mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-08-06 14:04:17 -04:00
Refactor enforced/expected PCRs (#553)
* Merge enforced and expected measurements * Update measurement generation to new format * Write expected measurements hex encoded by default * Allow hex or base64 encoded expected measurements * Allow hex or base64 encoded clusterID * Allow security upgrades to warnOnly flag * Upload signed measurements in JSON format * Fetch measurements either from JSON or YAML * Use yaml.v3 instead of yaml.v2 * Error on invalid enforced selection * Add placeholder measurements to config * Update e2e test to new measurement format Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
8ce954e012
commit
f8001efbc0
46 changed files with 1180 additions and 801 deletions
|
@ -14,6 +14,7 @@ import (
|
|||
"io"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
||||
tpmsim "github.com/edgelesssys/constellation/v2/internal/attestation/simulator"
|
||||
tpmclient "github.com/google/go-tpm-tools/client"
|
||||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
|
@ -64,14 +65,14 @@ func TestValidate(t *testing.T) {
|
|||
return pubArea.Key()
|
||||
}
|
||||
|
||||
testExpectedPCRs := map[uint32][]byte{
|
||||
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
testExpectedPCRs := measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, true),
|
||||
1: measurements.WithAllBytes(0x00, true),
|
||||
}
|
||||
warnLog := &testAttestationLogger{}
|
||||
|
||||
issuer := NewIssuer(newSimTPMWithEventLog, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
|
||||
validator := NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog)
|
||||
validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog)
|
||||
|
||||
nonce := []byte{1, 2, 3, 4}
|
||||
challenge := []byte("Constellation")
|
||||
|
@ -89,18 +90,28 @@ func TestValidate(t *testing.T) {
|
|||
require.NoError(err)
|
||||
require.Equal(challenge, out)
|
||||
|
||||
enforcedPCRs := []uint32{0, 1}
|
||||
expectedPCRs := map[uint32][]byte{
|
||||
0: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
1: {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
|
||||
2: {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
||||
3: {0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
|
||||
4: {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
|
||||
5: {0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
|
||||
expectedPCRs := measurements.M{
|
||||
0: measurements.WithAllBytes(0x00, true),
|
||||
1: measurements.WithAllBytes(0x00, true),
|
||||
2: measurements.Measurement{
|
||||
Expected: [32]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20},
|
||||
WarnOnly: true,
|
||||
},
|
||||
3: measurements.Measurement{
|
||||
Expected: [32]byte{0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40},
|
||||
WarnOnly: true,
|
||||
},
|
||||
4: measurements.Measurement{
|
||||
Expected: [32]byte{0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60},
|
||||
WarnOnly: true,
|
||||
},
|
||||
5: measurements.Measurement{
|
||||
Expected: [32]byte{0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80},
|
||||
WarnOnly: true,
|
||||
},
|
||||
}
|
||||
warningValidator := NewValidator(
|
||||
expectedPCRs,
|
||||
enforcedPCRs,
|
||||
fakeGetTrustedKey,
|
||||
fakeValidateCVM,
|
||||
VerifyPKCS1v15,
|
||||
|
@ -109,7 +120,7 @@ func TestValidate(t *testing.T) {
|
|||
out, err = warningValidator.Validate(attDocRaw, nonce)
|
||||
require.NoError(err)
|
||||
assert.Equal(t, challenge, out)
|
||||
assert.Len(t, warnLog.warnings, len(expectedPCRs)-len(enforcedPCRs))
|
||||
assert.Len(t, warnLog.warnings, 4)
|
||||
|
||||
testCases := map[string]struct {
|
||||
validator *Validator
|
||||
|
@ -118,13 +129,13 @@ func TestValidate(t *testing.T) {
|
|||
wantErr bool
|
||||
}{
|
||||
"invalid nonce": {
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
attDoc: mustMarshalAttestation(attDoc, require),
|
||||
nonce: []byte{4, 3, 2, 1},
|
||||
wantErr: true,
|
||||
},
|
||||
"invalid signature": {
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||
Attestation: attDoc.Attestation,
|
||||
InstanceInfo: attDoc.InstanceInfo,
|
||||
|
@ -137,7 +148,6 @@ func TestValidate(t *testing.T) {
|
|||
"untrusted attestation public key": {
|
||||
validator: NewValidator(
|
||||
testExpectedPCRs,
|
||||
[]uint32{0, 1},
|
||||
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
|
||||
return nil, errors.New("untrusted")
|
||||
},
|
||||
|
@ -149,7 +159,6 @@ func TestValidate(t *testing.T) {
|
|||
"not a CVM": {
|
||||
validator: NewValidator(
|
||||
testExpectedPCRs,
|
||||
[]uint32{0, 1},
|
||||
fakeGetTrustedKey,
|
||||
func(attestation AttestationDocument) error {
|
||||
return errors.New("untrusted")
|
||||
|
@ -161,10 +170,12 @@ func TestValidate(t *testing.T) {
|
|||
},
|
||||
"untrusted PCRs": {
|
||||
validator: NewValidator(
|
||||
map[uint32][]byte{
|
||||
0: {0xFF},
|
||||
measurements.M{
|
||||
0: measurements.Measurement{
|
||||
Expected: [32]byte{0xFF},
|
||||
WarnOnly: false,
|
||||
},
|
||||
},
|
||||
[]uint32{0},
|
||||
fakeGetTrustedKey,
|
||||
fakeValidateCVM,
|
||||
VerifyPKCS1v15, warnLog),
|
||||
|
@ -173,7 +184,7 @@ func TestValidate(t *testing.T) {
|
|||
wantErr: true,
|
||||
},
|
||||
"no sha256 quote": {
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
attDoc: mustMarshalAttestation(AttestationDocument{
|
||||
Attestation: &attest.Attestation{
|
||||
AkPub: attDoc.Attestation.AkPub,
|
||||
|
@ -191,7 +202,7 @@ func TestValidate(t *testing.T) {
|
|||
wantErr: true,
|
||||
},
|
||||
"invalid attestation document": {
|
||||
validator: NewValidator(testExpectedPCRs, []uint32{0, 1}, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
|
||||
attDoc: []byte("invalid attestation"),
|
||||
nonce: nonce,
|
||||
wantErr: true,
|
||||
|
@ -350,7 +361,7 @@ func TestGetSHA256QuoteIndex(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestGetSelectedPCRs(t *testing.T) {
|
||||
func TestGetSelectedMeasurements(t *testing.T) {
|
||||
testCases := map[string]struct {
|
||||
openFunc TPMOpenFunc
|
||||
pcrSelection tpm2.PCRSelection
|
||||
|
@ -386,17 +397,13 @@ func TestGetSelectedPCRs(t *testing.T) {
|
|||
require := require.New(t)
|
||||
assert := assert.New(t)
|
||||
|
||||
pcrs, err := GetSelectedPCRs(tc.openFunc, tc.pcrSelection)
|
||||
pcrs, err := GetSelectedMeasurements(tc.openFunc, tc.pcrSelection)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
} else {
|
||||
require.NoError(err)
|
||||
|
||||
assert.Equal(len(pcrs), len(tc.pcrSelection.PCRs))
|
||||
for _, pcr := range pcrs {
|
||||
assert.Len(pcr, 32)
|
||||
}
|
||||
return
|
||||
}
|
||||
require.NoError(err)
|
||||
assert.Len(pcrs, len(tc.pcrSelection.PCRs))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue