mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-08-07 14:32:17 -04:00
attestation: add Azure TDX attestation (#2827)
* Implement Azure TDX attestation primitives * Add default measurements and claims for Azure TDX * Enable Constellation on Azure TDX --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße
GitHub
parent
e07ea4b40f
commit
e350ca0f57
57 changed files with 1604 additions and 681 deletions
|
|
@ -193,6 +193,9 @@ func validateAttestation(sl validator.StructLevel) {
|
|||
if attestation.AzureSEVSNP != nil {
|
||||
attestationCount++
|
||||
}
|
||||
if attestation.AzureTDX != nil {
|
||||
attestationCount++
|
||||
}
|
||||
if attestation.AzureTrustedLaunch != nil {
|
||||
attestationCount++
|
||||
}
|
||||
|
|
@ -244,7 +247,7 @@ func translateNoAttestationError(ut ut.Translator, fe validator.FieldError) stri
|
|||
}
|
||||
|
||||
func registerNoAttestationError(ut ut.Translator) error {
|
||||
return ut.Add("no_attestation", "{0}: No attestation has been defined (requires either awsSEVSNP, awsNitroTPM, azureSEVSNP, azureTrustedLaunch, gcpSEVES, or qemuVTPM)", true)
|
||||
return ut.Add("no_attestation", "{0}: No attestation has been defined (requires either awsSEVSNP, awsNitroTPM, azureSEVSNP, azureTDX, azureTrustedLaunch, gcpSEVES, or qemuVTPM)", true)
|
||||
}
|
||||
|
||||
func translateNoDefaultControlPlaneGroupError(ut ut.Translator, fe validator.FieldError) string {
|
||||
|
|
@ -352,6 +355,9 @@ func (c *Config) translateMoreThanOneAttestationError(ut ut.Translator, fe valid
|
|||
if c.Attestation.AzureSEVSNP != nil {
|
||||
definedAttestations = append(definedAttestations, "AzureSEVSNP")
|
||||
}
|
||||
if c.Attestation.AzureTDX != nil {
|
||||
definedAttestations = append(definedAttestations, "AzureTDX")
|
||||
}
|
||||
if c.Attestation.AzureTrustedLaunch != nil {
|
||||
definedAttestations = append(definedAttestations, "AzureTrustedLaunch")
|
||||
}
|
||||
|
|
@ -508,42 +514,38 @@ func (c *Config) translateMoreThanOneProviderError(ut ut.Translator, fe validato
|
|||
return t
|
||||
}
|
||||
|
||||
func validInstanceTypeForProvider(insType string, acceptNonCVM bool, provider cloudprovider.Provider) bool {
|
||||
switch provider {
|
||||
case cloudprovider.AWS:
|
||||
return isSupportedAWSInstanceType(insType, acceptNonCVM)
|
||||
case cloudprovider.Azure:
|
||||
if acceptNonCVM {
|
||||
for _, instanceType := range instancetypes.AzureTrustedLaunchInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for _, instanceType := range instancetypes.AzureTDXInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
for _, instanceType := range instancetypes.AzureSNPInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
func validInstanceTypeForProvider(insType string, attestation variant.Variant) bool {
|
||||
switch attestation {
|
||||
case variant.AWSSEVSNP{}, variant.AWSNitroTPM{}:
|
||||
return isSupportedAWSInstanceType(insType, attestation.Equal(variant.AWSNitroTPM{}))
|
||||
case variant.AzureSEVSNP{}:
|
||||
for _, instanceType := range instancetypes.AzureSNPInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
case cloudprovider.GCP:
|
||||
case variant.AzureTDX{}:
|
||||
for _, instanceType := range instancetypes.AzureTDXInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
case variant.AzureTrustedLaunch{}:
|
||||
for _, instanceType := range instancetypes.AzureTrustedLaunchInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
case variant.GCPSEVES{}:
|
||||
for _, instanceType := range instancetypes.GCPInstanceTypes {
|
||||
if insType == instanceType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
case cloudprovider.OpenStack, cloudprovider.QEMU:
|
||||
case variant.QEMUVTPM{}, variant.QEMUTDX{}:
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// isSupportedAWSInstanceType checks if an AWS instance type passed as user input is in one of the supported instance types.
|
||||
|
|
@ -781,16 +783,7 @@ func (c *Config) validateNodeGroupZoneField(fl validator.FieldLevel) bool {
|
|||
}
|
||||
|
||||
func (c *Config) validateInstanceType(fl validator.FieldLevel) bool {
|
||||
acceptNonCVM := false
|
||||
|
||||
if c.GetAttestationConfig().GetVariant().Equal(variant.AzureTrustedLaunch{}) {
|
||||
acceptNonCVM = true
|
||||
}
|
||||
if c.GetAttestationConfig().GetVariant().Equal(variant.AWSNitroTPM{}) {
|
||||
acceptNonCVM = true
|
||||
}
|
||||
|
||||
return validInstanceTypeForProvider(fl.Field().String(), acceptNonCVM, c.GetProvider())
|
||||
return validInstanceTypeForProvider(fl.Field().String(), c.GetAttestationConfig().GetVariant())
|
||||
}
|
||||
|
||||
func (c *Config) validateStateDiskTypeField(fl validator.FieldLevel) bool {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue