Otto Bittner
84d8bd8110
verify: query vlek ASK from KDS if not set
...
The user can choose to supply an intermediate
certificate through the config, like they can
for the root key. If none is supplied,
the KDS is queried for a valid ASK.
2023-11-24 15:49:48 +01:00
Otto Bittner
07eed0e319
attestation: use SNP-based attestation for AWS SNP
2023-11-24 15:49:48 +01:00
Daniel Weiße
671cf36f0a
cli: common backend for init
and upgrade apply
commands ( #2449 )
...
* Use common 'apply' backend for init and upgrades
* Move unit tests to new apply backend
* Only perform Terraform migrations if state exists in cwd (#2457 )
* Rework skipPhases logic
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-24 15:39:18 +02:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation ( #2336 )
...
* add ASK caching in joinservice
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use cached ASK in Azure SEV-SNP attestation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update test charts
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typ
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make caching mechanism less provider-specific
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add `omitempty` flag
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* frontload certificate getter
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* rename frontloaded function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pass cached certificates to constructor
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix race condition
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix marshalling of empty certs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip] add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unused fields in validator
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate precedence
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use separate context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Remove unnecessary comment
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use background context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Use error format directive
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* `azure` -> `Azure`
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* improve error messages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add x509 -> PEM util function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use crypto util functions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate replacement logic
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only require ASK from certcache
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix comment typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP
as new variant ( #1900 )
...
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Daniel Weiße
1d5af5f0f4
Rebase fixes
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters ( #1623 )
...
* Add attestation options to config
* Add join-config migration path for clusters with old measurement format
* Always create MAA provider for Azure SNP clusters
* Remove confidential VM option from provider in favor of attestation options
* cli: add config migrate command to handle config migration (#1678 )
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Daniel Weiße
ec01c57661
internal: use config to create attestation validators ( #1561 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-04-06 17:00:56 +02:00