mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-12 16:09:39 -05:00
config: support latest as version value for Azure SEVSNP (#1786)
* support latest as version value
This commit is contained in:
parent
b86b52a598
commit
cfef384f36
@ -5,9 +5,11 @@ go_library(
|
|||||||
name = "config",
|
name = "config",
|
||||||
srcs = [
|
srcs = [
|
||||||
"attestation.go",
|
"attestation.go",
|
||||||
|
"azure.go",
|
||||||
"config.go",
|
"config.go",
|
||||||
"config_doc.go",
|
"config_doc.go",
|
||||||
"image.go",
|
"image.go",
|
||||||
|
"qemu.go",
|
||||||
"validation.go",
|
"validation.go",
|
||||||
],
|
],
|
||||||
importpath = "github.com/edgelesssys/constellation/v2/internal/config",
|
importpath = "github.com/edgelesssys/constellation/v2/internal/config",
|
||||||
@ -19,6 +21,7 @@ go_library(
|
|||||||
"//internal/compatibility",
|
"//internal/compatibility",
|
||||||
"//internal/config/imageversion",
|
"//internal/config/imageversion",
|
||||||
"//internal/config/instancetypes",
|
"//internal/config/instancetypes",
|
||||||
|
"//internal/config/snpversion",
|
||||||
"//internal/constants",
|
"//internal/constants",
|
||||||
"//internal/file",
|
"//internal/file",
|
||||||
"//internal/variant",
|
"//internal/variant",
|
||||||
|
228
internal/config/azure.go
Normal file
228
internal/config/azure.go
Normal file
@ -0,0 +1,228 @@
|
|||||||
|
/*
|
||||||
|
Copyright (c) Edgeless Systems GmbH
|
||||||
|
|
||||||
|
SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
*/
|
||||||
|
|
||||||
|
package config
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"fmt"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/config/snpversion"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||||
|
)
|
||||||
|
|
||||||
|
// AzureSEVSNP is the configuration for Azure SEV-SNP attestation.
|
||||||
|
type AzureSEVSNP struct {
|
||||||
|
// description: |
|
||||||
|
// Expected TPM measurements.
|
||||||
|
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable bootloader version.
|
||||||
|
BootloaderVersion uint8 `json:"bootloaderVersion" yaml:"bootloaderVersion"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable TEE version.
|
||||||
|
TEEVersion uint8 `json:"teeVersion" yaml:"teeVersion"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable SEV-SNP version.
|
||||||
|
SNPVersion uint8 `json:"snpVersion" yaml:"snpVersion"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable microcode version.
|
||||||
|
MicrocodeVersion uint8 `json:"microcodeVersion" yaml:"microcodeVersion"`
|
||||||
|
// description: |
|
||||||
|
// Configuration for validating the firmware signature.
|
||||||
|
FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
|
||||||
|
// description: |
|
||||||
|
// AMD Root Key certificate used to verify the SEV-SNP certificate chain.
|
||||||
|
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// DefaultForAzureSEVSNP returns the default configuration for Azure SEV-SNP attestation.
|
||||||
|
// Version numbers are hard coded and should be updated with each new release.
|
||||||
|
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
||||||
|
return &AzureSEVSNP{
|
||||||
|
Measurements: measurements.DefaultsFor(cloudprovider.Azure, variant.AzureSEVSNP{}),
|
||||||
|
BootloaderVersion: snpversion.GetLatest(snpversion.Bootloader),
|
||||||
|
TEEVersion: snpversion.GetLatest(snpversion.TEE),
|
||||||
|
SNPVersion: snpversion.GetLatest(snpversion.SNP),
|
||||||
|
MicrocodeVersion: snpversion.GetLatest(snpversion.Microcode),
|
||||||
|
FirmwareSignerConfig: SNPFirmwareSignerConfig{
|
||||||
|
AcceptedKeyDigests: idkeydigest.DefaultList(),
|
||||||
|
EnforcementPolicy: idkeydigest.MAAFallback,
|
||||||
|
},
|
||||||
|
// AMD root key. Received from the AMD Key Distribution System API (KDS).
|
||||||
|
AMDRootKey: mustParsePEM(`-----BEGIN CERTIFICATE-----\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\nAFZEAwoKCQ==\n-----END CERTIFICATE-----\n`),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetVariant returns azure-sev-snp as the variant.
|
||||||
|
func (AzureSEVSNP) GetVariant() variant.Variant {
|
||||||
|
return variant.AzureSEVSNP{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMeasurements returns the measurements used for attestation.
|
||||||
|
func (c AzureSEVSNP) GetMeasurements() measurements.M {
|
||||||
|
return c.Measurements
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetMeasurements updates a config's measurements using the given measurements.
|
||||||
|
func (c *AzureSEVSNP) SetMeasurements(m measurements.M) {
|
||||||
|
c.Measurements = m
|
||||||
|
}
|
||||||
|
|
||||||
|
// EqualTo returns true if the config is equal to the given config.
|
||||||
|
func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
|
||||||
|
otherCfg, ok := old.(*AzureSEVSNP)
|
||||||
|
if !ok {
|
||||||
|
return false, fmt.Errorf("cannot compare %T with %T", c, old)
|
||||||
|
}
|
||||||
|
|
||||||
|
firmwareSignerCfgEqual := c.FirmwareSignerConfig.EqualTo(otherCfg.FirmwareSignerConfig)
|
||||||
|
measurementsEqual := c.Measurements.EqualTo(otherCfg.Measurements)
|
||||||
|
bootloaderEqual := c.BootloaderVersion == otherCfg.BootloaderVersion
|
||||||
|
teeEqual := c.TEEVersion == otherCfg.TEEVersion
|
||||||
|
snpEqual := c.SNPVersion == otherCfg.SNPVersion
|
||||||
|
microcodeEqual := c.MicrocodeVersion == otherCfg.MicrocodeVersion
|
||||||
|
rootKeyEqual := bytes.Equal(c.AMDRootKey.Raw, otherCfg.AMDRootKey.Raw)
|
||||||
|
|
||||||
|
return firmwareSignerCfgEqual && measurementsEqual && bootloaderEqual && teeEqual && snpEqual && microcodeEqual && rootKeyEqual, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnmarshalYAML implements a custom unmarshaler to support setting "latest" as version.
|
||||||
|
func (c *AzureSEVSNP) UnmarshalYAML(unmarshal func(any) error) error {
|
||||||
|
aux := &fusedAzureSEVSNP{
|
||||||
|
auxAzureSEVSNP: (*auxAzureSEVSNP)(c),
|
||||||
|
}
|
||||||
|
if err := unmarshal(aux); err != nil {
|
||||||
|
return fmt.Errorf("unmarshal AzureSEVSNP: %w", err)
|
||||||
|
}
|
||||||
|
c = (*AzureSEVSNP)(aux.auxAzureSEVSNP)
|
||||||
|
|
||||||
|
for _, versionType := range []snpversion.Type{snpversion.Bootloader, snpversion.TEE, snpversion.SNP, snpversion.Microcode} {
|
||||||
|
if !convertLatestToNumber(c, versionType, aux) {
|
||||||
|
if err := convertStringToUint(c, versionType, aux); err != nil {
|
||||||
|
return fmt.Errorf("convert %s version to number: %w", versionType, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
|
||||||
|
type AzureTrustedLaunch struct {
|
||||||
|
// description: |
|
||||||
|
// Expected TPM measurements.
|
||||||
|
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetVariant returns azure-trusted-launch as the variant.
|
||||||
|
func (AzureTrustedLaunch) GetVariant() variant.Variant {
|
||||||
|
return variant.AzureTrustedLaunch{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMeasurements returns the measurements used for attestation.
|
||||||
|
func (c AzureTrustedLaunch) GetMeasurements() measurements.M {
|
||||||
|
return c.Measurements
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetMeasurements updates a config's measurements using the given measurements.
|
||||||
|
func (c *AzureTrustedLaunch) SetMeasurements(m measurements.M) {
|
||||||
|
c.Measurements = m
|
||||||
|
}
|
||||||
|
|
||||||
|
// EqualTo returns true if the config is equal to the given config.
|
||||||
|
func (c AzureTrustedLaunch) EqualTo(other AttestationCfg) (bool, error) {
|
||||||
|
otherCfg, ok := other.(*AzureTrustedLaunch)
|
||||||
|
if !ok {
|
||||||
|
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||||
|
}
|
||||||
|
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// auxAzureSEVSNP is a helper struct for unmarshaling the config from YAML for handling the version parsing.
|
||||||
|
// The version fields are kept to make it convertable to the native AzureSEVSNP struct.
|
||||||
|
type auxAzureSEVSNP struct {
|
||||||
|
// description: |
|
||||||
|
// Expected TPM measurements.
|
||||||
|
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable bootloader version.
|
||||||
|
BootloaderVersion uint8 `yaml:"-"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable TEE version.
|
||||||
|
TEEVersion uint8 `json:"teeVersion" yaml:"-"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable SEV-SNP version.
|
||||||
|
SNPVersion uint8 `json:"snpVersion" yaml:"-"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable microcode version.
|
||||||
|
MicrocodeVersion uint8 `json:"microcodeVersion" yaml:"-"`
|
||||||
|
// description: |
|
||||||
|
// Configuration for validating the firmware signature.
|
||||||
|
FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
|
||||||
|
// description: |
|
||||||
|
// AMD Root Key certificate used to verify the SEV-SNP certificate chain.
|
||||||
|
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// fusedAzureSEVSNP is a helper struct for unmarshaling the config from YAML for handling the version parsing.
|
||||||
|
type fusedAzureSEVSNP struct {
|
||||||
|
*auxAzureSEVSNP `yaml:",inline"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable bootloader version.
|
||||||
|
BootloaderVersion string `yaml:"bootloaderVersion"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable bootloader version.
|
||||||
|
TEEVersion string `yaml:"teeVersion"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable bootloader version.
|
||||||
|
SNPVersion string `yaml:"snpVersion"`
|
||||||
|
// description: |
|
||||||
|
// Lowest acceptable bootloader version.
|
||||||
|
MicrocodeVersion string `yaml:"microcodeVersion"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func convertStringToUint(c *AzureSEVSNP, versionType snpversion.Type, aux *fusedAzureSEVSNP) error {
|
||||||
|
v, stringV := getUintAndStringPtrToVersion(c, versionType, aux)
|
||||||
|
|
||||||
|
bvInt, err := strconv.ParseInt(*stringV, 10, 8)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
*v = uint8(bvInt)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func convertLatestToNumber(c *AzureSEVSNP, versionType snpversion.Type, aux *fusedAzureSEVSNP) bool {
|
||||||
|
v, stringV := getUintAndStringPtrToVersion(c, versionType, aux)
|
||||||
|
if strings.ToLower(*stringV) == "latest" {
|
||||||
|
*v = snpversion.GetLatest(versionType)
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func getUintAndStringPtrToVersion(c *AzureSEVSNP, versionType snpversion.Type, aux *fusedAzureSEVSNP) (versionUint *uint8, versionString *string) {
|
||||||
|
switch versionType {
|
||||||
|
case snpversion.Bootloader:
|
||||||
|
versionUint = &c.BootloaderVersion
|
||||||
|
versionString = &aux.BootloaderVersion
|
||||||
|
case snpversion.TEE:
|
||||||
|
versionUint = &c.TEEVersion
|
||||||
|
versionString = &aux.TEEVersion
|
||||||
|
case snpversion.SNP:
|
||||||
|
versionUint = &c.SNPVersion
|
||||||
|
versionString = &aux.SNPVersion
|
||||||
|
case snpversion.Microcode:
|
||||||
|
versionUint = &c.MicrocodeVersion
|
||||||
|
versionString = &aux.MicrocodeVersion
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
@ -19,7 +19,6 @@ All config relevant definitions, parsing and validation functions should go here
|
|||||||
package config
|
package config
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/fs"
|
"io/fs"
|
||||||
@ -725,83 +724,6 @@ func (c AWSNitroTPM) EqualTo(other AttestationCfg) (bool, error) {
|
|||||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// AzureSEVSNP is the configuration for Azure SEV-SNP attestation.
|
|
||||||
type AzureSEVSNP struct {
|
|
||||||
// description: |
|
|
||||||
// Expected TPM measurements.
|
|
||||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
|
||||||
// description: |
|
|
||||||
// Lowest acceptable bootloader version.
|
|
||||||
BootloaderVersion uint8 `json:"bootloaderVersion" yaml:"bootloaderVersion"`
|
|
||||||
// description: |
|
|
||||||
// Lowest acceptable TEE version.
|
|
||||||
TEEVersion uint8 `json:"teeVersion" yaml:"teeVersion"`
|
|
||||||
// description: |
|
|
||||||
// Lowest acceptable SEV-SNP version.
|
|
||||||
SNPVersion uint8 `json:"snpVersion" yaml:"snpVersion"`
|
|
||||||
// description: |
|
|
||||||
// Lowest acceptable microcode version.
|
|
||||||
MicrocodeVersion uint8 `json:"microcodeVersion" yaml:"microcodeVersion"`
|
|
||||||
// description: |
|
|
||||||
// Configuration for validating the firmware signature.
|
|
||||||
FirmwareSignerConfig SNPFirmwareSignerConfig `json:"firmwareSignerConfig" yaml:"firmwareSignerConfig"`
|
|
||||||
// description: |
|
|
||||||
// AMD Root Key certificate used to verify the SEV-SNP certificate chain.
|
|
||||||
AMDRootKey Certificate `json:"amdRootKey" yaml:"amdRootKey"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// DefaultForAzureSEVSNP returns the default configuration for Azure SEV-SNP attestation.
|
|
||||||
// Version numbers are hard coded and should be updated with each new release.
|
|
||||||
// TODO(AB#3042): replace with dynamic lookup for configurable values.
|
|
||||||
func DefaultForAzureSEVSNP() *AzureSEVSNP {
|
|
||||||
return &AzureSEVSNP{
|
|
||||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure, variant.AzureSEVSNP{}),
|
|
||||||
BootloaderVersion: 2,
|
|
||||||
TEEVersion: 0,
|
|
||||||
SNPVersion: 6,
|
|
||||||
MicrocodeVersion: 93,
|
|
||||||
FirmwareSignerConfig: SNPFirmwareSignerConfig{
|
|
||||||
AcceptedKeyDigests: idkeydigest.DefaultList(),
|
|
||||||
EnforcementPolicy: idkeydigest.MAAFallback,
|
|
||||||
},
|
|
||||||
// AMD root key. Received from the AMD Key Distribution System API (KDS).
|
|
||||||
AMDRootKey: mustParsePEM(`-----BEGIN CERTIFICATE-----\nMIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC\nBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS\nBgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg\nQ2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp\nY2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy\nMTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS\nBgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j\nZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG\n9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg\nW41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta\n1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2\nSzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0\n60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05\ngmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg\nbKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs\n+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi\nQi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ\neTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18\nfHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j\nWhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI\nrFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG\nKWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG\nSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI\nAWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel\nETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw\nSTjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK\ndHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq\nzT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp\nKGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e\npmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq\nHnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh\n3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn\nJZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH\nCViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4\nAFZEAwoKCQ==\n-----END CERTIFICATE-----\n`),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetVariant returns azure-sev-snp as the variant.
|
|
||||||
func (AzureSEVSNP) GetVariant() variant.Variant {
|
|
||||||
return variant.AzureSEVSNP{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetMeasurements returns the measurements used for attestation.
|
|
||||||
func (c AzureSEVSNP) GetMeasurements() measurements.M {
|
|
||||||
return c.Measurements
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetMeasurements updates a config's measurements using the given measurements.
|
|
||||||
func (c *AzureSEVSNP) SetMeasurements(m measurements.M) {
|
|
||||||
c.Measurements = m
|
|
||||||
}
|
|
||||||
|
|
||||||
// EqualTo returns true if the config is equal to the given config.
|
|
||||||
func (c AzureSEVSNP) EqualTo(old AttestationCfg) (bool, error) {
|
|
||||||
otherCfg, ok := old.(*AzureSEVSNP)
|
|
||||||
if !ok {
|
|
||||||
return false, fmt.Errorf("cannot compare %T with %T", c, old)
|
|
||||||
}
|
|
||||||
|
|
||||||
firmwareSignerCfgEqual := c.FirmwareSignerConfig.EqualTo(otherCfg.FirmwareSignerConfig)
|
|
||||||
measurementsEqual := c.Measurements.EqualTo(otherCfg.Measurements)
|
|
||||||
bootloaderEqual := c.BootloaderVersion == otherCfg.BootloaderVersion
|
|
||||||
teeEqual := c.TEEVersion == otherCfg.TEEVersion
|
|
||||||
snpEqual := c.SNPVersion == otherCfg.SNPVersion
|
|
||||||
microcodeEqual := c.MicrocodeVersion == otherCfg.MicrocodeVersion
|
|
||||||
rootKeyEqual := bytes.Equal(c.AMDRootKey.Raw, otherCfg.AMDRootKey.Raw)
|
|
||||||
|
|
||||||
return firmwareSignerCfgEqual && measurementsEqual && bootloaderEqual && teeEqual && snpEqual && microcodeEqual && rootKeyEqual, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// SNPFirmwareSignerConfig is the configuration for validating the firmware signer.
|
// SNPFirmwareSignerConfig is the configuration for validating the firmware signer.
|
||||||
type SNPFirmwareSignerConfig struct {
|
type SNPFirmwareSignerConfig struct {
|
||||||
// description: |
|
// description: |
|
||||||
@ -820,37 +742,6 @@ func (c SNPFirmwareSignerConfig) EqualTo(other SNPFirmwareSignerConfig) bool {
|
|||||||
return c.AcceptedKeyDigests.EqualTo(other.AcceptedKeyDigests) && c.EnforcementPolicy == other.EnforcementPolicy && c.MAAURL == other.MAAURL
|
return c.AcceptedKeyDigests.EqualTo(other.AcceptedKeyDigests) && c.EnforcementPolicy == other.EnforcementPolicy && c.MAAURL == other.MAAURL
|
||||||
}
|
}
|
||||||
|
|
||||||
// AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation.
|
|
||||||
type AzureTrustedLaunch struct {
|
|
||||||
// description: |
|
|
||||||
// Expected TPM measurements.
|
|
||||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetVariant returns azure-trusted-launch as the variant.
|
|
||||||
func (AzureTrustedLaunch) GetVariant() variant.Variant {
|
|
||||||
return variant.AzureTrustedLaunch{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetMeasurements returns the measurements used for attestation.
|
|
||||||
func (c AzureTrustedLaunch) GetMeasurements() measurements.M {
|
|
||||||
return c.Measurements
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetMeasurements updates a config's measurements using the given measurements.
|
|
||||||
func (c *AzureTrustedLaunch) SetMeasurements(m measurements.M) {
|
|
||||||
c.Measurements = m
|
|
||||||
}
|
|
||||||
|
|
||||||
// EqualTo returns true if the config is equal to the given config.
|
|
||||||
func (c AzureTrustedLaunch) EqualTo(other AttestationCfg) (bool, error) {
|
|
||||||
otherCfg, ok := other.(*AzureTrustedLaunch)
|
|
||||||
if !ok {
|
|
||||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
|
||||||
}
|
|
||||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// GCPSEVES is the configuration for GCP SEV-ES attestation.
|
// GCPSEVES is the configuration for GCP SEV-ES attestation.
|
||||||
type GCPSEVES struct {
|
type GCPSEVES struct {
|
||||||
// description: |
|
// description: |
|
||||||
@ -882,68 +773,6 @@ func (c GCPSEVES) EqualTo(other AttestationCfg) (bool, error) {
|
|||||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// QEMUVTPM is the configuration for QEMU vTPM attestation.
|
|
||||||
type QEMUVTPM struct {
|
|
||||||
// description: |
|
|
||||||
// Expected TPM measurements.
|
|
||||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetVariant returns qemu-vtpm as the variant.
|
|
||||||
func (QEMUVTPM) GetVariant() variant.Variant {
|
|
||||||
return variant.QEMUVTPM{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetMeasurements returns the measurements used for attestation.
|
|
||||||
func (c QEMUVTPM) GetMeasurements() measurements.M {
|
|
||||||
return c.Measurements
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetMeasurements updates a config's measurements using the given measurements.
|
|
||||||
func (c *QEMUVTPM) SetMeasurements(m measurements.M) {
|
|
||||||
c.Measurements = m
|
|
||||||
}
|
|
||||||
|
|
||||||
// EqualTo returns true if the config is equal to the given config.
|
|
||||||
func (c QEMUVTPM) EqualTo(other AttestationCfg) (bool, error) {
|
|
||||||
otherCfg, ok := other.(*QEMUVTPM)
|
|
||||||
if !ok {
|
|
||||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
|
||||||
}
|
|
||||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// QEMUTDX is the configuration for QEMU TDX attestation.
|
|
||||||
type QEMUTDX struct {
|
|
||||||
// description: |
|
|
||||||
// Expected TDX measurements.
|
|
||||||
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetVariant returns qemu-tdx as the variant.
|
|
||||||
func (QEMUTDX) GetVariant() variant.Variant {
|
|
||||||
return variant.QEMUTDX{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetMeasurements returns the measurements used for attestation.
|
|
||||||
func (c QEMUTDX) GetMeasurements() measurements.M {
|
|
||||||
return c.Measurements
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetMeasurements updates a config's measurements using the given measurements.
|
|
||||||
func (c *QEMUTDX) SetMeasurements(m measurements.M) {
|
|
||||||
c.Measurements = m
|
|
||||||
}
|
|
||||||
|
|
||||||
// EqualTo returns true if the config is equal to the given config.
|
|
||||||
func (c QEMUTDX) EqualTo(other AttestationCfg) (bool, error) {
|
|
||||||
otherCfg, ok := other.(*QEMUTDX)
|
|
||||||
if !ok {
|
|
||||||
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
|
||||||
}
|
|
||||||
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func toPtr[T any](v T) *T {
|
func toPtr[T any](v T) *T {
|
||||||
return &v
|
return &v
|
||||||
}
|
}
|
||||||
|
@ -20,12 +20,8 @@ var (
|
|||||||
QEMUConfigDoc encoder.Doc
|
QEMUConfigDoc encoder.Doc
|
||||||
AttestationConfigDoc encoder.Doc
|
AttestationConfigDoc encoder.Doc
|
||||||
AWSNitroTPMDoc encoder.Doc
|
AWSNitroTPMDoc encoder.Doc
|
||||||
AzureSEVSNPDoc encoder.Doc
|
|
||||||
SNPFirmwareSignerConfigDoc encoder.Doc
|
SNPFirmwareSignerConfigDoc encoder.Doc
|
||||||
AzureTrustedLaunchDoc encoder.Doc
|
|
||||||
GCPSEVESDoc encoder.Doc
|
GCPSEVESDoc encoder.Doc
|
||||||
QEMUVTPMDoc encoder.Doc
|
|
||||||
QEMUTDXDoc encoder.Doc
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
@ -477,61 +473,9 @@ func init() {
|
|||||||
AWSNitroTPMDoc.Fields[0].Description = "Expected TPM measurements."
|
AWSNitroTPMDoc.Fields[0].Description = "Expected TPM measurements."
|
||||||
AWSNitroTPMDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
AWSNitroTPMDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
||||||
|
|
||||||
AzureSEVSNPDoc.Type = "AzureSEVSNP"
|
|
||||||
AzureSEVSNPDoc.Comments[encoder.LineComment] = "AzureSEVSNP is the configuration for Azure SEV-SNP attestation."
|
|
||||||
AzureSEVSNPDoc.Description = "AzureSEVSNP is the configuration for Azure SEV-SNP attestation."
|
|
||||||
AzureSEVSNPDoc.AppearsIn = []encoder.Appearance{
|
|
||||||
{
|
|
||||||
TypeName: "AttestationConfig",
|
|
||||||
FieldName: "azureSEVSNP",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
AzureSEVSNPDoc.Fields = make([]encoder.Doc, 7)
|
|
||||||
AzureSEVSNPDoc.Fields[0].Name = "measurements"
|
|
||||||
AzureSEVSNPDoc.Fields[0].Type = "M"
|
|
||||||
AzureSEVSNPDoc.Fields[0].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[0].Description = "Expected TPM measurements."
|
|
||||||
AzureSEVSNPDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
|
||||||
AzureSEVSNPDoc.Fields[1].Name = "bootloaderVersion"
|
|
||||||
AzureSEVSNPDoc.Fields[1].Type = "uint8"
|
|
||||||
AzureSEVSNPDoc.Fields[1].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[1].Description = "Lowest acceptable bootloader version."
|
|
||||||
AzureSEVSNPDoc.Fields[1].Comments[encoder.LineComment] = "Lowest acceptable bootloader version."
|
|
||||||
AzureSEVSNPDoc.Fields[2].Name = "teeVersion"
|
|
||||||
AzureSEVSNPDoc.Fields[2].Type = "uint8"
|
|
||||||
AzureSEVSNPDoc.Fields[2].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[2].Description = "Lowest acceptable TEE version."
|
|
||||||
AzureSEVSNPDoc.Fields[2].Comments[encoder.LineComment] = "Lowest acceptable TEE version."
|
|
||||||
AzureSEVSNPDoc.Fields[3].Name = "snpVersion"
|
|
||||||
AzureSEVSNPDoc.Fields[3].Type = "uint8"
|
|
||||||
AzureSEVSNPDoc.Fields[3].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[3].Description = "Lowest acceptable SEV-SNP version."
|
|
||||||
AzureSEVSNPDoc.Fields[3].Comments[encoder.LineComment] = "Lowest acceptable SEV-SNP version."
|
|
||||||
AzureSEVSNPDoc.Fields[4].Name = "microcodeVersion"
|
|
||||||
AzureSEVSNPDoc.Fields[4].Type = "uint8"
|
|
||||||
AzureSEVSNPDoc.Fields[4].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[4].Description = "Lowest acceptable microcode version."
|
|
||||||
AzureSEVSNPDoc.Fields[4].Comments[encoder.LineComment] = "Lowest acceptable microcode version."
|
|
||||||
AzureSEVSNPDoc.Fields[5].Name = "firmwareSignerConfig"
|
|
||||||
AzureSEVSNPDoc.Fields[5].Type = "SNPFirmwareSignerConfig"
|
|
||||||
AzureSEVSNPDoc.Fields[5].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[5].Description = "Configuration for validating the firmware signature."
|
|
||||||
AzureSEVSNPDoc.Fields[5].Comments[encoder.LineComment] = "Configuration for validating the firmware signature."
|
|
||||||
AzureSEVSNPDoc.Fields[6].Name = "amdRootKey"
|
|
||||||
AzureSEVSNPDoc.Fields[6].Type = "Certificate"
|
|
||||||
AzureSEVSNPDoc.Fields[6].Note = ""
|
|
||||||
AzureSEVSNPDoc.Fields[6].Description = "AMD Root Key certificate used to verify the SEV-SNP certificate chain."
|
|
||||||
AzureSEVSNPDoc.Fields[6].Comments[encoder.LineComment] = "AMD Root Key certificate used to verify the SEV-SNP certificate chain."
|
|
||||||
|
|
||||||
SNPFirmwareSignerConfigDoc.Type = "SNPFirmwareSignerConfig"
|
SNPFirmwareSignerConfigDoc.Type = "SNPFirmwareSignerConfig"
|
||||||
SNPFirmwareSignerConfigDoc.Comments[encoder.LineComment] = "SNPFirmwareSignerConfig is the configuration for validating the firmware signer."
|
SNPFirmwareSignerConfigDoc.Comments[encoder.LineComment] = "SNPFirmwareSignerConfig is the configuration for validating the firmware signer."
|
||||||
SNPFirmwareSignerConfigDoc.Description = "SNPFirmwareSignerConfig is the configuration for validating the firmware signer."
|
SNPFirmwareSignerConfigDoc.Description = "SNPFirmwareSignerConfig is the configuration for validating the firmware signer."
|
||||||
SNPFirmwareSignerConfigDoc.AppearsIn = []encoder.Appearance{
|
|
||||||
{
|
|
||||||
TypeName: "AzureSEVSNP",
|
|
||||||
FieldName: "firmwareSignerConfig",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
SNPFirmwareSignerConfigDoc.Fields = make([]encoder.Doc, 3)
|
SNPFirmwareSignerConfigDoc.Fields = make([]encoder.Doc, 3)
|
||||||
SNPFirmwareSignerConfigDoc.Fields[0].Name = "acceptedKeyDigests"
|
SNPFirmwareSignerConfigDoc.Fields[0].Name = "acceptedKeyDigests"
|
||||||
SNPFirmwareSignerConfigDoc.Fields[0].Type = "List"
|
SNPFirmwareSignerConfigDoc.Fields[0].Type = "List"
|
||||||
@ -549,22 +493,6 @@ func init() {
|
|||||||
SNPFirmwareSignerConfigDoc.Fields[2].Description = "URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'."
|
SNPFirmwareSignerConfigDoc.Fields[2].Description = "URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'."
|
||||||
SNPFirmwareSignerConfigDoc.Fields[2].Comments[encoder.LineComment] = "URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'."
|
SNPFirmwareSignerConfigDoc.Fields[2].Comments[encoder.LineComment] = "URL of the Microsoft Azure Attestation (MAA) instance to use for fallback validation. Only used if 'enforcementPolicy' is set to 'maaFallback'."
|
||||||
|
|
||||||
AzureTrustedLaunchDoc.Type = "AzureTrustedLaunch"
|
|
||||||
AzureTrustedLaunchDoc.Comments[encoder.LineComment] = "AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation."
|
|
||||||
AzureTrustedLaunchDoc.Description = "AzureTrustedLaunch is the configuration for Azure Trusted Launch attestation."
|
|
||||||
AzureTrustedLaunchDoc.AppearsIn = []encoder.Appearance{
|
|
||||||
{
|
|
||||||
TypeName: "AttestationConfig",
|
|
||||||
FieldName: "azureTrustedLaunch",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
AzureTrustedLaunchDoc.Fields = make([]encoder.Doc, 1)
|
|
||||||
AzureTrustedLaunchDoc.Fields[0].Name = "measurements"
|
|
||||||
AzureTrustedLaunchDoc.Fields[0].Type = "M"
|
|
||||||
AzureTrustedLaunchDoc.Fields[0].Note = ""
|
|
||||||
AzureTrustedLaunchDoc.Fields[0].Description = "Expected TPM measurements."
|
|
||||||
AzureTrustedLaunchDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
|
||||||
|
|
||||||
GCPSEVESDoc.Type = "GCPSEVES"
|
GCPSEVESDoc.Type = "GCPSEVES"
|
||||||
GCPSEVESDoc.Comments[encoder.LineComment] = "GCPSEVES is the configuration for GCP SEV-ES attestation."
|
GCPSEVESDoc.Comments[encoder.LineComment] = "GCPSEVES is the configuration for GCP SEV-ES attestation."
|
||||||
GCPSEVESDoc.Description = "GCPSEVES is the configuration for GCP SEV-ES attestation."
|
GCPSEVESDoc.Description = "GCPSEVES is the configuration for GCP SEV-ES attestation."
|
||||||
@ -580,38 +508,6 @@ func init() {
|
|||||||
GCPSEVESDoc.Fields[0].Note = ""
|
GCPSEVESDoc.Fields[0].Note = ""
|
||||||
GCPSEVESDoc.Fields[0].Description = "Expected TPM measurements."
|
GCPSEVESDoc.Fields[0].Description = "Expected TPM measurements."
|
||||||
GCPSEVESDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
GCPSEVESDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
||||||
|
|
||||||
QEMUVTPMDoc.Type = "QEMUVTPM"
|
|
||||||
QEMUVTPMDoc.Comments[encoder.LineComment] = "QEMUVTPM is the configuration for QEMU vTPM attestation."
|
|
||||||
QEMUVTPMDoc.Description = "QEMUVTPM is the configuration for QEMU vTPM attestation."
|
|
||||||
QEMUVTPMDoc.AppearsIn = []encoder.Appearance{
|
|
||||||
{
|
|
||||||
TypeName: "AttestationConfig",
|
|
||||||
FieldName: "qemuVTPM",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
QEMUVTPMDoc.Fields = make([]encoder.Doc, 1)
|
|
||||||
QEMUVTPMDoc.Fields[0].Name = "measurements"
|
|
||||||
QEMUVTPMDoc.Fields[0].Type = "M"
|
|
||||||
QEMUVTPMDoc.Fields[0].Note = ""
|
|
||||||
QEMUVTPMDoc.Fields[0].Description = "Expected TPM measurements."
|
|
||||||
QEMUVTPMDoc.Fields[0].Comments[encoder.LineComment] = "Expected TPM measurements."
|
|
||||||
|
|
||||||
QEMUTDXDoc.Type = "QEMUTDX"
|
|
||||||
QEMUTDXDoc.Comments[encoder.LineComment] = "QEMUTDX is the configuration for QEMU TDX attestation."
|
|
||||||
QEMUTDXDoc.Description = "QEMUTDX is the configuration for QEMU TDX attestation."
|
|
||||||
QEMUTDXDoc.AppearsIn = []encoder.Appearance{
|
|
||||||
{
|
|
||||||
TypeName: "AttestationConfig",
|
|
||||||
FieldName: "qemuTDX",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
QEMUTDXDoc.Fields = make([]encoder.Doc, 1)
|
|
||||||
QEMUTDXDoc.Fields[0].Name = "measurements"
|
|
||||||
QEMUTDXDoc.Fields[0].Type = "M"
|
|
||||||
QEMUTDXDoc.Fields[0].Note = ""
|
|
||||||
QEMUTDXDoc.Fields[0].Description = "Expected TDX measurements."
|
|
||||||
QEMUTDXDoc.Fields[0].Comments[encoder.LineComment] = "Expected TDX measurements."
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (_ Config) Doc() *encoder.Doc {
|
func (_ Config) Doc() *encoder.Doc {
|
||||||
@ -650,30 +546,14 @@ func (_ AWSNitroTPM) Doc() *encoder.Doc {
|
|||||||
return &AWSNitroTPMDoc
|
return &AWSNitroTPMDoc
|
||||||
}
|
}
|
||||||
|
|
||||||
func (_ AzureSEVSNP) Doc() *encoder.Doc {
|
|
||||||
return &AzureSEVSNPDoc
|
|
||||||
}
|
|
||||||
|
|
||||||
func (_ SNPFirmwareSignerConfig) Doc() *encoder.Doc {
|
func (_ SNPFirmwareSignerConfig) Doc() *encoder.Doc {
|
||||||
return &SNPFirmwareSignerConfigDoc
|
return &SNPFirmwareSignerConfigDoc
|
||||||
}
|
}
|
||||||
|
|
||||||
func (_ AzureTrustedLaunch) Doc() *encoder.Doc {
|
|
||||||
return &AzureTrustedLaunchDoc
|
|
||||||
}
|
|
||||||
|
|
||||||
func (_ GCPSEVES) Doc() *encoder.Doc {
|
func (_ GCPSEVES) Doc() *encoder.Doc {
|
||||||
return &GCPSEVESDoc
|
return &GCPSEVESDoc
|
||||||
}
|
}
|
||||||
|
|
||||||
func (_ QEMUVTPM) Doc() *encoder.Doc {
|
|
||||||
return &QEMUVTPMDoc
|
|
||||||
}
|
|
||||||
|
|
||||||
func (_ QEMUTDX) Doc() *encoder.Doc {
|
|
||||||
return &QEMUTDXDoc
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetConfigurationDoc returns documentation for the file ./config_doc.go.
|
// GetConfigurationDoc returns documentation for the file ./config_doc.go.
|
||||||
func GetConfigurationDoc() *encoder.FileDoc {
|
func GetConfigurationDoc() *encoder.FileDoc {
|
||||||
return &encoder.FileDoc{
|
return &encoder.FileDoc{
|
||||||
@ -689,12 +569,8 @@ func GetConfigurationDoc() *encoder.FileDoc {
|
|||||||
&QEMUConfigDoc,
|
&QEMUConfigDoc,
|
||||||
&AttestationConfigDoc,
|
&AttestationConfigDoc,
|
||||||
&AWSNitroTPMDoc,
|
&AWSNitroTPMDoc,
|
||||||
&AzureSEVSNPDoc,
|
|
||||||
&SNPFirmwareSignerConfigDoc,
|
&SNPFirmwareSignerConfigDoc,
|
||||||
&AzureTrustedLaunchDoc,
|
|
||||||
&GCPSEVESDoc,
|
&GCPSEVESDoc,
|
||||||
&QEMUVTPMDoc,
|
|
||||||
&QEMUTDXDoc,
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -18,6 +18,7 @@ import (
|
|||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"go.uber.org/goleak"
|
"go.uber.org/goleak"
|
||||||
|
"gopkg.in/yaml.v3"
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||||
@ -36,6 +37,76 @@ func TestDefaultConfig(t *testing.T) {
|
|||||||
assert.NotNil(def)
|
assert.NotNil(def)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestSettingLatestAsVersion(t *testing.T) {
|
||||||
|
testCases := map[string]struct {
|
||||||
|
config map[string]interface{}
|
||||||
|
configName string
|
||||||
|
wantResult *Config
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
"mix of latest and uint as version value": {
|
||||||
|
config: func() map[string]interface{} {
|
||||||
|
conf := Default()
|
||||||
|
// modify versions as string
|
||||||
|
m := getConfigAsMap(conf, t)
|
||||||
|
m["attestation"].(map[string]interface{})["azureSEVSNP"].(map[string]interface{})["microcodeVersion"] = "latest"
|
||||||
|
m["attestation"].(map[string]interface{})["azureSEVSNP"].(map[string]interface{})["teeVersion"] = "latest"
|
||||||
|
m["attestation"].(map[string]interface{})["azureSEVSNP"].(map[string]interface{})["snpVersion"] = "latest"
|
||||||
|
m["attestation"].(map[string]interface{})["azureSEVSNP"].(map[string]interface{})["bootloaderVersion"] = 1
|
||||||
|
return m
|
||||||
|
}(),
|
||||||
|
|
||||||
|
configName: constants.ConfigFilename,
|
||||||
|
wantResult: func() *Config {
|
||||||
|
conf := Default()
|
||||||
|
conf.Attestation.AzureSEVSNP.BootloaderVersion = 1
|
||||||
|
return conf
|
||||||
|
}(),
|
||||||
|
},
|
||||||
|
"refuse invalid version value": {
|
||||||
|
config: func() map[string]interface{} {
|
||||||
|
conf := Default()
|
||||||
|
m := getConfigAsMap(conf, t)
|
||||||
|
m["attestation"].(map[string]interface{})["azureSEVSNP"].(map[string]interface{})["microcodeVersion"] = "1a"
|
||||||
|
return m
|
||||||
|
}(),
|
||||||
|
configName: constants.ConfigFilename,
|
||||||
|
wantErr: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for name, tc := range testCases {
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
assert := assert.New(t)
|
||||||
|
require := require.New(t)
|
||||||
|
|
||||||
|
fileHandler := file.NewHandler(afero.NewMemMapFs())
|
||||||
|
if tc.config != nil {
|
||||||
|
require.NoError(fileHandler.WriteYAML(tc.configName, tc.config, file.OptNone))
|
||||||
|
}
|
||||||
|
result, err := fromFile(fileHandler, tc.configName)
|
||||||
|
|
||||||
|
if tc.wantErr {
|
||||||
|
assert.Error(err)
|
||||||
|
} else {
|
||||||
|
require.NoError(err)
|
||||||
|
assert.Equal(tc.wantResult, result)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// getConfigAsMap returns a map of the config.
|
||||||
|
func getConfigAsMap(conf *Config, t *testing.T) (res map[string]interface{}) {
|
||||||
|
bytes, err := yaml.Marshal(&conf)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
if err := yaml.Unmarshal(bytes, &res); err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
func TestFromFile(t *testing.T) {
|
func TestFromFile(t *testing.T) {
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
config *Config
|
config *Config
|
||||||
|
76
internal/config/qemu.go
Normal file
76
internal/config/qemu.go
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
/*
|
||||||
|
Copyright (c) Edgeless Systems GmbH
|
||||||
|
|
||||||
|
SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
*/
|
||||||
|
|
||||||
|
package config
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||||
|
"github.com/edgelesssys/constellation/v2/internal/variant"
|
||||||
|
)
|
||||||
|
|
||||||
|
// QEMUVTPM is the configuration for QEMU vTPM attestation.
|
||||||
|
type QEMUVTPM struct {
|
||||||
|
// description: |
|
||||||
|
// Expected TPM measurements.
|
||||||
|
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetVariant returns qemu-vtpm as the variant.
|
||||||
|
func (QEMUVTPM) GetVariant() variant.Variant {
|
||||||
|
return variant.QEMUVTPM{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMeasurements returns the measurements used for attestation.
|
||||||
|
func (c QEMUVTPM) GetMeasurements() measurements.M {
|
||||||
|
return c.Measurements
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetMeasurements updates a config's measurements using the given measurements.
|
||||||
|
func (c *QEMUVTPM) SetMeasurements(m measurements.M) {
|
||||||
|
c.Measurements = m
|
||||||
|
}
|
||||||
|
|
||||||
|
// EqualTo returns true if the config is equal to the given config.
|
||||||
|
func (c QEMUVTPM) EqualTo(other AttestationCfg) (bool, error) {
|
||||||
|
otherCfg, ok := other.(*QEMUVTPM)
|
||||||
|
if !ok {
|
||||||
|
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||||
|
}
|
||||||
|
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// QEMUTDX is the configuration for QEMU TDX attestation.
|
||||||
|
type QEMUTDX struct {
|
||||||
|
// description: |
|
||||||
|
// Expected TDX measurements.
|
||||||
|
Measurements measurements.M `json:"measurements" yaml:"measurements" validate:"required,no_placeholders"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetVariant returns qemu-tdx as the variant.
|
||||||
|
func (QEMUTDX) GetVariant() variant.Variant {
|
||||||
|
return variant.QEMUTDX{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMeasurements returns the measurements used for attestation.
|
||||||
|
func (c QEMUTDX) GetMeasurements() measurements.M {
|
||||||
|
return c.Measurements
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetMeasurements updates a config's measurements using the given measurements.
|
||||||
|
func (c *QEMUTDX) SetMeasurements(m measurements.M) {
|
||||||
|
c.Measurements = m
|
||||||
|
}
|
||||||
|
|
||||||
|
// EqualTo returns true if the config is equal to the given config.
|
||||||
|
func (c QEMUTDX) EqualTo(other AttestationCfg) (bool, error) {
|
||||||
|
otherCfg, ok := other.(*QEMUTDX)
|
||||||
|
if !ok {
|
||||||
|
return false, fmt.Errorf("cannot compare %T with %T", c, other)
|
||||||
|
}
|
||||||
|
return c.Measurements.EqualTo(otherCfg.Measurements), nil
|
||||||
|
}
|
8
internal/config/snpversion/BUILD.bazel
Normal file
8
internal/config/snpversion/BUILD.bazel
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
||||||
|
|
||||||
|
go_library(
|
||||||
|
name = "snpversion",
|
||||||
|
srcs = ["snpversion.go"],
|
||||||
|
importpath = "github.com/edgelesssys/constellation/v2/internal/config/snpversion",
|
||||||
|
visibility = ["//:__subpackages__"],
|
||||||
|
)
|
33
internal/config/snpversion/snpversion.go
Normal file
33
internal/config/snpversion/snpversion.go
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
/*
|
||||||
|
Copyright (c) Edgeless Systems GmbH
|
||||||
|
|
||||||
|
SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
*/
|
||||||
|
|
||||||
|
package snpversion
|
||||||
|
|
||||||
|
const (
|
||||||
|
Bootloader Type = "bootloader" // Bootloader is the version of the Azure SEVSNP bootloader.
|
||||||
|
TEE Type = "tee" // TEE is the version of the Azure SEVSNP TEE.
|
||||||
|
SNP Type = "snp" // SNP is the version of the Azure SEVSNP SNP.
|
||||||
|
Microcode Type = "microcode" // Microcode is the version of the Azure SEVSNP microcode.
|
||||||
|
)
|
||||||
|
|
||||||
|
// Type is the type of the version to be requested.
|
||||||
|
type Type string
|
||||||
|
|
||||||
|
// GetLatest returns the version of the given type.
|
||||||
|
func GetLatest(t Type) uint8 {
|
||||||
|
switch t {
|
||||||
|
case Bootloader:
|
||||||
|
return 2
|
||||||
|
case TEE:
|
||||||
|
return 0
|
||||||
|
case SNP:
|
||||||
|
return 6
|
||||||
|
case Microcode:
|
||||||
|
return 93
|
||||||
|
default:
|
||||||
|
panic("invalid version type")
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user