* wip: switch to attestation
* add extra comments
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* MAA checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use provided functions to parse report / cert chain
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* replace `CommitedTCB` check with `LaunchTCB` check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove debug check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove `LaunchTCB` == `CommitedTCB` check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* custom IdKeyDigests check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* basic test of report parsing from instance info
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* retrieve VCEK from AMD KDS
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove VCEK from `azureInstanceInfo`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `go-sev-guest` TCB version type
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validation parsing test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix error message
* fix comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove certificate chain from `instanceInfo`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test for idkeydigest check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: update tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] debug prints
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: fix tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip: fix tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix tests, do some clean-up
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test case for fetching error
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* correct `hack` dependency
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix id key check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] comment out wip unit tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing newline
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* switch to released version of `go-sev-guest`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add constructor test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add VMPL check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add test assertions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* switch to pseudoversion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use fork with windows fix
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use data from THIM
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update embeds
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* verify against ARK in config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* invalid ASK
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: 3u13r <lc@edgeless.systems>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: 3u13r <lc@edgeless.systems>
* nits
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* refactoring
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use upstream library with pseudoversion
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Update internal/attestation/azure/snp/validator.go
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* simplify control flow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix return error
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix VCEK test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* revert unintentional changes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use new upstream release
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix removed AuthorKeyEn field
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix verification report printing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: 3u13r <lc@edgeless.systems>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Print measurements as ordered list during verify
* Fix missing safety check in AWS attestation validation
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Previously the timeout was not set in the client's constructor, thus the
zero value was used. The client did not wait for invalidation.
To prevent this in the future a warning is logged if wait is disabled.
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
* Remove signature checks from unittests. Would need to export
signature from client/fetcher (unwanted). Can't figure out a better way.
e2e test completes in ~4sec and runs automatically.
So seems like a acceptable tradeoff.
* list object is now signed, but not verified. If we start to verify the list
we will have to adapt the e2e test to restore the previous list.
Otherwise there could be conflicts between dev and release keys.
Wrapping apiObject does not work as intended as the version field
is when fetching objects from the API. Thus we need to insert
the target path of the signature directly.
* deps: update ghcr.io/edgelesssys/cloud-provider-gcp Docker tag to v26.4.0
* deps: bump gcp ccm for 1.27 and 1.28
---------
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
* refactor `debugd` file structure
* create `hack`-tool to deploy logcollection to non-debug clusters
* integrate changes into CI
* update fields
* update workflow input names
* use `working-directory`
* add opensearch creds to upgrade workflow
* make template func generic
* make templating func generic
* linebreaks
* remove magic defaults
* move `os.Exit` to main package
* make logging index configurable
* make templating generic
* remove excess brace
* update fields
* copy fields
* fix flag name
* fix linter warnings
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* remove unused workflow inputs
* remove makefiles
* fix command
* bazel: fix output paths of container
This fixes the output paths of builds within the container by mounting
directories to paths that exist on the host. We also explicitly set the
output path in a .bazelrc to the user specific path. The rc file is
mounted into the container and overrides the host rc.
Also adding automatic stop in case start is called and a containers
is already running.
Sym links like bazel-out and paths bazel outputs should generally work
with this change.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* tabs -> spaces
---------
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>