Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-08 15:02:18 -04:00
Code Issues Projects Releases Packages Wiki Activity

verify: move CSP-specific code to internal/verify

Browse source 
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
This commit is contained in:
Otto Bittner 2023-11-07 15:19:31 +01:00
parent 59b096e279
commit cdc91b50bc
13 changed files with 665 additions and 531 deletions
Download patch file Download diff file Expand all files Collapse all files

434
cli/internal/cmd/verify.go
View file

@ -9,16 +9,11 @@ package cmd
import (
"bytes"
"context"
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"sort"
"strconv"
"strings"
@ -40,9 +35,6 @@ import (
"github.com/edgelesssys/constellation/v2/internal/state"
"github.com/edgelesssys/constellation/v2/internal/verify"
"github.com/edgelesssys/constellation/v2/verify/verifyproto"
"github.com/golang-jwt/jwt/v5"
"github.com/google/go-sev-guest/abi"
"github.com/google/go-sev-guest/kds"
"github.com/spf13/afero"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
@ -213,7 +205,7 @@ func (c *verifyCmd) verify(cmd *cobra.Command, verifyClient verifyClient, factor
attDocOutput, err := formatter.format(
cmd.Context(),
rawAttestationDoc,
conf.Provider.Azure == nil,
(conf.Provider.Azure == nil && conf.Provider.AWS == nil),
attConfig.GetMeasurements(),
maaURL,
)
@ -274,34 +266,20 @@ type jsonAttestationDocFormatter struct {
func (f *jsonAttestationDocFormatter) format(ctx context.Context, docString string, _ bool,
_ measurements.M, attestationServiceURL string,
) (string, error) {
instanceInfo, err := extractAzureInstanceInfo(docString)
if err != nil {
return "", fmt.Errorf("unmarshal instance info: %w", err)
var doc attestationDoc
if err := json.Unmarshal([]byte(docString), &doc); err != nil {
return "", fmt.Errorf("unmarshal attestation document: %w", err)
}
snpReport, err := newSNPReport(instanceInfo.AttestationReport)
instanceInfo, err := extractInstanceInfo(doc)
if err != nil {
return "", fmt.Errorf("unmarshalling instance info: %w", err)
}
report, err := verify.NewReport(ctx, instanceInfo, attestationServiceURL, f.log)
if err != nil {
return "", fmt.Errorf("parsing SNP report: %w", err)
}
vcek, err := newCertificates("VCEK certificate", instanceInfo.VCEK, f.log)
if err != nil {
return "", fmt.Errorf("parsing VCEK certificate: %w", err)
}
certChain, err := newCertificates("Certificate chain", instanceInfo.CertChain, f.log)
if err != nil {
return "", fmt.Errorf("parsing certificate chain: %w", err)
}
maaToken, err := newMAAToken(ctx, instanceInfo.MAAToken, attestationServiceURL)
if err != nil {
return "", fmt.Errorf("parsing MAA token: %w", err)
}
report := verify.Report{
SNPReport: snpReport,
VCEK: vcek,
CertChain: certChain,
MAAToken: maaToken,
}
jsonBytes, err := json.Marshal(report)
return string(jsonBytes), err
@ -344,97 +322,17 @@ func (f *defaultAttestationDocFormatter) format(ctx context.Context, docString s
return b.String(), nil
}
instanceInfoString, err := base64.StdEncoding.DecodeString(doc.InstanceInfo)
instanceInfo, err := extractInstanceInfo(doc)
if err != nil {
return "", fmt.Errorf("decode instance info: %w", err)
return "", fmt.Errorf("unmarshalling instance info: %w", err)
}
var instanceInfo snp.InstanceInfo
if err := json.Unmarshal(instanceInfoString, &instanceInfo); err != nil {
return "", fmt.Errorf("unmarshal instance info: %w", err)
}
if err := f.parseCerts(b, "VCEK certificate", instanceInfo.VCEK); err != nil {
return "", fmt.Errorf("print VCEK certificate: %w", err)
}
if err := f.parseCerts(b, "Certificate chain", instanceInfo.CertChain); err != nil {
return "", fmt.Errorf("print certificate chain: %w", err)
}
snpReport, err := newSNPReport(instanceInfo.AttestationReport)
report, err := verify.NewReport(ctx, instanceInfo, attestationServiceURL, f.log)
if err != nil {
return "", fmt.Errorf("parsing SNP report: %w", err)
}
f.buildSNPReport(b, snpReport)
if err := parseMAAToken(ctx, b, instanceInfo.MAAToken, attestationServiceURL); err != nil {
return "", fmt.Errorf("print MAA token: %w", err)
}
return b.String(), nil
}
// parseCerts parses the PEM certificates and writes their details to the output builder.
func (f *defaultAttestationDocFormatter) parseCerts(b *strings.Builder, certTypeName string, cert []byte) error {
newlinesTrimmed := strings.TrimSpace(string(cert))
formattedCert := strings.ReplaceAll(newlinesTrimmed, "\n", "\n\t\t") + "\n"
b.WriteString(fmt.Sprintf("\tRaw %s:\n\t\t%s", certTypeName, formattedCert))
f.log.Debugf("Decoding PEM certificate: %s", certTypeName)
i := 1
var rest []byte
var block *pem.Block
for block, rest = pem.Decode([]byte(newlinesTrimmed)); block != nil; block, rest = pem.Decode(rest) {
f.log.Debugf("Parsing PEM block: %d", i)
if block.Type != "CERTIFICATE" {
return fmt.Errorf("parse %s: expected PEM block type 'CERTIFICATE', got '%s'", certTypeName, block.Type)
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return fmt.Errorf("parse %s: %w", certTypeName, err)
}
writeIndentfln(b, 1, "%s (%d):", certTypeName, i)
writeIndentfln(b, 2, "Serial Number: %s", cert.SerialNumber)
writeIndentfln(b, 2, "Subject: %s", cert.Subject)
writeIndentfln(b, 2, "Issuer: %s", cert.Issuer)
writeIndentfln(b, 2, "Not Before: %s", cert.NotBefore)
writeIndentfln(b, 2, "Not After: %s", cert.NotAfter)
writeIndentfln(b, 2, "Signature Algorithm: %s", cert.SignatureAlgorithm)
writeIndentfln(b, 2, "Public Key Algorithm: %s", cert.PublicKeyAlgorithm)
if certTypeName == "VCEK certificate" {
// Extensions documented in Table 8 and Table 9 of
// https://www.amd.com/system/files/TechDocs/57230.pdf
vcekExts, err := kds.VcekCertificateExtensions(cert)
if err != nil {
return fmt.Errorf("parsing VCEK certificate extensions: %w", err)
}
writeIndentfln(b, 2, "Struct version: %d", vcekExts.StructVersion)
writeIndentfln(b, 2, "Product name: %s", vcekExts.ProductName)
tcb := kds.DecomposeTCBVersion(vcekExts.TCBVersion)
writeIndentfln(b, 2, "Secure Processor bootloader SVN: %d", tcb.BlSpl)
writeIndentfln(b, 2, "Secure Processor operating system SVN: %d", tcb.TeeSpl)
writeIndentfln(b, 2, "SVN 4 (reserved): %d", tcb.Spl4)
writeIndentfln(b, 2, "SVN 5 (reserved): %d", tcb.Spl5)
writeIndentfln(b, 2, "SVN 6 (reserved): %d", tcb.Spl6)
writeIndentfln(b, 2, "SVN 7 (reserved): %d", tcb.Spl7)
writeIndentfln(b, 2, "SEV-SNP firmware SVN: %d", tcb.SnpSpl)
writeIndentfln(b, 2, "Microcode SVN: %d", tcb.UcodeSpl)
writeIndentfln(b, 2, "Hardware ID: %x", vcekExts.HWID)
}
i++
}
if i == 1 {
return fmt.Errorf("parse %s: no PEM blocks found", certTypeName)
}
if len(rest) != 0 {
return fmt.Errorf("parse %s: remaining PEM block is not a valid certificate: %s", certTypeName, rest)
}
return nil
return report.FormatString(b)
}
// parseQuotes parses the base64-encoded quotes and writes their details to the output builder.
@ -465,139 +363,6 @@ func (f *defaultAttestationDocFormatter) parseQuotes(b *strings.Builder, quotes
return nil
}
func (f *defaultAttestationDocFormatter) buildSNPReport(b *strings.Builder, report verify.SNPReport) {
writeTCB := func(tcb verify.TCBVersion) {
writeIndentfln(b, 3, "Secure Processor bootloader SVN: %d", tcb.Bootloader)
writeIndentfln(b, 3, "Secure Processor operating system SVN: %d", tcb.TEE)
writeIndentfln(b, 3, "SVN 4 (reserved): %d", tcb.Spl4)
writeIndentfln(b, 3, "SVN 5 (reserved): %d", tcb.Spl5)
writeIndentfln(b, 3, "SVN 6 (reserved): %d", tcb.Spl6)
writeIndentfln(b, 3, "SVN 7 (reserved): %d", tcb.Spl7)
writeIndentfln(b, 3, "SEV-SNP firmware SVN: %d", tcb.SNP)
writeIndentfln(b, 3, "Microcode SVN: %d", tcb.Microcode)
}
writeIndentfln(b, 1, "SNP Report:")
writeIndentfln(b, 2, "Version: %d", report.Version)
writeIndentfln(b, 2, "Guest SVN: %d", report.GuestSvn)
writeIndentfln(b, 2, "Policy:")
writeIndentfln(b, 3, "ABI Minor: %d", report.PolicyABIMinor)
writeIndentfln(b, 3, "ABI Major: %d", report.PolicyABIMajor)
writeIndentfln(b, 3, "Symmetric Multithreading enabled: %t", report.PolicySMT)
writeIndentfln(b, 3, "Migration agent enabled: %t", report.PolicyMigrationAgent)
writeIndentfln(b, 3, "Debugging enabled (host decryption of VM): %t", report.PolicyDebug)
writeIndentfln(b, 3, "Single socket enabled: %t", report.PolicySingleSocket)
writeIndentfln(b, 2, "Family ID: %x", report.FamilyID)
writeIndentfln(b, 2, "Image ID: %x", report.ImageID)
writeIndentfln(b, 2, "VMPL: %d", report.Vmpl)
writeIndentfln(b, 2, "Signature Algorithm: %d", report.SignatureAlgo)
writeIndentfln(b, 2, "Current TCB:")
writeTCB(report.CurrentTCB)
writeIndentfln(b, 2, "Platform Info:")
writeIndentfln(b, 3, "Symmetric Multithreading enabled (SMT): %t", report.PlatformInfo.SMT)
writeIndentfln(b, 3, "Transparent secure memory encryption (TSME): %t", report.PlatformInfo.TSME)
writeIndentfln(b, 2, "Signer Info:")
writeIndentfln(b, 3, "Author Key Enabled: %t", report.SignerInfo.AuthorKey)
writeIndentfln(b, 3, "Chip ID Masking: %t", report.SignerInfo.MaskChipKey)
writeIndentfln(b, 3, "Signing Type: %s", report.SignerInfo.SigningKey)
writeIndentfln(b, 2, "Report Data: %x", report.ReportData)
writeIndentfln(b, 2, "Measurement: %x", report.Measurement)
writeIndentfln(b, 2, "Host Data: %x", report.HostData)
writeIndentfln(b, 2, "ID Key Digest: %x", report.IDKeyDigest)
writeIndentfln(b, 2, "Author Key Digest: %x", report.AuthorKeyDigest)
writeIndentfln(b, 2, "Report ID: %x", report.ReportID)
writeIndentfln(b, 2, "Report ID MA: %x", report.ReportIDMa)
writeIndentfln(b, 2, "Reported TCB:")
writeTCB(report.ReportedTCB)
writeIndentfln(b, 2, "Chip ID: %x", report.ChipID)
writeIndentfln(b, 2, "Committed TCB:")
writeTCB(report.CommittedTCB)
writeIndentfln(b, 2, "Current Build: %d", report.CurrentBuild)
writeIndentfln(b, 2, "Current Minor: %d", report.CurrentMinor)
writeIndentfln(b, 2, "Current Major: %d", report.CurrentMajor)
writeIndentfln(b, 2, "Committed Build: %d", report.CommittedBuild)
writeIndentfln(b, 2, "Committed Minor: %d", report.CommittedMinor)
writeIndentfln(b, 2, "Committed Major: %d", report.CommittedMajor)
writeIndentfln(b, 2, "Launch TCB:")
writeTCB(report.LaunchTCB)
writeIndentfln(b, 2, "Signature (DER):")
writeIndentfln(b, 3, "%x", report.Signature)
}
func parseMAAToken(ctx context.Context, b *strings.Builder, rawToken, attestationServiceURL string) error {
var claims verify.MaaTokenClaims
_, err := jwt.ParseWithClaims(rawToken, &claims, keyFromJKUFunc(ctx, attestationServiceURL), jwt.WithIssuedAt())
if err != nil {
return fmt.Errorf("parsing token: %w", err)
}
out, err := json.MarshalIndent(claims, "\t\t", " ")
if err != nil {
return fmt.Errorf("marshaling claims: %w", err)
}
b.WriteString("\tMicrosoft Azure Attestation Token:\n\t")
b.WriteString(string(out))
return nil
}
// keyFromJKUFunc returns a function that gets the JSON Web Key URI from the token
// and fetches the key from that URI. The keys are then parsed, and the key with
// the kid that matches the token header is returned.
func keyFromJKUFunc(ctx context.Context, webKeysURLBase string) func(token *jwt.Token) (any, error) {
return func(token *jwt.Token) (any, error) {
webKeysURL, err := url.JoinPath(webKeysURLBase, "certs")
if err != nil {
return nil, fmt.Errorf("joining web keys base URL with path: %w", err)
}
if token.Header["alg"] != "RS256" {
return nil, fmt.Errorf("invalid signing algorithm: %s", token.Header["alg"])
}
kid, ok := token.Header["kid"].(string)
if !ok {
return nil, fmt.Errorf("invalid kid: %v", token.Header["kid"])
}
jku, ok := token.Header["jku"].(string)
if !ok {
return nil, fmt.Errorf("invalid jku: %v", token.Header["jku"])
}
if jku != webKeysURL {
return nil, fmt.Errorf("jku from token (%s) does not match configured attestation service (%s)", jku, webKeysURL)
}
keySetBytes, err := httpGet(ctx, jku)
if err != nil {
return nil, fmt.Errorf("getting signing keys from jku %s: %w", jku, err)
}
var rawKeySet struct {
Keys []struct {
X5c [][]byte
Kid string
}
}
if err := json.Unmarshal(keySetBytes, &rawKeySet); err != nil {
return nil, err
}
for _, key := range rawKeySet.Keys {
if key.Kid != kid {
continue
}
cert, err := x509.ParseCertificate(key.X5c[0])
if err != nil {
return nil, fmt.Errorf("parsing certificate: %w", err)
}
return cert.PublicKey, nil
}
return nil, fmt.Errorf("no key found for kid %s", kid)
}
}
// attestationDoc is the attestation document returned by the verifier.
type attestationDoc struct {
Attestation struct {
@ -664,176 +429,7 @@ func writeIndentfln(b *strings.Builder, indentLvl int, format string, args ...an
b.WriteString(fmt.Sprintf(format+"\n", args...))
}
func httpGet(ctx context.Context, url string) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody)
if err != nil {
return nil, err
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, errors.New(resp.Status)
}
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
return body, nil
}
func newCertificates(certTypeName string, cert []byte, log debugLog) (certs []verify.Certificate, err error) {
newlinesTrimmed := strings.TrimSpace(string(cert))
log.Debugf("Decoding PEM certificate: %s", certTypeName)
i := 1
var rest []byte
var block *pem.Block
for block, rest = pem.Decode([]byte(newlinesTrimmed)); block != nil; block, rest = pem.Decode(rest) {
log.Debugf("Parsing PEM block: %d", i)
if block.Type != "CERTIFICATE" {
return certs, fmt.Errorf("parse %s: expected PEM block type 'CERTIFICATE', got '%s'", certTypeName, block.Type)
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return certs, fmt.Errorf("parse %s: %w", certTypeName, err)
}
if certTypeName == "VCEK certificate" {
vcekExts, err := kds.VcekCertificateExtensions(cert)
if err != nil {
return certs, fmt.Errorf("parsing VCEK certificate extensions: %w", err)
}
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: cert.Raw,
})
certs = append(certs, verify.Certificate{
CertificatePEM: string(certPEM),
CertTypeName: certTypeName,
StructVersion: vcekExts.StructVersion,
ProductName: vcekExts.ProductName,
TCBVersion: newTCBVersion(vcekExts.TCBVersion),
HardwareID: vcekExts.HWID,
})
} else {
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: cert.Raw,
})
certs = append(certs, verify.Certificate{
CertificatePEM: string(certPEM),
CertTypeName: certTypeName,
})
}
i++
}
if i == 1 {
return certs, fmt.Errorf("parse %s: no PEM blocks found", certTypeName)
}
if len(rest) != 0 {
return certs, fmt.Errorf("parse %s: remaining PEM block is not a valid certificate: %s", certTypeName, rest)
}
return certs, nil
}
func newSNPReport(reportBytes []byte) (res verify.SNPReport, err error) {
report, err := abi.ReportToProto(reportBytes)
if err != nil {
return res, fmt.Errorf("parsing report to proto: %w", err)
}
policy, err := abi.ParseSnpPolicy(report.Policy)
if err != nil {
return res, fmt.Errorf("parsing policy: %w", err)
}
platformInfo, err := abi.ParseSnpPlatformInfo(report.PlatformInfo)
if err != nil {
return res, fmt.Errorf("parsing platform info: %w", err)
}
signature, err := abi.ReportToSignatureDER(reportBytes)
if err != nil {
return res, fmt.Errorf("parsing signature: %w", err)
}
signerInfo, err := abi.ParseSignerInfo(report.SignerInfo)
if err != nil {
return res, fmt.Errorf("parsing signer info: %w", err)
}
return verify.SNPReport{
Version: report.Version,
GuestSvn: report.GuestSvn,
PolicyABIMinor: policy.ABIMinor,
PolicyABIMajor: policy.ABIMajor,
PolicySMT: policy.SMT,
PolicyMigrationAgent: policy.MigrateMA,
PolicyDebug: policy.Debug,
PolicySingleSocket: policy.SingleSocket,
FamilyID: report.FamilyId,
ImageID: report.ImageId,
Vmpl: report.Vmpl,
SignatureAlgo: report.SignatureAlgo,
CurrentTCB: newTCBVersion(kds.TCBVersion(report.CurrentTcb)),
PlatformInfo: verify.PlatformInfo{
SMT: platformInfo.SMTEnabled,
TSME: platformInfo.TSMEEnabled,
},
SignerInfo: verify.SignerInfo{
AuthorKey: signerInfo.AuthorKeyEn,
MaskChipKey: signerInfo.MaskChipKey,
SigningKey: signerInfo.SigningKey.String(),
},
ReportData: report.ReportData,
Measurement: report.Measurement,
HostData: report.HostData,
IDKeyDigest: report.IdKeyDigest,
AuthorKeyDigest: report.AuthorKeyDigest,
ReportID: report.ReportId,
ReportIDMa: report.ReportIdMa,
ReportedTCB: newTCBVersion(kds.TCBVersion(report.ReportedTcb)),
ChipID: report.ChipId,
CommittedTCB: newTCBVersion(kds.TCBVersion(report.CommittedTcb)),
CurrentBuild: report.CurrentBuild,
CurrentMinor: report.CurrentMinor,
CurrentMajor: report.CurrentMajor,
CommittedBuild: report.CommittedBuild,
CommittedMinor: report.CommittedMinor,
CommittedMajor: report.CommittedMajor,
LaunchTCB: newTCBVersion(kds.TCBVersion(report.LaunchTcb)),
Signature: signature,
}, nil
}
func newMAAToken(ctx context.Context, rawToken, attestationServiceURL string) (verify.MaaTokenClaims, error) {
var claims verify.MaaTokenClaims
_, err := jwt.ParseWithClaims(rawToken, &claims, keyFromJKUFunc(ctx, attestationServiceURL), jwt.WithIssuedAt())
return claims, err
}
func newTCBVersion(tcbVersion kds.TCBVersion) (res verify.TCBVersion) {
tcb := kds.DecomposeTCBVersion(tcbVersion)
return verify.TCBVersion{
Bootloader: tcb.BlSpl,
TEE: tcb.TeeSpl,
SNP: tcb.SnpSpl,
Microcode: tcb.UcodeSpl,
Spl4: tcb.Spl4,
Spl5: tcb.Spl5,
Spl6: tcb.Spl6,
Spl7: tcb.Spl7,
}
}
func extractAzureInstanceInfo(docString string) (snp.InstanceInfo, error) {
var doc attestationDoc
if err := json.Unmarshal([]byte(docString), &doc); err != nil {
return snp.InstanceInfo{}, fmt.Errorf("unmarshal attestation document: %w", err)
}
func extractInstanceInfo(doc attestationDoc) (snp.InstanceInfo, error) {
instanceInfoString, err := base64.StdEncoding.DecodeString(doc.InstanceInfo)
if err != nil {
return snp.InstanceInfo{}, fmt.Errorf("decode instance info: %w", err)