Daniel Weiße
e350ca0f57
attestation: add Azure TDX attestation ( #2827 )
...
* Implement Azure TDX attestation primitives
* Add default measurements and claims for Azure TDX
* Enable Constellation on Azure TDX
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-24 15:10:15 +01:00
Moritz Sanft
a5021c52d3
joinservice: cache certificates for Azure SEV-SNP attestation ( #2336 )
...
* add ASK caching in joinservice
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use cached ASK in Azure SEV-SNP attestation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update test charts
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typ
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* make caching mechanism less provider-specific
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add `omitempty` flag
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* frontload certificate getter
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* rename frontloaded function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pass cached certificates to constructor
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix race condition
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix marshalling of empty certs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator usage
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [wip] add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add certcache tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix validator test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unused fields in validator
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate precedence
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use separate context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Remove unnecessary comment
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* use background context
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Use error format directive
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* `azure` -> `Azure`
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* improve error messages
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add x509 -> PEM util function
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use crypto util functions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix certificate replacement logic
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only require ASK from certcache
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix comment typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-29 14:29:50 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP
as new variant ( #1900 )
...
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Daniel Weiße
dd2da25ebe
attestation: tdx issuer/validator ( #1265 )
...
* Add TDX validator
* Add TDX issuer
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-17 11:37:26 +02:00
Daniel Weiße
d7a2ddd939
config: add separate option for handling attestation parameters ( #1623 )
...
* Add attestation options to config
* Add join-config migration path for clusters with old measurement format
* Always create MAA provider for Azure SNP clusters
* Remove confidential VM option from provider in favor of attestation options
* cli: add config migrate command to handle config migration (#1678 )
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-05-03 11:11:53 +02:00
Daniel Weiße
ec01c57661
internal: use config to create attestation validators ( #1561 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-04-06 17:00:56 +02:00
Daniel Weiße
99b12e4035
internal: refactor oid package to variant package ( #1538 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-29 09:30:13 +02:00
Daniel Weiße
5a0234b3f2
attestation: add option for MAA fallback to verify azure's snp-sev id key digest ( #1257 )
...
* Convert enforceIDKeyDigest setting to enum
* Use MAA fallback in Azure SNP attestation
* Only create MAA provider if MAA fallback is enabled
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
2023-03-21 12:46:49 +01:00
Daniel Weiße
5bad5f768b
attestation: create issuer based on kernel cmd line ( #1355 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-09 09:47:28 +01:00