internal: use config to create attestation validators (#1561)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-03 20:44:14 -04:00 · 2023-04-06 17:00:56 +02:00 · 2023-04-06 17:00:56 +02:00 · ec01c57661
commit ec01c57661
parent 2b962598bf
38 changed files with 649 additions and 274 deletions
--- a/cli/internal/cloudcmd/validators.go
+++ b/cli/internal/cloudcmd/validators.go
@ -15,7 +15,6 @@ import (

 	"github.com/edgelesssys/constellation/v2/internal/atls"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/choose"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/variant"
@ -26,7 +25,7 @@ import (
 type Validator struct {
 	attestationVariant variant.Variant
 	pcrs               measurements.M
-	idKeyConfig        idkeydigest.Config
+	idKeyConfig        config.SNPFirmwareSignerConfig
 	validator          atls.Validator
 	log                debugLog
 }
@ -45,10 +44,10 @@ func NewValidator(conf *config.Config, maaURL string, log debugLog) (*Validator,
 	}

 	if v.attestationVariant.Equal(variant.AzureSEVSNP{}) {
-		v.idKeyConfig = idkeydigest.Config{
-			IDKeyDigests:      conf.Provider.Azure.IDKeyDigest,
-			EnforcementPolicy: conf.IDKeyDigestPolicy(),
-			MAAURL:            maaURL,
+		v.idKeyConfig = config.SNPFirmwareSignerConfig{
+			AcceptedKeyDigests: conf.Provider.Azure.IDKeyDigest,
+			EnforcementPolicy:  conf.IDKeyDigestPolicy(),
+			MAAURL:             maaURL,
 		}
 	}

--- a/cli/internal/cloudcmd/validators_test.go
+++ b/cli/internal/cloudcmd/validators_test.go
@ -120,8 +120,8 @@ func TestNewValidator(t *testing.T) {
 				Provider: config.ProviderConfig{
 					Azure: &config.AzureConfig{
 						Measurements:       testPCRs,
-						IDKeyDigest:        idkeydigest.IDKeyDigests{[]byte("414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141")},
-						EnforceIDKeyDigest: idkeydigest.StrictChecking,
+						IDKeyDigest:        idkeydigest.List{[]byte("414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141")},
+						EnforceIDKeyDigest: idkeydigest.Equal,
 					},
 				},
 			},
@ -174,26 +174,31 @@ func TestValidatorV(t *testing.T) {
 		"gcp": {
 			variant: variant.GCPSEVES{},
 			pcrs:    newTestPCRs(),
-			wantVs:  gcp.NewValidator(newTestPCRs(), nil),
+			wantVs:  gcp.NewValidator(config.GCPSEVES{Measurements: newTestPCRs()}, nil),
 		},
 		"azure cvm": {
 			variant: variant.AzureSEVSNP{},
 			pcrs:    newTestPCRs(),
 			wantVs: snp.NewValidator(
-				newTestPCRs(),
-				idkeydigest.Config{IDKeyDigests: idkeydigest.IDKeyDigests{}, EnforcementPolicy: idkeydigest.WarnOnly},
+				config.AzureSEVSNP{
+					Measurements: newTestPCRs(),
+					FirmwareSignerConfig: config.SNPFirmwareSignerConfig{
+						AcceptedKeyDigests: idkeydigest.List{},
+						EnforcementPolicy:  idkeydigest.WarnOnly,
+					},
+				},
 				nil,
 			),
 		},
 		"azure trusted launch": {
 			variant: variant.AzureTrustedLaunch{},
 			pcrs:    newTestPCRs(),
-			wantVs:  trustedlaunch.NewValidator(newTestPCRs(), nil),
+			wantVs:  trustedlaunch.NewValidator(config.AzureTrustedLaunch{Measurements: newTestPCRs()}, nil),
 		},
 		"qemu": {
 			variant: variant.QEMUVTPM{},
 			pcrs:    newTestPCRs(),
-			wantVs:  qemu.NewValidator(newTestPCRs(), nil),
+			wantVs:  qemu.NewValidator(config.QEMUVTPM{Measurements: newTestPCRs()}, nil),
 		},
 	}

--- a/cli/internal/cmd/create.go
+++ b/cli/internal/cmd/create.go
@ -105,7 +105,7 @@ func (c *createCmd) create(cmd *cobra.Command, creator cloudCreator, fileHandler
 	if attestVariant.Equal(variant.AzureTrustedLaunch{}) {
 		cmd.PrintErrln("Disabling Confidential VMs is insecure. Use only for evaluation purposes.")
 		printedAWarning = true
-		if conf.IDKeyDigestPolicy() == idkeydigest.StrictChecking || conf.IDKeyDigestPolicy() == idkeydigest.MAAFallback {
+		if conf.IDKeyDigestPolicy() == idkeydigest.Equal || conf.IDKeyDigestPolicy() == idkeydigest.MAAFallback {
 			cmd.PrintErrln("Your config asks for validating the idkeydigest. This is only available on Confidential VMs. It will not be enforced.")
 		}
 	}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
@ -13,7 +13,7 @@
        "idKeyConfig": {
            "description": "Configuration for validating the ID Key Digest of the SEV-SNP attestation.",
            "type": "string",
-            "examples": ["{'EnforcementPolicy': 'MAAFallback', 'MAAURL': 'https://192.0.2.1:8080/maa', 'IDKeyDigests': ['57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696', '0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3'}"]
+            "examples": ["{'enforcementPolicy': 'MAAFallback', 'maaURL': 'https://192.0.2.1:8080/maa', 'acceptedKeyDigests': ['57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696', '0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3'}"]
        },
        "image": {
            "description": "Container image to use for the spawned pods.",
--- a/cli/internal/helm/client.go
+++ b/cli/internal/helm/client.go
@ -380,16 +380,16 @@ func setAttestationVariant(values map[string]any, variant string) error {

 // TODO: v2.8: remove. This function is only temporarily needed as a migration from 2.6 to 2.7.
 // setIdkeyConfig sets the idkeyconfig value on the join-service value maps.
-func setIdkeyConfig(values map[string]any, config *config.Config, maaURL string) error {
+func setIdkeyConfig(values map[string]any, cfg *config.Config, maaURL string) error {
 	joinServiceVals, ok := values["join-service"].(map[string]any)
 	if !ok {
 		return errors.New("invalid join-service values")
 	}

-	idKeyCfg := idkeydigest.Config{
-		IDKeyDigests:      config.IDKeyDigests(),
-		EnforcementPolicy: config.IDKeyDigestPolicy(),
-		MAAURL:            maaURL,
+	idKeyCfg := config.SNPFirmwareSignerConfig{
+		AcceptedKeyDigests: cfg.IDKeyDigests(),
+		EnforcementPolicy:  cfg.IDKeyDigestPolicy(),
+		MAAURL:             maaURL,
 	}
 	marshalledCfg, err := json.Marshal(idKeyCfg)
 	if err != nil {
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@ -17,7 +17,6 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/edgelesssys/constellation/v2/internal/attestation/idkeydigest"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/compatibility"
 	"github.com/edgelesssys/constellation/v2/internal/config"
@ -466,7 +465,7 @@ func (i *ChartLoader) loadConstellationServicesValues() (map[string]any, error)
 // extendConstellationServicesValues extends the given values map by some values depending on user input.
 // Values set inside this function are only applied during init, not during upgrade.
 func extendConstellationServicesValues(
-	in map[string]any, config *config.Config, masterSecret, salt []byte, maaURL string,
+	in map[string]any, cfg *config.Config, masterSecret, salt []byte, maaURL string,
 ) error {
 	keyServiceValues, ok := in["key-service"].(map[string]any)
 	if !ok {
@ -479,11 +478,11 @@ func extendConstellationServicesValues(
 	if !ok {
 		return errors.New("invalid join-service values")
 	}
-	joinServiceVals["attestationVariant"] = config.AttestationVariant
+	joinServiceVals["attestationVariant"] = cfg.AttestationVariant

 	// measurements are updated separately during upgrade,
 	// so we only set them in Helm during init.
-	measurementsJSON, err := json.Marshal(config.GetMeasurements())
+	measurementsJSON, err := json.Marshal(cfg.GetMeasurements())
 	if err != nil {
 		return fmt.Errorf("marshalling measurements: %w", err)
 	}
@ -493,9 +492,9 @@ func extendConstellationServicesValues(
 	if !ok {
 		return errors.New("invalid verification-service values")
 	}
-	verifyServiceVals["attestationVariant"] = config.AttestationVariant
+	verifyServiceVals["attestationVariant"] = cfg.AttestationVariant

-	csp := config.GetProvider()
+	csp := cfg.GetProvider()
 	switch csp {
 	case cloudprovider.Azure:
 		joinServiceVals, ok := in["join-service"].(map[string]any)
@ -503,10 +502,10 @@ func extendConstellationServicesValues(
 			return errors.New("invalid join-service values")
 		}

-		idKeyCfg := idkeydigest.Config{
-			IDKeyDigests:      config.IDKeyDigests(),
-			EnforcementPolicy: config.IDKeyDigestPolicy(),
-			MAAURL:            maaURL,
+		idKeyCfg := config.SNPFirmwareSignerConfig{
+			AcceptedKeyDigests: cfg.IDKeyDigests(),
+			EnforcementPolicy:  cfg.IDKeyDigestPolicy(),
+			MAAURL:             maaURL,
 		}
 		marshalledCfg, err := json.Marshal(idKeyCfg)
 		if err != nil {
@ -515,12 +514,12 @@ func extendConstellationServicesValues(
 		joinServiceVals["idKeyConfig"] = string(marshalledCfg)

 		in["azure"] = map[string]any{
-			"deployCSIDriver": config.DeployCSIDriver(),
+			"deployCSIDriver": cfg.DeployCSIDriver(),
 		}

 	case cloudprovider.GCP:
 		in["gcp"] = map[string]any{
-			"deployCSIDriver": config.DeployCSIDriver(),
+			"deployCSIDriver": cfg.DeployCSIDriver(),
 		}
 	}

--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@ -74,7 +74,7 @@ func TestConstellationServices(t *testing.T) {
 				AttestationVariant: variant.AzureSEVSNP{}.String(),
 				Provider: config.ProviderConfig{Azure: &config.AzureConfig{
 					DeployCSIDriver:    toPtr(true),
-					EnforceIDKeyDigest: idkeydigest.StrictChecking,
+					EnforceIDKeyDigest: idkeydigest.Equal,
 					IDKeyDigest: [][]byte{
 						{0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad, 0xba, 0xaa, 0xaa, 0xad},
 						{0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa},
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml
@ -5,6 +5,6 @@ metadata:
  namespace: testNamespace
 data:
  measurements: "{\"1\":{\"expected\":\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\"warnOnly\":false}}"
-  idKeyConfig: "{\"idKeyDigests\":[\"baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad\",\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"],\"enforcementPolicy\":\"StrictChecking\",\"maaURL\":\"https://192.0.2.1:8080/maa\"}"
+  idKeyConfig: "{\"acceptedKeyDigests\":[\"baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad\",\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"],\"enforcementPolicy\":\"Equal\",\"maaURL\":\"https://192.0.2.1:8080/maa\"}"
 binaryData:
  measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA