switch cloudprovider.FromString(csp) {
case cloudprovider.Azure: case cloudprovider.Azure:
newValidator = func(m map[uint32][]byte) atls.Validator { return azure.NewValidator(m) } newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return azure.NewValidator(m, e) }
case cloudprovider.GCP: case cloudprovider.GCP:
newValidator = func(m map[uint32][]byte) atls.Validator { return gcp.NewValidator(m) } newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return gcp.NewValidator(m, e) }
case cloudprovider.QEMU: case cloudprovider.QEMU:
newValidator = func(m map[uint32][]byte) atls.Validator { return qemu.NewValidator(m) } newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return qemu.NewValidator(m, e) }
default: default:
return nil, fmt.Errorf("unknown cloud service provider: %q", csp) return nil, fmt.Errorf("unknown cloud service provider: %q", csp)
} }
@ -76,9 +76,16 @@ func (u *Updatable) Update() error {
} }
u.log.Debugf("New measurements: %v", measurements) u.log.Debugf("New measurements: %v", measurements)
u.Validator = u.newValidator(measurements) var enforced []uint32
if err := u.fileHandler.ReadJSON(filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename), &enforced); err != nil {
return err
}
u.log.Debugf("Enforced PCRs: %v", enforced)
u.Validator = u.newValidator(measurements, enforced)
u.Validator.AddLogger(u.log)
return nil return nil
} }
type newValidatorFunc func(measurements map[uint32][]byte) atls.Validator type newValidatorFunc func(measurements map[uint32][]byte, enforcedPCRs []uint32) atls.Validator

View File

@ -14,6 +14,7 @@ import (
"testing" "testing"
"github.com/edgelesssys/constellation/internal/atls" "github.com/edgelesssys/constellation/internal/atls"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/constants" "github.com/edgelesssys/constellation/internal/constants"
"github.com/edgelesssys/constellation/internal/file" "github.com/edgelesssys/constellation/internal/file"
"github.com/edgelesssys/constellation/internal/logger" "github.com/edgelesssys/constellation/internal/logger"
@ -72,7 +73,10 @@ func TestNewUpdateableValidator(t *testing.T) {
map[uint32][]byte{ map[uint32][]byte{
11: {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 11: {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
}, },
file.OptNone, ))
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
[]uint32{11},
)) ))
} }
@ -95,7 +99,7 @@ func TestUpdate(t *testing.T) {
require := require.New(t) require := require.New(t)
oid := fakeOID{1, 3, 9900, 1} oid := fakeOID{1, 3, 9900, 1}
newValidator := func(m map[uint32][]byte) atls.Validator { newValidator := func(m map[uint32][]byte, e []uint32) atls.Validator {
return fakeValidator{fakeOID: oid} return fakeValidator{fakeOID: oid}
} }
handler := file.NewHandler(afero.NewMemMapFs()) handler := file.NewHandler(afero.NewMemMapFs())
@ -118,6 +122,10 @@ func TestUpdate(t *testing.T) {
}, },
file.OptNone, file.OptNone,
)) ))
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
[]uint32{11},
))
// call update once to initialize the server's validator // call update once to initialize the server's validator
require.NoError(validator.Update()) require.NoError(validator.Update())
@ -161,7 +169,7 @@ func TestUpdateConcurrency(t *testing.T) {
validator := &Updatable{ validator := &Updatable{
log: logger.NewTest(t), log: logger.NewTest(t),
fileHandler: handler, fileHandler: handler,
newValidator: func(m map[uint32][]byte) atls.Validator { newValidator: func(m map[uint32][]byte, e []uint32) atls.Validator {
return fakeValidator{fakeOID: fakeOID{1, 3, 9900, 1}} return fakeValidator{fakeOID: fakeOID{1, 3, 9900, 1}}
}, },
} }
@ -172,6 +180,10 @@ func TestUpdateConcurrency(t *testing.T) {
}, },
file.OptNone, file.OptNone,
)) ))
require.NoError(handler.WriteJSON(
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
[]uint32{11},
))
var wg sync.WaitGroup var wg sync.WaitGroup
@ -220,6 +232,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
return doc.UserData, v.err return doc.UserData, v.err
} }
func (v fakeValidator) AddLogger(logger vtpm.WarnLogger) {}
type fakeOID asn1.ObjectIdentifier type fakeOID asn1.ObjectIdentifier
func (o fakeOID) OID() asn1.ObjectIdentifier { func (o fakeOID) OID() asn1.ObjectIdentifier {