Use TDX device to mark node as initialized (#1426)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
parent
9e987778e0
commit
bda999d54e
@ -9,6 +9,7 @@ package main
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"flag"
|
"flag"
|
||||||
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
@ -18,6 +19,7 @@ import (
|
|||||||
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/rejoinclient"
|
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/rejoinclient"
|
||||||
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/setup"
|
"github.com/edgelesssys/constellation/v2/disk-mapper/internal/setup"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/attestation/tdx"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
||||||
awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws"
|
awscloud "github.com/edgelesssys/constellation/v2/internal/cloud/aws"
|
||||||
azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure"
|
azurecloud "github.com/edgelesssys/constellation/v2/internal/cloud/azure"
|
||||||
@ -123,6 +125,13 @@ func main() {
|
|||||||
}
|
}
|
||||||
defer mapper.Close()
|
defer mapper.Close()
|
||||||
|
|
||||||
|
// Use TDX if available
|
||||||
|
openDevice := vtpm.OpenVTPM
|
||||||
|
if attestVariant.OID().Equal(oid.QEMUTDX{}.OID()) {
|
||||||
|
openDevice = func() (io.ReadWriteCloser, error) {
|
||||||
|
return tdx.Open()
|
||||||
|
}
|
||||||
|
}
|
||||||
setupManger := setup.New(
|
setupManger := setup.New(
|
||||||
log.Named("setupManager"),
|
log.Named("setupManager"),
|
||||||
*csp,
|
*csp,
|
||||||
@ -130,7 +139,7 @@ func main() {
|
|||||||
afero.Afero{Fs: afero.NewOsFs()},
|
afero.Afero{Fs: afero.NewOsFs()},
|
||||||
mapper,
|
mapper,
|
||||||
setup.DiskMounter{},
|
setup.DiskMounter{},
|
||||||
vtpm.OpenVTPM,
|
openDevice,
|
||||||
)
|
)
|
||||||
|
|
||||||
if err := setupManger.LogDevices(); err != nil {
|
if err := setupManger.LogDevices(); err != nil {
|
||||||
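Review bot: The closure wrapping tdx.Open() in the TDX branch carries no comment saying why the function value cannot be assigned to openDevice directly, so a later reader is likely to treat it as redundant and fold it; presumably tdx.Open returns a concrete device type rather than io.ReadWriteCloser and the adapter is what satisfies vtpm.TPMOpenFunc. A one-line comment above it would settle that: `// adapter: tdx.Open presumably returns a concrete device type; wrap it to match vtpm.TPMOpenFunc`. The dispatch is also decided purely by OID equality with oid.QEMUTDX{}, so every other attestation variant keeps the vTPM opener; the existing "Use TDX if available" line could say so, e.g. `// Use TDX if available (only the QEMU TDX variant is dispatched here; all other variants use the vTPM)`. main() starts and ends outside the hunk.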
|
@ -48,29 +48,29 @@ const (
|
|||||||
|
|
||||||
// Manager handles formatting, mapping, mounting and unmounting of state disks.
|
// Manager handles formatting, mapping, mounting and unmounting of state disks.
|
||||||
type Manager struct {
|
type Manager struct {
|
||||||
log *logger.Logger
|
log *logger.Logger
|
||||||
csp string
|
csp string
|
||||||
diskPath string
|
diskPath string
|
||||||
fs afero.Afero
|
fs afero.Afero
|
||||||
mapper DeviceMapper
|
mapper DeviceMapper
|
||||||
mounter Mounter
|
mounter Mounter
|
||||||
config ConfigurationGenerator
|
config ConfigurationGenerator
|
||||||
openTPM vtpm.TPMOpenFunc
|
openDevice vtpm.TPMOpenFunc
|
||||||
}
|
}
|
||||||
|
|
||||||
// New initializes a SetupManager with the given parameters.
|
// New initializes a SetupManager with the given parameters.
|
||||||
func New(log *logger.Logger, csp string, diskPath string, fs afero.Afero,
|
func New(log *logger.Logger, csp string, diskPath string, fs afero.Afero,
|
||||||
mapper DeviceMapper, mounter Mounter, openTPM vtpm.TPMOpenFunc,
|
mapper DeviceMapper, mounter Mounter, openDevice vtpm.TPMOpenFunc,
|
||||||
) *Manager {
|
) *Manager {
|
||||||
return &Manager{
|
return &Manager{
|
||||||
log: log,
|
log: log,
|
||||||
csp: csp,
|
csp: csp,
|
||||||
diskPath: diskPath,
|
diskPath: diskPath,
|
||||||
fs: fs,
|
fs: fs,
|
||||||
mapper: mapper,
|
mapper: mapper,
|
||||||
mounter: mounter,
|
mounter: mounter,
|
||||||
config: systemd.New(fs),
|
config: systemd.New(fs),
|
||||||
openTPM: openTPM,
|
openDevice: openDevice,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -110,7 +110,7 @@ func (s *Manager) PrepareExistingDisk(recover RecoveryDoer) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// taint the node as initialized
|
// taint the node as initialized
|
||||||
if err := initialize.MarkNodeAsBootstrapped(s.openTPM, clusterID); err != nil {
|
if err := initialize.MarkNodeAsBootstrapped(s.openDevice, clusterID); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
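Review bot: The renamed field openDevice in `type Manager struct` still has the type vtpm.TPMOpenFunc and no comment, so the struct itself no longer tells a reader that the opener may hand back a TDX device instead of a TPM; that intent is visible only in main(). A field comment such as `openDevice vtpm.TPMOpenFunc // opens the attestation device (vTPM or TDX) passed to initialize.MarkNodeAsBootstrapped` and a sentence in the New doc comment saying openDevice selects which device is used to mark the node as initialized would close that gap. Whether initialize.MarkNodeAsBootstrapped behaves correctly with a TDX handle is not visible here; the `// taint the node as initialized` comment in PrepareExistingDisk is where that expectation should be stated. PrepareExistingDisk starts and ends outside the hunk.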
|
@ -43,7 +43,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper *stubMapper
|
mapper *stubMapper
|
||||||
mounter *stubMounter
|
mounter *stubMounter
|
||||||
configGenerator *stubConfigurationGenerator
|
configGenerator *stubConfigurationGenerator
|
||||||
openTPM vtpm.TPMOpenFunc
|
openDevice vtpm.TPMOpenFunc
|
||||||
missingState bool
|
missingState bool
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
@ -52,14 +52,14 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{},
|
mounter: &stubMounter{},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
},
|
},
|
||||||
"WaitForDecryptionKey fails": {
|
"WaitForDecryptionKey fails": {
|
||||||
recoveryDoer: &stubRecoveryDoer{recoveryErr: someErr},
|
recoveryDoer: &stubRecoveryDoer{recoveryErr: someErr},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{},
|
mounter: &stubMounter{},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"MapDisk fails": {
|
"MapDisk fails": {
|
||||||
@ -70,7 +70,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
},
|
},
|
||||||
mounter: &stubMounter{},
|
mounter: &stubMounter{},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"MkdirAll fails": {
|
"MkdirAll fails": {
|
||||||
@ -78,7 +78,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{mkdirAllErr: someErr},
|
mounter: &stubMounter{mkdirAllErr: someErr},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"Mount fails": {
|
"Mount fails": {
|
||||||
@ -86,7 +86,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{mountErr: someErr},
|
mounter: &stubMounter{mountErr: someErr},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"Unmount fails": {
|
"Unmount fails": {
|
||||||
@ -94,7 +94,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{unmountErr: someErr},
|
mounter: &stubMounter{unmountErr: someErr},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"MarkNodeAsBootstrapped fails": {
|
"MarkNodeAsBootstrapped fails": {
|
||||||
@ -102,7 +102,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{unmountErr: someErr},
|
mounter: &stubMounter{unmountErr: someErr},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: failOpener,
|
openDevice: failOpener,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"Generating config fails": {
|
"Generating config fails": {
|
||||||
@ -110,7 +110,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{},
|
mounter: &stubMounter{},
|
||||||
configGenerator: &stubConfigurationGenerator{generateErr: someErr},
|
configGenerator: &stubConfigurationGenerator{generateErr: someErr},
|
||||||
openTPM: failOpener,
|
openDevice: failOpener,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"no state file": {
|
"no state file": {
|
||||||
@ -118,7 +118,7 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mounter: &stubMounter{},
|
mounter: &stubMounter{},
|
||||||
configGenerator: &stubConfigurationGenerator{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openDevice: vtpm.OpenNOPTPM,
|
||||||
missingState: true,
|
missingState: true,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
@ -136,14 +136,14 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
setupManager := &Manager{
|
setupManager := &Manager{
|
||||||
log: logger.NewTest(t),
|
log: logger.NewTest(t),
|
||||||
csp: "test",
|
csp: "test",
|
||||||
diskPath: "disk-path",
|
diskPath: "disk-path",
|
||||||
fs: fs,
|
fs: fs,
|
||||||
mapper: tc.mapper,
|
mapper: tc.mapper,
|
||||||
mounter: tc.mounter,
|
mounter: tc.mounter,
|
||||||
config: tc.configGenerator,
|
config: tc.configGenerator,
|
||||||
openTPM: tc.openTPM,
|
openDevice: tc.openDevice,
|
||||||
}
|
}
|
||||||
|
|
||||||
err := setupManager.PrepareExistingDisk(tc.recoveryDoer)
|
err := setupManager.PrepareExistingDisk(tc.recoveryDoer)
|
||||||
|