Refactor enforced/expected PCRs (#553)

* Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-09 23:42:21 -04:00 · 2022-11-24 10:57:58 +01:00 · 2022-11-24 10:57:58 +01:00 · f8001efbc0
commit f8001efbc0
parent 8ce954e012
46 changed files with 1180 additions and 801 deletions
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml
@ -5,7 +5,6 @@ metadata:
  namespace: {{ .Release.Namespace }}
 data:
  # mustToJson is required so the json-strings passed from go are of type string in the rendered yaml.
-  enforcedPCRs: {{ .Values.enforcedPCRs | mustToJson }}
  measurements: {{ .Values.measurements | mustToJson }}
  {{- if eq .Values.csp "Azure" }}
  # ConfigMap.data is of type map[string]string. quote will not quote a quoted string.
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
@ -5,15 +5,10 @@
            "description": "CSP to which the chart is deployed.",
            "enum": ["Azure", "GCP", "AWS", "QEMU"]
        },
-        "enforcedPCRs": {
-            "description": "JSON-string to describe the enforced PCRs.",
-            "type": "string",
-            "examples": ["[1, 15]"]
-        },
        "measurements": {
            "description": "JSON-string to describe the expected measurements.",
            "type": "string",
-            "examples": ["{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"]
+            "examples": ["{'1':{'expected':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','warnOnly':true},'15':{'expected':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=','warnOnly':true}}"]
        },
        "enforceIdKeyDigest": {
            "description": "Whether or not idkeydigest should be enforced during attestation on azure.",
@ -37,7 +32,6 @@
    },
    "required": [
        "csp",
-        "enforcedPCRs",
        "measurements",
        "measurementSalt",
        "image"