From baad7d8310871fba0637eb13f030e2a3d04d2ec9 Mon Sep 17 00:00:00 2001
From: Adrian Stobbe
Date: Wed, 10 Jan 2024 13:32:13 +0100
Subject: [PATCH] aws sev snp resolves latest version values on GetAttestationConfig (#2810)

---
 internal/config/aws.go    | 11 +++++++++++
 internal/config/azure.go  | 11 +++++++++++
 internal/config/config.go | 20 ++++++++------------
 3 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/internal/config/aws.go b/internal/config/aws.go
index f10fd4f86..37cb7928d 100644
--- a/internal/config/aws.go
+++ b/internal/config/aws.go
@@ -16,6 +16,8 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 )
 
+var _ sevsnpMarshaller = &AWSSEVSNP{}
+
 // DefaultForAWSSEVSNP provides a valid default configuration for AWS SEV-SNP attestation.
 func DefaultForAWSSEVSNP() *AWSSEVSNP {
 	return &AWSSEVSNP{
@@ -61,6 +63,15 @@ func (c AWSSEVSNP) EqualTo(other AttestationCfg) (bool, error) {
 	return measurementsEqual && bootloaderEqual && teeEqual && snpEqual && microcodeEqual && rootKeyEqual && signingKeyEqual, nil
 }
 
+func (c *AWSSEVSNP) getToMarshallLatestWithResolvedVersions() AttestationCfg {
+	cp := *c
+	cp.BootloaderVersion.WantLatest = false
+	cp.TEEVersion.WantLatest = false
+	cp.SNPVersion.WantLatest = false
+	cp.MicrocodeVersion.WantLatest = false
+	return &cp
+}
+
 // FetchAndSetLatestVersionNumbers fetches the latest version numbers from the configapi and sets them.
 func (c *AWSSEVSNP) FetchAndSetLatestVersionNumbers(ctx context.Context, fetcher attestationconfigapi.Fetcher) error {
 	// Only talk to the API if at least one version number is set to latest.
diff --git a/internal/config/azure.go b/internal/config/azure.go
index c6690e972..0f1dbcf66 100644
--- a/internal/config/azure.go
+++ b/internal/config/azure.go
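Review bot: `getToMarshallLatestWithResolvedVersions` in the second aws.go hunk clears every WantLatest flag unconditionally, so if `FetchAndSetLatestVersionNumbers` has not run first, the returned copy marshals whatever placeholder numbers the defaults carry as if they were resolved minimum versions, and neither the helper nor its caller can tell the difference. The method also has no doc comment, and `cp := *c` is a shallow copy, so any map- or slice-typed field (the measurements, presumably) stays shared with the receiver. I would add `// getToMarshallLatestWithResolvedVersions returns a shallow copy of c with WantLatest cleared on all versions so that marshalling emits numeric values; it must only be called after "latest" has been resolved via FetchAndSetLatestVersionNumbers, otherwise placeholder versions are emitted.` above it. The identical `AzureSEVSNP` method in internal/config/azure.go needs the same comment, and Go convention would spell the name with `marshal` and without the `get` prefix. The body of FetchAndSetLatestVersionNumbers continues outside the hunk.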
@@ -17,6 +17,8 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 )
 
+var _ sevsnpMarshaller = &AzureSEVSNP{}
+
 // DefaultForAzureSEVSNP returns the default configuration for Azure SEV-SNP attestation.
 // Version numbers have placeholder values and the latest available values can be fetched using [AzureSEVSNP.FetchAndSetLatestVersionNumbers].
 func DefaultForAzureSEVSNP() *AzureSEVSNP {
@@ -98,6 +100,15 @@ func (c *AzureSEVSNP) mergeWithLatestVersion(latest attestationconfigapi.SEVSNPV
 	}
 }
 
+func (c *AzureSEVSNP) getToMarshallLatestWithResolvedVersions() AttestationCfg {
+	cp := *c
+	cp.BootloaderVersion.WantLatest = false
+	cp.TEEVersion.WantLatest = false
+	cp.SNPVersion.WantLatest = false
+	cp.MicrocodeVersion.WantLatest = false
+	return &cp
+}
+
 // GetVariant returns azure-trusted-launch as the variant.
 func (AzureTrustedLaunch) GetVariant() variant.Variant {
 	return variant.AzureTrustedLaunch{}
diff --git a/internal/config/config.go b/internal/config/config.go
index 8ed672d60..abb283b77 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -629,15 +629,13 @@ func (c *Config) GetProvider() cloudprovider.Provider {
 // GetAttestationConfig returns the configured attestation config.
 func (c *Config) GetAttestationConfig() AttestationCfg {
 	if c.Attestation.AWSSEVSNP != nil {
-		return c.Attestation.AWSSEVSNP
+		return c.Attestation.AWSSEVSNP.getToMarshallLatestWithResolvedVersions()
 	}
 	if c.Attestation.AWSNitroTPM != nil {
 		return c.Attestation.AWSNitroTPM
 	}
 	if c.Attestation.AzureSEVSNP != nil {
-		cp := *c.Attestation.AzureSEVSNP
-		cp.setWantLatestToFalse()
-		return &cp
+		return c.Attestation.AzureSEVSNP.getToMarshallLatestWithResolvedVersions()
 	}
 	if c.Attestation.AzureTrustedLaunch != nil {
 		return c.Attestation.AzureTrustedLaunch
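Review bot: `GetAttestationConfig` in the config.go hunk now returns a detached copy for both SEV-SNP variants but the original pointer for `AWSNitroTPM` and `AzureTrustedLaunch`, and the unchanged doc comment `// GetAttestationConfig returns the configured attestation config.` does not say so. A caller that mutates the result, for instance by running FetchAndSetLatestVersionNumbers on it, updates `c.Attestation` in one case and a throwaway copy in the other, which is easy to get wrong when the versions are the attestation policy being enforced. I would extend the comment with `// For the SEV-SNP variants the returned value is a copy with WantLatest cleared on all versions so that marshalling emits the resolved numbers; mutating it does not affect c. Other variants are returned by pointer.` The function's remaining branches lie outside the hunk.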
@@ -1114,17 +1112,15 @@ type AzureSEVSNP struct {
 	AMDSigningKey Certificate `json:"amdSigningKey,omitempty" yaml:"amdSigningKey,omitempty" validate:"len=0"`
 }
 
-// setWantLatestToFalse sets the WantLatest field to false for all versions in order to unmarshal the numerical versions instead of the string "latest".
-func (c *AzureSEVSNP) setWantLatestToFalse() {
-	c.BootloaderVersion.WantLatest = false
-	c.TEEVersion.WantLatest = false
-	c.SNPVersion.WantLatest = false
-	c.MicrocodeVersion.WantLatest = false
-}
-
 // AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
 type AzureTrustedLaunch struct {
 	// description: |
 	// Expected TPM measurements.
 	Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
 }
+
+// sevsnpMarshaller is used to marshall "latest" versions with resolved version numbers.
+type sevsnpMarshaller interface {
+	// getToMarshallLatestWithResolvedVersions brings the attestation config into a state where marshalling uses the numerical version numbers for "latest" versions.
+	getToMarshallLatestWithResolvedVersions() AttestationCfg
+}
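Review bot: The interface comment on `getToMarshallLatestWithResolvedVersions` says it "brings the attestation config into a state where marshalling uses the numerical version numbers", which reads as an in-place mutation like the removed `setWantLatestToFalse`, but both implementations in this patch leave the receiver untouched and return a modified copy, and GetAttestationConfig depends on exactly that. The interface should pin the contract: `// getToMarshallLatestWithResolvedVersions returns a copy of the config with WantLatest cleared on every version and leaves the receiver unchanged; the copy only carries meaningful versions once "latest" has been resolved.` Go naming would also prefer `sevsnpMarshaler` (single l, as in encoding/json) and a method name without the `get` prefix.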