Refactor enforced/expected PCRs (#553)

* Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-14 09:45:34 -04:00 · 2022-11-24 10:57:58 +01:00 · 2022-11-24 10:57:58 +01:00 · f8001efbc0
commit f8001efbc0
parent 8ce954e012
46 changed files with 1180 additions and 801 deletions
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@ -8,7 +8,6 @@ package main

 import (
 	"context"
-	"encoding/json"
 	"flag"
 	"io"
 	"os"
@ -80,14 +79,10 @@ func main() {

 	switch cloudprovider.FromString(os.Getenv(constellationCSP)) {
 	case cloudprovider.AWS:
-		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.AWSPCRSelection)
+		measurements, err := vtpm.GetSelectedMeasurements(vtpm.OpenVTPM, vtpm.AWSPCRSelection)
 		if err != nil {
 			log.With(zap.Error(err)).Fatalf("Failed to get selected PCRs")
 		}
-		pcrsJSON, err := json.Marshal(pcrs)
-		if err != nil {
-			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
-		}

 		issuer = initserver.NewIssuerWrapper(aws.NewIssuer(), vmtype.Unknown, nil)

@ -104,13 +99,13 @@ func main() {

 		clusterInitJoiner = kubernetes.New(
 			"aws", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(),
-			metadata, pcrsJSON, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
+			metadata, measurements, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
 		)
 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()

 	case cloudprovider.GCP:
-		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.GCPPCRSelection)
+		measurements, err := vtpm.GetSelectedMeasurements(vtpm.OpenVTPM, vtpm.GCPPCRSelection)
 		if err != nil {
 			log.With(zap.Error(err)).Fatalf("Failed to get selected PCRs")
 		}
@ -129,20 +124,16 @@ func main() {
 		}

 		metadataAPI = metadata
-		pcrsJSON, err := json.Marshal(pcrs)
-		if err != nil {
-			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
-		}
 		clusterInitJoiner = kubernetes.New(
 			"gcp", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(),
-			metadata, pcrsJSON, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
+			metadata, measurements, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
 		)
 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()
 		log.Infof("Added load balancer IP to routing table")

 	case cloudprovider.Azure:
-		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.AzurePCRSelection)
+		measurements, err := vtpm.GetSelectedMeasurements(vtpm.OpenVTPM, vtpm.AzurePCRSelection)
 		if err != nil {
 			log.With(zap.Error(err)).Fatalf("Failed to get selected PCRs")
 		}
@ -163,20 +154,16 @@ func main() {
 			log.With(zap.Error(err)).Fatalf("Failed to set up cloud logger")
 		}
 		metadataAPI = metadata
-		pcrsJSON, err := json.Marshal(pcrs)
-		if err != nil {
-			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
-		}
 		clusterInitJoiner = kubernetes.New(
 			"azure", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(),
-			metadata, pcrsJSON, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
+			metadata, measurements, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
 		)

 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()

 	case cloudprovider.QEMU:
-		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.QEMUPCRSelection)
+		measurements, err := vtpm.GetSelectedMeasurements(vtpm.OpenVTPM, vtpm.QEMUPCRSelection)
 		if err != nil {
 			log.With(zap.Error(err)).Fatalf("Failed to get selected PCRs")
 		}
@ -185,13 +172,9 @@ func main() {

 		cloudLogger = qemucloud.NewLogger()
 		metadata := qemucloud.New()
-		pcrsJSON, err := json.Marshal(pcrs)
-		if err != nil {
-			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
-		}
 		clusterInitJoiner = kubernetes.New(
 			"qemu", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(),
-			metadata, pcrsJSON, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
+			metadata, measurements, helmClient, &kubewaiter.CloudKubeAPIWaiter{},
 		)
 		metadataAPI = metadata

--- a/bootstrapper/initproto/init.proto
+++ b/bootstrapper/initproto/init.proto
@ -27,9 +27,9 @@ message InitRequest {
 }

 message InitResponse {
-    bytes kubeconfig = 1;
-    bytes owner_id = 2;
-    bytes cluster_id = 3;
+  bytes kubeconfig = 1;
+  bytes owner_id = 2;
+  bytes cluster_id = 3;
 }

 message KubernetesComponent {
--- a/bootstrapper/internal/kubernetes/kubernetes.go
+++ b/bootstrapper/internal/kubernetes/kubernetes.go
@ -20,6 +20,7 @@ import (

 	"github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubernetes/k8sapi"
 	kubewaiter "github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubernetes/kubeWaiter"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/azureshared"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
@ -52,33 +53,33 @@ type kubeAPIWaiter interface {

 // KubeWrapper implements Cluster interface.
 type KubeWrapper struct {
-	cloudProvider           string
-	clusterUtil             clusterUtil
-	helmClient              helmClient
-	kubeAPIWaiter           kubeAPIWaiter
-	configProvider          configurationProvider
-	client                  k8sapi.Client
-	kubeconfigReader        configReader
-	providerMetadata        ProviderMetadata
-	initialMeasurementsJSON []byte
-	getIPAddr               func() (string, error)
+	cloudProvider       string
+	clusterUtil         clusterUtil
+	helmClient          helmClient
+	kubeAPIWaiter       kubeAPIWaiter
+	configProvider      configurationProvider
+	client              k8sapi.Client
+	kubeconfigReader    configReader
+	providerMetadata    ProviderMetadata
+	initialMeasurements measurements.M
+	getIPAddr           func() (string, error)
 }

 // New creates a new KubeWrapper with real values.
 func New(cloudProvider string, clusterUtil clusterUtil, configProvider configurationProvider, client k8sapi.Client,
-	providerMetadata ProviderMetadata, initialMeasurementsJSON []byte, helmClient helmClient, kubeAPIWaiter kubeAPIWaiter,
+	providerMetadata ProviderMetadata, measurements measurements.M, helmClient helmClient, kubeAPIWaiter kubeAPIWaiter,
 ) *KubeWrapper {
 	return &KubeWrapper{
-		cloudProvider:           cloudProvider,
-		clusterUtil:             clusterUtil,
-		helmClient:              helmClient,
-		kubeAPIWaiter:           kubeAPIWaiter,
-		configProvider:          configProvider,
-		client:                  client,
-		kubeconfigReader:        &KubeconfigReader{fs: afero.Afero{Fs: afero.NewOsFs()}},
-		providerMetadata:        providerMetadata,
-		initialMeasurementsJSON: initialMeasurementsJSON,
-		getIPAddr:               getIPAddr,
+		cloudProvider:       cloudProvider,
+		clusterUtil:         clusterUtil,
+		helmClient:          helmClient,
+		kubeAPIWaiter:       kubeAPIWaiter,
+		configProvider:      configProvider,
+		client:              client,
+		kubeconfigReader:    &KubeconfigReader{fs: afero.Afero{Fs: afero.NewOsFs()}},
+		providerMetadata:    providerMetadata,
+		initialMeasurements: measurements,
+		getIPAddr:           getIPAddr,
 	}
 }

@ -187,7 +188,21 @@ func (k *KubeWrapper) InitCluster(
 	} else {
 		controlPlaneIP = controlPlaneEndpoint
 	}
-	serviceConfig := constellationServicesConfig{k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI, controlPlaneIP}
+	if err := k.initialMeasurements.SetEnforced(enforcedPCRs); err != nil {
+		return nil, err
+	}
+	measurementsJSON, err := json.Marshal(k.initialMeasurements)
+	if err != nil {
+		return nil, fmt.Errorf("marshaling initial measurements: %w", err)
+	}
+	serviceConfig := constellationServicesConfig{
+		initialMeasurementsJSON: measurementsJSON,
+		idkeydigest:             idKeyDigest,
+		measurementSalt:         measurementSalt,
+		subnetworkPodCIDR:       subnetworkPodCIDR,
+		cloudServiceAccountURI:  cloudServiceAccountURI,
+		loadBalancerIP:          controlPlaneIP,
+	}
 	extraVals, err := k.setupExtraVals(ctx, serviceConfig)
 	if err != nil {
 		return nil, fmt.Errorf("setting up extraVals: %w", err)