Commit Graph

155 Commits

Author SHA1 Message Date
katexochen
238a3c222b image: update measurements and image version 2023-10-30 11:23:12 +01:00
katexochen
5eb6cc6d08 image: update measurements and image version 2023-10-25 10:54:56 +02:00
edgelessci
5cd70ac58a
image: update measurements and image version (#2482)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-10-20 08:10:51 +02:00
edgelessci
43ee0791c6
image: update measurements and image version (#2477)
Co-authored-by: 3u13r <3u13r@users.noreply.github.com>
2023-10-19 14:50:52 +02:00
edgelessci
e231a24916
image: update measurements and image version (#2428)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-10-11 10:33:54 +02:00
Moritz Sanft
8749cafcbd explicitly initialize struct 2023-10-10 10:33:54 +02:00
Moritz Sanft
6f53dc90cf fix go-sev-guest default product 2023-10-10 10:33:54 +02:00
Moritz Sanft
d0fe6c9272
update list of default idkeydigests (#2415) 2023-10-06 11:32:19 +02:00
katexochen
957f8ad203 image: update measurements and image version 2023-10-06 08:09:28 +02:00
edgelessci
7e899d09c4
image: update measurements and image version (#2405)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-04 14:24:57 +02:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation (#2336)
* add ASK caching in joinservice

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use cached ASK in Azure SEV-SNP attestation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update test charts

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typ

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make caching mechanism less provider-specific

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `omitempty` flag

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* frontload certificate getter

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* rename frontloaded function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pass cached certificates to constructor

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix race condition

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix marshalling of empty certs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator usage

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [wip] add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add certcache tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validator test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unused fields in validator

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate precedence

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use separate context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Remove unnecessary comment

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* use background context

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Use error format directive

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* `azure` -> `Azure`

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* improve error messages

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add x509 -> PEM util function

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use crypto util functions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix certificate replacement logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only require ASK from certcache

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix comment typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
edgelessci
f543922944
image: update measurements and image version (#2383)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-27 08:28:32 +02:00
edgelessci
df77696620
image: update measurements and image version (#2351)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-25 10:18:55 +02:00
Moritz Sanft
3ed001fa8a
attestation: use go-sev-guest library (#2269)
* wip: switch to  attestation

* add extra comments

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* MAA checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use provided functions to parse report / cert chain

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* replace `CommitedTCB` check with `LaunchTCB` check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove debug check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove `LaunchTCB` == `CommitedTCB` check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* custom IdKeyDigests check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* basic test of report parsing from instance info

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* retrieve VCEK from AMD KDS

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove VCEK from `azureInstanceInfo`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `go-sev-guest` TCB version type

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix validation parsing test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix error message

* fix comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove certificate chain from `instanceInfo`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add test for idkeydigest check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip: update tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] debug prints

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip: fix tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip: fix tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix tests, do some clean-up

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add test case for fetching error

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* correct `hack` dependency

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix id key check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] comment out wip unit tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing newline

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* switch to released version of `go-sev-guest`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add constructor test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add VMPL check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add test assertions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* switch to pseudoversion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use fork with windows fix

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use data from THIM

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update embeds

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* verify against ARK in config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* invalid ASK

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: 3u13r <lc@edgeless.systems>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: 3u13r <lc@edgeless.systems>

* nits

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* refactoring

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* use upstream library with pseudoversion

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* Update internal/attestation/azure/snp/validator.go

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* simplify control flow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix return error

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix VCEK test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* revert unintentional changes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use new upstream release

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix removed AuthorKeyEn field

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix verification report printing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-21 14:08:00 +02:00
katexochen
f3f4944239 image: update measurements and image version 2023-09-20 10:52:13 +02:00
katexochen
83cfc86df1 image: update measurements and image version 2023-09-15 08:37:08 +02:00
katexochen
9c54ff06e0 image: update measurements and image version 2023-09-14 10:16:45 +02:00
edgelessci
4813296062
image: update measurements and image version (#2320)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-09 15:19:24 +02:00
Daniel Weiße
9765003298
cli: print ordered measurements list during constellation verify (#2302)
* Print measurements as ordered list during verify
* Fix missing safety check in AWS attestation validation

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 08:08:09 +02:00
edgelessci
4b48b5fdef
image: update measurements and image version (#2309)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-06 08:40:59 +02:00
edgelessci
463833433c
image: update measurements and image version (#2295)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-01 08:19:37 +02:00
edgelessci
eed2be0aa3
image: update measurements and image version (#2294)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-30 14:03:35 +02:00
edgelessci
0f4bd8296b
image: update measurements and image version (#2284)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-25 08:45:50 +02:00
edgelessci
3d5d291891
image: update measurements and image version (#2274)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-23 09:38:12 +02:00
Malte Poll
75ed8c9f3e attestation: allow "go test" to work with CGO disabled 2023-08-18 16:36:13 +02:00
edgelessci
04ece90172
image: update measurements and image version (#2247)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-08-17 08:17:28 +02:00
Daniel Weiße
103817a4a5
attestation: print ordered measurement verification warnings and errors (#2237)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-16 10:45:54 +02:00
edgelessci
f270e91724
image: update measurements and image version (#2238)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-16 09:41:01 +02:00
edgelessci
aa787a3ea6
image: update measurements and image version (#2206)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-11 11:19:57 +02:00
edgelessci
81a13319b7
image: update measurements and image version (#2183)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-09 10:14:39 +02:00
Paul Meyer
5dfa0520ce attestation: print pcr value of mismatch
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-08 18:46:13 +02:00
edgelessci
75c49b6515
image: update measurements and image version (#2163)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-04 09:58:31 +02:00
edgelessci
d71422667e
image: update measurements and image version (#2157)
Co-authored-by: daniel-weisse <daniel-weisse@users.noreply.github.com>
2023-08-04 08:35:19 +02:00
edgelessci
da1376cd90
image: update measurements and image version (#2151)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-08-02 10:13:56 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 16:48:13 +02:00
edgelessci
3324a4eba2
image: update measurements and image version (#2124)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-07-21 16:20:41 +02:00
Daniel Weiße
ea5c83587c Move CSI charts to separate chart and cleanup loader code
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-20 15:47:12 +02:00
edgelessci
2660c1aa87
image: update measurements and image version (#2116)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-07-19 08:35:56 +02:00
renovate[bot]
050db3a5d8
deps: update github.com/thomasten/go-tpm digest to f43f8e2 (#2048)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-07-07 13:17:58 +02:00
edgelessci
b71d5cdc17
image: update measurements and image version (#2054)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-07-07 08:13:54 +02:00
edgelessci
37288deacf
image: update measurements and image version (#2019)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-07-05 08:32:25 +02:00
edgelessci
05c43137e4
image: update measurements and image version (#1988)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-06-30 08:48:38 +02:00
Thomas Tendyck
46e144d19b Use term "attestation variant" consistently 2023-06-26 08:54:11 +02:00
Otto Bittner
7388240943
Revert "attestation: add SNP-based attestation for aws-sev-snp (#1916)" (#1957)
This reverts commit c7d12055d1.
2023-06-22 17:08:44 +02:00
Otto Bittner
c7d12055d1
attestation: add SNP-based attestation for aws-sev-snp (#1916)
* config: move AMD root key to global constant
* attestation: add SNP based attestation for aws
* Always enable SNP, regardless of attestation type.
* Make AWSNitroTPM default again

There exists a bug in AWS SNP implementation where sometimes
a host might not be able to produce valid SNP reports.
Since we have to wait for AWS to fix this we are merging SNP
attestation as opt-in feature.
2023-06-21 14:19:55 +02:00
renovate[bot]
4908b5f63c
deps: update golangci/golangci-lint to v1.53.2 (#1924)
* deps: update golangci/golangci-lint to v1.53.2
* deps: tidy all modules
* attestation: silence linter warning


---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-06-16 09:40:08 +02:00
edgelessci
a717cefc26
image: update measurements and image version (#1939)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-06-16 08:27:45 +02:00
edgelessci
8910e9bac4
image: update measurements and image version (#1927)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-06-14 08:31:30 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Adrian Stobbe
3fde118b33
config: enable azure snp version fetcher again + minimum age for latest version (#1899)
* fetch latest version when older than 2 weeks

* extend hack upload tool to pass an upload date

* Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8  (#1882)"

This reverts commit c7b22d314a.

* fix tests

* use NewAzureSEVSNPVersionList for type guarantees

* Revert "use NewAzureSEVSNPVersionList for type guarantees"

This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4.

* assure list is sorted

* improve root.go style

* daniel feedback
2023-06-09 12:48:12 +02:00