Refactor enforced/expected PCRs (#553)

* Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-05-03 14:54:53 -04:00 · 2022-11-24 10:57:58 +01:00 · 2022-11-24 10:57:58 +01:00 · f8001efbc0
commit f8001efbc0
parent 8ce954e012
46 changed files with 1180 additions and 801 deletions
--- a/cli/internal/cloudcmd/upgrade_test.go
+++ b/cli/internal/cloudcmd/upgrade_test.go
@ -33,12 +33,12 @@ func TestUpdateMeasurements(t *testing.T) {
 			updater: &stubMeasurementsUpdater{
 				oldMeasurements: &corev1.ConfigMap{
 					Data: map[string]string{
-						constants.MeasurementsFilename: `{"0":"AAAAAA=="}`,
+						constants.MeasurementsFilename: `{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`,
 					},
 				},
 			},
 			newMeasurements: measurements.M{
-				0: []byte("1"),
+				0: measurements.WithAllBytes(0xBB, false),
 			},
 			wantUpdate: true,
 		},
@ -46,14 +46,40 @@ func TestUpdateMeasurements(t *testing.T) {
 			updater: &stubMeasurementsUpdater{
 				oldMeasurements: &corev1.ConfigMap{
 					Data: map[string]string{
-						constants.MeasurementsFilename: `{"0":"MQ=="}`,
+						constants.MeasurementsFilename: `{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`,
 					},
 				},
 			},
 			newMeasurements: measurements.M{
-				0: []byte("1"),
+				0: measurements.WithAllBytes(0xAA, false),
 			},
 		},
+		"trying to set warnOnly to true results in error": {
+			updater: &stubMeasurementsUpdater{
+				oldMeasurements: &corev1.ConfigMap{
+					Data: map[string]string{
+						constants.MeasurementsFilename: `{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`,
+					},
+				},
+			},
+			newMeasurements: measurements.M{
+				0: measurements.WithAllBytes(0xAA, true),
+			},
+			wantErr: true,
+		},
+		"setting warnOnly to false is allowed": {
+			updater: &stubMeasurementsUpdater{
+				oldMeasurements: &corev1.ConfigMap{
+					Data: map[string]string{
+						constants.MeasurementsFilename: `{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":true}}`,
+					},
+				},
+			},
+			newMeasurements: measurements.M{
+				0: measurements.WithAllBytes(0xAA, false),
+			},
+			wantUpdate: true,
+		},
 		"getCurrent error": {
 			updater: &stubMeasurementsUpdater{getErr: someErr},
 			wantErr: true,
@ -62,7 +88,7 @@ func TestUpdateMeasurements(t *testing.T) {
 			updater: &stubMeasurementsUpdater{
 				oldMeasurements: &corev1.ConfigMap{
 					Data: map[string]string{
-						constants.MeasurementsFilename: `{"0":"AAAAAA=="}`,
+						constants.MeasurementsFilename: `{"0":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","warnOnly":false}}`,
 					},
 				},
 				updateErr: someErr,
@ -82,7 +108,7 @@ func TestUpdateMeasurements(t *testing.T) {

 			err := upgrader.updateMeasurements(context.Background(), tc.newMeasurements)
 			if tc.wantErr {
-				assert.ErrorIs(err, someErr)
+				assert.Error(err)
 				return
 			}