Commit Graph

20 Commits

Author SHA1 Message Date
Otto Bittner
cdc91b50bc verify: move CSP-specific code to internal/verify
With the introduction of SNP-based attestation on AWS
some of the information in the report (MAAToken) is not
applicable to all attestation reports anymore.
Thus, make verify cmd CSP-agnostic and move
CSP-specific logic to internal/verify.
Also make internal/attestation/snp CSP aware.
2023-11-24 15:49:48 +01:00
Otto Bittner
5ce55e3449 attestation: add snp package
The package holds code shared between SNP-based
attestation implementations on AWS and Azure .
2023-11-24 15:49:48 +01:00
Otto Bittner
8341db3c33 attestation: clear certificate cache in azure snp
The unittest was flacky as testcases with valid certs
in the getter property lead to those certs being cached
inside the trust module. Other testcases however,
may want to explicitly use invalid certs. The cache
interferes with this.

Co-authored-by: Moritz Sanft <ms@edgeless.systems>
2023-11-08 13:31:26 +01:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation (#2336)
* add ASK caching in joinservice

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use cached ASK in Azure SEV-SNP attestation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update test charts

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typ

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make caching mechanism less provider-specific

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `omitempty` flag

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* frontload certificate getter

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* rename frontloaded function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pass cached certificates to constructor

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix race condition

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix marshalling of empty certs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip] add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unused fields in validator

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate precedence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use separate context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Remove unnecessary comment

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* use background context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Use error format directive

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* `azure` -> `Azure`

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* improve error messages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add x509 -> PEM util function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use crypto util functions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate replacement logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only require ASK from certcache

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix comment typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Moritz Sanft
3ed001fa8a
attestation: use go-sev-guest library (#2269)
* wip: switch to  attestation

* add extra comments

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* MAA checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use provided functions to parse report / cert chain

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* replace `CommitedTCB` check with `LaunchTCB` check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove debug check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove `LaunchTCB` == `CommitedTCB` check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* custom IdKeyDigests check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* basic test of report parsing from instance info

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* retrieve VCEK from AMD KDS

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove VCEK from `azureInstanceInfo`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `go-sev-guest` TCB version type

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validation parsing test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix error message

* fix comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove certificate chain from `instanceInfo`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add test for idkeydigest check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip: update tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] debug prints

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip: fix tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip: fix tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix tests, do some clean-up

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add test case for fetching error

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* correct `hack` dependency

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix id key check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] comment out wip unit tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing newline

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* switch to released version of `go-sev-guest`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add constructor test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add VMPL check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add test assertions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* switch to pseudoversion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use fork with windows fix

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use data from THIM

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update embeds

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* verify against ARK in config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* invalid ASK

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: 3u13r <lc@edgeless.systems>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: 3u13r <lc@edgeless.systems>

* nits

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* refactoring

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* use upstream library with pseudoversion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* simplify control flow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix return error

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix VCEK test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* revert unintentional changes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use new upstream release

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix removed AuthorKeyEn field

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix verification report printing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-21 14:08:00 +02:00
Malte Poll
75ed8c9f3e attestation: allow "go test" to work with CGO disabled 2023-08-18 16:36:13 +02:00
renovate[bot]
050db3a5d8
deps: update github.com/thomasten/go-tpm digest to f43f8e2 (#2048)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-07-07 13:17:58 +02:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback
2023-06-09 12:48:12 +02:00
Adrian Stobbe
c7b22d314a
config: disable user-facing version Azure SEV SNP fetch for v2.8 (#1882)
* config: disable user-facing version fetch for Azure SEV SNP

don't allow "latest" value and disable user-facing version fetcher for Azure SEV SNP

Co-authored-by: @derpsteb

* fix unittests

* attestation: getTrustedKey

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-06 10:44:13 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API (#1808) 2023-05-25 17:43:44 +01:00
Daniel Weiße
ec01c57661
internal: use config to create attestation validators (#1561)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-04-06 17:00:56 +02:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest (#1257)
* Convert enforceIDKeyDigest setting to enum

* Use MAA fallback in Azure SNP attestation

* Only create MAA provider if MAA fallback is enabled

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Paul Meyer
0036b24266 go: remove unused parameters
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-03-20 08:41:01 -04:00
Thomas Tendyck
2535073df8 attestation: add MachineState to ValidateCVM 2023-03-06 13:09:57 +01:00
3u13r
632090c21b
azure: allow a set of idkeydigest values (#991) 2023-01-18 16:49:55 +01:00
Fabian Kammel
369480a50b
Feat/revive (#212)
* enable revive as linter
* fix var-naming revive issues
* fix blank-imports revive issues
* fix receiver-naming revive issues
* fix exported revive issues
* fix indent-error-flow revive issues
* fix unexported-return revive issues
* fix indent-error-flow revive issues
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-05 15:02:46 +02:00
katexochen
ba6e41ed5c Upgrade go module to v2 2022-09-22 09:10:19 +02:00
Otto Bittner
611ec25f22 AB#2380: Add unittest for validateAk
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-07 13:59:09 +02:00
Otto Bittner
23bf4aa665
AB#2379: Validate version in SNP report (#80)
* AB#2379: Validate version in SNP report

* Check that TCB version in VCEK matches COMMITTED_TCB
* Check that LAUNCH, CURRENT and REPORTED TCB are at least
at the same security level as we are currently.
* Rename variables in snpReport struct
* Use default values in validator_test.go

Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-07 10:39:38 +02:00
Otto Bittner
405db3286e AB#2386: TrustedLaunch support for azure attestation
* There are now two attestation packages on azure.
The issuer on the server side is created base on successfully
querying the idkeydigest from the TPM. Fallback on err: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42)
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests

Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00