mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 07:29:38 -05:00
AB#2316 Configurable enforced PCRs (#361)
* Add warnings for non enforced, untrusted PCRs * Fix global state in Config PCR map Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
9478303f80
commit
ba4471a228
@ -17,11 +17,15 @@ All notable changes to Constellation will be documented in this file.
|
|||||||
|
|
||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
- Kubernetes operator for Constellation nodes with ability to update node images.
|
- Kubernetes operator for Constellation nodes with ability to update node images.
|
||||||
- cilium strict pod2pod encryption.
|
- cilium strict pod2pod encryption.
|
||||||
|
- Add a configurable list of enforced measurements to the config. If an expected measurement can not be verified during attestation, but it is not in the list of enforced measurements, only a warning is logged.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
<!-- For changes in existing functionality. -->
|
<!-- For changes in existing functionality. -->
|
||||||
### Deprecated
|
### Deprecated
|
||||||
@ -33,6 +37,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||||||
### Security
|
### Security
|
||||||
<!-- In case of vulnerabilities. -->
|
<!-- In case of vulnerabilities. -->
|
||||||
### Internal
|
### Internal
|
||||||
|
|
||||||
- Run e2e tests on all supported versions.
|
- Run e2e tests on all supported versions.
|
||||||
- Run e2e tests on latest debug images, instead of release image.
|
- Run e2e tests on latest debug images, instead of release image.
|
||||||
|
|
||||||
|
@ -14,7 +14,9 @@ import (
|
|||||||
type clusterFake struct{}
|
type clusterFake struct{}
|
||||||
|
|
||||||
// InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
|
// InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
|
||||||
func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
func (c *clusterFake) InitCluster(
|
||||||
|
context.Context, []string, string, string, []byte, []uint32,
|
||||||
|
resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
||||||
) ([]byte, error) {
|
) ([]byte, error) {
|
||||||
return []byte{}, nil
|
return []byte{}, nil
|
||||||
}
|
}
|
||||||
|
@ -36,6 +36,7 @@ type InitRequest struct {
|
|||||||
SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"`
|
SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"`
|
||||||
Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"`
|
Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"`
|
||||||
HelmDeployments []byte `protobuf:"bytes,11,opt,name=helm_deployments,json=helmDeployments,proto3" json:"helm_deployments,omitempty"`
|
HelmDeployments []byte `protobuf:"bytes,11,opt,name=helm_deployments,json=helmDeployments,proto3" json:"helm_deployments,omitempty"`
|
||||||
|
EnforcedPcrs []uint32 `protobuf:"varint,12,rep,packed,name=enforced_pcrs,json=enforcedPcrs,proto3" json:"enforced_pcrs,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *InitRequest) Reset() {
|
func (x *InitRequest) Reset() {
|
||||||
@ -147,6 +148,13 @@ func (x *InitRequest) GetHelmDeployments() []byte {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (x *InitRequest) GetEnforcedPcrs() []uint32 {
|
||||||
|
if x != nil {
|
||||||
|
return x.EnforcedPcrs
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
type InitResponse struct {
|
type InitResponse struct {
|
||||||
state protoimpl.MessageState
|
state protoimpl.MessageState
|
||||||
sizeCache protoimpl.SizeCache
|
sizeCache protoimpl.SizeCache
|
||||||
@ -269,7 +277,7 @@ var File_init_proto protoreflect.FileDescriptor
|
|||||||
|
|
||||||
var file_init_proto_rawDesc = []byte{
|
var file_init_proto_rawDesc = []byte{
|
||||||
0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e,
|
0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e,
|
||||||
0x69, 0x74, 0x22, 0xe0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
|
0x69, 0x74, 0x22, 0x85, 0x04, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
|
||||||
0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e,
|
0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e,
|
||||||
0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20,
|
0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20,
|
||||||
0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67,
|
0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67,
|
||||||
@ -299,26 +307,28 @@ var file_init_proto_rawDesc = []byte{
|
|||||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x68, 0x65,
|
0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x68, 0x65,
|
||||||
0x6c, 0x6d, 0x5f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0b,
|
0x6c, 0x6d, 0x5f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0b,
|
||||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x68, 0x65, 0x6c, 0x6d, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79,
|
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x68, 0x65, 0x6c, 0x6d, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79,
|
||||||
0x6d, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73,
|
0x6d, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65,
|
||||||
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e,
|
0x64, 0x5f, 0x70, 0x63, 0x72, 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0d, 0x52, 0x0c, 0x65, 0x6e,
|
||||||
0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63,
|
0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x50, 0x63, 0x72, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e,
|
||||||
0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x69,
|
0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75,
|
||||||
0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x64,
|
0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a,
|
||||||
0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03,
|
0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77,
|
||||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x22,
|
0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77,
|
||||||
0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a,
|
0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
|
||||||
0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
|
0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74,
|
||||||
0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62,
|
0x65, 0x72, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b,
|
||||||
0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70,
|
0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
|
||||||
0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12,
|
0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d,
|
||||||
0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49,
|
0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
|
||||||
0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x69, 0x6e, 0x69,
|
0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a,
|
||||||
0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3d,
|
0x03, 0x41, 0x50, 0x49, 0x12, 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69,
|
||||||
0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67,
|
0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
|
||||||
0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c,
|
0x12, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
|
||||||
0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70,
|
0x6e, 0x73, 0x65, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
|
||||||
0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70,
|
0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f,
|
||||||
0x72, 0x6f, 0x74, 0x6f, 0x33,
|
0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74,
|
||||||
|
0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f,
|
||||||
|
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -20,6 +20,7 @@ message InitRequest {
|
|||||||
repeated SSHUserKey ssh_user_keys = 9;
|
repeated SSHUserKey ssh_user_keys = 9;
|
||||||
bytes salt = 10;
|
bytes salt = 10;
|
||||||
bytes helm_deployments = 11;
|
bytes helm_deployments = 11;
|
||||||
|
repeated uint32 enforced_pcrs = 12;
|
||||||
}
|
}
|
||||||
|
|
||||||
message InitResponse {
|
message InitResponse {
|
||||||
|
@ -115,6 +115,7 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
|
|||||||
req.CloudServiceAccountUri,
|
req.CloudServiceAccountUri,
|
||||||
req.KubernetesVersion,
|
req.KubernetesVersion,
|
||||||
measurementSalt,
|
measurementSalt,
|
||||||
|
req.EnforcedPcrs,
|
||||||
resources.KMSConfig{
|
resources.KMSConfig{
|
||||||
MasterSecret: req.MasterSecret,
|
MasterSecret: req.MasterSecret,
|
||||||
Salt: req.Salt,
|
Salt: req.Salt,
|
||||||
@ -197,6 +198,7 @@ type ClusterInitializer interface {
|
|||||||
cloudServiceAccountURI string,
|
cloudServiceAccountURI string,
|
||||||
k8sVersion string,
|
k8sVersion string,
|
||||||
measurementSalt []byte,
|
measurementSalt []byte,
|
||||||
|
enforcedPcrs []uint32,
|
||||||
kmsConfig resources.KMSConfig,
|
kmsConfig resources.KMSConfig,
|
||||||
sshUserKeys map[string]string,
|
sshUserKeys map[string]string,
|
||||||
helmDeployments []byte,
|
helmDeployments []byte,
|
||||||
|
@ -282,7 +282,9 @@ type stubClusterInitializer struct {
|
|||||||
initClusterErr error
|
initClusterErr error
|
||||||
}
|
}
|
||||||
|
|
||||||
func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
func (i *stubClusterInitializer) InitCluster(
|
||||||
|
context.Context, []string, string, string, []byte, []uint32,
|
||||||
|
resources.KMSConfig, map[string]string, []byte, *logger.Logger,
|
||||||
) ([]byte, error) {
|
) ([]byte, error) {
|
||||||
return i.initClusterKubeconfig, i.initClusterErr
|
return i.initClusterKubeconfig, i.initClusterErr
|
||||||
}
|
}
|
||||||
|
@ -23,7 +23,7 @@ type joinServiceDaemonset struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NewJoinServiceDaemonset returns a daemonset for the join service.
|
// NewJoinServiceDaemonset returns a daemonset for the join service.
|
||||||
func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byte) *joinServiceDaemonset {
|
func NewJoinServiceDaemonset(csp, measurementsJSON, enforcedPCRsJSON string, measurementSalt []byte) *joinServiceDaemonset {
|
||||||
return &joinServiceDaemonset{
|
return &joinServiceDaemonset{
|
||||||
ClusterRole: rbac.ClusterRole{
|
ClusterRole: rbac.ClusterRole{
|
||||||
TypeMeta: meta.TypeMeta{
|
TypeMeta: meta.TypeMeta{
|
||||||
@ -247,6 +247,7 @@ func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byt
|
|||||||
},
|
},
|
||||||
Data: map[string]string{
|
Data: map[string]string{
|
||||||
constants.MeasurementsFilename: measurementsJSON,
|
constants.MeasurementsFilename: measurementsJSON,
|
||||||
|
constants.EnforcedPCRsFilename: enforcedPCRsJSON,
|
||||||
},
|
},
|
||||||
BinaryData: map[string][]byte{
|
BinaryData: map[string][]byte{
|
||||||
constants.MeasurementSaltFilename: measurementSalt,
|
constants.MeasurementSaltFilename: measurementSalt,
|
||||||
|
@ -8,7 +8,7 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func TestNewJoinServiceDaemonset(t *testing.T) {
|
func TestNewJoinServiceDaemonset(t *testing.T) {
|
||||||
deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", []byte{0x0, 0x1, 0x2})
|
deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", "enforcedPCRsJSON", []byte{0x0, 0x1, 0x2})
|
||||||
deploymentYAML, err := deployment.Marshal()
|
deploymentYAML, err := deployment.Marshal()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
@ -2,6 +2,7 @@ package kubernetes
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
@ -70,8 +71,8 @@ func New(cloudProvider string, clusterUtil clusterUtil, configProvider configura
|
|||||||
|
|
||||||
// InitCluster initializes a new Kubernetes cluster and applies pod network provider.
|
// InitCluster initializes a new Kubernetes cluster and applies pod network provider.
|
||||||
func (k *KubeWrapper) InitCluster(
|
func (k *KubeWrapper) InitCluster(
|
||||||
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string,
|
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string, measurementSalt []byte,
|
||||||
measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger,
|
enforcedPCRs []uint32, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger,
|
||||||
) ([]byte, error) {
|
) ([]byte, error) {
|
||||||
k8sVersion, err := versions.NewValidK8sVersion(versionString)
|
k8sVersion, err := versions.NewValidK8sVersion(versionString)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -180,7 +181,7 @@ func (k *KubeWrapper) InitCluster(
|
|||||||
return nil, fmt.Errorf("setting up kms: %w", err)
|
return nil, fmt.Errorf("setting up kms: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt); err != nil {
|
if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt, enforcedPCRs); err != nil {
|
||||||
return nil, fmt.Errorf("setting up join service failed: %w", err)
|
return nil, fmt.Errorf("setting up join service failed: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -297,8 +298,17 @@ func (k *KubeWrapper) GetKubeconfig() ([]byte, error) {
|
|||||||
return k.kubeconfigReader.ReadKubeconfig()
|
return k.kubeconfigReader.ReadKubeconfig()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k *KubeWrapper) setupJoinService(csp string, measurementsJSON, measurementSalt []byte) error {
|
func (k *KubeWrapper) setupJoinService(
|
||||||
joinConfiguration := resources.NewJoinServiceDaemonset(csp, string(measurementsJSON), measurementSalt)
|
csp string, measurementsJSON, measurementSalt []byte, enforcedPCRs []uint32,
|
||||||
|
) error {
|
||||||
|
enforcedPCRsJSON, err := json.Marshal(enforcedPCRs)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("marshaling enforcedPCRs: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
joinConfiguration := resources.NewJoinServiceDaemonset(
|
||||||
|
csp, string(measurementsJSON), string(enforcedPCRsJSON), measurementSalt,
|
||||||
|
)
|
||||||
|
|
||||||
return k.clusterUtil.SetupJoinService(k.client, joinConfiguration)
|
return k.clusterUtil.SetupJoinService(k.client, joinConfiguration)
|
||||||
}
|
}
|
||||||
|
@ -296,7 +296,11 @@ func TestInitCluster(t *testing.T) {
|
|||||||
kubeconfigReader: tc.kubeconfigReader,
|
kubeconfigReader: tc.kubeconfigReader,
|
||||||
getIPAddr: func() (string, error) { return privateIP, nil },
|
getIPAddr: func() (string, error) { return privateIP, nil },
|
||||||
}
|
}
|
||||||
_, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t))
|
|
||||||
|
_, err := kube.InitCluster(
|
||||||
|
context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion),
|
||||||
|
nil, nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t),
|
||||||
|
)
|
||||||
|
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
assert.Error(err)
|
assert.Error(err)
|
||||||
|
@ -5,7 +5,6 @@ import (
|
|||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/internal/atls"
|
"github.com/edgelesssys/constellation/internal/atls"
|
||||||
"github.com/edgelesssys/constellation/internal/attestation/azure"
|
"github.com/edgelesssys/constellation/internal/attestation/azure"
|
||||||
@ -14,13 +13,13 @@ import (
|
|||||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||||
"github.com/edgelesssys/constellation/internal/config"
|
"github.com/edgelesssys/constellation/internal/config"
|
||||||
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
const warningStr = "Warning: not verifying the Constellation cluster's %s measurements\n"
|
|
||||||
|
|
||||||
type Validator struct {
|
type Validator struct {
|
||||||
provider cloudprovider.Provider
|
provider cloudprovider.Provider
|
||||||
pcrs map[uint32][]byte
|
pcrs map[uint32][]byte
|
||||||
|
enforcedPCRs []uint32
|
||||||
validator atls.Validator
|
validator atls.Validator
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -51,6 +50,16 @@ func (v *Validator) UpdateInitPCRs(ownerID, clusterID string) error {
|
|||||||
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
|
func (v *Validator) updatePCR(pcrIndex uint32, encoded string) error {
|
||||||
if encoded == "" {
|
if encoded == "" {
|
||||||
delete(v.pcrs, pcrIndex)
|
delete(v.pcrs, pcrIndex)
|
||||||
|
|
||||||
|
// remove enforced PCR if it exists
|
||||||
|
for i, enforcedIdx := range v.enforcedPCRs {
|
||||||
|
if enforcedIdx == pcrIndex {
|
||||||
|
v.enforcedPCRs[i] = v.enforcedPCRs[len(v.enforcedPCRs)-1]
|
||||||
|
v.enforcedPCRs = v.enforcedPCRs[:len(v.enforcedPCRs)-1]
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
decoded, err := base64.StdEncoding.DecodeString(encoded)
|
decoded, err := base64.StdEncoding.DecodeString(encoded)
|
||||||
@ -69,29 +78,35 @@ func (v *Validator) setPCRs(config *config.Config) error {
|
|||||||
switch v.provider {
|
switch v.provider {
|
||||||
case cloudprovider.GCP:
|
case cloudprovider.GCP:
|
||||||
gcpPCRs := config.Provider.GCP.Measurements
|
gcpPCRs := config.Provider.GCP.Measurements
|
||||||
if err := v.checkPCRs(gcpPCRs); err != nil {
|
enforcedPCRs := config.Provider.GCP.EnforcedMeasurements
|
||||||
|
if err := v.checkPCRs(gcpPCRs, enforcedPCRs); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
v.enforcedPCRs = enforcedPCRs
|
||||||
v.pcrs = gcpPCRs
|
v.pcrs = gcpPCRs
|
||||||
case cloudprovider.Azure:
|
case cloudprovider.Azure:
|
||||||
azurePCRs := config.Provider.Azure.Measurements
|
azurePCRs := config.Provider.Azure.Measurements
|
||||||
if err := v.checkPCRs(azurePCRs); err != nil {
|
enforcedPCRs := config.Provider.Azure.EnforcedMeasurements
|
||||||
|
if err := v.checkPCRs(azurePCRs, enforcedPCRs); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
v.enforcedPCRs = enforcedPCRs
|
||||||
v.pcrs = azurePCRs
|
v.pcrs = azurePCRs
|
||||||
case cloudprovider.QEMU:
|
case cloudprovider.QEMU:
|
||||||
qemuPCRs := config.Provider.QEMU.Measurements
|
qemuPCRs := config.Provider.QEMU.Measurements
|
||||||
if err := v.checkPCRs(qemuPCRs); err != nil {
|
enforcedPCRs := config.Provider.QEMU.EnforcedMeasurements
|
||||||
|
if err := v.checkPCRs(qemuPCRs, enforcedPCRs); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
v.enforcedPCRs = enforcedPCRs
|
||||||
v.pcrs = qemuPCRs
|
v.pcrs = qemuPCRs
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// V returns the validator as atls.Validator.
|
// V returns the validator as atls.Validator.
|
||||||
func (v *Validator) V() atls.Validator {
|
func (v *Validator) V(cmd *cobra.Command) atls.Validator {
|
||||||
v.updateValidator()
|
v.updateValidator(cmd)
|
||||||
return v.validator
|
return v.validator
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -100,60 +115,19 @@ func (v *Validator) PCRS() map[uint32][]byte {
|
|||||||
return v.pcrs
|
return v.pcrs
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v *Validator) updateValidator() {
|
func (v *Validator) updateValidator(cmd *cobra.Command) {
|
||||||
switch v.provider {
|
switch v.provider {
|
||||||
case cloudprovider.GCP:
|
case cloudprovider.GCP:
|
||||||
v.validator = gcp.NewValidator(v.pcrs)
|
v.validator = gcp.NewValidator(v.pcrs, v.enforcedPCRs)
|
||||||
case cloudprovider.Azure:
|
case cloudprovider.Azure:
|
||||||
v.validator = azure.NewValidator(v.pcrs)
|
v.validator = azure.NewValidator(v.pcrs, v.enforcedPCRs)
|
||||||
case cloudprovider.QEMU:
|
case cloudprovider.QEMU:
|
||||||
v.validator = qemu.NewValidator(v.pcrs)
|
v.validator = qemu.NewValidator(v.pcrs, v.enforcedPCRs)
|
||||||
}
|
}
|
||||||
|
v.validator.AddLogger(warnLogger{cmd: cmd})
|
||||||
}
|
}
|
||||||
|
|
||||||
// Warnings returns warnings for the specifc PCR values that are not verified.
|
func (v *Validator) checkPCRs(pcrs map[uint32][]byte, enforcedPCRs []uint32) error {
|
||||||
//
|
|
||||||
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
|
|
||||||
func (v *Validator) Warnings() string {
|
|
||||||
sb := &strings.Builder{}
|
|
||||||
|
|
||||||
if v.pcrs[0] == nil || v.pcrs[1] == nil {
|
|
||||||
writeWarnFmt(sb, "BIOS")
|
|
||||||
}
|
|
||||||
|
|
||||||
if v.pcrs[2] == nil || v.pcrs[3] == nil {
|
|
||||||
writeWarnFmt(sb, "OPROM")
|
|
||||||
}
|
|
||||||
|
|
||||||
if v.pcrs[4] == nil || v.pcrs[5] == nil {
|
|
||||||
writeWarnFmt(sb, "MBR")
|
|
||||||
}
|
|
||||||
|
|
||||||
// GRUB measures kernel command line and initrd into pcrs 8 and 9
|
|
||||||
if v.pcrs[8] == nil {
|
|
||||||
writeWarnFmt(sb, "kernel command line")
|
|
||||||
}
|
|
||||||
if v.pcrs[9] == nil {
|
|
||||||
writeWarnFmt(sb, "initrd")
|
|
||||||
}
|
|
||||||
|
|
||||||
return sb.String()
|
|
||||||
}
|
|
||||||
|
|
||||||
// WarningsIncludeInit returns warnings for the specific PCR values that are not verified.
|
|
||||||
// Warnings regarding the initialization are included.
|
|
||||||
//
|
|
||||||
// PCR allocation inspired by https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12#Tab1
|
|
||||||
func (v *Validator) WarningsIncludeInit() string {
|
|
||||||
warnings := v.Warnings()
|
|
||||||
if v.pcrs[uint32(vtpm.PCRIndexOwnerID)] == nil || v.pcrs[uint32(vtpm.PCRIndexClusterID)] == nil {
|
|
||||||
warnings = warnings + fmt.Sprintf(warningStr, "initialization status")
|
|
||||||
}
|
|
||||||
|
|
||||||
return warnings
|
|
||||||
}
|
|
||||||
|
|
||||||
func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
|
|
||||||
if len(pcrs) == 0 {
|
if len(pcrs) == 0 {
|
||||||
return errors.New("no PCR values provided")
|
return errors.New("no PCR values provided")
|
||||||
}
|
}
|
||||||
@ -162,13 +136,20 @@ func (v *Validator) checkPCRs(pcrs map[uint32][]byte) error {
|
|||||||
return fmt.Errorf("bad config: PCR[%d]: expected length: %d, but got: %d", k, 32, len(v))
|
return fmt.Errorf("bad config: PCR[%d]: expected length: %d, but got: %d", k, 32, len(v))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
for _, v := range enforcedPCRs {
|
||||||
|
if _, ok := pcrs[v]; !ok {
|
||||||
|
return fmt.Errorf("bad config: PCR[%d] is enforced, but no expected measurement is provided", v)
|
||||||
|
}
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func writeWarnFmt(sb *strings.Builder, args ...any) {
|
// warnLogger implements logging of warnings for validators.
|
||||||
writeFmt(sb, warningStr, args...)
|
type warnLogger struct {
|
||||||
|
cmd *cobra.Command
|
||||||
}
|
}
|
||||||
|
|
||||||
func writeFmt(sb *strings.Builder, fmtStr string, args ...any) {
|
// Warnf prints a formatted warning from the validator.
|
||||||
sb.WriteString(fmt.Sprintf(fmtStr, args...))
|
func (wl warnLogger) Warnf(fmtStr string, args ...interface{}) {
|
||||||
|
wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))
|
||||||
}
|
}
|
||||||
|
@ -12,6 +12,7 @@ import (
|
|||||||
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||||
"github.com/edgelesssys/constellation/internal/config"
|
"github.com/edgelesssys/constellation/internal/config"
|
||||||
|
"github.com/spf13/cobra"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -93,172 +94,6 @@ func TestNewValidator(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestValidatorWarnings(t *testing.T) {
|
|
||||||
zero := []byte("00000000000000000000000000000000")
|
|
||||||
|
|
||||||
testCases := map[string]struct {
|
|
||||||
pcrs map[uint32][]byte
|
|
||||||
wantWarnings []string
|
|
||||||
wantWInclude []string
|
|
||||||
}{
|
|
||||||
"no warnings": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
6: zero,
|
|
||||||
7: zero,
|
|
||||||
8: zero,
|
|
||||||
9: zero,
|
|
||||||
10: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
"no warnings for missing non critical values": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
8: zero,
|
|
||||||
9: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
"warn for BIOS": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
8: zero,
|
|
||||||
9: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
wantWarnings: []string{"BIOS"},
|
|
||||||
},
|
|
||||||
"warn for OPROM": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
8: zero,
|
|
||||||
9: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
wantWarnings: []string{"OPROM"},
|
|
||||||
},
|
|
||||||
"warn for MBR": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
5: zero,
|
|
||||||
8: zero,
|
|
||||||
9: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
wantWarnings: []string{"MBR"},
|
|
||||||
},
|
|
||||||
"warn for kernel": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
9: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
wantWarnings: []string{"kernel"},
|
|
||||||
},
|
|
||||||
"warn for initrd": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
8: zero,
|
|
||||||
11: zero,
|
|
||||||
12: zero,
|
|
||||||
},
|
|
||||||
wantWarnings: []string{"initrd"},
|
|
||||||
},
|
|
||||||
"warn for initialization": {
|
|
||||||
pcrs: map[uint32][]byte{
|
|
||||||
0: zero,
|
|
||||||
1: zero,
|
|
||||||
2: zero,
|
|
||||||
3: zero,
|
|
||||||
4: zero,
|
|
||||||
5: zero,
|
|
||||||
8: zero,
|
|
||||||
9: zero,
|
|
||||||
11: zero,
|
|
||||||
},
|
|
||||||
wantWInclude: []string{"initialization"},
|
|
||||||
},
|
|
||||||
"multi warning": {
|
|
||||||
pcrs: map[uint32][]byte{},
|
|
||||||
wantWarnings: []string{
|
|
||||||
"BIOS",
|
|
||||||
"OPROM",
|
|
||||||
"MBR",
|
|
||||||
"initrd",
|
|
||||||
"kernel",
|
|
||||||
},
|
|
||||||
wantWInclude: []string{"initialization"},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for name, tc := range testCases {
|
|
||||||
t.Run(name, func(t *testing.T) {
|
|
||||||
assert := assert.New(t)
|
|
||||||
|
|
||||||
validators := Validator{pcrs: tc.pcrs}
|
|
||||||
|
|
||||||
warnings := validators.Warnings()
|
|
||||||
warningsInclueInit := validators.WarningsIncludeInit()
|
|
||||||
|
|
||||||
if len(tc.wantWarnings) == 0 {
|
|
||||||
assert.Empty(warnings)
|
|
||||||
}
|
|
||||||
for _, w := range tc.wantWarnings {
|
|
||||||
assert.Contains(warnings, w)
|
|
||||||
}
|
|
||||||
for _, w := range tc.wantWarnings {
|
|
||||||
assert.Contains(warningsInclueInit, w)
|
|
||||||
}
|
|
||||||
if len(tc.wantWInclude) == 0 {
|
|
||||||
assert.Equal(len(warnings), len(warningsInclueInit))
|
|
||||||
} else {
|
|
||||||
assert.Greater(len(warningsInclueInit), len(warnings))
|
|
||||||
}
|
|
||||||
for _, w := range tc.wantWInclude {
|
|
||||||
assert.Contains(warningsInclueInit, w)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestValidatorV(t *testing.T) {
|
func TestValidatorV(t *testing.T) {
|
||||||
zero := []byte("00000000000000000000000000000000")
|
zero := []byte("00000000000000000000000000000000")
|
||||||
newTestPCRs := func() map[uint32][]byte {
|
newTestPCRs := func() map[uint32][]byte {
|
||||||
@ -287,17 +122,17 @@ func TestValidatorV(t *testing.T) {
|
|||||||
"gcp": {
|
"gcp": {
|
||||||
provider: cloudprovider.GCP,
|
provider: cloudprovider.GCP,
|
||||||
pcrs: newTestPCRs(),
|
pcrs: newTestPCRs(),
|
||||||
wantVs: gcp.NewValidator(newTestPCRs()),
|
wantVs: gcp.NewValidator(newTestPCRs(), nil),
|
||||||
},
|
},
|
||||||
"azure": {
|
"azure": {
|
||||||
provider: cloudprovider.Azure,
|
provider: cloudprovider.Azure,
|
||||||
pcrs: newTestPCRs(),
|
pcrs: newTestPCRs(),
|
||||||
wantVs: azure.NewValidator(newTestPCRs()),
|
wantVs: azure.NewValidator(newTestPCRs(), nil),
|
||||||
},
|
},
|
||||||
"qemu": {
|
"qemu": {
|
||||||
provider: cloudprovider.QEMU,
|
provider: cloudprovider.QEMU,
|
||||||
pcrs: newTestPCRs(),
|
pcrs: newTestPCRs(),
|
||||||
wantVs: qemu.NewValidator(newTestPCRs()),
|
wantVs: qemu.NewValidator(newTestPCRs(), nil),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -307,7 +142,7 @@ func TestValidatorV(t *testing.T) {
|
|||||||
|
|
||||||
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
|
validators := &Validator{provider: tc.provider, pcrs: tc.pcrs}
|
||||||
|
|
||||||
resultValidator := validators.V()
|
resultValidator := validators.V(&cobra.Command{})
|
||||||
|
|
||||||
assert.Equal(tc.wantVs.OID(), resultValidator.OID())
|
assert.Equal(tc.wantVs.OID(), resultValidator.OID())
|
||||||
})
|
})
|
||||||
|
@ -54,7 +54,7 @@ func runInitialize(cmd *cobra.Command, args []string) error {
|
|||||||
fileHandler := file.NewHandler(afero.NewOsFs())
|
fileHandler := file.NewHandler(afero.NewOsFs())
|
||||||
serviceAccountCreator := cloudcmd.NewServiceAccountCreator()
|
serviceAccountCreator := cloudcmd.NewServiceAccountCreator()
|
||||||
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
|
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
|
||||||
return dialer.New(nil, validator.V(), &net.Dialer{})
|
return dialer.New(nil, validator.V(cmd), &net.Dialer{})
|
||||||
}
|
}
|
||||||
helmLoader := &helm.ChartLoader{}
|
helmLoader := &helm.ChartLoader{}
|
||||||
return initialize(cmd, newDialer, serviceAccountCreator, fileHandler, helmLoader)
|
return initialize(cmd, newDialer, serviceAccountCreator, fileHandler, helmLoader)
|
||||||
@ -96,7 +96,6 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
cmd.Print(validator.WarningsIncludeInit())
|
|
||||||
|
|
||||||
cmd.Println("Creating service account ...")
|
cmd.Println("Creating service account ...")
|
||||||
serviceAccount, stat, err := serviceAccCreator.Create(cmd.Context(), stat, config)
|
serviceAccount, stat, err := serviceAccCreator.Create(cmd.Context(), stat, config)
|
||||||
@ -135,6 +134,7 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
|||||||
KubernetesVersion: config.KubernetesVersion,
|
KubernetesVersion: config.KubernetesVersion,
|
||||||
SshUserKeys: ssh.ToProtoSlice(sshUsers),
|
SshUserKeys: ssh.ToProtoSlice(sshUsers),
|
||||||
HelmDeployments: helmDeployments,
|
HelmDeployments: helmDeployments,
|
||||||
|
EnforcedPcrs: getEnforcedMeasurements(provider, config),
|
||||||
}
|
}
|
||||||
resp, err := initCall(cmd.Context(), newDialer(validator), stat.BootstrapperHost, req)
|
resp, err := initCall(cmd.Context(), newDialer(validator), stat.BootstrapperHost, req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -214,6 +214,19 @@ func writeRow(wr io.Writer, col1 string, col2 string) {
|
|||||||
fmt.Fprint(wr, col1, "\t", col2, "\n")
|
fmt.Fprint(wr, col1, "\t", col2, "\n")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getEnforcedMeasurements(provider cloudprovider.Provider, config *config.Config) []uint32 {
|
||||||
|
switch provider {
|
||||||
|
case cloudprovider.Azure:
|
||||||
|
return config.Provider.Azure.EnforcedMeasurements
|
||||||
|
case cloudprovider.GCP:
|
||||||
|
return config.Provider.GCP.EnforcedMeasurements
|
||||||
|
case cloudprovider.QEMU:
|
||||||
|
return config.Provider.QEMU.EnforcedMeasurements
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// evalFlagArgs gets the flag values and does preprocessing of these values like
|
// evalFlagArgs gets the flag values and does preprocessing of these values like
|
||||||
// reading the content from file path flags and deriving other values from flag combinations.
|
// reading the content from file path flags and deriving other values from flag combinations.
|
||||||
func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, error) {
|
func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, error) {
|
||||||
|
@ -14,6 +14,7 @@ import (
|
|||||||
|
|
||||||
"github.com/edgelesssys/constellation/bootstrapper/initproto"
|
"github.com/edgelesssys/constellation/bootstrapper/initproto"
|
||||||
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
||||||
|
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||||
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||||
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
|
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
|
||||||
"github.com/edgelesssys/constellation/internal/config"
|
"github.com/edgelesssys/constellation/internal/config"
|
||||||
@ -158,9 +159,12 @@ func TestInitialize(t *testing.T) {
|
|||||||
cmd.SetOut(&out)
|
cmd.SetOut(&out)
|
||||||
var errOut bytes.Buffer
|
var errOut bytes.Buffer
|
||||||
cmd.SetErr(&errOut)
|
cmd.SetErr(&errOut)
|
||||||
cmd.Flags().String("config", "", "") // register persistent flag manually
|
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
||||||
fs := afero.NewMemMapFs()
|
fs := afero.NewMemMapFs()
|
||||||
fileHandler := file.NewHandler(fs)
|
fileHandler := file.NewHandler(fs)
|
||||||
|
|
||||||
|
config := defaultConfigWithExpectedMeasurements(t, cloudprovider.FromString(tc.existingState.CloudProvider))
|
||||||
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||||
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
|
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
|
||||||
require.NoError(cmd.Flags().Set("autoscale", strconv.FormatBool(tc.setAutoscaleFlag)))
|
require.NoError(cmd.Flags().Set("autoscale", strconv.FormatBool(tc.setAutoscaleFlag)))
|
||||||
|
|
||||||
@ -476,6 +480,8 @@ func (v *testValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
|||||||
return attestation.UserData, nil
|
return attestation.UserData, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v *testValidator) AddLogger(vtpm.WarnLogger) {}
|
||||||
|
|
||||||
type testIssuer struct {
|
type testIssuer struct {
|
||||||
oid.Getter
|
oid.Getter
|
||||||
pcrs map[uint32][]byte
|
pcrs map[uint32][]byte
|
||||||
@ -506,3 +512,27 @@ func (s *stubInitServer) Init(ctx context.Context, req *initproto.InitRequest) (
|
|||||||
s.activateAutoscalingNodeGroups = req.AutoscalingNodeGroups
|
s.activateAutoscalingNodeGroups = req.AutoscalingNodeGroups
|
||||||
return s.initResp, s.initErr
|
return s.initResp, s.initErr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func defaultConfigWithExpectedMeasurements(t *testing.T, csp cloudprovider.Provider) *config.Config {
|
||||||
|
t.Helper()
|
||||||
|
config := config.Default()
|
||||||
|
|
||||||
|
config.Provider.Azure.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
|
||||||
|
config.Provider.Azure.TenantID = "01234567-0123-0123-0123-0123456789ab"
|
||||||
|
config.Provider.Azure.Location = "test-location"
|
||||||
|
config.Provider.Azure.UserAssignedIdentity = "test-identity"
|
||||||
|
config.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||||
|
config.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||||
|
|
||||||
|
config.Provider.GCP.Region = "test-region"
|
||||||
|
config.Provider.GCP.Project = "test-project"
|
||||||
|
config.Provider.GCP.Zone = "test-zone"
|
||||||
|
config.Provider.GCP.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||||
|
config.Provider.GCP.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||||
|
|
||||||
|
config.Provider.QEMU.Measurements[8] = []byte("00000000000000000000000000000000")
|
||||||
|
config.Provider.QEMU.Measurements[9] = []byte("11111111111111111111111111111111")
|
||||||
|
|
||||||
|
config.RemoveProviderExcept(csp)
|
||||||
|
return config
|
||||||
|
}
|
||||||
|
@ -72,9 +72,8 @@ func recover(cmd *cobra.Command, fileHandler file.Handler, recoveryClient recove
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
cmd.Print(validators.WarningsIncludeInit())
|
|
||||||
|
|
||||||
if err := recoveryClient.Connect(flags.endpoint, validators.V()); err != nil {
|
if err := recoveryClient.Connect(flags.endpoint, validators.V(cmd)); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -6,6 +6,7 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
||||||
"github.com/edgelesssys/constellation/internal/constants"
|
"github.com/edgelesssys/constellation/internal/constants"
|
||||||
"github.com/edgelesssys/constellation/internal/crypto/testvector"
|
"github.com/edgelesssys/constellation/internal/crypto/testvector"
|
||||||
"github.com/edgelesssys/constellation/internal/file"
|
"github.com/edgelesssys/constellation/internal/file"
|
||||||
@ -125,7 +126,7 @@ func TestRecover(t *testing.T) {
|
|||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
cmd := NewRecoverCmd()
|
cmd := NewRecoverCmd()
|
||||||
cmd.Flags().String("config", "", "") // register persistent flag manually
|
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
||||||
out := &bytes.Buffer{}
|
out := &bytes.Buffer{}
|
||||||
cmd.SetOut(out)
|
cmd.SetOut(out)
|
||||||
cmd.SetErr(&bytes.Buffer{})
|
cmd.SetErr(&bytes.Buffer{})
|
||||||
@ -144,6 +145,10 @@ func TestRecover(t *testing.T) {
|
|||||||
|
|
||||||
fs := afero.NewMemMapFs()
|
fs := afero.NewMemMapFs()
|
||||||
fileHandler := file.NewHandler(fs)
|
fileHandler := file.NewHandler(fs)
|
||||||
|
|
||||||
|
config := defaultConfigWithExpectedMeasurements(t, cloudprovider.FromString(tc.existingState.CloudProvider))
|
||||||
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||||
|
|
||||||
require.NoError(fileHandler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt}, file.OptNone))
|
require.NoError(fileHandler.WriteJSON("constellation-mastersecret.json", masterSecret{Key: tc.masterSecret.Secret, Salt: tc.masterSecret.Salt}, file.OptNone))
|
||||||
if !tc.stateless {
|
if !tc.stateless {
|
||||||
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
|
require.NoError(fileHandler.WriteJSON(constants.StateFilename, tc.existingState, file.OptNone))
|
||||||
|
@ -70,9 +70,6 @@ func verify(
|
|||||||
if err := validators.UpdateInitPCRs(flags.ownerID, flags.clusterID); err != nil {
|
if err := validators.UpdateInitPCRs(flags.ownerID, flags.clusterID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if validators.Warnings() != "" {
|
|
||||||
cmd.Print(validators.Warnings())
|
|
||||||
}
|
|
||||||
|
|
||||||
nonce, err := crypto.GenerateRandomBytes(32)
|
nonce, err := crypto.GenerateRandomBytes(32)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -90,7 +87,7 @@ func verify(
|
|||||||
Nonce: nonce,
|
Nonce: nonce,
|
||||||
UserData: userData,
|
UserData: userData,
|
||||||
},
|
},
|
||||||
validators.V(),
|
validators.V(cmd),
|
||||||
); err != nil {
|
); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -172,7 +172,7 @@ func TestVerify(t *testing.T) {
|
|||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
cmd := NewVerifyCmd()
|
cmd := NewVerifyCmd()
|
||||||
cmd.Flags().String("config", "", "") // register persistent flag manually
|
cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
|
||||||
out := &bytes.Buffer{}
|
out := &bytes.Buffer{}
|
||||||
cmd.SetOut(out)
|
cmd.SetOut(out)
|
||||||
cmd.SetErr(&bytes.Buffer{})
|
cmd.SetErr(&bytes.Buffer{})
|
||||||
@ -190,6 +190,8 @@ func TestVerify(t *testing.T) {
|
|||||||
}
|
}
|
||||||
fileHandler := file.NewHandler(tc.setupFs(require))
|
fileHandler := file.NewHandler(tc.setupFs(require))
|
||||||
|
|
||||||
|
config := defaultConfigWithExpectedMeasurements(t, tc.provider)
|
||||||
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))
|
||||||
if tc.idFile != nil {
|
if tc.idFile != nil {
|
||||||
require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone))
|
require.NoError(fileHandler.WriteJSON(constants.ClusterIDsFileName, tc.idFile, file.OptNone))
|
||||||
}
|
}
|
||||||
|
@ -17,6 +17,7 @@ import (
|
|||||||
"math/big"
|
"math/big"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||||
"github.com/edgelesssys/constellation/internal/crypto"
|
"github.com/edgelesssys/constellation/internal/crypto"
|
||||||
"github.com/edgelesssys/constellation/internal/oid"
|
"github.com/edgelesssys/constellation/internal/oid"
|
||||||
)
|
)
|
||||||
@ -71,6 +72,7 @@ type Issuer interface {
|
|||||||
type Validator interface {
|
type Validator interface {
|
||||||
oid.Getter
|
oid.Getter
|
||||||
Validate(attDoc []byte, nonce []byte) ([]byte, error)
|
Validate(attDoc []byte, nonce []byte) ([]byte, error)
|
||||||
|
AddLogger(log vtpm.WarnLogger)
|
||||||
}
|
}
|
||||||
|
|
||||||
// getATLSConfigForClientFunc returns a config setup function that is called once for every client connecting to the server.
|
// getATLSConfigForClientFunc returns a config setup function that is called once for every client connecting to the server.
|
||||||
@ -365,6 +367,9 @@ func NewFakeValidators(oid oid.Getter) []Validator {
|
|||||||
return []Validator{NewFakeValidator(oid)}
|
return []Validator{NewFakeValidator(oid)}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// AddLogger is a nop for FakeValidator.
|
||||||
|
func (v FakeValidator) AddLogger(log vtpm.WarnLogger) {}
|
||||||
|
|
||||||
// Validate unmarshals the attestation document and verifies the nonce.
|
// Validate unmarshals the attestation document and verifies the nonce.
|
||||||
func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
||||||
var doc FakeAttestationDoc
|
var doc FakeAttestationDoc
|
||||||
|
@ -15,10 +15,11 @@ type Validator struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NewValidator initializes a new Azure validator with the provided PCR values.
|
// NewValidator initializes a new Azure validator with the provided PCR values.
|
||||||
func NewValidator(pcrs map[uint32][]byte) *Validator {
|
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
|
||||||
return &Validator{
|
return &Validator{
|
||||||
Validator: vtpm.NewValidator(
|
Validator: vtpm.NewValidator(
|
||||||
pcrs,
|
pcrs,
|
||||||
|
enforcedPCRs,
|
||||||
trustedKeyFromSNP,
|
trustedKeyFromSNP,
|
||||||
validateAzureCVM,
|
validateAzureCVM,
|
||||||
vtpm.VerifyPKCS1v15,
|
vtpm.VerifyPKCS1v15,
|
||||||
|
@ -28,10 +28,11 @@ type Validator struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NewValidator initializes a new GCP validator with the provided PCR values.
|
// NewValidator initializes a new GCP validator with the provided PCR values.
|
||||||
func NewValidator(pcrs map[uint32][]byte) *Validator {
|
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
|
||||||
return &Validator{
|
return &Validator{
|
||||||
Validator: vtpm.NewValidator(
|
Validator: vtpm.NewValidator(
|
||||||
pcrs,
|
pcrs,
|
||||||
|
enforcedPCRs,
|
||||||
trustedKeyFromGCEAPI(newInstanceClient),
|
trustedKeyFromGCEAPI(newInstanceClient),
|
||||||
gceNonHostInfoEvent,
|
gceNonHostInfoEvent,
|
||||||
vtpm.VerifyPKCS1v15,
|
vtpm.VerifyPKCS1v15,
|
||||||
|
@ -15,10 +15,11 @@ type Validator struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NewValidator initializes a new qemu validator with the provided PCR values.
|
// NewValidator initializes a new qemu validator with the provided PCR values.
|
||||||
func NewValidator(pcrs map[uint32][]byte) *Validator {
|
func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32) *Validator {
|
||||||
return &Validator{
|
return &Validator{
|
||||||
Validator: vtpm.NewValidator(
|
Validator: vtpm.NewValidator(
|
||||||
pcrs,
|
pcrs,
|
||||||
|
enforcedPCRs,
|
||||||
unconditionalTrust,
|
unconditionalTrust,
|
||||||
func(attestation vtpm.AttestationDocument) error { return nil },
|
func(attestation vtpm.AttestationDocument) error { return nil },
|
||||||
vtpm.VerifyPKCS1v15,
|
vtpm.VerifyPKCS1v15,
|
||||||
|
@ -51,6 +51,11 @@ type (
|
|||||||
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
|
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// WarnLogger is a logger used to print warnings during attestation validation.
|
||||||
|
type WarnLogger interface {
|
||||||
|
Warnf(format string, args ...interface{})
|
||||||
|
}
|
||||||
|
|
||||||
// AttestationDocument contains the TPM attestation with signed user data.
|
// AttestationDocument contains the TPM attestation with signed user data.
|
||||||
type AttestationDocument struct {
|
type AttestationDocument struct {
|
||||||
// Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation.
|
// Attestation contains the TPM event log, PCR values and quotes, and public key of the key used to sign the attestation.
|
||||||
@ -122,22 +127,39 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
|
|||||||
|
|
||||||
// Validator handles validation of TPM based attestation.
|
// Validator handles validation of TPM based attestation.
|
||||||
type Validator struct {
|
type Validator struct {
|
||||||
trustedPcrs map[uint32][]byte
|
expectedPCRs map[uint32][]byte
|
||||||
|
enforcedPCRs map[uint32]struct{}
|
||||||
getTrustedKey GetTPMTrustedAttestationPublicKey
|
getTrustedKey GetTPMTrustedAttestationPublicKey
|
||||||
validateCVM ValidateCVM
|
validateCVM ValidateCVM
|
||||||
verifyUserData VerifyUserData
|
verifyUserData VerifyUserData
|
||||||
|
|
||||||
|
log WarnLogger
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewValidator returns a new Validator.
|
// NewValidator returns a new Validator.
|
||||||
func NewValidator(trustedPcrs map[uint32][]byte, getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData) *Validator {
|
func NewValidator(expectedPCRs map[uint32][]byte, enforcedPCRs []uint32,
|
||||||
|
getTrustedKey GetTPMTrustedAttestationPublicKey, validateCVM ValidateCVM, verifyUserData VerifyUserData,
|
||||||
|
) *Validator {
|
||||||
|
// Convert the enforced PCR list to a map for convenient and fast lookup
|
||||||
|
enforcedMap := make(map[uint32]struct{})
|
||||||
|
for _, pcr := range enforcedPCRs {
|
||||||
|
enforcedMap[pcr] = struct{}{}
|
||||||
|
}
|
||||||
|
|
||||||
return &Validator{
|
return &Validator{
|
||||||
trustedPcrs: trustedPcrs,
|
expectedPCRs: expectedPCRs,
|
||||||
|
enforcedPCRs: enforcedMap,
|
||||||
getTrustedKey: getTrustedKey,
|
getTrustedKey: getTrustedKey,
|
||||||
validateCVM: validateCVM,
|
validateCVM: validateCVM,
|
||||||
verifyUserData: verifyUserData,
|
verifyUserData: verifyUserData,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// AddLogger adds a logger to the validator.
|
||||||
|
func (v *Validator) AddLogger(log WarnLogger) {
|
||||||
|
v.log = log
|
||||||
|
}
|
||||||
|
|
||||||
// Validate a TPM based attestation.
|
// Validate a TPM based attestation.
|
||||||
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
||||||
var attDoc AttestationDocument
|
var attDoc AttestationDocument
|
||||||
@ -173,10 +195,15 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
for idx, pcr := range v.trustedPcrs {
|
for idx, pcr := range v.expectedPCRs {
|
||||||
if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
|
if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
|
||||||
|
if _, ok := v.enforcedPCRs[idx]; ok {
|
||||||
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
|
return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
|
||||||
}
|
}
|
||||||
|
if v.log != nil {
|
||||||
|
v.log.Warnf("Encountered untrusted PCR value at index %d", idx)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify signed user data
|
// Verify signed user data
|
||||||
|
@ -4,6 +4,7 @@ import (
|
|||||||
"crypto"
|
"crypto"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
@ -45,7 +46,11 @@ func fakeGetInstanceInfo(tpm io.ReadWriteCloser) ([]byte, error) {
|
|||||||
return []byte("unit-test"), nil
|
return []byte("unit-test"), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func fakeGetTrustedKey(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
func TestValidate(t *testing.T) {
|
||||||
|
require := require.New(t)
|
||||||
|
|
||||||
|
fakeValidateCVM := func(AttestationDocument) error { return nil }
|
||||||
|
fakeGetTrustedKey := func(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||||
pubArea, err := tpm2.DecodePublic(aKPub)
|
pubArea, err := tpm2.DecodePublic(aKPub)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -53,18 +58,13 @@ func fakeGetTrustedKey(aKPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
|||||||
return pubArea.Key()
|
return pubArea.Key()
|
||||||
}
|
}
|
||||||
|
|
||||||
func fakeValidateCVM(AttestationDocument) error { return nil }
|
testExpectedPCRs := map[uint32][]byte{
|
||||||
|
|
||||||
var fakeTrustedPcrs = map[uint32][]byte{
|
|
||||||
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||||
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestValidate(t *testing.T) {
|
|
||||||
require := require.New(t)
|
|
||||||
|
|
||||||
issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
|
issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
|
||||||
validator := NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)
|
validator := NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15)
|
||||||
|
|
||||||
nonce := []byte{1, 2, 3, 4}
|
nonce := []byte{1, 2, 3, 4}
|
||||||
challenge := []byte("Constellation")
|
challenge := []byte("Constellation")
|
||||||
@ -82,6 +82,29 @@ func TestValidate(t *testing.T) {
|
|||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
require.Equal(challenge, out)
|
require.Equal(challenge, out)
|
||||||
|
|
||||||
|
warnLog := &testWarnLog{}
|
||||||
|
enforcedPCRs := []uint32{0, 1}
|
||||||
|
expectedPCRs := map[uint32][]byte{
|
||||||
|
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||||
|
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||||
|
2: {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
||||||
|
3: {0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
|
||||||
|
4: {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
|
||||||
|
5: {0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
|
||||||
|
}
|
||||||
|
warningValidator := NewValidator(
|
||||||
|
expectedPCRs,
|
||||||
|
enforcedPCRs,
|
||||||
|
fakeGetTrustedKey,
|
||||||
|
fakeValidateCVM,
|
||||||
|
VerifyPKCS1v15,
|
||||||
|
)
|
||||||
|
warningValidator.AddLogger(warnLog)
|
||||||
|
out, err = warningValidator.Validate(attDocRaw, nonce)
|
||||||
|
require.NoError(err)
|
||||||
|
assert.Equal(t, challenge, out)
|
||||||
|
assert.Len(t, warnLog.warnings, len(expectedPCRs)-len(enforcedPCRs))
|
||||||
|
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
validator *Validator
|
validator *Validator
|
||||||
attDoc []byte
|
attDoc []byte
|
||||||
@ -89,13 +112,13 @@ func TestValidate(t *testing.T) {
|
|||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
"invalid nonce": {
|
"invalid nonce": {
|
||||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||||
attDoc: mustMarshalAttestation(attDoc, require),
|
attDoc: mustMarshalAttestation(attDoc, require),
|
||||||
nonce: []byte{4, 3, 2, 1},
|
nonce: []byte{4, 3, 2, 1},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"invalid signature": {
|
"invalid signature": {
|
||||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||||
Attestation: attDoc.Attestation,
|
Attestation: attDoc.Attestation,
|
||||||
InstanceInfo: attDoc.InstanceInfo,
|
InstanceInfo: attDoc.InstanceInfo,
|
||||||
@ -107,7 +130,8 @@ func TestValidate(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"untrusted attestation public key": {
|
"untrusted attestation public key": {
|
||||||
validator: NewValidator(
|
validator: NewValidator(
|
||||||
fakeTrustedPcrs,
|
testExpectedPCRs,
|
||||||
|
[]uint32{0, 1},
|
||||||
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||||
return nil, errors.New("untrusted")
|
return nil, errors.New("untrusted")
|
||||||
},
|
},
|
||||||
@ -118,7 +142,8 @@ func TestValidate(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"not a CVM": {
|
"not a CVM": {
|
||||||
validator: NewValidator(
|
validator: NewValidator(
|
||||||
fakeTrustedPcrs,
|
testExpectedPCRs,
|
||||||
|
[]uint32{0, 1},
|
||||||
fakeGetTrustedKey,
|
fakeGetTrustedKey,
|
||||||
func(attestation AttestationDocument) error {
|
func(attestation AttestationDocument) error {
|
||||||
return errors.New("untrusted")
|
return errors.New("untrusted")
|
||||||
@ -133,6 +158,7 @@ func TestValidate(t *testing.T) {
|
|||||||
map[uint32][]byte{
|
map[uint32][]byte{
|
||||||
0: {0xFF},
|
0: {0xFF},
|
||||||
},
|
},
|
||||||
|
[]uint32{0},
|
||||||
fakeGetTrustedKey,
|
fakeGetTrustedKey,
|
||||||
fakeValidateCVM,
|
fakeValidateCVM,
|
||||||
VerifyPKCS1v15),
|
VerifyPKCS1v15),
|
||||||
@ -141,7 +167,7 @@ func TestValidate(t *testing.T) {
|
|||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"no sha256 quote": {
|
"no sha256 quote": {
|
||||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||||
Attestation: &attest.Attestation{
|
Attestation: &attest.Attestation{
|
||||||
AkPub: attDoc.Attestation.AkPub,
|
AkPub: attDoc.Attestation.AkPub,
|
||||||
@ -159,7 +185,7 @@ func TestValidate(t *testing.T) {
|
|||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"invalid attestation document": {
|
"invalid attestation document": {
|
||||||
validator: NewValidator(fakeTrustedPcrs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15),
|
||||||
attDoc: []byte("invalid attestation"),
|
attDoc: []byte("invalid attestation"),
|
||||||
nonce: nonce,
|
nonce: nonce,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
@ -368,3 +394,11 @@ func TestGetSelectedPCRs(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type testWarnLog struct {
|
||||||
|
warnings []string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *testWarnLog) Warnf(format string, args ...interface{}) {
|
||||||
|
w.warnings = append(w.warnings, fmt.Sprintf(format, args...))
|
||||||
|
}
|
||||||
|
@ -136,6 +136,9 @@ type AzureConfig struct {
|
|||||||
// Expected confidential VM measurements.
|
// Expected confidential VM measurements.
|
||||||
Measurements Measurements `yaml:"measurements"`
|
Measurements Measurements `yaml:"measurements"`
|
||||||
// description: |
|
// description: |
|
||||||
|
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||||
|
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||||
|
// description: |
|
||||||
// Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure
|
// Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure
|
||||||
UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
|
UserAssignedIdentity string `yaml:"userAssignedIdentity" validate:"required"`
|
||||||
}
|
}
|
||||||
@ -163,12 +166,18 @@ type GCPConfig struct {
|
|||||||
// description: |
|
// description: |
|
||||||
// Expected confidential VM measurements.
|
// Expected confidential VM measurements.
|
||||||
Measurements Measurements `yaml:"measurements"`
|
Measurements Measurements `yaml:"measurements"`
|
||||||
|
// description: |
|
||||||
|
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||||
|
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type QEMUConfig struct {
|
type QEMUConfig struct {
|
||||||
// description: |
|
// description: |
|
||||||
// Measurement used to enable measured boot.
|
// Measurement used to enable measured boot.
|
||||||
Measurements Measurements `yaml:"measurements"`
|
Measurements Measurements `yaml:"measurements"`
|
||||||
|
// description: |
|
||||||
|
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||||
|
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default returns a struct with the default config.
|
// Default returns a struct with the default config.
|
||||||
@ -218,7 +227,8 @@ func Default() *Config {
|
|||||||
UserAssignedIdentity: "",
|
UserAssignedIdentity: "",
|
||||||
Image: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
|
Image: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
|
||||||
StateDiskType: "StandardSSD_LRS", // TODO: Replace with Premium_LRS when we replace the default VM size (Standard_D2a_v4) since the size does not support Premium_LRS
|
StateDiskType: "StandardSSD_LRS", // TODO: Replace with Premium_LRS when we replace the default VM size (Standard_D2a_v4) since the size does not support Premium_LRS
|
||||||
Measurements: azurePCRs,
|
Measurements: copyPCRMap(azurePCRs),
|
||||||
|
EnforcedMeasurements: []uint32{8, 9, 11, 12},
|
||||||
},
|
},
|
||||||
GCP: &GCPConfig{
|
GCP: &GCPConfig{
|
||||||
Project: "",
|
Project: "",
|
||||||
@ -233,10 +243,12 @@ func Default() *Config {
|
|||||||
"roles/iam.serviceAccountUser",
|
"roles/iam.serviceAccountUser",
|
||||||
},
|
},
|
||||||
StateDiskType: "pd-ssd",
|
StateDiskType: "pd-ssd",
|
||||||
Measurements: gcpPCRs,
|
Measurements: copyPCRMap(gcpPCRs),
|
||||||
|
EnforcedMeasurements: []uint32{0, 8, 9, 11, 12},
|
||||||
},
|
},
|
||||||
QEMU: &QEMUConfig{
|
QEMU: &QEMUConfig{
|
||||||
Measurements: qemuPCRs,
|
Measurements: copyPCRMap(qemuPCRs),
|
||||||
|
EnforcedMeasurements: []uint32{11, 12},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
KubernetesVersion: string(versions.Latest),
|
KubernetesVersion: string(versions.Latest),
|
||||||
@ -346,3 +358,9 @@ func FromFile(fileHandler file.Handler, name string) (*Config, error) {
|
|||||||
}
|
}
|
||||||
return &conf, nil
|
return &conf, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func copyPCRMap(m map[uint32][]byte) map[uint32][]byte {
|
||||||
|
res := make(Measurements)
|
||||||
|
res.CopyFrom(m)
|
||||||
|
return res
|
||||||
|
}
|
||||||
|
@ -168,7 +168,7 @@ func init() {
|
|||||||
FieldName: "azure",
|
FieldName: "azure",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
AzureConfigDoc.Fields = make([]encoder.Doc, 7)
|
AzureConfigDoc.Fields = make([]encoder.Doc, 8)
|
||||||
AzureConfigDoc.Fields[0].Name = "subscription"
|
AzureConfigDoc.Fields[0].Name = "subscription"
|
||||||
AzureConfigDoc.Fields[0].Type = "string"
|
AzureConfigDoc.Fields[0].Type = "string"
|
||||||
AzureConfigDoc.Fields[0].Note = ""
|
AzureConfigDoc.Fields[0].Note = ""
|
||||||
@ -199,11 +199,16 @@ func init() {
|
|||||||
AzureConfigDoc.Fields[5].Note = ""
|
AzureConfigDoc.Fields[5].Note = ""
|
||||||
AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements."
|
AzureConfigDoc.Fields[5].Description = "Expected confidential VM measurements."
|
||||||
AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
AzureConfigDoc.Fields[5].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||||
AzureConfigDoc.Fields[6].Name = "userAssignedIdentity"
|
AzureConfigDoc.Fields[6].Name = "enforcedMeasurements"
|
||||||
AzureConfigDoc.Fields[6].Type = "string"
|
AzureConfigDoc.Fields[6].Type = "[]uint32"
|
||||||
AzureConfigDoc.Fields[6].Note = ""
|
AzureConfigDoc.Fields[6].Note = ""
|
||||||
AzureConfigDoc.Fields[6].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
AzureConfigDoc.Fields[6].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
AzureConfigDoc.Fields[6].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
|
AzureConfigDoc.Fields[7].Name = "userAssignedIdentity"
|
||||||
|
AzureConfigDoc.Fields[7].Type = "string"
|
||||||
|
AzureConfigDoc.Fields[7].Note = ""
|
||||||
|
AzureConfigDoc.Fields[7].Description = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
||||||
|
AzureConfigDoc.Fields[7].Comments[encoder.LineComment] = "Authorize spawned VMs to access Azure API. See: https://constellation-docs.edgeless.systems/6c320851-bdd2-41d5-bf10-e27427398692/#/getting-started/install?id=azure"
|
||||||
|
|
||||||
GCPConfigDoc.Type = "GCPConfig"
|
GCPConfigDoc.Type = "GCPConfig"
|
||||||
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
|
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
|
||||||
@ -214,7 +219,7 @@ func init() {
|
|||||||
FieldName: "gcp",
|
FieldName: "gcp",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
GCPConfigDoc.Fields = make([]encoder.Doc, 7)
|
GCPConfigDoc.Fields = make([]encoder.Doc, 8)
|
||||||
GCPConfigDoc.Fields[0].Name = "project"
|
GCPConfigDoc.Fields[0].Name = "project"
|
||||||
GCPConfigDoc.Fields[0].Type = "string"
|
GCPConfigDoc.Fields[0].Type = "string"
|
||||||
GCPConfigDoc.Fields[0].Note = ""
|
GCPConfigDoc.Fields[0].Note = ""
|
||||||
@ -250,6 +255,11 @@ func init() {
|
|||||||
GCPConfigDoc.Fields[6].Note = ""
|
GCPConfigDoc.Fields[6].Note = ""
|
||||||
GCPConfigDoc.Fields[6].Description = "Expected confidential VM measurements."
|
GCPConfigDoc.Fields[6].Description = "Expected confidential VM measurements."
|
||||||
GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||||
|
GCPConfigDoc.Fields[7].Name = "enforcedMeasurements"
|
||||||
|
GCPConfigDoc.Fields[7].Type = "[]uint32"
|
||||||
|
GCPConfigDoc.Fields[7].Note = ""
|
||||||
|
GCPConfigDoc.Fields[7].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
|
GCPConfigDoc.Fields[7].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
|
|
||||||
QEMUConfigDoc.Type = "QEMUConfig"
|
QEMUConfigDoc.Type = "QEMUConfig"
|
||||||
QEMUConfigDoc.Comments[encoder.LineComment] = ""
|
QEMUConfigDoc.Comments[encoder.LineComment] = ""
|
||||||
@ -260,12 +270,17 @@ func init() {
|
|||||||
FieldName: "qemu",
|
FieldName: "qemu",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
QEMUConfigDoc.Fields = make([]encoder.Doc, 1)
|
QEMUConfigDoc.Fields = make([]encoder.Doc, 2)
|
||||||
QEMUConfigDoc.Fields[0].Name = "measurements"
|
QEMUConfigDoc.Fields[0].Name = "measurements"
|
||||||
QEMUConfigDoc.Fields[0].Type = "Measurements"
|
QEMUConfigDoc.Fields[0].Type = "Measurements"
|
||||||
QEMUConfigDoc.Fields[0].Note = ""
|
QEMUConfigDoc.Fields[0].Note = ""
|
||||||
QEMUConfigDoc.Fields[0].Description = "Measurement used to enable measured boot."
|
QEMUConfigDoc.Fields[0].Description = "Measurement used to enable measured boot."
|
||||||
QEMUConfigDoc.Fields[0].Comments[encoder.LineComment] = "Measurement used to enable measured boot."
|
QEMUConfigDoc.Fields[0].Comments[encoder.LineComment] = "Measurement used to enable measured boot."
|
||||||
|
QEMUConfigDoc.Fields[1].Name = "enforcedMeasurements"
|
||||||
|
QEMUConfigDoc.Fields[1].Type = "[]uint32"
|
||||||
|
QEMUConfigDoc.Fields[1].Note = ""
|
||||||
|
QEMUConfigDoc.Fields[1].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
|
QEMUConfigDoc.Fields[1].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||||
}
|
}
|
||||||
|
|
||||||
func (_ Config) Doc() *encoder.Doc {
|
func (_ Config) Doc() *encoder.Doc {
|
||||||
|
@ -65,6 +65,8 @@ const (
|
|||||||
ServiceBasePath = "/var/config"
|
ServiceBasePath = "/var/config"
|
||||||
// MeasurementsFilename is the filename of CC measurements.
|
// MeasurementsFilename is the filename of CC measurements.
|
||||||
MeasurementsFilename = "measurements"
|
MeasurementsFilename = "measurements"
|
||||||
|
// EnforcedPCRsFilename is the filename for a list PCRs that are required to pass attestation.
|
||||||
|
EnforcedPCRsFilename = "enforcedPCRs"
|
||||||
// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
|
// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
|
||||||
MeasurementSaltFilename = "measurementSalt"
|
MeasurementSaltFilename = "measurementSalt"
|
||||||
// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
|
// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
|
||||||
|
@ -11,6 +11,7 @@ import (
|
|||||||
|
|
||||||
"github.com/edgelesssys/constellation/bootstrapper/initproto"
|
"github.com/edgelesssys/constellation/bootstrapper/initproto"
|
||||||
"github.com/edgelesssys/constellation/internal/atls"
|
"github.com/edgelesssys/constellation/internal/atls"
|
||||||
|
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"go.uber.org/goleak"
|
"go.uber.org/goleak"
|
||||||
@ -100,6 +101,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
|||||||
return doc.UserData, v.err
|
return doc.UserData, v.err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v fakeValidator) AddLogger(vtpm.WarnLogger) {}
|
||||||
|
|
||||||
type fakeOID asn1.ObjectIdentifier
|
type fakeOID asn1.ObjectIdentifier
|
||||||
|
|
||||||
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||||
|
@ -30,11 +30,11 @@ func NewValidator(log *logger.Logger, csp string, fileHandler file.Handler) (*Up
|
|||||||
var newValidator newValidatorFunc
|
var newValidator newValidatorFunc
|
||||||
switch cloudprovider.FromString(csp) {
|
switch cloudprovider.FromString(csp) {
|
||||||
case cloudprovider.Azure:
|
case cloudprovider.Azure:
|
||||||
newValidator = func(m map[uint32][]byte) atls.Validator { return azure.NewValidator(m) }
|
newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return azure.NewValidator(m, e) }
|
||||||
case cloudprovider.GCP:
|
case cloudprovider.GCP:
|
||||||
newValidator = func(m map[uint32][]byte) atls.Validator { return gcp.NewValidator(m) }
|
newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return gcp.NewValidator(m, e) }
|
||||||
case cloudprovider.QEMU:
|
case cloudprovider.QEMU:
|
||||||
newValidator = func(m map[uint32][]byte) atls.Validator { return qemu.NewValidator(m) }
|
newValidator = func(m map[uint32][]byte, e []uint32) atls.Validator { return qemu.NewValidator(m, e) }
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("unknown cloud service provider: %q", csp)
|
return nil, fmt.Errorf("unknown cloud service provider: %q", csp)
|
||||||
}
|
}
|
||||||
@ -76,9 +76,16 @@ func (u *Updatable) Update() error {
|
|||||||
}
|
}
|
||||||
u.log.Debugf("New measurements: %v", measurements)
|
u.log.Debugf("New measurements: %v", measurements)
|
||||||
|
|
||||||
u.Validator = u.newValidator(measurements)
|
var enforced []uint32
|
||||||
|
if err := u.fileHandler.ReadJSON(filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename), &enforced); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
u.log.Debugf("Enforced PCRs: %v", enforced)
|
||||||
|
|
||||||
|
u.Validator = u.newValidator(measurements, enforced)
|
||||||
|
u.Validator.AddLogger(u.log)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type newValidatorFunc func(measurements map[uint32][]byte) atls.Validator
|
type newValidatorFunc func(measurements map[uint32][]byte, enforcedPCRs []uint32) atls.Validator
|
||||||
|
@ -14,6 +14,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/internal/atls"
|
"github.com/edgelesssys/constellation/internal/atls"
|
||||||
|
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
|
||||||
"github.com/edgelesssys/constellation/internal/constants"
|
"github.com/edgelesssys/constellation/internal/constants"
|
||||||
"github.com/edgelesssys/constellation/internal/file"
|
"github.com/edgelesssys/constellation/internal/file"
|
||||||
"github.com/edgelesssys/constellation/internal/logger"
|
"github.com/edgelesssys/constellation/internal/logger"
|
||||||
@ -72,7 +73,10 @@ func TestNewUpdateableValidator(t *testing.T) {
|
|||||||
map[uint32][]byte{
|
map[uint32][]byte{
|
||||||
11: {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
|
11: {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
|
||||||
},
|
},
|
||||||
file.OptNone,
|
))
|
||||||
|
require.NoError(handler.WriteJSON(
|
||||||
|
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
|
||||||
|
[]uint32{11},
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -95,7 +99,7 @@ func TestUpdate(t *testing.T) {
|
|||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
oid := fakeOID{1, 3, 9900, 1}
|
oid := fakeOID{1, 3, 9900, 1}
|
||||||
newValidator := func(m map[uint32][]byte) atls.Validator {
|
newValidator := func(m map[uint32][]byte, e []uint32) atls.Validator {
|
||||||
return fakeValidator{fakeOID: oid}
|
return fakeValidator{fakeOID: oid}
|
||||||
}
|
}
|
||||||
handler := file.NewHandler(afero.NewMemMapFs())
|
handler := file.NewHandler(afero.NewMemMapFs())
|
||||||
@ -118,6 +122,10 @@ func TestUpdate(t *testing.T) {
|
|||||||
},
|
},
|
||||||
file.OptNone,
|
file.OptNone,
|
||||||
))
|
))
|
||||||
|
require.NoError(handler.WriteJSON(
|
||||||
|
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
|
||||||
|
[]uint32{11},
|
||||||
|
))
|
||||||
|
|
||||||
// call update once to initialize the server's validator
|
// call update once to initialize the server's validator
|
||||||
require.NoError(validator.Update())
|
require.NoError(validator.Update())
|
||||||
@ -161,7 +169,7 @@ func TestUpdateConcurrency(t *testing.T) {
|
|||||||
validator := &Updatable{
|
validator := &Updatable{
|
||||||
log: logger.NewTest(t),
|
log: logger.NewTest(t),
|
||||||
fileHandler: handler,
|
fileHandler: handler,
|
||||||
newValidator: func(m map[uint32][]byte) atls.Validator {
|
newValidator: func(m map[uint32][]byte, e []uint32) atls.Validator {
|
||||||
return fakeValidator{fakeOID: fakeOID{1, 3, 9900, 1}}
|
return fakeValidator{fakeOID: fakeOID{1, 3, 9900, 1}}
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -172,6 +180,10 @@ func TestUpdateConcurrency(t *testing.T) {
|
|||||||
},
|
},
|
||||||
file.OptNone,
|
file.OptNone,
|
||||||
))
|
))
|
||||||
|
require.NoError(handler.WriteJSON(
|
||||||
|
filepath.Join(constants.ServiceBasePath, constants.EnforcedPCRsFilename),
|
||||||
|
[]uint32{11},
|
||||||
|
))
|
||||||
|
|
||||||
var wg sync.WaitGroup
|
var wg sync.WaitGroup
|
||||||
|
|
||||||
@ -220,6 +232,8 @@ func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
|
|||||||
return doc.UserData, v.err
|
return doc.UserData, v.err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v fakeValidator) AddLogger(logger vtpm.WarnLogger) {}
|
||||||
|
|
||||||
type fakeOID asn1.ObjectIdentifier
|
type fakeOID asn1.ObjectIdentifier
|
||||||
|
|
||||||
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
func (o fakeOID) OID() asn1.ObjectIdentifier {
|
||||||
|
Loading…
Reference in New Issue
Block a user