Refactor enforced/expected PCRs (#553)

* Merge enforced and expected measurements

* Update measurement generation to new format

* Write expected measurements hex encoded by default

* Allow hex or base64 encoded expected measurements

* Allow hex or base64 encoded clusterID

* Allow security upgrades to warnOnly flag

* Upload signed measurements in JSON format

* Fetch measurements either from JSON or YAML

* Use yaml.v3 instead of yaml.v2

* Error on invalid enforced selection

* Add placeholder measurements to config

* Update e2e test to new measurement format

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

internal/attestation/vtpm/attestation.go

@@ -16,6 +16,7 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	tpmClient "github.com/google/go-tpm-tools/client"
 	"github.com/google/go-tpm-tools/proto/attest"
 	tpmProto "github.com/google/go-tpm-tools/proto/tpm"
@@ -144,8 +145,7 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
 
 // Validator handles validation of TPM based attestation.
 type Validator struct {
-	expectedPCRs   map[uint32][]byte
-	enforcedPCRs   map[uint32]struct{}
+	expected       measurements.M
 	getTrustedKey  GetTPMTrustedAttestationPublicKey
 	validateCVM    ValidateCVM
 	verifyUserData VerifyUserData
@@ -154,18 +154,11 @@ type Validator struct {
 }
 
 // NewValidator returns a new Validator.
-func NewValidator(expectedPCRs map[uint32][]byte, enforcedPCRs []uint32, getTrustedKey GetTPMTrustedAttestationPublicKey,
+func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
 	validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger,
 ) *Validator {
-	// Convert the enforced PCR list to a map for convenient and fast lookup
-	enforcedMap := make(map[uint32]struct{})
-	for _, pcr := range enforcedPCRs {
-		enforcedMap[pcr] = struct{}{}
-	}
-
 	return &Validator{
-		expectedPCRs:   expectedPCRs,
-		enforcedPCRs:   enforcedMap,
+		expected:       expected,
 		getTrustedKey:  getTrustedKey,
 		validateCVM:    validateCVM,
 		verifyUserData: verifyUserData,
@@ -212,9 +205,9 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	for idx, pcr := range v.expectedPCRs {
-		if !bytes.Equal(pcr, attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
-			if _, ok := v.enforcedPCRs[idx]; ok {
+	for idx, pcr := range v.expected {
+		if !bytes.Equal(pcr.Expected[:], attDoc.Attestation.Quotes[quoteIdx].Pcrs.Pcrs[idx]) {
+			if !pcr.WarnOnly {
 				return nil, fmt.Errorf("untrusted PCR value at PCR index %d", idx)
 			}
 			if v.log != nil {
@@ -263,8 +256,8 @@ func VerifyPKCS1v15(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte)
 	return rsa.VerifyPKCS1v15(key, hash, hashed, sig)
 }
 
-// GetSelectedPCRs returns a map of the selected PCR hashes.
-func GetSelectedPCRs(open TPMOpenFunc, selection tpm2.PCRSelection) (map[uint32][]byte, error) {
+// GetSelectedMeasurements returns a map of Measurments for the PCRs in selection.
+func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (measurements.M, error) {
 	tpm, err := open()
 	if err != nil {
 		return nil, err
@@ -276,5 +269,15 @@ func GetSelectedPCRs(open TPMOpenFunc, selection tpm2.PCRSelection) (map[uint32]
 		return nil, err
 	}
 
-	return pcrList.Pcrs, nil
+	m := make(measurements.M)
+	for i, pcr := range pcrList.Pcrs {
+		if len(pcr) != 32 {
+			return nil, fmt.Errorf("invalid measurement: invalid length: %d", len(pcr))
+		}
+		m[i] = measurements.Measurement{
+			Expected: *(*[32]byte)(pcr),
+		}
+	}
+
+	return m, nil
 }

internal/attestation/vtpm/attestation_test.go

@@ -14,6 +14,7 @@ import (
 	"io"
 	"testing"
 
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	tpmsim "github.com/edgelesssys/constellation/v2/internal/attestation/simulator"
 	tpmclient "github.com/google/go-tpm-tools/client"
 	"github.com/google/go-tpm-tools/proto/attest"
@@ -64,14 +65,14 @@ func TestValidate(t *testing.T) {
 		return pubArea.Key()
 	}
 
-	testExpectedPCRs := map[uint32][]byte{
-		0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	testExpectedPCRs := measurements.M{
+		0: measurements.WithAllBytes(0x00, true),
+		1: measurements.WithAllBytes(0x00, true),
 	}
 	warnLog := &testAttestationLogger{}
 
 	issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
-	validator := NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog)
+	validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog)
 
 	nonce := []byte{1, 2, 3, 4}
 	challenge := []byte("Constellation")
@@ -89,18 +90,28 @@ func TestValidate(t *testing.T) {
 	require.NoError(err)
 	require.Equal(challenge, out)
 
-	enforcedPCRs := []uint32{0, 1}
-	expectedPCRs := map[uint32][]byte{
-		0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		2: {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
-		3: {0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
-		4: {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
-		5: {0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
+	expectedPCRs := measurements.M{
+		0: measurements.WithAllBytes(0x00, true),
+		1: measurements.WithAllBytes(0x00, true),
+		2: measurements.Measurement{
+			Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
+			WarnOnly: true,
+		},
+		3: measurements.Measurement{
+			Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
+			WarnOnly: true,
+		},
+		4: measurements.Measurement{
+			Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
+			WarnOnly: true,
+		},
+		5: measurements.Measurement{
+			Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
+			WarnOnly: true,
+		},
 	}
 	warningValidator := NewValidator(
 		expectedPCRs,
-		enforcedPCRs,
 		fakeGetTrustedKey,
 		fakeValidateCVM,
 		VerifyPKCS1v15,
@@ -109,7 +120,7 @@ func TestValidate(t *testing.T) {
 	out, err = warningValidator.Validate(attDocRaw, nonce)
 	require.NoError(err)
 	assert.Equal(t, challenge, out)
-	assert.Len(t, warnLog.warnings, len(expectedPCRs)-len(enforcedPCRs))
+	assert.Len(t, warnLog.warnings, 4)
 
 	testCases := map[string]struct {
 		validator *Validator
@@ -118,13 +129,13 @@ func TestValidate(t *testing.T) {
 		wantErr   bool
 	}{
 		"invalid nonce": {
-			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+			validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
 			attDoc:    mustMarshalAttestation(attDoc, require),
 			nonce:     []byte{4, 3, 2, 1},
 			wantErr:   true,
 		},
 		"invalid signature": {
-			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+			validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
 			attDoc: mustMarshalAttestation(AttestationDocument{
 				Attestation:       attDoc.Attestation,
 				InstanceInfo:      attDoc.InstanceInfo,
@@ -137,7 +148,6 @@ func TestValidate(t *testing.T) {
 		"untrusted attestation public key": {
 			validator: NewValidator(
 				testExpectedPCRs,
-				[]uint32{0, 1},
 				func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
 					return nil, errors.New("untrusted")
 				},
@@ -149,7 +159,6 @@ func TestValidate(t *testing.T) {
 		"not a CVM": {
 			validator: NewValidator(
 				testExpectedPCRs,
-				[]uint32{0, 1},
 				fakeGetTrustedKey,
 				func(attestation AttestationDocument) error {
 					return errors.New("untrusted")
@@ -161,10 +170,12 @@ func TestValidate(t *testing.T) {
 		},
 		"untrusted PCRs": {
 			validator: NewValidator(
-				map[uint32][]byte{
-					0: {0xFF},
+				measurements.M{
+					0: measurements.Measurement{
+						Expected: [32]byte{0xFF},
+						WarnOnly: false,
+					},
 				},
-				[]uint32{0},
 				fakeGetTrustedKey,
 				fakeValidateCVM,
 				VerifyPKCS1v15, warnLog),
@@ -173,7 +184,7 @@ func TestValidate(t *testing.T) {
 			wantErr: true,
 		},
 		"no sha256 quote": {
-			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+			validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
 			attDoc: mustMarshalAttestation(AttestationDocument{
 				Attestation: &attest.Attestation{
 					AkPub: attDoc.Attestation.AkPub,
@@ -191,7 +202,7 @@ func TestValidate(t *testing.T) {
 			wantErr: true,
 		},
 		"invalid attestation document": {
-			validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+			validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
 			attDoc:    []byte("invalid attestation"),
 			nonce:     nonce,
 			wantErr:   true,
@@ -350,7 +361,7 @@ func TestGetSHA256QuoteIndex(t *testing.T) {
 	}
 }
 
-func TestGetSelectedPCRs(t *testing.T) {
+func TestGetSelectedMeasurements(t *testing.T) {
 	testCases := map[string]struct {
 		openFunc     TPMOpenFunc
 		pcrSelection tpm2.PCRSelection
@@ -386,17 +397,13 @@ func TestGetSelectedPCRs(t *testing.T) {
 			require := require.New(t)
 			assert := assert.New(t)
 
-			pcrs, err := GetSelectedPCRs(tc.openFunc, tc.pcrSelection)
+			pcrs, err := GetSelectedMeasurements(tc.openFunc, tc.pcrSelection)
 			if tc.wantErr {
 				assert.Error(err)
-			} else {
-				require.NoError(err)
-
-				assert.Equal(len(pcrs), len(tc.pcrSelection.PCRs))
-				for _, pcr := range pcrs {
-					assert.Len(pcr, 32)
-				}
+				return
 			}
+			require.NoError(err)
+			assert.Len(pcrs, len(tc.pcrSelection.PCRs))
 		})
 	}
 }

internal/attestation/vtpm/initialize.go

@@ -9,18 +9,8 @@ package vtpm
 import (
 	"errors"
 
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpmutil"
-)
-
-const (
-	// PCRIndexClusterID is a PCR we extend to mark the node as initialized.
-	// The value used to extend is a random generated 32 Byte value.
-	PCRIndexClusterID = tpmutil.Handle(15)
-	// PCRIndexOwnerID is a PCR we extend to mark the node as initialized.
-	// The value used to extend is derived from Constellation's master key.
-	// TODO: move to stable, non-debug PCR before use.
-	PCRIndexOwnerID = tpmutil.Handle(16)
 )
 
 // MarkNodeAsBootstrapped marks a node as initialized by extending PCRs.
@@ -32,7 +22,7 @@ func MarkNodeAsBootstrapped(openTPM TPMOpenFunc, clusterID []byte) error {
 	defer tpm.Close()
 
 	// clusterID is used to uniquely identify this running instance of Constellation
-	return tpm2.PCREvent(tpm, PCRIndexClusterID, clusterID)
+	return tpm2.PCREvent(tpm, measurements.PCRIndexClusterID, clusterID)
 }
 
 // IsNodeBootstrapped checks if a node is already bootstrapped by reading PCRs.
@@ -43,7 +33,7 @@ func IsNodeBootstrapped(openTPM TPMOpenFunc) (bool, error) {
 	}
 	defer tpm.Close()
 
-	idxClusterID := int(PCRIndexClusterID)
+	idxClusterID := int(measurements.PCRIndexClusterID)
 	pcrs, err := tpm2.ReadPCRs(tpm, tpm2.PCRSelection{
 		Hash: tpm2.AlgSHA256,
 		PCRs: []int{idxClusterID},

internal/attestation/vtpm/initialize_test.go

@@ -11,6 +11,7 @@ import (
 	"io"
 	"testing"
 
+	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/simulator"
 	"github.com/google/go-tpm-tools/client"
 	"github.com/google/go-tpm/tpm2"
@@ -45,7 +46,7 @@ func TestMarkNodeAsBootstrapped(t *testing.T) {
 	require.NoError(err)
 
 	for i := range pcrs {
-		assert.NotEqual(pcrs[i].Pcrs[uint32(PCRIndexClusterID)], pcrsInitialized[i].Pcrs[uint32(PCRIndexClusterID)])
+		assert.NotEqual(pcrs[i].Pcrs[uint32(measurements.PCRIndexClusterID)], pcrsInitialized[i].Pcrs[uint32(measurements.PCRIndexClusterID)])
 	}
 }
 
@@ -76,7 +77,7 @@ func TestIsNodeInitialized(t *testing.T) {
 			require.NoError(err)
 			defer tpm.Close()
 			if tc.pcrValueClusterID != nil {
-				require.NoError(tpm2.PCREvent(tpm, PCRIndexClusterID, tc.pcrValueClusterID))
+				require.NoError(tpm2.PCREvent(tpm, measurements.PCRIndexClusterID, tc.pcrValueClusterID))
 			}
 			initialized, err := IsNodeBootstrapped(func() (io.ReadWriteCloser, error) {
 				return &simTPMNOPCloser{tpm}, nil