config: add separate option for handling attestation parameters (#1623)

* Add attestation options to config

* Add join-config migration path for clusters with old measurement format

* Always create MAA provider for Azure SNP clusters

* Remove confidential VM option from provider in favor of attestation options

* cli: add config migrate command to handle config migration (#1678)

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

cli/internal/helm/loader_test.go

@@ -30,7 +30,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
-	"github.com/edgelesssys/constellation/v2/internal/variant"
 )
 
 // TestLoad checks if the serialized format that Load returns correctly preserves the dependencies of the loaded chart.
@@ -40,7 +39,7 @@ func TestLoad(t *testing.T) {
 
 	config := &config.Config{Provider: config.ProviderConfig{GCP: &config.GCPConfig{}}}
 	chartLoader := ChartLoader{csp: config.GetProvider()}
-	release, err := chartLoader.Load(config, true, []byte("secret"), []byte("salt"), "https://192.0.2.1:8080/maa")
+	release, err := chartLoader.Load(config, true, []byte("secret"), []byte("salt"))
 	require.NoError(err)
 
 	var helmReleases helm.Releases
@@ -63,21 +62,25 @@ func TestConstellationServices(t *testing.T) {
 	}{
 		"AWS": {
 			config: &config.Config{
-				AttestationVariant: variant.AWSNitroTPM{}.String(),
-				Provider:           config.ProviderConfig{AWS: &config.AWSConfig{}},
+				Provider: config.ProviderConfig{AWS: &config.AWSConfig{}},
+				Attestation: config.AttestationConfig{AWSNitroTPM: &config.AWSNitroTPM{
+					Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
+				}},
 			},
 			valuesModifier: prepareAWSValues,
 			ccmImage:       "ccmImageForAWS",
 		},
 		"Azure": {
 			config: &config.Config{
-				AttestationVariant: variant.AzureSEVSNP{}.String(),
 				Provider: config.ProviderConfig{Azure: &config.AzureConfig{
-					DeployCSIDriver:    toPtr(true),
-					EnforceIDKeyDigest: idkeydigest.Equal,
-					IDKeyDigest: [][]byte{
-						{0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad},
-						{0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa},
+					DeployCSIDriver: toPtr(true),
+				}},
+				Attestation: config.AttestationConfig{AzureSEVSNP: &config.AzureSEVSNP{
+					Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
+					FirmwareSignerConfig: config.SNPFirmwareSignerConfig{
+						AcceptedKeyDigests: idkeydigest.List{bytes.Repeat([]byte{0xAA}, 32)},
+						EnforcementPolicy:  idkeydigest.MAAFallback,
+						MAAURL:             "https://192.0.2.1:8080/maa",
 					},
 				}},
 			},
@@ -88,26 +91,32 @@ func TestConstellationServices(t *testing.T) {
 		},
 		"GCP": {
 			config: &config.Config{
-				AttestationVariant: variant.GCPSEVES{}.String(),
 				Provider: config.ProviderConfig{GCP: &config.GCPConfig{
 					DeployCSIDriver: toPtr(true),
 				}},
+				Attestation: config.AttestationConfig{GCPSEVES: &config.GCPSEVES{
+					Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
+				}},
 			},
 			valuesModifier: prepareGCPValues,
 			ccmImage:       "ccmImageForGCP",
 		},
 		"OpenStack": {
 			config: &config.Config{
-				AttestationVariant: variant.QEMUVTPM{}.String(),
-				Provider:           config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
+				Provider: config.ProviderConfig{OpenStack: &config.OpenStackConfig{}},
+				Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
+					Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
+				}},
 			},
 			valuesModifier: prepareOpenStackValues,
 			ccmImage:       "ccmImageForOpenStack",
 		},
 		"QEMU": {
 			config: &config.Config{
-				AttestationVariant: variant.QEMUVTPM{}.String(),
-				Provider:           config.ProviderConfig{QEMU: &config.QEMUConfig{}},
+				Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{}},
+				Attestation: config.AttestationConfig{QEMUVTPM: &config.QEMUVTPM{
+					Measurements: measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)},
+				}},
 			},
 			valuesModifier: prepareQEMUValues,
 		},
@@ -133,7 +142,7 @@ func TestConstellationServices(t *testing.T) {
 			require.NoError(err)
 			values, err := chartLoader.loadConstellationServicesValues()
 			require.NoError(err)
-			err = extendConstellationServicesValues(values, tc.config, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), "https://192.0.2.1:8080/maa")
+			err = extendConstellationServicesValues(values, tc.config, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
 			require.NoError(err)
 
 			options := chartutil.ReleaseOptions{
@@ -313,12 +322,7 @@ func prepareAWSValues(values map[string]any) error {
 	if !ok {
 		return errors.New("missing 'join-service' key")
 	}
-	m := measurements.M{1: measurements.WithAllBytes(0xAA, false)}
-	mJSON, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	joinVals["measurements"] = string(mJSON)
+
 	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
 	ccmVals, ok := values["ccm"].(map[string]any)
@@ -347,13 +351,7 @@ func prepareAzureValues(values map[string]any) error {
 	if !ok {
 		return errors.New("missing 'join-service' key")
 	}
-	joinVals["idkeydigests"] = "[\"baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad\", \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"]"
-	m := measurements.M{1: measurements.WithAllBytes(0xAA, false)}
-	mJSON, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	joinVals["measurements"] = string(mJSON)
+
 	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
 	ccmVals, ok := values["ccm"].(map[string]any)
@@ -459,14 +457,6 @@ func prepareGCPValues(values map[string]any) error {
 		return errors.New("missing 'join-service' key")
 	}
 
-	m := measurements.M{
-		1: measurements.WithAllBytes(0xAA, measurements.Enforce),
-	}
-	mJSON, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	joinVals["measurements"] = string(mJSON)
 	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
 	ccmVals, ok := values["ccm"].(map[string]any)
@@ -535,12 +525,7 @@ func prepareOpenStackValues(values map[string]any) error {
 	if !ok {
 		return errors.New("missing 'join-service' key")
 	}
-	m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
-	mJSON, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	joinVals["measurements"] = string(mJSON)
+
 	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
 	ccmVals, ok := values["ccm"].(map[string]any)
@@ -570,12 +555,7 @@ func prepareQEMUValues(values map[string]any) error {
 	if !ok {
 		return errors.New("missing 'join-service' key")
 	}
-	m := measurements.M{1: measurements.WithAllBytes(0xAA, measurements.Enforce)}
-	mJSON, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	joinVals["measurements"] = string(mJSON)
+
 	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
 	verificationVals, ok := values["verification-service"].(map[string]any)