mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
Use TDX device to mark node as initialized (#1426)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße
Malte Poll
parent
9e987778e0
commit
bda999d54e
@ -9,6 +9,7 @@ package main
|
||||
import (
|
||||
"context"
|
||||
"flag"
|
||||
"io"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
@ -18,6 +19,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/rejoinclient"
|
||||
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/setup"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/tdx"
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||
awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws"
|
||||
azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure"
|
||||
@ -123,6 +125,13 @@ func main() {
|
||||
}
|
||||
defer mapper.Close()
|
||||
|
||||
// Use TDX if available
|
||||
openDevice := vtpm.OpenVTPM
|
||||
if attestVariant.OID().Equal(oid.QEMUTDX{}.OID()) {
|
||||
openDevice = func() (io.ReadWriteCloser, error) {
|
||||
return tdx.Open()
|
||||
}
|
||||
}
|
||||
setupManger := setup.New(
|
||||
log.Named("setupManager"),
|
||||
*csp,
|
||||
@ -130,7 +139,7 @@ func main() {
|
||||
afero.Afero{Fs: afero.NewOsFs()},
|
||||
mapper,
|
||||
setup.DiskMounter{},
|
||||
vtpm.OpenVTPM,
|
||||
openDevice,
|
||||
)
|
||||
|
||||
if err := setupManger.LogDevices(); err != nil {
|
||||
|
||||
@ -48,29 +48,29 @@ const (
|
||||
|
||||
// Manager handles formatting, mapping, mounting and unmounting of state disks.
|
||||
type Manager struct {
|
||||
log *logger.Logger
|
||||
csp string
|
||||
diskPath string
|
||||
fs afero.Afero
|
||||
mapper DeviceMapper
|
||||
mounter Mounter
|
||||
config ConfigurationGenerator
|
||||
openTPM vtpm.TPMOpenFunc
|
||||
log *logger.Logger
|
||||
csp string
|
||||
diskPath string
|
||||
fs afero.Afero
|
||||
mapper DeviceMapper
|
||||
mounter Mounter
|
||||
config ConfigurationGenerator
|
||||
openDevice vtpm.TPMOpenFunc
|
||||
}
|
||||
|
||||
// New initializes a SetupManager with the given parameters.
|
||||
func New(log *logger.Logger, csp string, diskPath string, fs afero.Afero,
|
||||
mapper DeviceMapper, mounter Mounter, openTPM vtpm.TPMOpenFunc,
|
||||
mapper DeviceMapper, mounter Mounter, openDevice vtpm.TPMOpenFunc,
|
||||
) *Manager {
|
||||
return &Manager{
|
||||
log: log,
|
||||
csp: csp,
|
||||
diskPath: diskPath,
|
||||
fs: fs,
|
||||
mapper: mapper,
|
||||
mounter: mounter,
|
||||
config: systemd.New(fs),
|
||||
openTPM: openTPM,
|
||||
log: log,
|
||||
csp: csp,
|
||||
diskPath: diskPath,
|
||||
fs: fs,
|
||||
mapper: mapper,
|
||||
mounter: mounter,
|
||||
config: systemd.New(fs),
|
||||
openDevice: openDevice,
|
||||
}
|
||||
}
|
||||
|
||||
@ -110,7 +110,7 @@ func (s *Manager) PrepareExistingDisk(recover RecoveryDoer) error {
|
||||
}
|
||||
|
||||
// taint the node as initialized
|
||||
if err := initialize.MarkNodeAsBootstrapped(s.openTPM, clusterID); err != nil {
|
||||
if err := initialize.MarkNodeAsBootstrapped(s.openDevice, clusterID); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
||||
@ -43,7 +43,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper *stubMapper
|
||||
mounter *stubMounter
|
||||
configGenerator *stubConfigurationGenerator
|
||||
openTPM vtpm.TPMOpenFunc
|
||||
openDevice vtpm.TPMOpenFunc
|
||||
missingState bool
|
||||
wantErr bool
|
||||
}{
|
||||
@ -52,14 +52,14 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
},
|
||||
"WaitForDecryptionKey fails": {
|
||||
recoveryDoer: &stubRecoveryDoer{recoveryErr: someErr},
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
wantErr: true,
|
||||
},
|
||||
"MapDisk fails": {
|
||||
@ -70,7 +70,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
},
|
||||
mounter: &stubMounter{},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
wantErr: true,
|
||||
},
|
||||
"MkdirAll fails": {
|
||||
@ -78,7 +78,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{mkdirAllErr: someErr},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
wantErr: true,
|
||||
},
|
||||
"Mount fails": {
|
||||
@ -86,7 +86,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{mountErr: someErr},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
wantErr: true,
|
||||
},
|
||||
"Unmount fails": {
|
||||
@ -94,7 +94,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{unmountErr: someErr},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
wantErr: true,
|
||||
},
|
||||
"MarkNodeAsBootstrapped fails": {
|
||||
@ -102,7 +102,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{unmountErr: someErr},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: failOpener,
|
||||
openDevice: failOpener,
|
||||
wantErr: true,
|
||||
},
|
||||
"Generating config fails": {
|
||||
@ -110,7 +110,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{},
|
||||
configGenerator: &stubConfigurationGenerator{generateErr: someErr},
|
||||
openTPM: failOpener,
|
||||
openDevice: failOpener,
|
||||
wantErr: true,
|
||||
},
|
||||
"no state file": {
|
||||
@ -118,7 +118,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
mapper: &stubMapper{uuid: "test"},
|
||||
mounter: &stubMounter{},
|
||||
configGenerator: &stubConfigurationGenerator{},
|
||||
openTPM: vtpm.OpenNOPTPM,
|
||||
openDevice: vtpm.OpenNOPTPM,
|
||||
missingState: true,
|
||||
wantErr: true,
|
||||
},
|
||||
@ -136,14 +136,14 @@ func TestPrepareExistingDisk(t *testing.T) {
|
||||
}
|
||||
|
||||
setupManager := &Manager{
|
||||
log: logger.NewTest(t),
|
||||
csp: "test",
|
||||
diskPath: "disk-path",
|
||||
fs: fs,
|
||||
mapper: tc.mapper,
|
||||
mounter: tc.mounter,
|
||||
config: tc.configGenerator,
|
||||
openTPM: tc.openTPM,
|
||||
log: logger.NewTest(t),
|
||||
csp: "test",
|
||||
diskPath: "disk-path",
|
||||
fs: fs,
|
||||
mapper: tc.mapper,
|
||||
mounter: tc.mounter,
|
||||
config: tc.configGenerator,
|
||||
openDevice: tc.openDevice,
|
||||
}
|
||||
|
||||
err := setupManager.PrepareExistingDisk(tc.recoveryDoer)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user