From bda999d54e0cdf4fe835e1275d696fb5721210e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com>
Date: Tue, 14 Mar 2023 14:17:36 +0100
Subject: [PATCH] Use TDX device to mark node as initialized (#1426)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße
---
 disk-mapper/cmd/main.go | 11 +++++++-
 disk-mapper/internal/setup/setup.go | 36 ++++++++++++------------
 disk-mapper/internal/setup/setup_test.go | 36 ++++++++++++------------
 3 files changed, 46 insertions(+), 37 deletions(-)

diff --git a/disk-mapper/cmd/main.go b/disk-mapper/cmd/main.go
index 0f367d5d6..bfb11b1ef 100644
--- a/disk-mapper/cmd/main.go
+++ b/disk-mapper/cmd/main.go
@@ -9,6 +9,7 @@ package main
 import (
 	"context"
 	"flag"
+	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -18,6 +19,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/disk-mapper/internal/rejoinclient"
 	"github.com/edgelesssys/constellation/v2/disk-mapper/internal/setup"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/tdx"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
 	awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws"
 	azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure"
@@ -123,6 +125,13 @@ func main() {
 	}
 	defer mapper.Close()
 
+	// Use TDX if available
+	openDevice := vtpm.OpenVTPM
+	if attestVariant.OID().Equal(oid.QEMUTDX{}.OID()) {
+		openDevice = func() (io.ReadWriteCloser, error) {
+			return tdx.Open()
+		}
+	}
 	setupManger := setup.New(
 		log.Named("setupManager"),
 		*csp,
@@ -130,7 +139,7 @@ func main() {
 		afero.Afero{Fs: afero.NewOsFs()},
 		mapper,
 		setup.DiskMounter{},
-		vtpm.OpenVTPM,
+		openDevice,
 	)
 
 	if err := setupManger.LogDevices(); err != nil {
diff --git a/disk-mapper/internal/setup/setup.go b/disk-mapper/internal/setup/setup.go
index 06cd97997..d722cd07b 100644
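Review bot: The comment `// Use TDX if available` in the third hunk overstates what the branch checks: it picks `tdx.Open` purely because the configured attestation variant is QEMU TDX and never probes whether the TDX guest device is present, so a variant that does not match the hardware only fails later, when `initialize.MarkNodeAsBootstrapped` tries to open the device. A comment that matches the code would be `// Select the device used to mark the node as initialized: the TDX guest device for the QEMU TDX variant, the vTPM otherwise.` The wrapping closure also suggests `tdx.Open` does not return `io.ReadWriteCloser` directly; if it returns a typed nil pointer alongside its error, `return tdx.Open()` converts that into a non-nil interface value, so returning an explicit `nil` on the error path keeps the `vtpm.TPMOpenFunc` contract clean for callers that look at the device rather than the error. main's body continues outside the hunk.
```go
	openDevice := vtpm.OpenVTPM
	if attestVariant.OID().Equal(oid.QEMUTDX{}.OID()) {
		openDevice = func() (io.ReadWriteCloser, error) {
			dev, err := tdx.Open()
			if err != nil {
				return nil, err
			}
			return dev, nil
		}
	}
	// … unchanged: setup.New(...) call …
```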
--- a/disk-mapper/internal/setup/setup.go
+++ b/disk-mapper/internal/setup/setup.go
@@ -48,29 +48,29 @@ const (
 
 // Manager handles formatting, mapping, mounting and unmounting of state disks.
 type Manager struct {
-	log *logger.Logger
-	csp string
-	diskPath string
-	fs afero.Afero
-	mapper DeviceMapper
-	mounter Mounter
-	config ConfigurationGenerator
-	openTPM vtpm.TPMOpenFunc
+	log *logger.Logger
+	csp string
+	diskPath string
+	fs afero.Afero
+	mapper DeviceMapper
+	mounter Mounter
+	config ConfigurationGenerator
+	openDevice vtpm.TPMOpenFunc
 }
 
 // New initializes a SetupManager with the given parameters.
 func New(log *logger.Logger, csp string, diskPath string, fs afero.Afero,
-	mapper DeviceMapper, mounter Mounter, openTPM vtpm.TPMOpenFunc,
+	mapper DeviceMapper, mounter Mounter, openDevice vtpm.TPMOpenFunc,
 ) *Manager {
 	return &Manager{
-		log: log,
-		csp: csp,
-		diskPath: diskPath,
-		fs: fs,
-		mapper: mapper,
-		mounter: mounter,
-		config: systemd.New(fs),
-		openTPM: openTPM,
+		log: log,
+		csp: csp,
+		diskPath: diskPath,
+		fs: fs,
+		mapper: mapper,
+		mounter: mounter,
+		config: systemd.New(fs),
+		openDevice: openDevice,
 	}
 }
 
@@ -110,7 +110,7 @@ func (s *Manager) PrepareExistingDisk(recover RecoveryDoer) error {
 	}
 
 	// taint the node as initialized
-	if err := initialize.MarkNodeAsBootstrapped(s.openTPM, clusterID); err != nil {
+	if err := initialize.MarkNodeAsBootstrapped(s.openDevice, clusterID); err != nil {
 		return err
 	}
 
diff --git a/disk-mapper/internal/setup/setup_test.go b/disk-mapper/internal/setup/setup_test.go
index 02aad307f..aa2abfa3b 100644
--- a/disk-mapper/internal/setup/setup_test.go
+++ b/disk-mapper/internal/setup/setup_test.go
@@ -43,7 +43,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 		mapper *stubMapper
 		mounter *stubMounter
 		configGenerator *stubConfigurationGenerator
-		openTPM vtpm.TPMOpenFunc
+		openDevice vtpm.TPMOpenFunc
 		missingState bool
 		wantErr bool
 	}{
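Review bot: The renamed `openDevice` field and the matching `New` parameter keep the type `vtpm.TPMOpenFunc`, yet after this commit the opener may hand back the TDX guest device rather than a TPM, and neither the struct nor the `New` doc comment says so. A short field comment would make the contract explicit for the next reader, e.g. `// openDevice opens the attestation device (vTPM, or the TDX guest device on QEMU TDX) that MarkNodeAsBootstrapped uses to taint the node as initialized.` The second hunk in this file, inside `PrepareExistingDisk`, is where that opener is consumed and where an open failure is returned to the caller; that function starts and ends outside the hunk.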
@@ -52,14 +52,14 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 		},
 		"WaitForDecryptionKey fails": {
 			recoveryDoer: &stubRecoveryDoer{recoveryErr: someErr},
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 			wantErr: true,
 		},
 		"MapDisk fails": {
@@ -70,7 +70,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			},
 			mounter: &stubMounter{},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 			wantErr: true,
 		},
 		"MkdirAll fails": {
@@ -78,7 +78,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{mkdirAllErr: someErr},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 			wantErr: true,
 		},
 		"Mount fails": {
@@ -86,7 +86,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{mountErr: someErr},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 			wantErr: true,
 		},
 		"Unmount fails": {
@@ -94,7 +94,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{unmountErr: someErr},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 			wantErr: true,
 		},
 		"MarkNodeAsBootstrapped fails": {
@@ -102,7 +102,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{unmountErr: someErr},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: failOpener,
+			openDevice: failOpener,
 			wantErr: true,
 		},
 		"Generating config fails": {
@@ -110,7 +110,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{},
 			configGenerator: &stubConfigurationGenerator{generateErr: someErr},
-			openTPM: failOpener,
+			openDevice: failOpener,
 			wantErr: true,
 		},
 		"no state file": {
@@ -118,7 +118,7 @@ func TestPrepareExistingDisk(t *testing.T) {
 			mapper: &stubMapper{uuid: "test"},
 			mounter: &stubMounter{},
 			configGenerator: &stubConfigurationGenerator{},
-			openTPM: vtpm.OpenNOPTPM,
+			openDevice: vtpm.OpenNOPTPM,
 			missingState: true,
 			wantErr: true,
 		},
@@ -136,14 +136,14 @@ func TestPrepareExistingDisk(t *testing.T) {
 			}
 
 			setupManager := &Manager{
-				log: logger.NewTest(t),
-				csp: "test",
-				diskPath: "disk-path",
-				fs: fs,
-				mapper: tc.mapper,
-				mounter: tc.mounter,
-				config: tc.configGenerator,
-				openTPM: tc.openTPM,
+				log: logger.NewTest(t),
+				csp: "test",
+				diskPath: "disk-path",
+				fs: fs,
+				mapper: tc.mapper,
+				mounter: tc.mounter,
+				config: tc.configGenerator,
+				openDevice: tc.openDevice,
 			}
 
 			err := setupManager.PrepareExistingDisk(tc.recoveryDoer)