From c94d1db76d260aba02923d2805487cb8c2fa2a94 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Mon, 6 Mar 2023 09:17:32 +0100
Subject: [PATCH] attestation: remove PCR 0 and 10 on GCP

---
 .github/workflows/build-os-image.yml                  | 4 ----
 docs/docs/architecture/attestation.md                 | 2 +-
 internal/attestation/measurements/measurements_oss.go | 4 ----
 internal/config/testdata/configGCPV2.yaml             | 3 ---
 4 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index b4a58d898..e82092ac4 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -663,8 +663,6 @@ jobs:
             gcp)
               yq e '.csp = "GCP" |
                 .image = "${{ needs.build-settings.outputs.imageNameShort }}" |
-                .measurements.0.warnOnly = false |
-                .measurements.0.expected = "0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf" |
                 .measurements.1.warnOnly = true |
                 .measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" |
                 .measurements.2.warnOnly = true |
@@ -680,8 +678,6 @@ jobs:
                 .measurements.7.expected = "b1e9b305325c51b93da58cbf7f92512d8eebfa01143e4d8844e40e062e9b6cd5" |
                 .measurements.8.warnOnly = false |
                 .measurements.9.warnOnly = false |
-                .measurements.10.warnOnly = true |
-                .measurements.10.expected = "7f96fbc55e1d2a0de46e5d44658c06ef102d1198703efa69f2ea6b5aa1c9a176" |
                 .measurements.11.warnOnly = false |
                 .measurements.12.warnOnly = false |
                 .measurements.13.warnOnly = false |
diff --git a/docs/docs/architecture/attestation.md b/docs/docs/architecture/attestation.md
index b220d2d1d..32a30537a 100644
--- a/docs/docs/architecture/attestation.md
+++ b/docs/docs/architecture/attestation.md
@@ -167,7 +167,7 @@ The latter means that the value can be generated offline and compared to the one
 
 | PCR         | Components                                                       | Measured by                   | Reproducible and verifiable |
 | ----------- | ---------------------------------------------------------------- | ----------------------------- | --------------------------- |
-| 0           | CVM constant string                                              | GCP                           | No                          |
+| 0           | CVM version and technology                                       | GCP                           | No                          |
 | 1           | Firmware                                                         | GCP                           | No                          |
 | 2           | Firmware                                                         | GCP                           | No                          |
 | 3           | Firmware                                                         | GCP                           | No                          |
diff --git a/internal/attestation/measurements/measurements_oss.go b/internal/attestation/measurements/measurements_oss.go
index 55bff4697..fa2383e8e 100644
--- a/internal/attestation/measurements/measurements_oss.go
+++ b/internal/attestation/measurements/measurements_oss.go
@@ -35,10 +35,6 @@ func DefaultsFor(provider cloudprovider.Provider) M {
 		}
 	case cloudprovider.GCP:
 		return M{
-			0: {
-				Expected: [32]byte{0x0F, 0x35, 0xC2, 0x14, 0x60, 0x8D, 0x93, 0xC7, 0xA6, 0xE6, 0x8A, 0xE7, 0x35, 0x9B, 0x4A, 0x8B, 0xE5, 0xA0, 0xE9, 0x9E, 0xEA, 0x91, 0x07, 0xEC, 0xE4, 0x27, 0xC4, 0xDE, 0xA4, 0xE4, 0x39, 0xCF},
-				WarnOnly: false,
-			},
 			4:                         PlaceHolderMeasurement(),
 			8:                         WithAllBytes(0x00, false),
 			9:                         PlaceHolderMeasurement(),
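Review bot: The GCP case of `DefaultsFor` no longer pins PCR 0, which was an enforced entry (`WarnOnly: false`), and nothing in the new code records why the default set now starts at PCR 4. The docs change in this commit describes PCR 0 as "CVM version and technology" measured by GCP and not reproducible, so presumably the value changes with the platform. A comment above `4: PlaceHolderMeasurement(),` would stop a later reader from treating the gap as an oversight, for example `// PCR 0 is intentionally not pinned on GCP: it reflects the provider's CVM version and technology and is not reproducible.` The subject also names PCR 10, but this file's four deleted lines cover only PCR 0, so it is worth confirming that no PCR 10 default remains in the part of the map below the hunk. The body of `DefaultsFor` starts and ends outside the hunk.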
diff --git a/internal/config/testdata/configGCPV2.yaml b/internal/config/testdata/configGCPV2.yaml
index 95731e826..155de8e9c 100644
--- a/internal/config/testdata/configGCPV2.yaml
+++ b/internal/config/testdata/configGCPV2.yaml
@@ -13,9 +13,6 @@ provider:
     stateDiskType: pd-ssd
     deployCSIDriver: true
     measurements:
-      0:
-        expected: 0f35c214608d93c7a6e68ae7359b4a8be5a0e99eea9107ece427c4dea4e439cf
-        warnOnly: false
       4:
         expected: "1234123412341234123412341234123412341234123412341234123412341234"
         warnOnly: false