From 8db20665fd206332af59233856b89d2d929a1507 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Thu, 29 Feb 2024 08:59:20 +0000
Subject: [PATCH 01/47] chore: update version.txt to v2.16.0

---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.txt b/version.txt
index 79fa94a5c..0c29db780 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v2.16.0-pre
+v2.16.0

From 228f168b0f35f495460bdfab153b7985ed3a4d91 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Thu, 29 Feb 2024 08:59:30 +0000
Subject: [PATCH 02/47] deps: update versions to v2.16.0

---
 internal/config/image_enterprise.go | 2 +-
 s3proxy/deploy/s3proxy/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/config/image_enterprise.go b/internal/config/image_enterprise.go
index 6b6efd6ce..db52b2f71 100644
--- a/internal/config/image_enterprise.go
+++ b/internal/config/image_enterprise.go
@@ -10,5 +10,5 @@ package config
 const (
 // defaultImage is the default image to use.
- defaultImage = "ref/main/stream/nightly/v2.16.0-pre.0.20240227085922-80518379c44d"
+ defaultImage = "v2.16.0"
 )
diff --git a/s3proxy/deploy/s3proxy/Chart.yaml b/s3proxy/deploy/s3proxy/Chart.yaml
index f07afba51..298c854b0 100644
--- a/s3proxy/deploy/s3proxy/Chart.yaml
+++ b/s3proxy/deploy/s3proxy/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: s3proxy
 description: Helm chart to deploy s3proxy.
 type: application
-version: 0.0.0
+version: 2.16.0

From 839543dcc1f09814f66f42a69b36a5c93722ef07 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Thu, 29 Feb 2024 09:29:24 +0000
Subject: [PATCH 03/47] attestation: hardcode measurements for v2.16.0

---
 .../measurements/measurements_enterprise.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go
index 8e676cd04..be6643b4d 100644
--- a/internal/attestation/measurements/measurements_enterprise.go
+++ b/internal/attestation/measurements/measurements_enterprise.go
@@ -16,13 +16,13 @@ package measurements // revive:disable:var-naming var ( - aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x82, 0x51, 0xcf, 0x40, 0x53, 0x18, 0x0d, 0x53, 0x64, 0x75, 0x03, 0x45, 0xa5, 0xa8, 0x16, 0xe2, 0x4b, 0x23, 0x40, 0x83, 0x43, 0x83, 0xbd, 0x43, 0x49, 0x8b, 0x8f, 0xb7, 0xc9, 0x4d, 0x57, 0xdd}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x5d, 0x1b, 0xbe, 0xd7, 0xec, 0x13, 0xc8, 0xd5, 0xea, 0x93, 0x71, 0xce, 0x79, 0x02, 0x13, 0xbe, 0x82, 0x5b, 0xed, 0x55, 0x26, 0x77, 0x0a, 0x87, 0x7c, 0x45, 0xdf, 0x76, 0xdd, 0x1b, 0x2a, 0x12}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x8a, 0x2b, 0xe4, 0xe4, 0x71, 0x23, 0xbd, 0xc8, 0x99, 0x0d, 0xbe, 0x36, 0xad, 0x77, 0xee, 0x04, 0xc5, 0x4e, 0x7d, 0x68, 0xc6, 0x1d, 0x86, 0xde, 0x9d, 0x0a, 0xf3, 0x48, 0xe6, 0xdf, 0x60, 0x15}, 
ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x74, 0x17, 0x6b, 0x8a, 0x77, 0xd9, 0x49, 0x1a, 0xd3, 0xe5, 0x62, 0xd2, 0xea, 0xba, 0x5f, 0x85, 0xd7, 0x3d, 0x26, 0x4e, 0x30, 0xaf, 0x78, 0x7e, 0x58, 0x33, 0x47, 0x13, 0x8e, 0x56, 0x23, 0x8a}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x3e, 0xc6, 0xf2, 0xe4, 0xf0, 0x59, 0xee, 0xf7, 0x29, 0xe4, 0xde, 0x5f, 0x70, 0x67, 0x15, 0x8d, 0x1f, 0x10, 0x1d, 0x7d, 0xd1, 0x40, 0x3c, 0x9f, 0x87, 0x48, 0xfb, 0xf5, 0x77, 0xa6, 0x03, 0xbb}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x84, 0xae, 0x81, 0x49, 0x2f, 0x9c, 0x6e, 0x2c, 0x8c, 0x49, 0x39, 0x27, 0x79, 0x7e, 0x85, 0x8d, 0xbc, 0xf1, 0x2f, 0x80, 0xde, 0x43, 0xd0, 0xbb, 0x47, 0xe7, 0xf0, 0x50, 0x3e, 0xa2, 0xa8, 0x6a}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 
0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x4b, 0xdf, 0xb0, 0xb8, 0x91, 0xde, 0x2a, 0xaa, 0xc7, 0x3f, 0x1a, 0xb6, 0x9c, 0xde, 0xb2, 0xed, 0x66, 0x62, 0x29, 0xf5, 0x83, 0x40, 0x9e, 0x95, 0x00, 0xca, 0x21, 0xdb, 0xb1, 0xf7, 0x06, 0x7d}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x3c, 0xb3, 0x7a, 0xfe, 0xeb, 0x1c, 0xb7, 0xf8, 0x98, 0xb5, 0x0d, 0x3b, 0x9d, 0x17, 0xa7, 0x3b, 0x83, 0x61, 0x2d, 0xef, 0xaa, 0x3a, 0xeb, 0x1c, 0xcd, 0x61, 0x99, 0xbf, 0x48, 0x9e, 0x28, 0xd2}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x2c, 0xbe, 0x09, 0x13, 0xac, 0xfb, 0x6f, 0xcf, 0x6d, 0xa9, 0x55, 0xbc, 0x77, 0xf4, 0xed, 0x27, 0x0b, 0xfc, 0x1c, 0xe4, 0xf8, 0x02, 0xd4, 0xc9, 0xf5, 0x37, 0xde, 0x1f, 0x85, 0xa2, 0x66, 0x25}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x2f, 0xda, 0xe7, 0x93, 0xbe, 0x8d, 0x3d, 0x81, 0xaf, 0x62, 0x5d, 0x37, 0x95, 0x26, 0x37, 0x02, 0x36, 0xe2, 0x22, 0x99, 0x49, 0x36, 0x7a, 0x09, 0x90, 0x1b, 0x4c, 0x6d, 0xf1, 0xfa, 0x43, 0x7e}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x76, 0xcd, 0x4f, 0xe2, 0x88, 0xa6, 0xa5, 0xc0, 0x0f, 0x63, 0x0d, 0x75, 0x0c, 0xe8, 0x24, 0xc0, 0x96, 0x2b, 0xbf, 0xbd, 0x78, 0xda, 0xd9, 0x1b, 0x18, 0x20, 0x4b, 0x2e, 0xf9, 0x00, 0x49, 0xbf}, 
ValidationOpt: Enforce}, 11: {Expected: []byte{0xf0, 0x93, 0x1f, 0xfc, 0x64, 0x30, 0xff, 0x44, 0xbd, 0xca, 0xe0, 0x50, 0xa9, 0xe2, 0xd6, 0x2a, 0xd2, 0xae, 0x64, 0x08, 0xc1, 0x0e, 0x33, 0x4f, 0x9b, 0xc6, 0x2b, 0xb6, 0xae, 0x88, 0x60, 0x8c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x20, 
0x99, 0xa0, 0xe2, 0x34, 0x48, 0xe4, 0xc2, 0xdf, 0xe3, 0x7e, 0xf8, 0x89, 0x9d, 0x16, 0x0a, 0x71, 0x7c, 0x75, 0xc4, 0xb1, 0x27, 0x7b, 0xfa, 0xf7, 0xb0, 0x0a, 0x6f, 0x41, 0xb8, 0x64, 0x13}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x85, 0x2c, 0xd0, 0xa3, 0xa7, 0x3d, 0xb1, 0xea, 0x45, 0x7c, 0xeb, 0xec, 0x46, 0xed, 0x7b, 0x5e, 0xb0, 0x79, 0x2c, 0x54, 0x78, 0x25, 0xca, 0x24, 0x44, 0x48, 0x69, 0x92, 0x23, 0x30, 0x04, 0xca}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x5c, 0x60, 0xda, 0x66, 0x89, 0xac, 0x4a, 0xc7, 0xd8, 0xaa, 0x00, 0xc6, 0xea, 0x96, 0x5b, 0xf8, 0x52, 0x25, 0xbe, 0xe6, 0xde, 0x18, 0xc8, 0xd6, 0x5a, 0x56, 0x42, 0x9e, 0x04, 0x8a, 0x6d, 0x09}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x99, 0xe5, 0x44, 0x49, 0x5f, 0xd9, 0x04, 0x16, 0x40, 0xdc, 0xf7, 0x3f, 0xfa, 0x13, 0x3e, 0x72, 0xd0, 0xf4, 0x45, 0xc7, 0x01, 0xd8, 0x28, 0x5c, 0xcb, 0x67, 0xf2, 0x46, 0x53, 0x48, 0x84, 0xb5}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xab, 0x3e, 0xd4, 0x9d, 0xe4, 0x35, 0x94, 0x73, 0x41, 0x16, 0x23, 0x29, 0x96, 0x3c, 0x39, 0x57, 0x0f, 0xd2, 0x3c, 0xa0, 0x0e, 0x98, 0xbc, 0x69, 0x80, 0xe8, 0xb0, 0xf2, 0x31, 0x20, 0xe9, 0x19}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x2b, 0xe6, 0x62, 0x6c, 0x18, 0x37, 0xf2, 0x68, 0xbe, 0x67, 0x74, 0x06, 0x09, 0xb5, 0xd7, 0xb9, 0xae, 0xf2, 0x9e, 0xc0, 0xa9, 0x88, 0xc1, 0x47, 
0x07, 0x3d, 0xe0, 0x45, 0x0e, 0xa3, 0x75, 0xa1}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xc5, 0x23, 0x7c, 0xe4, 0x13, 0x51, 0x73, 0xa9, 0x3d, 0x2b, 0xc2, 0x66, 0x33, 0x70, 0x8f, 0x38, 0xba, 0x98, 0xdf, 0x08, 0x09, 0xcf, 0x31, 0x20, 0x96, 0x3c, 0xc6, 0xb1, 0xf3, 0x58, 0xcf, 0xd2}, 
ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xfc, 0x61, 0xc9, 0xd5, 0x69, 0x40, 0x97, 0x60, 0xf0, 0x12, 0x39, 0x39, 0xf3, 0x29, 0xd1, 0x76, 0xa0, 0xf9, 0x1e, 0x0e, 0x67, 0xaf, 0xb9, 0x88, 0x01, 0x21, 0xbd, 0x70, 0x39, 0xf8, 0x62, 0x60}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x40, 0xc8, 0x4c, 0xe4, 0x12, 0xc2, 0x62, 0x7a, 0xe2, 0x41, 0x5a, 0xb0, 0x4c, 0xc2, 0x39, 0xe6, 0x2b, 0x1f, 0x91, 0xa8, 0x85, 0xdb, 0x0e, 0xb3, 0x4b, 0x92, 0x4d, 0x57, 0xbe, 0x8c, 0x6b, 0x86}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x60, 0xd1, 0x8d, 0xaa, 0x20, 0x56, 0x27, 0x23, 0x39, 0x5b, 0xfa, 0xf2, 0xe1, 0x8a, 0xe2, 0xb1, 0xa6, 0x96, 0x53, 0x49, 0x70, 0xd0, 0xf0, 0xcf, 0x67, 0xd4, 0x47, 0x91, 0x9a, 0x1a, 0xbf, 0xa7}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xe9, 0xfd, 0x43, 0x16, 0x12, 0xd1, 0xc4, 0x9c, 0xfd, 0x6b, 0xa2, 0x3b, 0xed, 0xe3, 0x19, 0x15, 0x7c, 0x06, 0xd0, 0xb3, 0x94, 0x93, 0xc2, 0xf9, 0xbd, 0xa4, 0x44, 0x98, 0xb2, 0x9c, 0xef, 0x8d}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x18, 0x6a, 0x1e, 0xc9, 0xa6, 0xec, 0xaa, 0x93, 0xe3, 0xea, 0x78, 0x02, 0x79, 0xd8, 0x4a, 0xd8, 0xd0, 0xe4, 0x14, 0xcc, 0x6d, 0x89, 0xfe, 0xdf, 0xb6, 0x69, 0x12, 0x8f, 0xc9, 0x7c, 0x7f, 0x99}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} azure_AzureTrustedLaunch M - gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x4b, 0x86, 0x61, 0xc4, 0xa5, 0xcf, 0xf5, 0xab, 0x94, 0x66, 0x89, 0xf9, 0x03, 0xac, 0x96, 0xda, 0x3f, 0x39, 0xbb, 0xf6, 0xa0, 0xf6, 0x9a, 0x6d, 0x56, 0x01, 0xd4, 0x21, 0xbd, 0xb2, 0x03, 0x61}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xfd, 0xce, 0x5f, 0xe7, 0xe9, 0xfa, 0x32, 0xb6, 0x38, 0xc9, 0x96, 0x6a, 0x7b, 0x33, 0xbb, 0x39, 0x83, 0xa3, 0x78, 0x69, 0x2a, 
0xa7, 0x4e, 0x91, 0xfd, 0x8c, 0xc7, 0x96, 0xa2, 0x46, 0xc5, 0x33}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x0d, 0xbc, 0xbe, 0x7f, 0x07, 0x46, 0xa1, 0x83, 0x4f, 0xfa, 0x4d, 0x88, 0xdb, 0xee, 0xa1, 0xb8, 0x0c, 0x9a, 0x6b, 0xac, 0x1f, 0x06, 0x88, 0x41, 0xb9, 0x69, 0x0a, 0xdb, 0xfe, 0xab, 0x09, 0x28}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - openstack_QEMUVTPM = M{4: {Expected: []byte{0x85, 0x68, 0x3d, 0xec, 0xd8, 0x84, 0x84, 0xeb, 0x89, 0x71, 0x53, 0x1e, 0x33, 0x84, 0x27, 0x40, 0x70, 0x26, 0xce, 0x88, 0xd1, 0x6e, 0x75, 0x24, 0xcd, 0xb3, 0xbc, 0x7a, 0x7e, 0x53, 0x45, 0x7c}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xa2, 0x83, 0x80, 0x53, 0x68, 0xff, 0x7f, 0xc3, 0xe1, 0x9d, 0xdf, 0x49, 0x6d, 0x7a, 0x8c, 0x42, 0x53, 0x02, 0xc4, 0x5d, 0x2e, 0xd4, 0x2d, 0x3e, 0x85, 0xc8, 0x67, 0xf6, 0x6e, 0x88, 
0x29, 0x1c}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x52, 0x9b, 0x1e, 0x7a, 0x81, 0xb5, 0xca, 0x2f, 0x12, 0x56, 0x7d, 0x73, 0xe5, 0x0f, 0xf0, 0x83, 0x77, 0x1f, 0x2e, 0x54, 0x1d, 0x19, 0xd7, 0x99, 0xfd, 0xb3, 0xc6, 0x87, 0xf6, 0x33, 0x2f, 0x7c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: 
[]byte{0x68, 0x8b, 0x88, 0x38, 0x8a, 0xe1, 0x2e, 0x61, 0x5f, 0xee, 0x8d, 0x73, 0xa1, 0xa1, 0xb7, 0x67, 0x79, 0x16, 0x63, 0xe5, 0x87, 0xce, 0x00, 0x0e, 0x6c, 0x1c, 0x92, 0x07, 0x9e, 0xf8, 0x79, 0x72}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x3d, 0x30, 0xf1, 0x45, 0x78, 0xcb, 0x21, 0x9a, 0xd0, 0xdd, 0xbd, 0xde, 0x0c, 0x46, 0x55, 0xfc, 0xbd, 0xc9, 0x15, 0xbe, 0x5a, 0xf7, 0xcf, 0xe0, 0x10, 0x18, 0x31, 0x59, 0x38, 0x0d, 0x71, 0xe6}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xc9, 0x68, 0x53, 0x48, 0xd2, 0x1b, 0x83, 0xd7, 0xe9, 0xea, 0xc1, 0xf9, 0x2a, 0x0b, 0x88, 0xe1, 0x7f, 0xcd, 0xdf, 0x66, 0x2b, 0xc4, 0x43, 0x5c, 0x92, 0xe6, 0xb3, 0x68, 0x83, 0x84, 0xee, 0x84}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + openstack_QEMUVTPM = M{4: {Expected: []byte{0x2b, 0x30, 0x0b, 0xed, 0x76, 0x14, 0xfd, 0xc4, 0xd7, 0xbd, 0x6a, 0x79, 0x0b, 0x6a, 0x05, 0xda, 0xeb, 0x48, 0xfc, 0x18, 0xac, 0xf9, 0x93, 0x2b, 0x1a, 0xb9, 0x56, 0xce, 0xdb, 0x79, 0xe0, 0xba}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xce, 0xfb, 0xc5, 0xde, 0x58, 0x19, 0xe7, 0x11, 0x6a, 0x7a, 0x5e, 0x63, 0xbd, 0xf3, 0xb0, 0xa4, 0xab, 0xa6, 0x71, 0x7a, 0x34, 0xb3, 0x5d, 0xf3, 0x1c, 0x18, 0x05, 0x87, 0x57, 0xf0, 0xa0, 0xbe}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x58, 0x60, 0x97, 0x36, 0xdd, 0xcf, 0x2c, 0x8c, 0xb6, 0xd7, 0xce, 0x91, 0xc1, 0x70, 0x65, 0xc8, 0x23, 0x35, 0xf1, 0xd1, 0x11, 0x14, 0xde, 0x0f, 0xfe, 0xb6, 0x71, 0xb9, 0x05, 0xf2, 0xf2, 0xaa}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} qemu_QEMUTDX M - qemu_QEMUVTPM = M{4: {Expected: []byte{0xa5, 0xb1, 0x6b, 0x64, 0x66, 0x8c, 0x31, 0x59, 0xc6, 0xbd, 0x69, 0x9b, 0x4d, 0x26, 0x77, 0x0e, 0xf0, 0xbf, 0xe9, 0xdf, 0x32, 0x2d, 0xa6, 0x8c, 0x11, 0x1d, 0x9c, 0x9e, 0x89, 0x0e, 0x7b, 0x93}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xfc, 0x4b, 0xe9, 0x6f, 0xd0, 0x3e, 0x90, 0x6e, 0xdc, 0x50, 0xbc, 0x6c, 0xdd, 0x0d, 0x6d, 0xe2, 0x9f, 0x7b, 0xcb, 0xbc, 0x8a, 0xd2, 0x42, 0x3a, 0x0a, 0x04, 0xcd, 0x3b, 0xb6, 0xf2, 0x3d, 0x49}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xd8, 0xa6, 0x91, 0x12, 0x82, 0x4b, 0x98, 0xd3, 0x85, 0x7f, 0xa0, 0x85, 0x49, 0x4a, 0x76, 0x86, 0xa0, 0xfc, 0xa8, 0x07, 0x14, 0x88, 0xc1, 0x39, 0x3f, 0x20, 0x34, 0x48, 0x42, 0x12, 0xf0, 0x84}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + qemu_QEMUVTPM = M{4: {Expected: []byte{0x7a, 0xbf, 0xb1, 0x50, 0x3b, 0x4e, 0xad, 0xaa, 0x39, 0x91, 0x47, 0x27, 0xda, 0x13, 0xdc, 0x53, 0x6a, 0xa3, 0x4d, 0x96, 0x07, 0x07, 0x6f, 0xa5, 0xac, 
0xd8, 0xfd, 0xec, 0x79, 0x30, 0x5b, 0xdd}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x2a, 0xe1, 0xdb, 0x98, 0x4c, 0xe3, 0xa3, 0xcc, 0xe1, 0x63, 0x52, 0x9d, 0x41, 0x1f, 0x64, 0x43, 0x3a, 0x14, 0x21, 0x43, 0x11, 0xb8, 0x32, 0x64, 0xad, 0x4f, 0xe0, 0xd4, 0xcf, 0xe7, 0x8f, 0x36}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x5f, 0xb8, 0x2a, 0x4f, 0x59, 0x46, 0xae, 0x89, 0x12, 0xfc, 0xe6, 0x43, 0x80, 0x8e, 0x5b, 0x00, 0x79, 0x11, 0x72, 0xad, 0x3a, 0x03, 0xb6, 0xb9, 0x28, 0x82, 0xd6, 0x58, 0x2c, 0x18, 0x92, 0x13}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} ) From e9dc722b1ff198ae41b9aeed19e60af3eefd89ec Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 1 Mar 2024 10:59:06 +0100 Subject: [PATCH 04/47] docs: update STACKIT flavors (#2964) --- docs/docs/workflows/config.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index 872504834..f124e4d78 100644 --- a/docs/docs/workflows/config.md 
+++ b/docs/docs/workflows/config.md @@ -77,17 +77,17 @@ The Constellation CLI can also print the supported instance types with: `constel -By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 32 GB RAM) to create your cluster. +By default, Constellation uses `m1a.4cd` VMs (4 vCPUs, 30 GB RAM) to create your cluster. Optionally, you can switch to a different VM type by modifying `instanceType` in the configuration file. The following instance types are known to be supported: | name | vCPUs | GB RAM | |----------|-------|--------| -| m1a.4cd | 4 | 32 | -| m1a.8cd | 8 | 64 | +| m1a.4cd | 4 | 30 | +| m1a.8cd | 8 | 60 | | m1a.16cd | 16 | 120 | -| m1a.30cd | 30 | 238 | +| m1a.30cd | 30 | 230 | You can choose any of the SEV-enabled instance types. You can find a list of all supported instance types in the [STACKIT documentation](https://docs.stackit.cloud/stackit/en/virtual-machine-flavors-75137231.html). From 1f623c8658bbf1c466e6762ca9f62a6ebca0bcf7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Mon, 4 Mar 2024 13:48:30 +0100 Subject: [PATCH 05/47] ci: use collision resistant name for Terraform e2e test (#2967) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Use collision resistant name for Terraform e2e test * Remove test suffix from Terraform provider examples --------- Signed-off-by: Daniel Weiße --- .../workflows/e2e-test-provider-example.yml | 18 ++++++++++-------- .../examples/full/azure/main.tf | 4 ++-- .../examples/full/gcp/main.tf | 2 +- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml index 6f2d92063..5359358c8 100644 --- a/.github/workflows/e2e-test-provider-example.yml +++ b/.github/workflows/e2e-test-provider-example.yml 
@@ -83,14 +83,6 @@ jobs: ref: main stream: nightly - - name: Create resource prefix - id: create-prefix - shell: bash - run: | - run_id=${{ github.run_id }} - last_three="${run_id: -3}" - echo "prefix=e2e-${last_three}" | tee -a "$GITHUB_OUTPUT" - - name: Determine cloudprovider from attestation variant id: determine shell: bash @@ -124,6 +116,16 @@ jobs: buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} nixTools: terraform + - name: Create prefix + id: create-prefix + shell: bash + run: | + uuid=$(uuidgen | tr "[:upper:]" "[:lower:]") + uuid="${uuid%%-*}" + uuid="${uuid: -3}" # Final resource name must be no longer than 10 characters on AWS + echo "uuid=${uuid}" | tee -a "${GITHUB_OUTPUT}" + echo "prefix=e2e-${uuid}" | tee -a "${GITHUB_OUTPUT}" + - name: Build Constellation provider and CLI # CLI is needed for the upgrade assert and container push is needed for the microservice upgrade working-directory: ${{ github.workspace }} id: build diff --git a/terraform-provider-constellation/examples/full/azure/main.tf b/terraform-provider-constellation/examples/full/azure/main.tf index 629f07e2d..46a5f8f9b 100644 --- a/terraform-provider-constellation/examples/full/azure/main.tf +++ b/terraform-provider-constellation/examples/full/azure/main.tf @@ -44,8 +44,8 @@ module "azure_iam" { // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0 source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/azure" location = local.location - service_principal_name = "${local.name}-test-sp" - resource_group_name = "${local.name}-test-rg" + service_principal_name = "${local.name}-sp" + resource_group_name = "${local.name}-rg" } module "azure_infrastructure" { diff --git a/terraform-provider-constellation/examples/full/gcp/main.tf b/terraform-provider-constellation/examples/full/gcp/main.tf index 1db0f63fb..f7ac80b04 100644 --- a/terraform-provider-constellation/examples/full/gcp/main.tf 
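Review bot: The new "Create prefix" step keeps only the last three hex characters of the UUID's first group (`uuid="${uuid: -3}"`), which is 4096 possible values, so two concurrently running workflows can still pick the same prefix even though the source is now random instead of the run ID. If the 10-character AWS limit mentioned in the inline comment still leaves room after the `-sp`/`-rg`/`-sa` suffixes from the example modules are appended, widening to `uuid="${uuid: -6}"` would make a collision practically impossible; otherwise the comment should state that the limit, not collision resistance, dictates the three characters. The `tr "[:upper:]" "[:lower:]"` step is harmless since uuidgen output is hex only.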
+++ b/terraform-provider-constellation/examples/full/gcp/main.tf @@ -46,7 +46,7 @@ module "gcp_iam" { // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0 source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp" project_id = local.project_id - service_account_id = "${local.name}-test-sa" + service_account_id = "${local.name}-sa" zone = local.zone region = local.region } From 3d7b8c3596b3426753256be71fc15d7bb3cda06e Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 1 Mar 2024 16:05:08 +0100 Subject: [PATCH 06/47] cli: add STACKIT to constellation config instance-types --- cli/internal/cmd/configinstancetypes.go | 3 +++ internal/config/instancetypes/BUILD.bazel | 1 + internal/config/instancetypes/stackit.go | 16 ++++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 internal/config/instancetypes/stackit.go diff --git a/cli/internal/cmd/configinstancetypes.go b/cli/internal/cmd/configinstancetypes.go index 0d768d2b1..555ad5bb2 100644 --- a/cli/internal/cmd/configinstancetypes.go +++ b/cli/internal/cmd/configinstancetypes.go @@ -38,6 +38,8 @@ Azure Trusted Launch instance types: %v GCP instance types: %v +STACKIT instance types: +%v `, formatInstanceTypes(instancetypes.AWSSNPSupportedInstanceFamilies), formatInstanceTypes(instancetypes.AWSSupportedInstanceFamilies), @@ -45,6 +47,7 @@ GCP instance types: formatInstanceTypes(instancetypes.AzureSNPInstanceTypes), formatInstanceTypes(instancetypes.AzureTrustedLaunchInstanceTypes), formatInstanceTypes(instancetypes.GCPInstanceTypes), + formatInstanceTypes(instancetypes.STACKITInstanceTypes), ) } diff --git a/internal/config/instancetypes/BUILD.bazel b/internal/config/instancetypes/BUILD.bazel index 7080f5bb8..609892693 100644 --- a/internal/config/instancetypes/BUILD.bazel +++ b/internal/config/instancetypes/BUILD.bazel 
@@ -6,6 +6,7 @@ go_library(
 "aws.go",
 "azure.go",
 "gcp.go",
+ "stackit.go",
 ],
 importpath = "github.com/edgelesssys/constellation/v2/internal/config/instancetypes",
 visibility = ["//:__subpackages__"],
diff --git a/internal/config/instancetypes/stackit.go b/internal/config/instancetypes/stackit.go
new file mode 100644
index 000000000..68ea21d94
--- /dev/null
+++ b/internal/config/instancetypes/stackit.go
@@ -0,0 +1,16 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package instancetypes
+
+// STACKITInstanceTypes are valid STACKIT instance types.
+var STACKITInstanceTypes = []string{
+ "m1a.2cd",
+ "m1a.4cd",
+ "m1a.8cd",
+ "m1a.16cd",
+ "m1a.30cd",
+}
From e7897a746804e4753329e05ee7f6f7871982ed9b Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Fri, 1 Mar 2024 17:06:02 +0100
Subject: [PATCH 07/47] misc: skip message about community license with marketplace image
---
 cli/internal/cmd/apply.go | 4 +--
 cli/internal/cmd/license_enterprise.go | 18 +++++++----
 cli/internal/cmd/license_oss.go | 2 +-
 internal/config/config.go | 3 +-
 internal/imagefetcher/imagefetcher.go | 3 ++
 internal/license/license.go | 2 ++
 .../docs/data-sources/attestation.md | 4 +++
 .../docs/data-sources/image.md | 4 +++
 .../docs/resources/cluster.md | 4 +++
 .../internal/provider/cluster_resource.go | 31 ++++++++++++-------
 .../provider/cluster_resource_test.go | 7 +++--
 .../internal/provider/shared_attributes.go | 12 +++++--
 12 files changed, 66 insertions(+), 28 deletions(-)
diff --git a/cli/internal/cmd/apply.go b/cli/internal/cmd/apply.go
index ea7679a50..b15ae249d 100644
--- a/cli/internal/cmd/apply.go
+++ b/cli/internal/cmd/apply.go
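Review bot: `STACKITInstanceTypes` in the new stackit.go lists `m1a.2cd`, but the supported-types table updated in docs/docs/workflows/config.md earlier in this series (PATCH 04) starts at `m1a.4cd`, so `constellation config instance-types` will advertise a flavor the documentation does not mention. Either add an `m1a.2cd` row to the docs table or drop it from the slice so the two stay in agreement. The doc comment could also state where the list is consumed, e.g. `// STACKITInstanceTypes are the STACKIT flavors printed by "constellation config instance-types"; keep in sync with docs/docs/workflows/config.md.`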
@@ -40,7 +40,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/kms/uri" "github.com/edgelesssys/constellation/v2/internal/semver" "github.com/edgelesssys/constellation/v2/internal/versions" - "github.com/samber/slog-multi" + slogmulti "github.com/samber/slog-multi" "github.com/spf13/afero" "github.com/spf13/cobra" "github.com/spf13/pflag" @@ -365,7 +365,7 @@ func (a *applyCmd) apply( } // Check license - a.checkLicenseFile(cmd, conf.GetProvider()) + a.checkLicenseFile(cmd, conf.GetProvider(), conf.UseMarketplaceImage()) // Now start actually running the apply command diff --git a/cli/internal/cmd/license_enterprise.go b/cli/internal/cmd/license_enterprise.go index 79ae2bf7c..d4afe973e 100644 --- a/cli/internal/cmd/license_enterprise.go +++ b/cli/internal/cmd/license_enterprise.go @@ -22,18 +22,22 @@ import ( // with the license server. If no license file is present or if errors // occur during the check, the user is informed and the community license // is used. It is a no-op in the open source version of Constellation. -func (a *applyCmd) checkLicenseFile(cmd *cobra.Command, csp cloudprovider.Provider) { +func (a *applyCmd) checkLicenseFile(cmd *cobra.Command, csp cloudprovider.Provider, useMarketplaceImage bool) { var licenseID string a.log.Debug("Running license check") readBytes, err := a.fileHandler.Read(constants.LicenseFilename) - if errors.Is(err, fs.ErrNotExist) { - cmd.Printf("Using community license.\n") + switch { + case useMarketplaceImage: + cmd.Println("Using marketplace image billing.") + licenseID = license.MarketplaceLicense + case errors.Is(err, fs.ErrNotExist): + cmd.Println("Using community license.") licenseID = license.CommunityLicense - } else if err != nil { + case err != nil: cmd.Printf("Error: %v\nContinuing with community license.\n", err) licenseID = license.CommunityLicense - } else { + default: cmd.Printf("Constellation license found!\n") licenseID, err = license.FromBytes(readBytes) if err != nil { 
@@ -43,9 +47,11 @@ func (a *applyCmd) checkLicenseFile(cmd *cobra.Command, csp cloudprovider.Provid } quota, err := a.applier.CheckLicense(cmd.Context(), csp, !a.flags.skipPhases.contains(skipInitPhase), licenseID) - if err != nil { + if err != nil && !useMarketplaceImage { cmd.Printf("Unable to contact license server.\n") cmd.Printf("Please keep your vCPU quota in mind.\n") + } else if licenseID == license.MarketplaceLicense { + // Do nothing. Billing is handled by the marketplace. } else if licenseID == license.CommunityLicense { cmd.Printf("For details, see https://docs.edgeless.systems/constellation/overview/license\n") } else { diff --git a/cli/internal/cmd/license_oss.go b/cli/internal/cmd/license_oss.go index 8fba56114..fd14d35bc 100644 --- a/cli/internal/cmd/license_oss.go +++ b/cli/internal/cmd/license_oss.go @@ -17,4 +17,4 @@ import ( // with the license server. If no license file is present or if errors // occur during the check, the user is informed and the community license // is used. It is a no-op in the open source version of Constellation. -func (a *applyCmd) checkLicenseFile(*cobra.Command, cloudprovider.Provider) {} +func (a *applyCmd) checkLicenseFile(*cobra.Command, cloudprovider.Provider, bool) {} diff --git a/internal/config/config.go b/internal/config/config.go index 611ccc39f..d4a8cab40 100644 --- a/internal/config/config.go +++ b/internal/config/config.go 
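Review bot: In the new `switch` at the top of `checkLicenseFile`, `useMarketplaceImage` is tested before the license-file cases, so an existing, readable license file is silently ignored when a marketplace image is configured and the successful `a.fileHandler.Read` result is never mentioned. A one-line hint inside the marketplace case would avoid confusion, e.g. `if err == nil { cmd.Println("Ignoring license file: marketplace image billing is used.") }`. In the second hunk the empty `else if licenseID == license.MarketplaceLicense { // Do nothing. ... }` branch reads as a placeholder; handling the marketplace case first with an explicit early return would make the control flow clearer than the `!useMarketplaceImage` guard on the error branch. Note that `MarketplaceLicense` is a fixed constant that can equally be written into a license file and still reaches `a.applier.CheckLicense`, so only the server-side outcome (outside this diff) should be treated as authoritative. The body of `checkLicenseFile` continues beyond the hunk.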
@@ -720,7 +720,8 @@ func (c *Config) DeployYawolLoadBalancer() bool { func (c *Config) UseMarketplaceImage() bool { return (c.Provider.Azure != nil && c.Provider.Azure.UseMarketplaceImage != nil && *c.Provider.Azure.UseMarketplaceImage) || (c.Provider.GCP != nil && c.Provider.GCP.UseMarketplaceImage != nil && *c.Provider.GCP.UseMarketplaceImage) || - (c.Provider.AWS != nil && c.Provider.AWS.UseMarketplaceImage != nil && *c.Provider.AWS.UseMarketplaceImage) + (c.Provider.AWS != nil && c.Provider.AWS.UseMarketplaceImage != nil && *c.Provider.AWS.UseMarketplaceImage) || + (c.Provider.OpenStack != nil && c.Provider.OpenStack.Cloud == "stackit") } // Validate checks the config values and returns validation errors. diff --git a/internal/imagefetcher/imagefetcher.go b/internal/imagefetcher/imagefetcher.go index 643e7c1b4..2d1364ca5 100644 --- a/internal/imagefetcher/imagefetcher.go +++ b/internal/imagefetcher/imagefetcher.go @@ -131,6 +131,9 @@ func buildMarketplaceImage(payload marketplaceImagePayload) (string, error) { case cloudprovider.AWS: // For AWS, we use the AMI alias, which just needs the version and infers the rest transparently. return fmt.Sprintf("resolve:ssm:/aws/service/marketplace/prod-77ylkenlkgufs/%s", payload.imgInfo.Version), nil + case cloudprovider.OpenStack: + // For OpenStack / STACKIT, we use the image reference directly. + return getReferenceFromImageInfo(payload.provider, payload.attestationVariant.String(), payload.imgInfo, payload.filters...) default: return "", fmt.Errorf("marketplace images are not supported for csp %s", payload.provider.String()) } diff --git a/internal/license/license.go b/internal/license/license.go index 0bf1cb3fe..0010bd2d0 100644 --- a/internal/license/license.go +++ b/internal/license/license.go 
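Review bot: `UseMarketplaceImage` now returns true for every OpenStack config with `Cloud == "stackit"`, whereas the Azure, GCP and AWS branches require an explicit opt-in pointer; this asymmetry means the license check in `checkLicenseFile` is skipped for all STACKIT clusters without any setting in the config file. If that is intended, the method's doc comment (outside the hunk) should say so, e.g. `// STACKIT clusters always use the marketplace image, so there is no explicit opt-in for OpenStack.`; if not, an `OpenStack.UseMarketplaceImage` field would keep the providers consistent.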
@@ -13,6 +13,8 @@ type Action string const ( // CommunityLicense is used by everyone who has not bought an enterprise license. CommunityLicense = "00000000-0000-0000-0000-000000000000" + // MarketplaceLicense is used by everyone who uses a marketplace image. + MarketplaceLicense = "11111111-1111-1111-1111-111111111111" // Init action denotes the initialization of a Constellation cluster. Init Action = "init" diff --git a/terraform-provider-constellation/docs/data-sources/attestation.md b/terraform-provider-constellation/docs/data-sources/attestation.md index bd578314c..7ad4d491e 100644 --- a/terraform-provider-constellation/docs/data-sources/attestation.md +++ b/terraform-provider-constellation/docs/data-sources/attestation.md @@ -58,6 +58,10 @@ Required: - `$SEMANTIC_VERSION` is the semantic version of the image, e.g. `vX.Y.Z` or `vX.Y.Z-pre...`. - `version` (String) Semantic version of the image. +Optional: + +- `marketplace_image` (Boolean) Whether a marketplace image should be used. + ### Nested Schema for `attestation` diff --git a/terraform-provider-constellation/docs/data-sources/image.md b/terraform-provider-constellation/docs/data-sources/image.md index 8eb48929e..d72b9ca91 100644 --- a/terraform-provider-constellation/docs/data-sources/image.md +++ b/terraform-provider-constellation/docs/data-sources/image.md @@ -49,6 +49,10 @@ The Constellation OS image must be [replicated to the region](https://docs.edgel ### Nested Schema for `image` +Optional: + +- `marketplace_image` (Boolean) Whether a marketplace image should be used. + Read-Only: - `reference` (String) CSP-specific unique reference to the image. The format differs per CSP. diff --git a/terraform-provider-constellation/docs/resources/cluster.md b/terraform-provider-constellation/docs/resources/cluster.md index d5deed553..282493ce8 100644 --- a/terraform-provider-constellation/docs/resources/cluster.md +++ b/terraform-provider-constellation/docs/resources/cluster.md 
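Review bot: The doc comment on `MarketplaceLicense` should make clear that, like `CommunityLicense`, it is a well-known sentinel ID the client sends when no purchased license applies and not a credential: the CLI path in license_enterprise.go also accepts it from a license file, so receiving this ID cannot by itself prove that a cluster is billed through a marketplace. Suggested wording: `// MarketplaceLicense is a well-known sentinel ID sent for clusters billed through a CSP marketplace image; it carries no entitlement by itself.`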
@@ -162,6 +162,10 @@ Required: - `$SEMANTIC_VERSION` is the semantic version of the image, e.g. `vX.Y.Z` or `vX.Y.Z-pre...`. - `version` (String) Semantic version of the image. +Optional: + +- `marketplace_image` (Boolean) Whether a marketplace image should be used. + ### Nested Schema for `network_config` diff --git a/terraform-provider-constellation/internal/provider/cluster_resource.go b/terraform-provider-constellation/internal/provider/cluster_resource.go index 9f51aa848..f2dfb91c8 100644 --- a/terraform-provider-constellation/internal/provider/cluster_resource.go +++ b/terraform-provider-constellation/internal/provider/cluster_resource.go 
@@ -447,28 +447,31 @@ func (r *ClusterResource) ModifyPlan(ctx context.Context, req resource.ModifyPla return } - licenseID := plannedState.LicenseID.ValueString() - if licenseID == "" { - resp.Diagnostics.AddWarning("Constellation license ID not set.", - "Continuing with community license.") - } - if licenseID == license.CommunityLicense { - resp.Diagnostics.AddWarning("Using community license.", - "For details, see https://docs.edgeless.systems/constellation/overview/license") - } - // Validate during plan. Must be done in ModifyPlan to read provider data. // See https://developer.hashicorp.com/terraform/plugin/framework/resources/configure#define-resource-configure-method. _, diags := r.getMicroserviceVersion(&plannedState) resp.Diagnostics.Append(diags...) - _, _, diags = r.getImageVersion(ctx, &plannedState) + var image imageAttribute + image, _, diags = r.getImageVersion(ctx, &plannedState) resp.Diagnostics.Append(diags...) if resp.Diagnostics.HasError() { return } + licenseID := plannedState.LicenseID.ValueString() + switch { + case image.MarketplaceImage != nil && *image.MarketplaceImage: + // Marketplace images do not require a license. + case licenseID == "": + resp.Diagnostics.AddWarning("Constellation license ID not set.", + "Continuing with community license.") + case licenseID == license.CommunityLicense: + resp.Diagnostics.AddWarning("Using community license.", + "For details, see https://docs.edgeless.systems/constellation/overview/license") + } + // Checks running on updates to the resource. (i.e. state and plan != nil) if !req.State.Raw.IsNull() { // Read currentState supplied by Terraform runtime into the model 
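Review bot: The separate `var image imageAttribute` declaration followed by `image, _, diags = r.getImageVersion(ctx, &plannedState)` can be collapsed into `image, _, diags := r.getImageVersion(ctx, &plannedState)`, since `diags` is declared in the same scope by the preceding `getMicroserviceVersion` call and `:=` only needs one new variable on the left. The move of the license-ID warnings below the version checks is sensible, but a short comment such as `// License warnings are evaluated after the image lookup because marketplace images need no license.` would explain why the order matters. `ModifyPlan` continues outside the hunk.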
@@ -759,9 +762,13 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel, // parse license ID licenseID := data.LicenseID.ValueString() - if licenseID == "" { + switch { + case image.MarketplaceImage != nil && *image.MarketplaceImage: + licenseID = license.MarketplaceLicense + case licenseID == "": licenseID = license.CommunityLicense } + // license ID can be base64-encoded licenseIDFromB64, err := base64.StdEncoding.DecodeString(licenseID) if err == nil { diff --git a/terraform-provider-constellation/internal/provider/cluster_resource_test.go b/terraform-provider-constellation/internal/provider/cluster_resource_test.go index 9cc197bb5..d9df71713 100644 --- a/terraform-provider-constellation/internal/provider/cluster_resource_test.go +++ b/terraform-provider-constellation/internal/provider/cluster_resource_test.go @@ -97,9 +97,10 @@ func TestViolatedImageConstraint(t *testing.T) { } input, diags := basetypes.NewObjectValueFrom(context.Background(), map[string]attr.Type{ - "version": basetypes.StringType{}, - "reference": basetypes.StringType{}, - "short_path": basetypes.StringType{}, + "version": basetypes.StringType{}, + "reference": basetypes.StringType{}, + "short_path": basetypes.StringType{}, + "marketplace_image": basetypes.BoolType{}, }, img) require.Equal(t, 0, diags.ErrorsCount()) _, _, diags2 := sut.getImageVersion(context.Background(), &ClusterResourceModel{ diff --git a/terraform-provider-constellation/internal/provider/shared_attributes.go b/terraform-provider-constellation/internal/provider/shared_attributes.go index 79535a53c..163794e9b 100644 --- a/terraform-provider-constellation/internal/provider/shared_attributes.go +++ b/terraform-provider-constellation/internal/provider/shared_attributes.go 
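Review bot: A user-supplied `license_id` is silently replaced by `license.MarketplaceLicense` when `image.MarketplaceImage` is true, and the `ModifyPlan` switch in the previous hunk emits no diagnostic for that combination. Adding a case there ahead of the existing marketplace case, e.g. `case image.MarketplaceImage != nil && *image.MarketplaceImage && licenseID != "":` followed by `resp.Diagnostics.AddWarning("License ID ignored.", "Marketplace images are billed through the marketplace; license_id is not used.")`, would tell the user why their license is not applied. The condition `image.MarketplaceImage != nil && *image.MarketplaceImage` is now duplicated across both hunks; a small `func (i imageAttribute) isMarketplace() bool` helper on the struct in shared_attributes.go would remove the repetition. `apply` continues outside the hunk.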
@@ -229,13 +229,19 @@ func newImageAttributeSchema(t attributeType) schema.Attribute { Computed: !isInput, Required: isInput, }, + "marketplace_image": schema.BoolAttribute{ + Description: "Whether a marketplace image should be used.", + MarkdownDescription: "Whether a marketplace image should be used.", + Optional: true, + }, }, } } // imageAttribute is the image attribute's data model. type imageAttribute struct { - Reference string `tfsdk:"reference"` - Version string `tfsdk:"version"` - ShortPath string `tfsdk:"short_path"` + Reference string `tfsdk:"reference"` + Version string `tfsdk:"version"` + ShortPath string `tfsdk:"short_path"` + MarketplaceImage *bool `tfsdk:"marketplace_image"` } From e893b03eda906a45e718848165fa45a73f06e420 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 1 Mar 2024 17:45:12 +0100 Subject: [PATCH 08/47] cli: correct measurements in config generate stackit --- cli/internal/cmd/configgenerate.go | 2 +- cli/internal/cmd/configgenerate_test.go | 2 +- internal/config/config.go | 6 +++++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cli/internal/cmd/configgenerate.go b/cli/internal/cmd/configgenerate.go index 666b7284d..cfbe10b59 100644 --- a/cli/internal/cmd/configgenerate.go +++ b/cli/internal/cmd/configgenerate.go @@ -128,7 +128,7 @@ func (cg *configGenerateCmd) configGenerate(cmd *cobra.Command, fileHandler file // createConfigWithAttestationVariant creates a config file for the given provider. func createConfigWithAttestationVariant(provider cloudprovider.Provider, rawProvider string, attestationVariant variant.Variant) (*config.Config, error) { - conf := config.Default().WithOpenStackProviderDefaults(rawProvider) + conf := config.Default().WithOpenStackProviderDefaults(provider, rawProvider) conf.RemoveProviderExcept(provider) // set a lower default for QEMU's state disk 
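Review bot: The description of the new `marketplace_image` attribute only says that a marketplace image "should be used" and does not tell the user what that implies; from the cluster_resource.go changes in this commit it also switches the cluster to `MarketplaceLicense` and disregards a configured `license_id`. Suggested text for both `Description` and `MarkdownDescription`: `"Whether a marketplace image should be used. When true, the cluster is billed through the CSP marketplace and the license_id attribute is ignored."`. The three `.md` hunks in this commit carry the same sentence and appear to be generated from these strings, so updating them here keeps the docs in sync.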
diff --git a/cli/internal/cmd/configgenerate_test.go b/cli/internal/cmd/configgenerate_test.go index 2533cffcb..d1a4fbc92 100644 --- a/cli/internal/cmd/configgenerate_test.go +++ b/cli/internal/cmd/configgenerate_test.go @@ -140,7 +140,7 @@ func TestConfigGenerateDefaultProviderSpecific(t *testing.T) { fileHandler := file.NewHandler(afero.NewMemMapFs()) cmd := newConfigGenerateCmd() - wantConf := config.Default().WithOpenStackProviderDefaults(tc.rawProvider) + wantConf := config.Default().WithOpenStackProviderDefaults(cloudprovider.OpenStack, tc.rawProvider) wantConf.RemoveProviderAndAttestationExcept(tc.provider) cg := &configGenerateCmd{ diff --git a/internal/config/config.go b/internal/config/config.go index d4a8cab40..753156dd3 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -900,7 +900,11 @@ func (c *Config) Validate(force bool) error { // WithOpenStackProviderDefaults fills the default values for the specific OpenStack provider. // If the provider is not supported or not an OpenStack provider, the config is returned unchanged. -func (c *Config) WithOpenStackProviderDefaults(openStackProvider string) *Config { +func (c *Config) WithOpenStackProviderDefaults(csp cloudprovider.Provider, openStackProvider string) *Config { + if csp != cloudprovider.OpenStack { + return c + } + c.Attestation.QEMUVTPM = &QEMUVTPM{Measurements: measurements.DefaultsFor(cloudprovider.OpenStack, variant.QEMUVTPM{})} switch openStackProvider { case "stackit": c.Provider.OpenStack.Cloud = "stackit" From a5e73b48da30ad0fbb1b3da43b8d2074194ee64f Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Tue, 5 Mar 2024 09:14:01 +0100 Subject: [PATCH 09/47] bootstrapper: bounded retry of k8s join (#2968) --- .../internal/joinclient/joinclient.go | 11 ++++++- .../internal/joinclient/joinclient_test.go | 33 ++++++++++++++++--- 2 files changed, 38 insertions(+), 6 deletions(-) 
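Review bot: `WithOpenStackProviderDefaults` now overwrites `c.Attestation.QEMUVTPM` before the `switch openStackProvider`, so an unsupported OpenStack provider string no longer leaves the config unchanged as the doc comment directly above still promises. Either move the assignment into the `case "stackit":` branch (and any other supported case) or update the comment, e.g. `// If csp is not OpenStack the config is returned unchanged. For OpenStack, the QEMU vTPM measurements are always replaced with the OpenStack defaults and provider-specific values are filled for known providers.` The function body continues past the hunk, so the remaining cases of the switch were not reviewed here.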
diff --git a/bootstrapper/internal/joinclient/joinclient.go b/bootstrapper/internal/joinclient/joinclient.go
index 110b52a66..8f44fa115 100644
--- a/bootstrapper/internal/joinclient/joinclient.go
+++ b/bootstrapper/internal/joinclient/joinclient.go
@@ -150,6 +150,7 @@ func (c *JoinClient) Start(cleaner cleaner) {
 return
 } else if isUnrecoverable(err) {
 c.log.With(slog.Any("error", err)).Error("Unrecoverable error occurred")
+ // TODO(burgerdev): this should eventually lead to a full node reset
 return
 }
 c.log.With(slog.Any("error", err)).Warn("Join failed for all available endpoints")
@@ -310,7 +311,15 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
 CACertHashes: []string{ticket.DiscoveryTokenCaCertHash},
 }
- if err := c.joiner.JoinCluster(ctx, btd, c.role, ticket.KubernetesComponents, c.log); err != nil {
+ // We currently cannot recover from any failure in this function. Joining the k8s cluster
+ // sometimes fails transiently, and we don't want to brick the node because of that.
+ for i := 0; i < 3; i++ {
+ err = c.joiner.JoinCluster(ctx, btd, c.role, ticket.KubernetesComponents, c.log)
+ if err != nil {
+ c.log.Error("failed to join k8s cluster", "role", c.role, "attempt", i, "error", err)
+ }
+ }
+ if err != nil {
 return fmt.Errorf("joining Kubernetes cluster: %w", err)
 }
diff --git a/bootstrapper/internal/joinclient/joinclient_test.go b/bootstrapper/internal/joinclient/joinclient_test.go
index 4684b2eb4..d22ed4fb9 100644
--- a/bootstrapper/internal/joinclient/joinclient_test.go
+++ b/bootstrapper/internal/joinclient/joinclient_test.go
@@ -62,6 +62,7 @@ func TestClient(t *testing.T) {
 apiAnswers []any
 wantLock bool
 wantJoin bool
+ wantNumJoins int
 }{
 "on worker: metadata self: errors occur": {
 role: role.Worker,
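Review bot: The retry loop in `startNodeAndJoin` never exits early, so after a successful `JoinCluster` it calls it again up to two more times and the final `err` reflects only the last attempt; add `if err == nil { break }` directly after the call, before the error log. The attempts also run back-to-back with no delay and without checking `ctx.Done()`, so for a transient failure all three tries land within milliseconds; a short backoff between attempts is worth considering. The new "joinCluster fails transiently" case in joinclient_test.go asserts with `assert.GreaterOrEqual(tc.clusterJoiner.joinClusterCalled, tc.wantNumJoins)`, which does not catch the missing break; `assert.Equal(tc.wantNumJoins, tc.clusterJoiner.joinClusterCalled)` would. `startNodeAndJoin` continues outside the hunk.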
@@ -168,12 +169,26 @@ func TestClient(t *testing.T) { listAnswer{instances: peers}, issueJoinTicketAnswer{}, }, - clusterJoiner: &stubClusterJoiner{joinClusterErr: someErr}, + clusterJoiner: &stubClusterJoiner{numBadCalls: -1, joinClusterErr: someErr}, nodeLock: newFakeLock(), disk: &stubDisk{}, wantJoin: true, wantLock: true, }, + "on control plane: joinCluster fails transiently": { + role: role.ControlPlane, + apiAnswers: []any{ + selfAnswer{instance: controlSelf}, + listAnswer{instances: peers}, + issueJoinTicketAnswer{}, + }, + clusterJoiner: &stubClusterJoiner{numBadCalls: 1, joinClusterErr: someErr}, + nodeLock: newFakeLock(), + disk: &stubDisk{}, + wantJoin: true, + wantLock: true, + wantNumJoins: 2, + }, "on control plane: node already locked": { role: role.ControlPlane, apiAnswers: []any{ @@ -250,9 +265,12 @@ func TestClient(t *testing.T) { client.Stop() if tc.wantJoin { - assert.True(tc.clusterJoiner.joinClusterCalled) + assert.Greater(tc.clusterJoiner.joinClusterCalled, 0) } else { - assert.False(tc.clusterJoiner.joinClusterCalled) + assert.Equal(0, tc.clusterJoiner.joinClusterCalled) + } + if tc.wantNumJoins > 0 { + assert.GreaterOrEqual(tc.clusterJoiner.joinClusterCalled, tc.wantNumJoins) } if tc.wantLock { assert.False(client.nodeLock.TryLockOnce(nil)) // lock should be locked @@ -398,12 +416,17 @@ type issueJoinTicketAnswer struct { } type stubClusterJoiner struct { - joinClusterCalled bool + joinClusterCalled int + numBadCalls int joinClusterErr error } func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, components.Components, *slog.Logger) error { - j.joinClusterCalled = true + j.joinClusterCalled++ + if j.numBadCalls == 0 { + return nil + } + j.numBadCalls-- return j.joinClusterErr } From 643b1ed4ac38d39c2a58bdd3bc4193f8c589c6e2 Mon Sep 17 00:00:00 2001 
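Review bot: `assert.GreaterOrEqual(tc.clusterJoiner.joinClusterCalled, tc.wantNumJoins)` only checks a lower bound, so the new "joinCluster fails transiently" case (`numBadCalls: 1`, `wantNumJoins: 2`) passes whether the join loop stops after its first successful attempt or keeps calling `JoinCluster` until the retry budget is spent; `assert.Equal(tc.wantNumJoins, tc.clusterJoiner.joinClusterCalled)` would pin the intended count. The always-failing case (`numBadCalls: -1`) should then also set `wantNumJoins` to the retry budget so the upper bound is covered too. `TestClient` starts before this hunk.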
From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Wed, 6 Mar 2024 13:37:11 +0100 Subject: [PATCH 10/47] deps: update protobuf to v1.33.0 --- bazel/toolchains/go_module_deps.bzl | 4 ++-- bootstrapper/initproto/init.pb.go | 2 +- debugd/service/debugd.pb.go | 2 +- disk-mapper/recoverproto/recover.pb.go | 2 +- go.mod | 2 +- go.sum | 4 ++-- hack/tools/go.mod | 2 +- hack/tools/go.sum | 4 ++-- internal/versions/components/components.pb.go | 2 +- joinservice/joinproto/join.pb.go | 2 +- keyservice/keyserviceproto/keyservice.pb.go | 2 +- upgrade-agent/upgradeproto/upgrade.pb.go | 2 +- verify/verifyproto/verify.pb.go | 2 +- 13 files changed, 16 insertions(+), 16 deletions(-) diff --git a/bazel/toolchains/go_module_deps.bzl b/bazel/toolchains/go_module_deps.bzl index c273f17c1..4d432be73 100644 --- a/bazel/toolchains/go_module_deps.bzl +++ b/bazel/toolchains/go_module_deps.bzl @@ -6933,8 +6933,8 @@ def go_dependencies(): build_file_generation = "on", build_file_proto_mode = "disable_global", importpath = "google.golang.org/protobuf", - sum = "h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=", - version = "v1.32.0", + sum = "h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=", + version = "v1.33.0", ) go_repository( name = "org_golang_x_crypto", diff --git a/bootstrapper/initproto/init.pb.go b/bootstrapper/initproto/init.pb.go index 49401ec0a..e2d1e2cf6 100644 --- a/bootstrapper/initproto/init.pb.go +++ b/bootstrapper/initproto/init.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: bootstrapper/initproto/init.proto diff --git a/debugd/service/debugd.pb.go b/debugd/service/debugd.pb.go index cf7637ffd..fb95a1221 100644 --- a/debugd/service/debugd.pb.go +++ b/debugd/service/debugd.pb.go 
@@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: debugd/service/debugd.proto diff --git a/disk-mapper/recoverproto/recover.pb.go b/disk-mapper/recoverproto/recover.pb.go index fa62e6d69..2a22120de 100644 --- a/disk-mapper/recoverproto/recover.pb.go +++ b/disk-mapper/recoverproto/recover.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: disk-mapper/recoverproto/recover.proto diff --git a/go.mod b/go.mod index 5bb697ee2..e0b5c85b8 100644 --- a/go.mod +++ b/go.mod @@ -134,7 +134,7 @@ require ( golang.org/x/tools v0.18.0 google.golang.org/api v0.165.0 google.golang.org/grpc v1.61.1 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm v2.17.0+incompatible helm.sh/helm/v3 v3.14.2 diff --git a/go.sum b/go.sum index d868f4ccd..ca449d14a 100644 --- a/go.sum +++ b/go.sum 
@@ -1008,8 +1008,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/hack/tools/go.mod b/hack/tools/go.mod index a18f50a6d..a18b99dc7 100644 --- a/hack/tools/go.mod +++ b/hack/tools/go.mod @@ -46,7 +46,7 @@ require ( golang.org/x/sys v0.17.0 // indirect golang.org/x/term v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect - google.golang.org/protobuf v1.32.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect gopkg.in/src-d/go-git.v4 v4.13.1 // indirect diff --git a/hack/tools/go.sum b/hack/tools/go.sum index 288fbb4bd..c0750a1c3 100644 --- a/hack/tools/go.sum +++ b/hack/tools/go.sum 
@@ -813,8 +813,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/internal/versions/components/components.pb.go b/internal/versions/components/components.pb.go index 8293a1675..76fe28755 100644 --- a/internal/versions/components/components.pb.go +++ b/internal/versions/components/components.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: internal/versions/components/components.proto diff --git a/joinservice/joinproto/join.pb.go b/joinservice/joinproto/join.pb.go index 8afb7df19..5fe259256 100644 --- a/joinservice/joinproto/join.pb.go +++ b/joinservice/joinproto/join.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: joinservice/joinproto/join.proto 
diff --git a/keyservice/keyserviceproto/keyservice.pb.go b/keyservice/keyserviceproto/keyservice.pb.go index 59faea21d..65beb0c55 100644 --- a/keyservice/keyserviceproto/keyservice.pb.go +++ b/keyservice/keyserviceproto/keyservice.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: keyservice/keyserviceproto/keyservice.proto diff --git a/upgrade-agent/upgradeproto/upgrade.pb.go b/upgrade-agent/upgradeproto/upgrade.pb.go index faba2c104..a110b3cd0 100644 --- a/upgrade-agent/upgradeproto/upgrade.pb.go +++ b/upgrade-agent/upgradeproto/upgrade.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: upgrade-agent/upgradeproto/upgrade.proto diff --git a/verify/verifyproto/verify.pb.go b/verify/verifyproto/verify.pb.go index 8a4d9fc84..cc121d32f 100644 --- a/verify/verifyproto/verify.pb.go +++ b/verify/verifyproto/verify.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc v4.22.1 // source: verify/verifyproto/verify.proto From 7238e2f8955e036a152b4af177b68b47a64e26e0 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Wed, 6 Mar 2024 13:45:06 +0100 Subject: [PATCH 11/47] deps: update Go to v1.22.1 --- .github/actions/versionsapi/Dockerfile | 2 +- .github/workflows/build-ccm-gcp.yml | 2 +- .github/workflows/build-os-image-scheduled.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test-operator-codegen.yml | 2 +- 3rdparty/gcp-guest-agent/Dockerfile | 2 +- WORKSPACE.bazel | 2 +- go.work | 4 ++-- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/actions/versionsapi/Dockerfile b/.github/actions/versionsapi/Dockerfile index 759170058..b1018466a 100644 
--- a/.github/actions/versionsapi/Dockerfile +++ b/.github/actions/versionsapi/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.22.0@sha256:7b297d9abee021bab9046e492506b3c2da8a3722cbf301653186545ecc1e00bb as builder +FROM golang:1.22.1@sha256:34ce21a9696a017249614876638ea37ceca13cdd88f582caad06f87a8aa45bf3 as builder # Download project root dependencies WORKDIR /workspace diff --git a/.github/workflows/build-ccm-gcp.yml b/.github/workflows/build-ccm-gcp.yml index 312bd4a90..52d33a5af 100644 --- a/.github/workflows/build-ccm-gcp.yml +++ b/.github/workflows/build-ccm-gcp.yml @@ -31,7 +31,7 @@ jobs: - name: Setup Go environment uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.22.0" + go-version: "1.22.1" cache: false - name: Install Crane diff --git a/.github/workflows/build-os-image-scheduled.yml b/.github/workflows/build-os-image-scheduled.yml index 577cb9f29..5e3d79c45 100644 --- a/.github/workflows/build-os-image-scheduled.yml +++ b/.github/workflows/build-os-image-scheduled.yml @@ -69,7 +69,7 @@ jobs: - name: Setup Go environment uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.22.0" + go-version: "1.22.1" cache: false - name: Determine version diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6fa0c6a9e..de17bf19c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,7 +40,7 @@ jobs: if: matrix.language == 'go' uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.22.0" + go-version: "1.22.1" cache: false - name: Initialize CodeQL diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cda56fea0..a09cbff11 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -233,7 +233,7 @@ jobs: - name: Setup Go environment uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.22.0" + go-version: "1.22.1" cache: true - name: Build generateMeasurements tool diff --git a/.github/workflows/test-operator-codegen.yml b/.github/workflows/test-operator-codegen.yml index d8d583b9b..028ef981c 100644 --- a/.github/workflows/test-operator-codegen.yml +++ b/.github/workflows/test-operator-codegen.yml @@ -28,7 +28,7 @@ jobs: - name: Setup Go environment uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.22.0" + go-version: "1.22.1" cache: true - name: Run code generation diff --git a/3rdparty/gcp-guest-agent/Dockerfile b/3rdparty/gcp-guest-agent/Dockerfile index 178da4463..e435bfbc3 100644 --- a/3rdparty/gcp-guest-agent/Dockerfile +++ b/3rdparty/gcp-guest-agent/Dockerfile @@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \ git # Install Go -ARG GO_VER=1.22.0 +ARG GO_VER=1.22.1 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \ tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \ rm go${GO_VER}.linux-amd64.tar.gz diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel index 51db5ca5e..e65cf4f10 100644 --- a/WORKSPACE.bazel +++ b/WORKSPACE.bazel @@ -169,7 +169,7 @@ load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_depe go_rules_dependencies() -go_register_toolchains(version = "1.22.0") +go_register_toolchains(version = "1.22.1") load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies") diff --git a/go.work b/go.work index 22d5025da..efe4516e1 100644 --- a/go.work +++ b/go.work @@ -1,6 +1,6 @@ -go 1.22.0 +go 1.22.1 -toolchain go1.22.0 +toolchain go1.22.1 use ( . From c1238663585166f0415558f498e70921ded72f34 Mon Sep 17 00:00:00 2001 
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Wed, 6 Mar 2024 11:01:13 +0100
Subject: [PATCH 12/47] disk-mapper: write failure message to syslog and sleep before reboot
---
 disk-mapper/cmd/main.go | 46 ++++++++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 14 deletions(-)
diff --git a/disk-mapper/cmd/main.go b/disk-mapper/cmd/main.go
index 56b1c1812..f20bf9cfa 100644
--- a/disk-mapper/cmd/main.go
+++ b/disk-mapper/cmd/main.go
@@ -12,9 +12,11 @@ import (
 "fmt"
 "io"
 "log/slog"
+ "log/syslog"
 "net"
 "os"
 "path/filepath"
+ "time"
 "github.com/edgelesssys/constellation/v2/disk-mapper/internal/diskencryption"
 "github.com/edgelesssys/constellation/v2/disk-mapper/internal/recoveryserver"
@@ -48,6 +50,21 @@ const (
 )
 func main() {
+ runErr := run()
+ if runErr == nil {
+ return
+ }
+ syslogWriter, err := syslog.New(syslog.LOG_EMERG|syslog.LOG_KERN, "disk-mapper")
+ if err != nil {
+ os.Exit(1)
+ }
+ _ = syslogWriter.Err(runErr.Error())
+ _ = syslogWriter.Emerg("disk-mapper has failed. In most cases, this is due to a misconfiguration or transient error with the infrastructure.")
+ time.Sleep(time.Minute) // sleep to allow the message to be written to syslog and seen by the user
+ os.Exit(1)
+}
+
+func run() error {
 csp := flag.String("csp", "", "Cloud Service Provider the image is running on")
 verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
@@ -60,12 +77,12 @@ func main() {
 attestVariant, err := variant.FromString(os.Getenv(constants.AttestationVariant))
 if err != nil {
 log.With(slog.Any("error", err)).Error("Failed to parse attestation variant")
- os.Exit(1)
+ return err
 }
 issuer, err := choose.Issuer(attestVariant, log)
 if err != nil {
 log.With(slog.Any("error", err)).Error("Failed to select issuer")
- os.Exit(1)
+ return err
 }
 // set up metadata API
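Review bot: If `syslog.New` fails, `main` calls `os.Exit(1)` without writing `runErr` anywhere, so the failure reason is lost on exactly the systems where the syslog path was added to help; print it to stderr first, `fmt.Fprintln(os.Stderr, "disk-mapper failed:", runErr)`, before the `os.Exit(1)` in that branch. `syslog.LOG_KERN` is the kernel facility, which syslog(3) documents as not generated by user processes, and how journald or rsyslog tag a user-space message carrying it varies; `LOG_DAEMON` is probably what is intended, so confirm against what the journal actually shows. The inline comment on `time.Sleep(time.Minute)` should also say what happens after the exit (presumably a unit restart or reboot policy), since a one-minute stall in a boot-critical service is otherwise surprising to the next reader.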
@@ -78,36 +95,36 @@ func main() {
 diskPath, err = filepath.EvalSymlinks(awsStateDiskPath)
 if err != nil {
 log.With(slog.Any("error", err)).Error("Unable to resolve Azure state disk path")
- os.Exit(1)
+ return err
 }
 metadataClient, err = awscloud.New(context.Background())
 if err != nil {
 log.With(slog.Any("error", err)).Error("Failed to set up AWS metadata client")
- os.Exit(1)
+ return err
 }
 case cloudprovider.Azure:
 diskPath, err = filepath.EvalSymlinks(azureStateDiskPath)
 if err != nil {
 log.With(slog.Any("error", err)).Error("Unable to resolve Azure state disk path")
- os.Exit(1)
+ return err
 }
 metadataClient, err = azurecloud.New(context.Background())
 if err != nil {
 log.With(slog.Any("error", err)).Error("Failed to set up Azure metadata client")
- os.Exit(1)
+ return err
 }
 case cloudprovider.GCP:
 diskPath, err = filepath.EvalSymlinks(gcpStateDiskPath)
 if err != nil {
 log.With(slog.Any("error", err)).Error("Unable to resolve GCP state disk path")
- os.Exit(1)
+ return err
 }
 gcpMeta, err := gcpcloud.New(context.Background())
 if err != nil {
 log.With(slog.Any("error", err)).Error(("Failed to create GCP metadata client"))
- os.Exit(1)
+ return err
 }
 defer gcpMeta.Close()
 metadataClient = gcpMeta
@@ -117,7 +134,7 @@ func main() {
 metadataClient, err = openstack.New(context.Background())
 if err != nil {
 log.With(slog.Any("error", err)).Error(("Failed to create OpenStack metadata client"))
- os.Exit(1)
+ return err
 }
 case cloudprovider.QEMU:
@@ -126,14 +143,14 @@ func main() {
 default:
 log.Error(fmt.Sprintf("CSP %s is not supported by Constellation", *csp))
- os.Exit(1)
+ return err
 }
 // initialize device mapper
 mapper, free, err := diskencryption.New(diskPath, log)
 if err != nil {
 log.With(slog.Any("error", err)).Error(("Failed to initialize device mapper"))
- os.Exit(1)
+ return err
 }
 defer free()
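Review bot: In the `default:` branch of the CSP switch, `return err` returns whatever `err` currently holds, and the last assignment visible before the switch (`choose.Issuer`) succeeded on this path, so an unsupported `--csp` value most likely makes `run` return nil, `main` exit 0, and the new syslog/emergency path is never reached; return a real error instead, `return fmt.Errorf("CSP %s is not supported by Constellation", *csp)`. The AWS branch's message `Unable to resolve Azure state disk path` is a pre-existing copy-paste slip worth fixing while these lines are touched. The switch begins before this hunk, so an assignment to `err` between the issuer setup and the switch would change this analysis; I cannot see one.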
@@ -156,7 +173,7 @@ func main() { if err := setupManger.LogDevices(); err != nil { log.With(slog.Any("error", err)).Error(("Failed to log devices")) - os.Exit(1) + return err } // prepare the state disk @@ -166,7 +183,7 @@ func main() { self, err = metadataClient.Self(context.Background()) if err != nil { log.With(slog.Any("error", err)).Error(("Failed to get self metadata")) - os.Exit(1) + return err } rejoinClient := rejoinclient.New( dialer.New(issuer, nil, &net.Dialer{}), @@ -189,6 +206,7 @@ func main() { } if err != nil { log.With(slog.Any("error", err)).Error(("Failed to prepare state disk")) - os.Exit(1) + return err } + return nil } From 536bf6a35a039865785cf82bd0447b27191bede5 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Wed, 6 Mar 2024 12:12:19 +0100 Subject: [PATCH 13/47] image: special case OpenStack serial console to include ttyS1 --- image/system/mkosi.conf | 2 +- image/system/variants.bzl | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf index f49c9ebd8..b23cf00a3 100644 --- a/image/system/mkosi.conf +++ b/image/system/mkosi.conf @@ -13,7 +13,7 @@ Seed=0e9a6fe0-68f6-408c-bbeb-136054d20445 SourceDateEpoch=0 Bootable=yes Bootloader=uki -KernelCommandLine=preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0 +KernelCommandLine=preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 RemoveFiles=/var/log RemoveFiles=/var/cache RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts diff --git a/image/system/variants.bzl b/image/system/variants.bzl index 75dd7c21e..3cca05c95 100644 --- a/image/system/variants.bzl +++ b/image/system/variants.bzl @@ -55,6 +55,7 @@ base_cmdline = "selinux=1 enforcing=0 audit=0" csp_settings = { "aws": { "kernel_command_line_dict": { + "console": "ttyS0", "constel.csp": "aws", "idle": "poll", "mitigations": "auto", 
@@ -62,20 +63,21 @@ csp_settings = {
 },
 "azure": {
 "kernel_command_line_dict": {
+ "console": "ttyS0",
 "constel.csp": "azure",
 "mitigations": "auto,nosmt",
 },
 },
 "gcp": {
 "kernel_command_line_dict": {
+ "console": "ttyS0",
 "constel.csp": "gcp",
 "mitigations": "auto,nosmt",
 },
 },
 "openstack": {
- "kernel_command_line": "console=tty0 console=ttyS0",
+ "kernel_command_line": "console=tty0 console=ttyS0 console=ttyS1",
 "kernel_command_line_dict": {
- "console": "tty0",
 "constel.csp": "openstack",
 "kvm_amd.sev": "1",
 "mem_encrypt": "on",
@@ -86,6 +88,7 @@ csp_settings = {
 "qemu": {
 "autologin": True,
 "kernel_command_line_dict": {
+ "console": "ttyS0",
 "constel.csp": "qemu",
 "mitigations": "auto,nosmt",
 },
From a3c5f3d445606c9b61fa140b370e5afb56b851a2 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Wed, 6 Mar 2024 12:14:16 +0100
Subject: [PATCH 14/47] imagefetcher: allow any marketplace image for OpenStack
---
 internal/imagefetcher/imagefetcher.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/imagefetcher/imagefetcher.go b/internal/imagefetcher/imagefetcher.go
index 2d1364ca5..ebbf74e41 100644
--- a/internal/imagefetcher/imagefetcher.go
+++ b/internal/imagefetcher/imagefetcher.go
@@ -111,7 +111,7 @@ func buildMarketplaceImage(payload marketplaceImagePayload) (string, error) {
 return "", fmt.Errorf("parsing image version: %w", err)
 }
- if sv.Prerelease() != "" {
+ if sv.Prerelease() != "" && payload.provider != cloudprovider.OpenStack {
 return "", fmt.Errorf("marketplace images are not supported for prerelease versions")
 }
From 07db82575682e5ecc7b3928f109aa6f5851ec945 Mon Sep 17 00:00:00 2001
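Review bot: `openstack` is now the only entry that carries a raw `kernel_command_line` string while every other provider sets `"console"` through `kernel_command_line_dict`, and nothing says why; add a comment above the openstack entry such as `# console= is given three times (tty0, ttyS0, ttyS1), which a dict key cannot express, so it is passed as a raw string; keep it in step with the other providers' "console" entries.` How the raw string and the dict are combined, and which wins if both name the same key, is decided by code outside this hunk, so the comment should also state that once confirmed.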
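Review bot: The new `&& payload.provider != cloudprovider.OpenStack` clause exempts one provider from the prerelease guard without a comment, and the error message `marketplace images are not supported for prerelease versions` still reads as a blanket rule; add the reason on the line above, e.g. `// OpenStack marketplace images are also offered for prerelease versions, so the guard applies to the other providers only — TODO confirm this matches the publishing pipeline.` Since this decides which image a node boots, the comment should also say where a prerelease image's expected measurements come from, otherwise the relaxation can be read as loosening image verification; that is not visible in this hunk. `buildMarketplaceImage` starts before the hunk.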
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Wed, 6 Mar 2024 13:20:42 +0100
Subject: [PATCH 15/47] openstack: improve error message on IMDS failures
---
 internal/cloud/openstack/imds.go | 7 +++--
 internal/cloud/openstack/imds_test.go | 43 +++++++++++++++++++--------
 2 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/internal/cloud/openstack/imds.go b/internal/cloud/openstack/imds.go
index c9e3332c8..e977558d9 100644
--- a/internal/cloud/openstack/imds.go
+++ b/internal/cloud/openstack/imds.go
@@ -211,7 +211,7 @@ func (c *imdsClient) update(ctx context.Context) error {
 }
 var metadataResp metadataResponse
 if err := json.Unmarshal(resp, &metadataResp); err != nil {
- return err
+ return fmt.Errorf("unmarshalling IMDS metadata response %q: %w", string(resp), err)
 }
 c.cache = metadataResp
 c.cacheTime = time.Now()
@@ -244,7 +244,10 @@ func httpGet(ctx context.Context, c httpClient, url string) ([]byte, error) {
 }
 resp, err := c.Do(req)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("querying the OpenStack IMDS api failed for %q: %w", url, err)
+ }
+ if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+ return nil, fmt.Errorf("IMDS api might be broken for this server. Recreate the cluster if this issue persists. Querying the OpenStack IMDS api failed for %q with error code %d", url, resp.StatusCode)
 }
 defer resp.Body.Close()
 return io.ReadAll(resp.Body)
diff --git a/internal/cloud/openstack/imds_test.go b/internal/cloud/openstack/imds_test.go
index 57430bb8c..94caaa108 100644
--- a/internal/cloud/openstack/imds_test.go
+++ b/internal/cloud/openstack/imds_test.go
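Review bot: The new unmarshal error embeds the entire raw IMDS body (`%q` of `string(resp)`), so wherever this error is logged or surfaced the full metadata document returned by the service lands in the log line; cap it, e.g. format only the first few hundred bytes plus the total length, or report just the JSON error and `len(resp)`. `update` starts and ends outside this hunk, so where the error is consumed is not visible.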
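Review bot: On a non-2xx status the new check returns before `defer resp.Body.Close()` is registered, so the response body is never closed and the connection cannot be returned to the transport's pool; register the defer right after the `c.Do` error check, i.e. move `defer resp.Body.Close()` above the `if resp.StatusCode < 200 || resp.StatusCode >= 300 {` line. The error text also folds operator guidance (`Recreate the cluster if this issue persists`) into a wrapped error and starts with a capital letter, unlike the lowercase wrapping in the `c.Do` branch just above; keep the error itself minimal and put the guidance in the caller's log. The request construction at the top of `httpGet` lies before the hunk.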
@@ -43,30 +43,30 @@ func TestProviderID(t *testing.T) { wantCall: false, }, "from http": { - newClient: newStubHTTPClientJSONFunc(mResp1, nil), + newClient: newStubHTTPClientJSONFunc(mResp1, 200, nil), wantResult: expect1, wantCall: true, }, "cache outdated": { cache: mResp1, cacheTime: time.Now().AddDate(0, 0, -1), - newClient: newStubHTTPClientJSONFunc(mResp2, nil), + newClient: newStubHTTPClientJSONFunc(mResp2, 200, nil), wantResult: expect2, wantCall: true, }, "cache empty": { cacheTime: time.Now(), - newClient: newStubHTTPClientJSONFunc(mResp1, nil), + newClient: newStubHTTPClientJSONFunc(mResp1, 200, nil), wantResult: expect1, wantCall: true, }, "http error": { - newClient: newStubHTTPClientJSONFunc(metadataResponse{}, someErr), + newClient: newStubHTTPClientJSONFunc(metadataResponse{}, 200, someErr), wantCall: true, wantErr: true, }, "http empty response": { - newClient: newStubHTTPClientJSONFunc(metadataResponse{}, nil), + newClient: newStubHTTPClientJSONFunc(metadataResponse{}, 200, nil), wantCall: true, wantErr: true, }, 
@@ -207,30 +207,35 @@ func TestRole(t *testing.T) { wantCall: false, }, "from http": { - newClient: newStubHTTPClientJSONFunc(mResp1, nil), + newClient: newStubHTTPClientJSONFunc(mResp1, 200, nil), wantResult: expect1, wantCall: true, }, "cache outdated": { cache: mResp1, cacheTime: time.Now().AddDate(0, 0, -1), - newClient: newStubHTTPClientJSONFunc(mResp2, nil), + newClient: newStubHTTPClientJSONFunc(mResp2, 200, nil), wantResult: expect2, wantCall: true, }, "cache empty": { cacheTime: time.Now(), - newClient: newStubHTTPClientJSONFunc(mResp1, nil), + newClient: newStubHTTPClientJSONFunc(mResp1, 200, nil), wantResult: expect1, wantCall: true, }, "http error": { - newClient: newStubHTTPClientJSONFunc(metadataResponse{}, someErr), + newClient: newStubHTTPClientJSONFunc(metadataResponse{}, 200, someErr), + wantCall: true, + wantErr: true, + }, + "http status code 500": { + newClient: newStubHTTPClientJSONFunc(metadataResponse{}, 500, nil), wantCall: true, wantErr: true, }, "http empty response": { - newClient: newStubHTTPClientJSONFunc(metadataResponse{}, nil), + newClient: newStubHTTPClientJSONFunc(metadataResponse{}, 200, nil), wantCall: true, wantErr: true, }, @@ -369,14 +374,16 @@ type httpClientJSONCreateFunc func(r *require.Assertions) *stubHTTPClientJSON type stubHTTPClientJSON struct { require *require.Assertions response metadataResponse + code int err error called bool } -func newStubHTTPClientJSONFunc(response metadataResponse, err error) httpClientJSONCreateFunc { +func newStubHTTPClientJSONFunc(response metadataResponse, statusCode int, err error) httpClientJSONCreateFunc { return func(r *require.Assertions) *stubHTTPClientJSON { return &stubHTTPClientJSON{ response: response, + code: statusCode, err: err, require: r, } 
@@ -387,16 +394,26 @@ func (c *stubHTTPClientJSON) Do(_ *http.Request) (*http.Response, error) { c.called = true body, err := json.Marshal(c.response) c.require.NoError(err) - return &http.Response{Body: io.NopCloser(bytes.NewReader(body))}, c.err + code := 200 + if c.code != 0 { + code = c.code + } + return &http.Response{StatusCode: code, Status: http.StatusText(code), Body: io.NopCloser(bytes.NewReader(body))}, c.err } type stubHTTPClient struct { response string + code int err error called bool } func (c *stubHTTPClient) Do(_ *http.Request) (*http.Response, error) { c.called = true - return &http.Response{Body: io.NopCloser(strings.NewReader(c.response))}, c.err + code := 200 + if c.code != 0 { + code = c.code + } + + return &http.Response{StatusCode: code, Status: http.StatusText(code), Body: io.NopCloser(strings.NewReader(c.response))}, c.err } From f15380a70ef587f9a3804a419daf0174b51e3ffc Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Wed, 6 Mar 2024 10:23:31 +0100 Subject: [PATCH 16/47] docs: add installation instructions for the Windows CLI variant --- docs/docs/getting-started/install.md | 25 ++++++++++++++++++++++++- docs/docs/workflows/verify-cli.md | 4 ++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index 8d41e3c8e..94110617c 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md @@ -6,7 +6,7 @@ Constellation runs entirely in your cloud environment and can be controlled via Make sure the following requirements are met: -* Your machine is running Linux or macOS +* Your machine is running Linux, macOS, or Windows * You have admin rights on your machine * [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed * Your CSP is Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or STACKIT 
@@ -92,6 +92,29 @@ curl -LO https://github.com/edgelesssys/constellation/releases/latest/download/c sudo install constellation-darwin-amd64 /usr/local/bin/constellation ``` + + + + +1. Download the CLI: + +```bash +Invoke-WebRequest -OutFile ./constellation.exe -Uri 'https://github.com/edgelesssys/constellation/releases/latest/download/constellation-windows-amd64.exe' +``` + +2. [Verify the signature](../workflows/verify-cli.md) (optional) + +3. Install the CLI under `C:\Program Files\Constellation\bin\constellation.exe` + +3. Add the CLI to your PATH: + + 1. Open `Advanced system settings` by searching for the App in the Windows search + 2. Go to the `Advanced` tab + 3. Click `Environment Variables…` + 4. Click variable called `Path` and click `Edit…` + 5. Click `New` + 6. Enter the path to the folder containing the binary you want on your PATH: `C:\Program Files\Constellation\bin` + diff --git a/docs/docs/workflows/verify-cli.md b/docs/docs/workflows/verify-cli.md index 1280c51b0..78341f314 100644 --- a/docs/docs/workflows/verify-cli.md +++ b/docs/docs/workflows/verify-cli.md @@ -33,6 +33,10 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature +:::info +This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly. +::: + First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session From a546648074c84d0a3dc754be46cb5e44908ff442 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Fri, 8 Mar 2024 13:15:06 +0100 Subject: [PATCH 17/47] cli: retry auth handshake deadline exceeded errors in CLI and Terraform (#2976) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Daniel Weiße
---
 internal/grpc/retry/retry.go | 17 ++++++++++++++---
 internal/grpc/retry/retry_test.go | 8 ++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/internal/grpc/retry/retry.go b/internal/grpc/retry/retry.go
index 9d03279a4..b7457fc1f 100644
--- a/internal/grpc/retry/retry.go
+++ b/internal/grpc/retry/retry.go
@@ -16,9 +16,10 @@ import (
 )
 const (
- authEOFErr = `connection error: desc = "transport: authentication handshake failed: EOF"`
- authReadTCPErr = `connection error: desc = "transport: authentication handshake failed: read tcp`
- authHandshakeErr = `connection error: desc = "transport: authentication handshake failed`
+ authEOFErr = `connection error: desc = "transport: authentication handshake failed: EOF"`
+ authReadTCPErr = `connection error: desc = "transport: authentication handshake failed: read tcp`
+ authHandshakeErr = `connection error: desc = "transport: authentication handshake failed`
+ authHandshakeDeadlineExceededErr = `connection error: desc = "transport: authentication handshake failed: context deadline exceeded`
 )
 // grpcErr is the error type that is returned by the grpc client.
@@ -57,6 +58,11 @@ func ServiceIsUnavailable(err error) bool {
 return true
 }
+ // retry if the handshake deadline was exceeded
+ if strings.HasPrefix(statusErr.Message(), authHandshakeDeadlineExceededErr) {
+ return true
+ }
+
 return !strings.HasPrefix(statusErr.Message(), authHandshakeErr)
 }
@@ -76,6 +82,11 @@ func LoadbalancerIsNotReady(err error) bool {
 return false
 }
+ // retry if the handshake deadline was exceeded
+ if strings.HasPrefix(statusErr.Message(), authHandshakeDeadlineExceededErr) {
+ return true
+ }
+
 // retry if GCP proxy LB isn't fully available yet
 return strings.HasPrefix(statusErr.Message(), authReadTCPErr)
 }
diff --git a/internal/grpc/retry/retry_test.go b/internal/grpc/retry/retry_test.go
index a1b44dce4..5e51e4bb0 100644
--- a/internal/grpc/retry/retry_test.go
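Review bot: `authHandshakeDeadlineExceededErr` is matched by prefix against a transport error string that grpc-go does not treat as a stable API, and nothing records which grpc-go version the wording was taken from; add a comment on the const block, e.g. `// These messages are copied from grpc-go's transport layer (go.mod pins v1.61.1 in this series) and are not a stable API; re-check them whenever grpc is bumped, the tests in retry_test.go only pin our side.` Both `ServiceIsUnavailable` and `LoadbalancerIsNotReady` start before their hunks, so it is not visible whether the retry they drive is bounded — a handshake that times out can also mean the aTLS peer is genuinely stuck or its attestation verification never completes, and an unbounded retry on that condition would mask it rather than surface it.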
+++ b/internal/grpc/retry/retry_test.go @@ -43,6 +43,10 @@ func TestServiceIsUnavailable(t *testing.T) { err: status.Error(codes.Unavailable, `connection error: desc = "transport: authentication handshake failed: read tcp error"`), wantUnavailable: true, }, + "handshake deadline exceeded error": { + err: status.Error(codes.Unavailable, `connection error: desc = "transport: authentication handshake failed: context deadline exceeded"`), + wantUnavailable: true, + }, "wrapped error": { err: fmt.Errorf("some wrapping: %w", status.Error(codes.Unavailable, "error")), wantUnavailable: true, @@ -82,6 +86,10 @@ func TestLoadbalancerIsNotReady(t *testing.T) { err: status.Error(codes.Unavailable, `connection error: desc = "transport: authentication handshake failed: read tcp error"`), wantNotReady: true, }, + "handshake deadline exceeded error": { + err: status.Error(codes.Unavailable, `connection error: desc = "transport: authentication handshake failed: context deadline exceeded"`), + wantNotReady: true, + }, "normal unavailable error": { err: status.Error(codes.Unavailable, "error"), }, From 6e8cd2ad696b23e52768abb49c9c59b6a424764d Mon Sep 17 00:00:00 2001 From: malt3 <1780588+malt3@users.noreply.github.com> Date: Sun, 10 Mar 2024 08:08:19 +0000 Subject: [PATCH 18/47] image: update locked rpms --- image/mirror/SHA256SUMS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/image/mirror/SHA256SUMS b/image/mirror/SHA256SUMS index 017c3465d..ba49e4366 100644 --- a/image/mirror/SHA256SUMS +++ b/image/mirror/SHA256SUMS 
@@ -68,7 +68,7 @@ b0fc6c55f5989aebf6e71279541206070b32b3b28b708a249bd3bdeaa6c088a4 filesystem-3.1
 79986f917ef1bae7ca2378b16515ba44c19160f5a5eae4f6b697eda160bc26c1 findutils-4.9.0-3.fc38.x86_64.rpm
 d5ae6a7d99826a17d163d9846c2705442b5792a7ccacc5169e4986cdf4b6bae2 fuse-common-3.14.1-1.fc38.x86_64.rpm
 56df47937646df892dad25c6b9ae63d111328febfe86eb93096b8b0a11700b60 fuse-libs-2.9.9-16.fc38.x86_64.rpm
-1e9e8b6447c2650a306e8d107dbdcdaa4f81d4175012eea0c87846faecd64c70 fuse-overlayfs-1.12-1.fc38.x86_64.rpm
+088ebe20ac0854c1f216883aa1f6ed8dfc7844807455f4acfef05b7a4b8509db fuse-overlayfs-1.13-1.fc38.x86_64.rpm
 55ca555fe815bd360b08500889b652f50fe4c56dfafbed0cc459f2362641f1a0 fuse3-3.14.1-1.fc38.x86_64.rpm
 f54340fec047cc359a6a164a1ce88d0d7ffcd8f7d6334b50dc5b3d234e3a19ac fuse3-libs-3.14.1-1.fc38.x86_64.rpm
 e607df61803999da46a199d23d4acadb45b290f29b5b644e583c5526d8081178 gawk-5.1.1-5.fc38.x86_64.rpm
@@ -256,7 +256,7 @@ dea697370ede1848c1a54fdccebf792155d98cbdc5de89e85bbc75ec7c94de8f p11-kit-trust-
 21c59eeb1ad62c09aadca6a4168f927ff943f82e4f764d589f5acb2ab6efc993 pam-libs-1.5.2-16.fc38.i686.rpm
 63e970f7b3f8c54e1dff90661c26519f32a4bf7486c40f2dd38d55e40660230e pam-libs-1.5.2-16.fc38.x86_64.rpm
 8d846f866158409c775656b39e372d59cf224936d29972d3b6d14e40d3b832ca parted-3.5-11.fc38.x86_64.rpm
-5ab994e5589d48c9e600ef7a42c53653607d0c6455c55f739e07da7c3a483bf6 passt-0^20231230.gf091893-1.fc38.x86_64.rpm
+7a4cd426505349a948fbc5bcc24545fbdfb7807d525a9c5a41e75dd57b79dccf passt-0^20240220.g1e6f92b-1.fc38.x86_64.rpm
 43603df046850c4cf067960d8e47998de5c33955b1f865df8d66f20c1b7f676a passwd-0.80-14.fc38.x86_64.rpm
 f2737b94fa026a56c7a427f8f4221ff379ea4c4c32f2fff9d95a7a7836dcc6c7 pcre2-10.42-1.fc38.1.i686.rpm
 cb1caf3e9a4ddc8343c0757c7a2730bf5de2b5f0b4c9ee7d928609566f64f010 pcre2-10.42-1.fc38.1.x86_64.rpm
@@ -341,7 +341,7 @@ cce5fcc8b6b0312caeca04a19494358888b00c125747f5c2d2bd8f006665c730 vim-common-9.1
 5fa001dbcd0752e75421b2e96aabb73265a48cdd646b02dc947da768147f2be8 vim-data-9.1.113-1.fc38.noarch.rpm
 545d77bb579a8fb3e87ecd1d5acf616b4b837612f189206171edad73fd4864ab vim-enhanced-9.1.113-1.fc38.x86_64.rpm
 8743bcb074aed6aa20914b7d0258cd6938e3642fe3550279bb1c66c6300d936a vim-filesystem-9.1.113-1.fc38.noarch.rpm
-7f8524d182dacd6bef744c11d225dd63a82100350e95fe3ec414e70cf642c1f1 wget-1.21.3-5.fc38.x86_64.rpm
+a4c8b2a90705fed491f6f7f258904637c18773d323d39e97bf9036260b79a0f6 wget-1.21.4-1.fc38.x86_64.rpm
 2c8b143f3cb83efa5a31c85bea1da3164ca2dde5e2d75d25115f3e21ef98b4e0 which-2.21-39.fc38.x86_64.rpm
 84f87df3afabe3de8748f172220107e5a5cbb0f0ef954386ecff6b914604aada whois-nls-5.5.18-1.fc38.noarch.rpm
 59a7a5a775c196961cdc51fb89440a055295c767a632bfa684760e73650aa9a0 xkeyboard-config-2.38-1.fc38.noarch.rpm

From e50e97dff6d86d06e4d80c39fcc302df3a51debf Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 11 Mar 2024 10:15:20 +0100
Subject: [PATCH 19/47] openstack: rename client type

---
 internal/cloud/openstack/openstack.go | 22 +++++++++++-----------
 internal/cloud/openstack/openstack_test.go | 10 +++++-----
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/internal/cloud/openstack/openstack.go b/internal/cloud/openstack/openstack.go
index 2e16014f0..9472b3068 100644
--- a/internal/cloud/openstack/openstack.go
+++ b/internal/cloud/openstack/openstack.go
@@ -28,14 +28,14 @@ const (
 microversion = "2.42"
 )
 
-// Cloud is the metadata client for OpenStack.
-type Cloud struct {
+// MetadataClient is the metadata client for OpenStack.
+type MetadataClient struct {
 api serversAPI
 imds imdsAPI
 }
 
 // New creates a new OpenStack metadata client.
-func New(ctx context.Context) (*Cloud, error) {
+func New(ctx context.Context) (*MetadataClient, error) {
 imds := &imdsClient{client: &http.Client{}}
 authURL, err := imds.authURL(ctx)
@@ -77,7 +77,7 @@ func New(ctx context.Context) (*Cloud, error) {
 }
 networksClient.Microversion = microversion
- return &Cloud{
+ return &MetadataClient{
 imds: imds,
 api: &apiClient{
 servers: serversClient,
@@ -87,7 +87,7 @@ func New(ctx context.Context) (*Cloud, error) {
 }
 
 // Self returns the metadata of the current instance.
-func (c *Cloud) Self(ctx context.Context) (metadata.InstanceMetadata, error) {
+func (c *MetadataClient) Self(ctx context.Context) (metadata.InstanceMetadata, error) {
 name, err := c.imds.name(ctx)
 if err != nil {
 return metadata.InstanceMetadata{}, fmt.Errorf("getting name: %w", err)
@@ -114,7 +114,7 @@ func (c *Cloud) Self(ctx context.Context) (metadata.InstanceMetadata, error) {
 }
 
 // List returns the metadata of all instances belonging to the same Constellation cluster.
-func (c *Cloud) List(ctx context.Context) ([]metadata.InstanceMetadata, error) {
+func (c *MetadataClient) List(ctx context.Context) ([]metadata.InstanceMetadata, error) {
 uid, err := c.imds.uid(ctx)
 if err != nil {
 return nil, fmt.Errorf("getting uid: %w", err)
@@ -211,7 +211,7 @@ func (c *Cloud) List(ctx context.Context) ([]metadata.InstanceMetadata, error) {
 }
 
 // UID retrieves the UID of the constellation.
-func (c *Cloud) UID(ctx context.Context) (string, error) {
+func (c *MetadataClient) UID(ctx context.Context) (string, error) {
 uid, err := c.imds.uid(ctx)
 if err != nil {
 return "", fmt.Errorf("retrieving instance UID: %w", err)
@@ -220,7 +220,7 @@ func (c *Cloud) UID(ctx context.Context) (string, error) {
 }
 
 // InitSecretHash retrieves the InitSecretHash of the current instance.
-func (c *Cloud) InitSecretHash(ctx context.Context) ([]byte, error) {
+func (c *MetadataClient) InitSecretHash(ctx context.Context) ([]byte, error) {
 initSecretHash, err := c.imds.initSecretHash(ctx)
 if err != nil {
 return nil, fmt.Errorf("retrieving init secret hash: %w", err)
@@ -232,7 +232,7 @@ func (c *Cloud) InitSecretHash(ctx context.Context) ([]byte, error) {
 // For OpenStack, the load balancer is a floating ip attached to
 // a control plane node.
 // TODO(malt3): Rewrite to use real load balancer once it is available.
-func (c *Cloud) GetLoadBalancerEndpoint(ctx context.Context) (host, port string, err error) {
+func (c *MetadataClient) GetLoadBalancerEndpoint(ctx context.Context) (host, port string, err error) {
 host, err = c.imds.loadBalancerEndpoint(ctx)
 if err != nil {
 return "", "", fmt.Errorf("getting load balancer endpoint: %w", err)
@@ -240,7 +240,7 @@ func (c *Cloud) GetLoadBalancerEndpoint(ctx context.Context) (host, port string,
 return host, strconv.FormatInt(constants.KubernetesPort, 10), nil
 }
 
-func (c *Cloud) getSubnetCIDR(uidTag string) (netip.Prefix, error) {
+func (c *MetadataClient) getSubnetCIDR(uidTag string) (netip.Prefix, error) {
 listNetworksOpts := networks.ListOpts{Tags: uidTag}
 networksPage, err := c.api.ListNetworks(listNetworksOpts).AllPages()
 if err != nil {
@@ -285,7 +285,7 @@ func (c *Cloud) getSubnetCIDR(uidTag string) (netip.Prefix, error) {
 return cidr, nil
 }
 
-func (c *Cloud) getServers(uidTag string) ([]servers.Server, error) {
+func (c *MetadataClient) getServers(uidTag string) ([]servers.Server, error) {
 listServersOpts := servers.ListOpts{Tags: uidTag}
 serversPage, err := c.api.ListServers(listServersOpts).AllPages()
 if err != nil {
diff --git a/internal/cloud/openstack/openstack_test.go b/internal/cloud/openstack/openstack_test.go
index 88e9ff7fd..da8ed9d6b 100644
--- a/internal/cloud/openstack/openstack_test.go
+++ b/internal/cloud/openstack/openstack_test.go
@@ -86,7 +86,7 @@ func TestSelf(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 
- c := &Cloud{imds: tc.imds}
+ c := &MetadataClient{imds: tc.imds}
 
 got, err := c.Self(context.Background())
@@ -382,7 +382,7 @@ func TestList(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 
- c := &Cloud{imds: tc.imds, api: tc.api}
+ c := &MetadataClient{imds: tc.imds, api: tc.api}
 
 got, err := c.List(context.Background())
@@ -416,7 +416,7 @@ func TestUID(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 
- c := &Cloud{imds: tc.imds}
+ c := &MetadataClient{imds: tc.imds}
 
 got, err := c.UID(context.Background())
@@ -450,7 +450,7 @@ func TestInitSecretHash(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 
- c := &Cloud{imds: tc.imds}
+ c := &MetadataClient{imds: tc.imds}
 
 got, err := c.InitSecretHash(context.Background())
@@ -484,7 +484,7 @@ func TestGetLoadBalancerEndpoint(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 
- c := &Cloud{imds: tc.imds}
+ c := &MetadataClient{imds: tc.imds}
 
 got, _, err := c.GetLoadBalancerEndpoint(context.Background())

From d1a22a725ed0bd54ec62bc5d3124ad23f1cdbe17 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 11 Mar 2024 10:21:15 +0100
Subject: [PATCH 20/47] openstack: vendor clouds.yaml Go type definitions from gophercloud v2 beta

---
 bazel/ci/license_header.sh.in | 2 +-
 internal/cloud/openstack/clouds/LICENSE | 193 ++++++++++++++++++++
 internal/cloud/openstack/clouds/clouds.go | 208 ++++++++++++++++++++++
 3 files changed, 402 insertions(+), 1 deletion(-)
 create mode 100644 internal/cloud/openstack/clouds/LICENSE
 create mode 100644 internal/cloud/openstack/clouds/clouds.go

diff --git a/bazel/ci/license_header.sh.in b/bazel/ci/license_header.sh.in
index 5dba4e4a4..4e5ce470c 100644
--- a/bazel/ci/license_header.sh.in
+++ b/bazel/ci/license_header.sh.in
@@ -26,7 +26,7 @@ noHeader=$(
 --exclude-dir 3rdparty \
 --exclude-dir build \
 -e'SPDX-License-Identifier: AGPL-3.0-only' \
- -e'DO NOT EDIT'
+ -e'DO NOT EDIT' | { grep -v internal/cloud/openstack/clouds || true; }
 )
 
 if [[ -z ${noHeader} ]]; then
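Review bot: The exemption for the vendored clouds package is an unanchored substring filter bolted onto the end of the pipeline, which differs from the `--exclude-dir 3rdparty` / `--exclude-dir build` style two lines above and would also hide any other path that merely contains that substring. Unless the grep flags (which start above the hunk, inside `noHeader=$(`) rule it out, anchoring the pattern keeps the exemption precise, `grep -v '^\(\./\)\?internal/cloud/openstack/clouds/'`, and a trailing comment such as `# vendored Apache-2.0 code, carries its own LICENSE` records why the directory is exempt. Note that `|| true` also masks a non-zero exit from this grep for any reason, not only the no-match case it is there for.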
diff --git a/internal/cloud/openstack/clouds/LICENSE b/internal/cloud/openstack/clouds/LICENSE
new file mode 100644
index 000000000..b1da7201f
--- /dev/null
+++ b/internal/cloud/openstack/clouds/LICENSE
@@ -0,0 +1,193 @@ +Copyright 2012-2013 Rackspace, Inc. +Copyright Gophercloud authors +Copyright (c) Edgeless Systems GmbH + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +this file except in compliance with the License. You may obtain a copy of the +License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed +under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the +specific language governing permissions and limitations under the License. + +------ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/internal/cloud/openstack/clouds/clouds.go b/internal/cloud/openstack/clouds/clouds.go new file mode 100644 index 000000000..5128eedc6 --- /dev/null +++ b/internal/cloud/openstack/clouds/clouds.go 
@@ -0,0 +1,208 @@
+/*
+Copyright 2012-2013 Rackspace, Inc.
+Copyright Gophercloud authors
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: Apache-2.0
+*/
+package clouds
+
+import "encoding/json"
+
+// Clouds represents a collection of Cloud entries in a clouds.yaml file.
+type Clouds struct {
+ Clouds map[string]Cloud `yaml:"clouds" json:"clouds"`
+}
+
+// Cloud represents an entry in a clouds.yaml/public-clouds.yaml/secure.yaml file.
+type Cloud struct {
+ Cloud string `yaml:"cloud,omitempty" json:"cloud,omitempty"`
+ Profile string `yaml:"profile,omitempty" json:"profile,omitempty"`
+ AuthInfo *AuthInfo `yaml:"auth,omitempty" json:"auth,omitempty"`
+ AuthType AuthType `yaml:"auth_type,omitempty" json:"auth_type,omitempty"`
+ RegionName string `yaml:"region_name,omitempty" json:"region_name,omitempty"`
+ Regions []Region `yaml:"regions,omitempty" json:"regions,omitempty"`
+
+ // EndpointType and Interface both specify whether to use the public, internal,
+ // or admin interface of a service. They should be considered synonymous, but
+ // EndpointType will take precedence when both are specified.
+ EndpointType string `yaml:"endpoint_type,omitempty" json:"endpoint_type,omitempty"`
+ Interface string `yaml:"interface,omitempty" json:"interface,omitempty"`
+
+ // API Version overrides.
+ IdentityAPIVersion string `yaml:"identity_api_version,omitempty" json:"identity_api_version,omitempty"`
+ VolumeAPIVersion string `yaml:"volume_api_version,omitempty" json:"volume_api_version,omitempty"`
+
+ // Verify whether or not SSL API requests should be verified.
+ Verify *bool `yaml:"verify,omitempty" json:"verify,omitempty"`
+
+ // CACertFile a path to a CA Cert bundle that can be used as part of
+ // verifying SSL API requests.
+ CACertFile string `yaml:"cacert,omitempty" json:"cacert,omitempty"`
+
+ // ClientCertFile a path to a client certificate to use as part of the SSL
+ // transaction.
+ ClientCertFile string `yaml:"cert,omitempty" json:"cert,omitempty"`
+
+ // ClientKeyFile a path to a client key to use as part of the SSL
+ // transaction.
+ ClientKeyFile string `yaml:"key,omitempty" json:"key,omitempty"`
+}
+
+// AuthInfo represents the auth section of a cloud entry or
+// auth options entered explicitly in ClientOpts.
+type AuthInfo struct {
+ // AuthURL is the keystone/identity endpoint URL.
+ AuthURL string `yaml:"auth_url,omitempty" json:"auth_url,omitempty"`
+
+ // Token is a pre-generated authentication token.
+ Token string `yaml:"token,omitempty" json:"token,omitempty"`
+
+ // Username is the username of the user.
+ Username string `yaml:"username,omitempty" json:"username,omitempty"`
+
+ // UserID is the unique ID of a user.
+ UserID string `yaml:"user_id,omitempty" json:"user_id,omitempty"`
+
+ // Password is the password of the user.
+ Password string `yaml:"password,omitempty" json:"password,omitempty"`
+
+ // Application Credential ID to login with.
+ ApplicationCredentialID string `yaml:"application_credential_id,omitempty" json:"application_credential_id,omitempty"`
+
+ // Application Credential name to login with.
+ ApplicationCredentialName string `yaml:"application_credential_name,omitempty" json:"application_credential_name,omitempty"`
+
+ // Application Credential secret to login with.
+ ApplicationCredentialSecret string `yaml:"application_credential_secret,omitempty" json:"application_credential_secret,omitempty"`
+
+ // SystemScope is a system information to scope to.
+ SystemScope string `yaml:"system_scope,omitempty" json:"system_scope,omitempty"`
+
+ // ProjectName is the common/human-readable name of a project.
+ // Users can be scoped to a project.
+ // ProjectName on its own is not enough to ensure a unique scope. It must
+ // also be combined with either a ProjectDomainName or ProjectDomainID.
+ // ProjectName cannot be combined with ProjectID in a scope.
+ ProjectName string `yaml:"project_name,omitempty" json:"project_name,omitempty"`
+
+ // ProjectID is the unique ID of a project.
+ // It can be used to scope a user to a specific project.
+ ProjectID string `yaml:"project_id,omitempty" json:"project_id,omitempty"`
+
+ // UserDomainName is the name of the domain where a user resides.
+ // It is used to identify the source domain of a user.
+ UserDomainName string `yaml:"user_domain_name,omitempty" json:"user_domain_name,omitempty"`
+
+ // UserDomainID is the unique ID of the domain where a user resides.
+ // It is used to identify the source domain of a user.
+ UserDomainID string `yaml:"user_domain_id,omitempty" json:"user_domain_id,omitempty"`
+
+ // ProjectDomainName is the name of the domain where a project resides.
+ // It is used to identify the source domain of a project.
+ // ProjectDomainName can be used in addition to a ProjectName when scoping
+ // a user to a specific project.
+ ProjectDomainName string `yaml:"project_domain_name,omitempty" json:"project_domain_name,omitempty"`
+
+ // ProjectDomainID is the name of the domain where a project resides.
+ // It is used to identify the source domain of a project.
+ // ProjectDomainID can be used in addition to a ProjectName when scoping
+ // a user to a specific project.
+ ProjectDomainID string `yaml:"project_domain_id,omitempty" json:"project_domain_id,omitempty"`
+
+ // DomainName is the name of a domain which can be used to identify the
+ // source domain of either a user or a project.
+ // If UserDomainName and ProjectDomainName are not specified, then DomainName
+ // is used as a default choice.
+ // It can also be used be used to specify a domain-only scope.
+ DomainName string `yaml:"domain_name,omitempty" json:"domain_name,omitempty"`
+
+ // DomainID is the unique ID of a domain which can be used to identify the
+ // source domain of eitehr a user or a project.
+ // If UserDomainID and ProjectDomainID are not specified, then DomainID is
+ // used as a default choice.
+ // It can also be used be used to specify a domain-only scope.
+ DomainID string `yaml:"domain_id,omitempty" json:"domain_id,omitempty"`
+
+ // DefaultDomain is the domain ID to fall back on if no other domain has
+ // been specified and a domain is required for scope.
+ DefaultDomain string `yaml:"default_domain,omitempty" json:"default_domain,omitempty"`
+
+ // AllowReauth should be set to true if you grant permission for Gophercloud to
+ // cache your credentials in memory, and to allow Gophercloud to attempt to
+ // re-authenticate automatically if/when your token expires. If you set it to
+ // false, it will not cache these settings, but re-authentication will not be
+ // possible. This setting defaults to false.
+ AllowReauth bool `yaml:"allow_reauth,omitempty" json:"allow_reauth,omitempty"`
+}
+
+// Region represents a region included as part of cloud in clouds.yaml
+// According to Python-based openstacksdk, this can be either a struct (as defined)
+// or a plain string. Custom unmarshallers handle both cases.
+type Region struct {
+ Name string `yaml:"name,omitempty" json:"name,omitempty"`
+ Values Cloud `yaml:"values,omitempty" json:"values,omitempty"`
+}
+
+// UnmarshalJSON handles either a plain string acting as the Name property or
+// a struct, mimicking the Python-based openstacksdk.
+func (r *Region) UnmarshalJSON(data []byte) error {
+ var name string
+ if err := json.Unmarshal(data, &name); err == nil {
+ r.Name = name
+ return nil
+ }
+
+ type region Region
+ var tmp region
+ if err := json.Unmarshal(data, &tmp); err != nil {
+ return err
+ }
+ r.Name = tmp.Name
+ r.Values = tmp.Values
+
+ return nil
+}
+
+// UnmarshalYAML handles either a plain string acting as the Name property or
+// a struct, mimicking the Python-based openstacksdk.
+func (r *Region) UnmarshalYAML(unmarshal func(interface{}) error) error {
+ var name string
+ if err := unmarshal(&name); err == nil {
+ r.Name = name
+ return nil
+ }
+
+ type region Region
+ var tmp region
+ if err := unmarshal(&tmp); err != nil {
+ return err
+ }
+ r.Name = tmp.Name
+ r.Values = tmp.Values
+
+ return nil
+}
+
+// AuthType respresents a valid method of authentication.
+type AuthType string
+
+const (
+ // AuthPassword defines an unknown version of the password
+ AuthPassword AuthType = "password"
+ // AuthToken defined an unknown version of the token
+ AuthToken AuthType = "token"
+
+ // AuthV2Password defines version 2 of the password
+ AuthV2Password AuthType = "v2password"
+ // AuthV2Token defines version 2 of the token
+ AuthV2Token AuthType = "v2token"
+
+ // AuthV3Password defines version 3 of the password
+ AuthV3Password AuthType = "v3password"
+ // AuthV3Token defines version 3 of the token
+ AuthV3Token AuthType = "v3token"
+
+ // AuthV3ApplicationCredential defines version 3 of the application credential
+ AuthV3ApplicationCredential AuthType = "v3applicationcredential"
+)

From d6d9ef437c09768c395aae9395294a7b7d4f7611 Mon Sep 17 00:00:00 2001
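Review bot: The license block is immediately followed by `package clouds` with no blank line in between, so go doc will present the copyright text as the package documentation; insert a blank line after `*/` and add `// Package clouds holds the clouds.yaml type definitions vendored from gophercloud v2.`. AuthInfo carries credentials (Token, Password, ApplicationCredentialSecret) as plain tagged strings, so a `%+v` log line or a re-marshal of a Cloud entry emits them verbatim; a one-line addition to the AuthInfo doc comment, `// AuthInfo contains credentials; do not log it or serialize it outside clouds.yaml handling.`, makes that visible at every use site. The `interface{}` in UnmarshalYAML's signature could be `any` if the module's Go version permits, though keeping it verbatim is defensible for vendored code. The typos `respresents` and `eitehr` in the copied comments are worth fixing while the file is already being adopted.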
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Wed, 6 Mar 2024 20:48:40 +0100
Subject: [PATCH 21/47] terraform-provider: Add support for STACKIT / OpenStack

---
 cli/internal/cmd/apply.go | 2 +-
 cli/internal/cmd/apply_test.go | 2 +-
 cli/internal/cmd/applyhelm.go | 16 ++-
 cli/internal/cmd/init_test.go | 2 +-
 cli/internal/cmd/upgradeapply_test.go | 4 +-
 internal/constellation/helm.go | 7 +-
 internal/constellation/helm/BUILD.bazel | 1 -
 internal/constellation/helm/helm.go | 10 +-
 internal/constellation/helm/helm_test.go | 2 +-
 internal/constellation/helm/loader.go | 17 ++-
 internal/constellation/helm/loader_test.go | 15 +-
 internal/constellation/helm/overrides.go | 7 +-
 .../docs/data-sources/attestation.md | 2 +
 .../docs/data-sources/image.md | 1 +
 .../docs/resources/cluster.md | 20 +++
 .../examples/full/stackit/main.tf | 128 ++++++++++++++++++
 .../internal/provider/BUILD.bazel | 4 +
 .../provider/attestation_data_source_test.go | 52 +++++++
 .../internal/provider/cluster_resource.go | 128 +++++++++++++++++-
 .../provider/cluster_resource_test.go | 75 ++++++++++
 .../internal/provider/convert.go | 6 +-
 .../internal/provider/image_data_source.go | 7 +-
 .../provider/image_data_source_test.go | 32 +++++
 .../internal/provider/shared_attributes.go | 7 +-
 24 files changed, 511 insertions(+), 36 deletions(-)
 create mode 100644 terraform-provider-constellation/examples/full/stackit/main.tf

diff --git a/cli/internal/cmd/apply.go b/cli/internal/cmd/apply.go
index b15ae249d..0c524302e 100644
--- a/cli/internal/cmd/apply.go
+++ b/cli/internal/cmd/apply.go
@@ -844,7 +844,7 @@ type applier interface {
 
 // methods required to install/upgrade Helm charts
 PrepareHelmCharts(
- flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+ flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 ) (helm.Applier, bool, error)
 
 // methods to interact with Kubernetes
diff --git a/cli/internal/cmd/apply_test.go b/cli/internal/cmd/apply_test.go
index a177cd1d4..064e1f42b 100644
--- a/cli/internal/cmd/apply_test.go
+++ b/cli/internal/cmd/apply_test.go
@@ -554,7 +554,7 @@ func (s *stubConstellApplier) Init(context.Context, atls.Validator, *state.State
 type helmApplier interface {
 PrepareHelmCharts(
- flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+ flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 ) (
 helm.Applier, bool, error)
 }
diff --git a/cli/internal/cmd/applyhelm.go b/cli/internal/cmd/applyhelm.go
index 79ae2a6d7..b9e1538d6 100644
--- a/cli/internal/cmd/applyhelm.go
+++ b/cli/internal/cmd/applyhelm.go
@@ -43,6 +43,18 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 ApplyTimeout: a.flags.helmTimeout,
 AllowDestructive: helm.DenyDestructive,
 }
+ if conf.Provider.OpenStack != nil {
+ var deployYawolLoadBalancer bool
+ if conf.Provider.OpenStack.DeployYawolLoadBalancer != nil {
+ deployYawolLoadBalancer = *conf.Provider.OpenStack.DeployYawolLoadBalancer
+ }
+ options.OpenStackValues = &helm.OpenStackValues{
+ DeployYawolLoadBalancer: deployYawolLoadBalancer,
+ FloatingIPPoolID: conf.Provider.OpenStack.FloatingIPPoolID,
+ YawolFlavorID: conf.Provider.OpenStack.YawolFlavorID,
+ YawolImageID: conf.Provider.OpenStack.YawolImageID,
+ }
+ }
 a.log.Debug("Getting service account URI")
 serviceAccURI, err := cloudcmd.GetMarshaledServiceAccountURI(conf, a.fileHandler)
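Review bot: The OpenStack-to-Helm mapping is inlined into runHelmApply (which starts above the hunk), so the defaulting rule for the `DeployYawolLoadBalancer` pointer — unset means false, i.e. no yawol load balancer is deployed — is easy to miss among the surrounding option handling and is not stated anywhere. I would move the block into a small helper whose doc comment records that default and that `OpenStackValues` stays nil for every other provider, and replace the twelve added lines with `options.OpenStackValues = openStackHelmValues(conf.Provider.OpenStack)`. `config.OpenStackConfig` is the type the removed parameter used, so the helper needs no new import in this file.
```go
// openStackHelmValues maps the OpenStack provider section of the config onto
// the Helm values the charts consume. It returns nil for every other provider.
// An unset DeployYawolLoadBalancer is treated as false (no yawol load balancer).
func openStackHelmValues(cfg *config.OpenStackConfig) *helm.OpenStackValues {
	if cfg == nil {
		return nil
	}
	var deployYawolLoadBalancer bool
	if cfg.DeployYawolLoadBalancer != nil {
		deployYawolLoadBalancer = *cfg.DeployYawolLoadBalancer
	}
	return &helm.OpenStackValues{
		DeployYawolLoadBalancer: deployYawolLoadBalancer,
		FloatingIPPoolID:        cfg.FloatingIPPoolID,
		YawolFlavorID:           cfg.YawolFlavorID,
		YawolImageID:            cfg.YawolImageID,
	}
}

// … unchanged: runHelmApply up to the options literal …
	options.OpenStackValues = openStackHelmValues(conf.Provider.OpenStack)
// … unchanged: service account URI lookup and the rest of runHelmApply …
```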
@@ -51,7 +63,7 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 }
 a.log.Debug("Preparing Helm charts")
- executor, includesUpgrades, err := a.applier.PrepareHelmCharts(options, stateFile, serviceAccURI, masterSecret, conf.Provider.OpenStack)
+ executor, includesUpgrades, err := a.applier.PrepareHelmCharts(options, stateFile, serviceAccURI, masterSecret)
 if errors.Is(err, helm.ErrConfirmationMissing) {
 if !a.flags.yes {
 cmd.PrintErrln("WARNING: Upgrading cert-manager will destroy all custom resources you have manually created that are based on the current version of cert-manager.")
@@ -65,7 +77,7 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 }
 }
 options.AllowDestructive = helm.AllowDestructive
- executor, includesUpgrades, err = a.applier.PrepareHelmCharts(options, stateFile, serviceAccURI, masterSecret, conf.Provider.OpenStack)
+ executor, includesUpgrades, err = a.applier.PrepareHelmCharts(options, stateFile, serviceAccURI, masterSecret)
 }
 var upgradeErr *compatibility.InvalidUpgradeError
 if err != nil {
diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go
index f55b7e77c..8d6d2b1bb 100644
--- a/cli/internal/cmd/init_test.go
+++ b/cli/internal/cmd/init_test.go
@@ -279,7 +279,7 @@ type stubHelmApplier struct {
 }
 func (s stubHelmApplier) PrepareHelmCharts(
- _ helm.Options, _ *state.State, _ string, _ uri.MasterSecret, _ *config.OpenStackConfig,
+ _ helm.Options, _ *state.State, _ string, _ uri.MasterSecret,
 ) (helm.Applier, bool, error) {
 return stubRunner{}, false, s.err
 }
diff --git a/cli/internal/cmd/upgradeapply_test.go b/cli/internal/cmd/upgradeapply_test.go
index 8cf546c37..f396cc828 100644
--- a/cli/internal/cmd/upgradeapply_test.go
+++ b/cli/internal/cmd/upgradeapply_test.go
@@ -376,9 +376,9 @@ type mockApplier struct {
 }
 func (m *mockApplier) PrepareHelmCharts(
- helmOpts helm.Options, stateFile *state.State, str string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+ helmOpts helm.Options, stateFile *state.State, str string, masterSecret uri.MasterSecret,
 ) (helm.Applier, bool, error) {
- args := m.Called(helmOpts, stateFile, helmOpts, str, masterSecret, openStackCfg)
+ args := m.Called(helmOpts, stateFile, helmOpts, str, masterSecret)
 return args.Get(0).(helm.Applier), args.Bool(1), args.Error(2)
 }
diff --git a/internal/constellation/helm.go b/internal/constellation/helm.go
index e8b9a815f..1378ce3a0 100644
--- a/internal/constellation/helm.go
+++ b/internal/constellation/helm.go
@@ -9,7 +9,6 @@ package constellation
 import (
 "errors"
- "github.com/edgelesssys/constellation/v2/internal/config"
 "github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 "github.com/edgelesssys/constellation/v2/internal/constellation/state"
 "github.com/edgelesssys/constellation/v2/internal/kms/uri"
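Review bot: The rewritten mock call still records `helmOpts` twice — `args := m.Called(helmOpts, stateFile, helmOpts, str, masterSecret)` — so the recorded argument list does not mirror the method's parameters (helmOpts, stateFile, str, masterSecret), and any `On("PrepareHelmCharts", ...)` expectation has to replicate the duplicate to match. Since this line is touched anyway, `args := m.Called(helmOpts, stateFile, str, masterSecret)` would be the place to fix it; the matching expectations in the test file are outside this hunk and would need the same adjustment, so treat this as a suggestion to verify there first.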
@@ -17,18 +16,18 @@ import (
 // PrepareHelmCharts loads Helm charts for Constellation and returns an executor to apply them.
 func (a *Applier) PrepareHelmCharts(
- flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+ flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 ) (helm.Applier, bool, error) {
 if a.helmClient == nil {
 return nil, false, errors.New("helm client not initialized")
 }
- return a.helmClient.PrepareApply(flags, state, serviceAccURI, masterSecret, openStackCfg)
+ return a.helmClient.PrepareApply(flags, state, serviceAccURI, masterSecret)
 }
 type helmApplier interface {
 PrepareApply(
- flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+ flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 ) (
 helm.Applier, bool, error)
 }
diff --git a/internal/constellation/helm/BUILD.bazel b/internal/constellation/helm/BUILD.bazel
index d579dddb9..6e3c5eee7 100644
--- a/internal/constellation/helm/BUILD.bazel
+++ b/internal/constellation/helm/BUILD.bazel
@@ -467,7 +467,6 @@ go_library(
 "//internal/cloud/gcpshared",
 "//internal/cloud/openstack",
 "//internal/compatibility",
- "//internal/config",
 "//internal/constants",
 "//internal/constellation/helm/imageversion",
 "//internal/constellation/state",
diff --git a/internal/constellation/helm/helm.go b/internal/constellation/helm/helm.go
index ab0438214..d3f1e20f3 100644
--- a/internal/constellation/helm/helm.go
+++ b/internal/constellation/helm/helm.go
@@ -35,7 +35,6 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
- "github.com/edgelesssys/constellation/v2/internal/config"
 "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/constellation/state"
 "github.com/edgelesssys/constellation/v2/internal/file"
@@ -91,13 +90,14 @@ type Options struct {
 MicroserviceVersion semver.Semver
 HelmWaitMode WaitMode
 ApplyTimeout time.Duration
+ OpenStackValues *OpenStackValues
 }
 // PrepareApply loads the charts and returns the executor to apply them.
 func (h Client) PrepareApply(
- flags Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+ flags Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret,
 ) (Applier, bool, error) {
- releases, err := h.loadReleases(flags.CSP, flags.AttestationVariant, flags.K8sVersion, masterSecret, stateFile, flags, serviceAccURI, openStackCfg)
+ releases, err := h.loadReleases(flags.CSP, flags.AttestationVariant, flags.K8sVersion, masterSecret, stateFile, flags, serviceAccURI)
 if err != nil {
 return nil, false, fmt.Errorf("loading Helm releases: %w", err)
 }
@@ -111,11 +111,11 @@ func (h Client) PrepareApply(
 func (h Client) loadReleases(
 csp cloudprovider.Provider, attestationVariant variant.Variant, k8sVersion versions.ValidK8sVersion, secret uri.MasterSecret,
- stateFile *state.State, flags Options, serviceAccURI string, openStackCfg *config.OpenStackConfig,
+ stateFile *state.State, flags Options, serviceAccURI string,
 ) ([]release, error) {
 helmLoader := newLoader(csp, attestationVariant, k8sVersion, stateFile, h.cliVersion)
 h.log.Debug("Created new Helm loader")
- return helmLoader.loadReleases(flags.Conformance, flags.DeployCSIDriver, flags.HelmWaitMode, secret, serviceAccURI, openStackCfg)
+ return helmLoader.loadReleases(flags.Conformance, flags.DeployCSIDriver, flags.HelmWaitMode, secret, serviceAccURI, flags.OpenStackValues)
 }
 // Applier runs the Helm actions.
diff --git a/internal/constellation/helm/helm_test.go b/internal/constellation/helm/helm_test.go
index aed7689d0..f93e49a8a 100644
--- a/internal/constellation/helm/helm_test.go
+++ b/internal/constellation/helm/helm_test.go
@@ -217,7 +217,7 @@ func TestHelmApply(t *testing.T) {
 SetInfrastructure(state.Infrastructure{UID: "testuid"}).
 SetClusterValues(state.ClusterValues{MeasurementSalt: []byte{0x41}}),
 fakeServiceAccURI(csp),
- uri.MasterSecret{Key: []byte("secret"), Salt: []byte("masterSalt")}, nil)
+ uri.MasterSecret{Key: []byte("secret"), Salt: []byte("masterSalt")})
 var upgradeErr *compatibility.InvalidUpgradeError
 if tc.expectError {
 assert.Error(t, err)
diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go
index 6f6c95d4f..994575f6f 100644
--- a/internal/constellation/helm/loader.go
+++ b/internal/constellation/helm/loader.go
@@ -21,7 +21,6 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
- "github.com/edgelesssys/constellation/v2/internal/config"
 "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/constellation/helm/imageversion"
 "github.com/edgelesssys/constellation/v2/internal/constellation/state"
@@ -115,9 +114,17 @@ func newLoader(csp cloudprovider.Provider, attestationVariant variant.Variant, k
 // that the new release is installed after the existing one to avoid name conflicts.
 type releaseApplyOrder []release
+// OpenStackValues are helm values for OpenStack.
+type OpenStackValues struct {
+ DeployYawolLoadBalancer bool
+ FloatingIPPoolID string
+ YawolFlavorID string
+ YawolImageID string
+}
+
 // loadReleases loads the embedded helm charts and returns them as a HelmReleases object.
 func (i *chartLoader) loadReleases(conformanceMode, deployCSIDriver bool, helmWaitMode WaitMode, masterSecret uri.MasterSecret,
- serviceAccURI string, openStackCfg *config.OpenStackConfig,
+ serviceAccURI string, openStackValues *OpenStackValues,
 ) (releaseApplyOrder, error) {
 ciliumRelease, err := i.loadRelease(ciliumInfo, helmWaitMode)
 if err != nil {
@@ -143,7 +150,7 @@ func (i *chartLoader) loadReleases(conformanceMode, deployCSIDriver bool, helmWa
 }
 svcVals, err := extraConstellationServicesValues(i.csp, i.attestationVariant, masterSecret,
- serviceAccURI, i.stateFile.Infrastructure, openStackCfg)
+ serviceAccURI, i.stateFile.Infrastructure, openStackValues)
 if err != nil {
 return nil, fmt.Errorf("extending constellation-services values: %w", err)
 }
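Review bot: `OpenStackValues` is a new exported type whose four fields carry no comments, and the type comment does not say what a nil pointer means, although loadReleases (following hunk) and extraYawolValues treat nil as "no yawol load balancer". Suggest `// OpenStackValues are the OpenStack-specific Helm values. A nil *OpenStackValues skips the yawol release.` on the type, plus a one-line comment per field naming the chart value it feeds. extraConstellationServicesValues now receives the same possibly-nil pointer (last hunk here); its body is outside this diff, so whether it guards against nil cannot be confirmed from the patch and is worth checking.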
@@ -169,13 +176,13 @@ func (i *chartLoader) loadReleases(conformanceMode, deployCSIDriver bool, helmWa
 }
 releases = append(releases, awsRelease)
 }
- if i.csp == cloudprovider.OpenStack && openStackCfg.DeployYawolLoadBalancer != nil && *openStackCfg.DeployYawolLoadBalancer {
+ if i.csp == cloudprovider.OpenStack && openStackValues != nil && openStackValues.DeployYawolLoadBalancer {
 yawolRelease, err := i.loadRelease(yawolLBControllerInfo, WaitModeNone)
 if err != nil {
 return nil, fmt.Errorf("loading yawol chart: %w", err)
 }
- yawolVals, err := extraYawolValues(serviceAccURI, i.stateFile.Infrastructure, openStackCfg)
+ yawolVals, err := extraYawolValues(serviceAccURI, i.stateFile.Infrastructure, openStackValues)
 if err != nil {
 return nil, fmt.Errorf("extending yawol chart values: %w", err)
 }
diff --git a/internal/constellation/helm/loader_test.go b/internal/constellation/helm/loader_test.go
index 9f394e2ea..762f544b3 100644
--- a/internal/constellation/helm/loader_test.go
+++ b/internal/constellation/helm/loader_test.go
@@ -175,6 +175,19 @@ func TestConstellationServices(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 require := require.New(t)
+ var openstackValues *OpenStackValues
+ if tc.config.Provider.OpenStack != nil {
+ var deploy bool
+ if tc.config.Provider.OpenStack.DeployYawolLoadBalancer != nil {
+ deploy = *tc.config.Provider.OpenStack.DeployYawolLoadBalancer
+ }
+ openstackValues = &OpenStackValues{
+ DeployYawolLoadBalancer: deploy,
+ FloatingIPPoolID: tc.config.Provider.OpenStack.FloatingIPPoolID,
+ YawolFlavorID: tc.config.Provider.OpenStack.YawolFlavorID,
+ YawolImageID: tc.config.Provider.OpenStack.YawolImageID,
+ }
+ }
 chartLoader := chartLoader{
 csp: tc.config.GetProvider(),
@@ -199,7 +212,7 @@ func TestConstellationServices(t *testing.T) {
 UID: "uid",
 Azure: &state.Azure{},
 GCP: &state.GCP{},
- }, tc.config.Provider.OpenStack)
+ }, openstackValues)
 require.NoError(err)
 values = mergeMaps(values, extraVals)
diff --git a/internal/constellation/helm/overrides.go b/internal/constellation/helm/overrides.go
index 6dfea0c2c..cf454735a 100644
--- a/internal/constellation/helm/overrides.go
+++ b/internal/constellation/helm/overrides.go
@@ -18,7 +18,6 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 "github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
 "github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
- "github.com/edgelesssys/constellation/v2/internal/config"
 "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/constellation/state"
 "github.com/edgelesssys/constellation/v2/internal/kms/uri"
@@ -83,7 +82,7 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 // Values set inside this function are only applied during init, not during upgrade.
 func extraConstellationServicesValues(
 csp cloudprovider.Provider, attestationVariant variant.Variant, masterSecret uri.MasterSecret, serviceAccURI string,
- output state.Infrastructure, openStackCfg *config.OpenStackConfig,
+ output state.Infrastructure, openStackCfg *OpenStackValues,
 ) (map[string]any, error) {
 extraVals := map[string]any{}
 extraVals["join-service"] = map[string]any{
@@ -152,7 +151,7 @@ func extraConstellationServicesValues(
 // extraYawolValues extends the given values map by some values depending on user input.
 // Values set inside this function are only applied during init, not during upgrade.
-func extraYawolValues(serviceAccURI string, output state.Infrastructure, openStackCfg *config.OpenStackConfig) (map[string]any, error) {
+func extraYawolValues(serviceAccURI string, output state.Infrastructure, openStackCfg *OpenStackValues) (map[string]any, error) {
 extraVals := map[string]any{}
 creds, err := openstack.AccountKeyFromURI(serviceAccURI)
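Review bot: Both signatures changed here keep the old parameter name `openStackCfg` although the type is now `*OpenStackValues` and the callers in loader.go were renamed to `openStackValues`; renaming it in extraConstellationServicesValues and extraYawolValues — `output state.Infrastructure, openStackValues *OpenStackValues,` and `func extraYawolValues(serviceAccURI string, output state.Infrastructure, openStackValues *OpenStackValues) (map[string]any, error) {` — keeps the name from suggesting a config object that this package no longer imports. The same rename would then apply to the nil guard in the next hunk. The body of extraConstellationServicesValues lies outside the diff, so it is not visible whether it dereferences the pointer for the OpenStack case without the nil check that extraYawolValues gets below; callers can pass nil now, as helm_test's PrepareApply call does.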
@@ -163,7 +162,7 @@ func extraYawolValues(serviceAccURI string, output state.Infrastructure, openSta
 extraVals["yawol-config"] = map[string]any{
 "secretData": yawolIni,
 }
- if openStackCfg.DeployYawolLoadBalancer != nil && *openStackCfg.DeployYawolLoadBalancer {
+ if openStackCfg != nil && openStackCfg.DeployYawolLoadBalancer {
 extraVals["yawol-controller"] = map[string]any{
 "yawolOSSecretName": "yawolkey",
 // has to be larger than ~30s to account for slow OpenStack API calls.
diff --git a/terraform-provider-constellation/docs/data-sources/attestation.md b/terraform-provider-constellation/docs/data-sources/attestation.md
index 7ad4d491e..ec4118c0f 100644
--- a/terraform-provider-constellation/docs/data-sources/attestation.md
+++ b/terraform-provider-constellation/docs/data-sources/attestation.md
@@ -33,6 +33,7 @@ data "constellation_attestation" "test" {
 * `azure-sev-snp`
 * `azure-tdx`
 * `gcp-sev-es`
+ * `qemu-vtpm`
 - `csp` (String) CSP (Cloud Service Provider) to use. (e.g. `azure`) See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
 - `image` (Attributes) Constellation OS Image to use on the nodes. (see [below for nested schema](#nestedatt--image))
@@ -82,6 +83,7 @@ Read-Only:
 * `azure-sev-snp`
 * `azure-tdx`
 * `gcp-sev-es`
+ * `qemu-vtpm`
 ### Nested Schema for `attestation.azure_firmware_signer_config`
diff --git a/terraform-provider-constellation/docs/data-sources/image.md b/terraform-provider-constellation/docs/data-sources/image.md
index d72b9ca91..7f7186b56 100644
--- a/terraform-provider-constellation/docs/data-sources/image.md
+++ b/terraform-provider-constellation/docs/data-sources/image.md
@@ -32,6 +32,7 @@ data "constellation_image" "example" {
 * `azure-sev-snp`
 * `azure-tdx`
 * `gcp-sev-es`
+ * `qemu-vtpm`
 - `csp` (String) CSP (Cloud Service Provider) to use. (e.g. `azure`) See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.
diff --git a/terraform-provider-constellation/docs/resources/cluster.md b/terraform-provider-constellation/docs/resources/cluster.md
index 282493ce8..7b6d1ca21 100644
--- a/terraform-provider-constellation/docs/resources/cluster.md
+++ b/terraform-provider-constellation/docs/resources/cluster.md
@@ -86,6 +86,7 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview
 - `gcp` (Attributes) GCP-specific configuration. (see [below for nested schema](#nestedatt--gcp))
 - `in_cluster_endpoint` (String) The endpoint of the cluster. When not set, the out-of-cluster endpoint is used.
 - `license_id` (String) Constellation license ID. When not set, the community license is used.
+- `openstack` (Attributes) OpenStack-specific configuration. (see [below for nested schema](#nestedatt--openstack))
 ### Read-Only
@@ -110,6 +111,7 @@ Required:
 * `azure-sev-snp`
 * `azure-tdx`
 * `gcp-sev-es`
+ * `qemu-vtpm`
 Optional:
@@ -211,6 +213,24 @@ Required:
 - `project_id` (String) ID of the GCP project the cluster resides in.
 - `service_account_key` (String) Base64-encoded private key JSON object of the service account used within the cluster.
+
+
+### Nested Schema for `openstack`
+
+Required:
+
+- `cloud` (String) Name of the cloud in the clouds.yaml file.
+- `floating_ip_pool_id` (String) Floating IP pool to use for the VMs.
+- `network_id` (String) OpenStack network ID to use for the VMs.
+- `subnet_id` (String) OpenStack subnet ID to use for the VMs.
+
+Optional:
+
+- `clouds_yaml_path` (String) Path to the clouds.yaml file.
+- `deploy_yawol_load_balancer` (Boolean) Whether to deploy a YAWOL load balancer.
+- `yawol_flavor_id` (String) OpenStack flavor used by the yawollet.
+- `yawol_image_id` (String) OpenStack OS image used by the yawollet.
+
 ## Import
 Import is supported using the following syntax:
diff --git a/terraform-provider-constellation/examples/full/stackit/main.tf b/terraform-provider-constellation/examples/full/stackit/main.tf
new file mode 100644
index 000000000..22ef92451
--- /dev/null
+++ b/terraform-provider-constellation/examples/full/stackit/main.tf
@@ -0,0 +1,128 @@
+terraform {
+ required_providers {
+ constellation = {
+ source = "edgelesssys/constellation"
+ version = "0.0.0" // replace with the version you want to use
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.6.0"
+ }
+ }
+}
+
+locals {
+ name = "constell"
+ image_version = "vX.Y.Z"
+ kubernetes_version = "vX.Y.Z"
+ microservice_version = "vX.Y.Z"
+ csp = "stackit"
+ attestation_variant = "qemu-vtpm"
+ zone = "eu01-1"
+ cloud = "stackit"
+ clouds_yaml_path = "~/.config/openstack/clouds.yaml"
+ floating_ip_pool_id = "970ace5c-458f-484a-a660-0903bcfd91ad"
+ stackit_project_id = "" // replace with the STACKIT project id
+ control_plane_count = 3
+ worker_count = 2
+ instance_type = "m1a.8cd"
+ deploy_yawol_load_balancer = true
+ yawol_image_id = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
+ yawol_flavor_id = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
+
+ master_secret = random_bytes.master_secret.hex
+ master_secret_salt = random_bytes.master_secret_salt.hex
+ measurement_salt = random_bytes.measurement_salt.hex
+}
+
+resource "random_bytes" "master_secret" {
+ length = 32
+}
+
+resource "random_bytes" "master_secret_salt" {
+ length = 32
+}
+
+resource "random_bytes" "measurement_salt" {
+ length = 32
+}
+
+module "stackit_infrastructure" {
+ // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
+ source = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/openstack"
+ name = local.name
+ node_groups = {
+ control_plane_default = {
+ role = "control-plane"
+ flavor_id = local.instance_type
+ state_disk_size = 30
+ state_disk_type = "storage_premium_perf6"
+ initial_count = local.control_plane_count
+ zone = local.zone
+ },
+ worker_default = {
+ role = "worker"
+ flavor_id = local.instance_type
+ state_disk_size = 30
+ state_disk_type = "storage_premium_perf6"
+ initial_count = local.worker_count
+ zone = local.zone
+ }
+ }
+ image_id = data.constellation_image.bar.image.reference
+ debug = false
+ cloud = local.cloud
+ openstack_clouds_yaml_path = local.clouds_yaml_path
+ floating_ip_pool_id = local.floating_ip_pool_id
+ stackit_project_id = local.stackit_project_id
+}
+
+data "constellation_attestation" "foo" {
+ csp = local.csp
+ attestation_variant = local.attestation_variant
+ image = data.constellation_image.bar.image
+}
+
+data "constellation_image" "bar" {
+ csp = local.csp
+ attestation_variant = local.attestation_variant
+ version = local.image_version
+ marketplace_image = true
+}
+
+resource "constellation_cluster" "stackit_example" {
+ csp = local.csp
+ name = module.stackit_infrastructure.name
+ uid = module.stackit_infrastructure.uid
+ image = data.constellation_image.bar.image
+ attestation = data.constellation_attestation.foo.attestation
+ kubernetes_version = local.kubernetes_version
+ constellation_microservice_version = local.microservice_version
+ init_secret = module.stackit_infrastructure.init_secret
+ master_secret = local.master_secret
+ master_secret_salt = local.master_secret_salt
+ measurement_salt = local.measurement_salt
+ out_of_cluster_endpoint = module.stackit_infrastructure.out_of_cluster_endpoint
+ in_cluster_endpoint = module.stackit_infrastructure.in_cluster_endpoint
+ api_server_cert_sans = module.stackit_infrastructure.api_server_cert_sans
+ openstack = {
+ cloud = local.cloud
+ clouds_yaml_path = local.clouds_yaml_path
+ floating_ip_pool_id = local.floating_ip_pool_id
+ deploy_yawol_load_balancer = local.deploy_yawol_load_balancer
+ yawol_image_id = local.yawol_image_id
+ yawol_flavor_id = local.yawol_flavor_id
+ network_id = module.stackit_infrastructure.network_id
+ subnet_id = module.stackit_infrastructure.lb_subnetwork_id
+ }
+ network_config = {
+ ip_cidr_node = module.stackit_infrastructure.ip_cidr_node
+ ip_cidr_service = "10.96.0.0/12"
+ }
+}
+
+output "kubeconfig" {
+ value = constellation_cluster.stackit_example.kubeconfig
+ sensitive = true
+ description = "KubeConfig for the Constellation cluster."
+}
diff --git a/terraform-provider-constellation/internal/provider/BUILD.bazel b/terraform-provider-constellation/internal/provider/BUILD.bazel
index 23cd58f8f..1fac7618a 100644
--- a/terraform-provider-constellation/internal/provider/BUILD.bazel
+++ b/terraform-provider-constellation/internal/provider/BUILD.bazel
@@ -23,6 +23,8 @@ go_library(
 "//internal/attestation/variant",
 "//internal/cloud/azureshared",
 "//internal/cloud/cloudprovider",
+ "//internal/cloud/openstack",
+ "//internal/cloud/openstack/clouds",
 "//internal/compatibility",
 "//internal/config",
 "//internal/constants",
@@ -30,6 +32,7 @@ go_library(
 "//internal/constellation/helm",
 "//internal/constellation/kubecmd",
 "//internal/constellation/state",
+ "//internal/file",
 "//internal/grpc/dialer",
 "//internal/imagefetcher",
 "//internal/kms/uri",
@@ -53,6 +56,7 @@ go_library(
 "@com_github_hashicorp_terraform_plugin_framework//types/basetypes",
 "@com_github_hashicorp_terraform_plugin_framework_validators//stringvalidator",
 "@com_github_hashicorp_terraform_plugin_log//tflog",
+ "@com_github_spf13_afero//:afero",
 ],
 )
diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
index 3d8e7342e..4fed9fbe3 100644
--- a/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
+++ b/terraform-provider-constellation/internal/provider/attestation_data_source_test.go
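Review bot: The example hardcodes what look like environment-specific UUIDs for `floating_ip_pool_id`, `yawol_image_id` and `yawol_flavor_id` without the "replace with …" marker the file uses for `stackit_project_id` and the provider version, so a reader copying it may not realise they must be changed; a trailing comment on each, e.g. `floating_ip_pool_id = "970ace5c-458f-484a-a660-0903bcfd91ad" // replace with the floating IP pool of your project`, would follow the file's own convention. `clouds_yaml_path` uses a leading `~`; the provider hands that string to `clouds.ReadCloudsYAML` unchanged as far as this patch shows, so if that function does not expand `~` the example fails at apply time — confirm, or use an absolute path in the example. The `subnet_id` input is fed from `module.stackit_infrastructure.lb_subnetwork_id` while the schema describes it as the subnet for the VMs; one of the two descriptions may need adjusting.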
@@ -110,6 +110,58 @@ func TestAccAttestationSource(t *testing.T) {
 },
 },
 },
+ "STACKIT qemu-vtpm success": {
+ ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+ PreCheck: bazelPreCheck,
+ Steps: []resource.TestStep{
+ {
+ Config: testingConfig + `
+ data "constellation_attestation" "test" {
+ csp = "stackit"
+ attestation_variant = "qemu-vtpm"
+ image = {
+ version = "v2.13.0"
+ reference = "v2.13.0"
+ short_path = "v2.13.0"
+ }
+ }
+ `,
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.variant", "qemu-vtpm"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.bootloader_version", "0"), // since this is not supported on STACKIT, we expect 0
+
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.measurements.15.expected", "0000000000000000000000000000000000000000000000000000000000000000"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.measurements.15.warn_only", "false"),
+ ),
+ },
+ },
+ },
+ "openstack qemu-vtpm success": {
+ ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+ PreCheck: bazelPreCheck,
+ Steps: []resource.TestStep{
+ {
+ Config: testingConfig + `
+ data "constellation_attestation" "test" {
+ csp = "openstack"
+ attestation_variant = "qemu-vtpm"
+ image = {
+ version = "v2.13.0"
+ reference = "v2.13.0"
+ short_path = "v2.13.0"
+ }
+ }
+ `,
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.variant", "qemu-vtpm"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.bootloader_version", "0"), // since this is not supported on OpenStack, we expect 0
+
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.measurements.15.expected", "0000000000000000000000000000000000000000000000000000000000000000"),
+ resource.TestCheckResourceAttr("data.constellation_attestation.test", "attestation.measurements.15.warn_only", "false"),
+ ),
+ },
+ },
+ },
 }
 for name, tc := range testCases {
diff --git a/terraform-provider-constellation/internal/provider/cluster_resource.go b/terraform-provider-constellation/internal/provider/cluster_resource.go
index f2dfb91c8..a12fe38da 100644
--- a/terraform-provider-constellation/internal/provider/cluster_resource.go
+++ b/terraform-provider-constellation/internal/provider/cluster_resource.go
@@ -26,6 +26,8 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 "github.com/edgelesssys/constellation/v2/internal/cloud/azureshared"
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+ openstackshared "github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
+ "github.com/edgelesssys/constellation/v2/internal/cloud/openstack/clouds"
 "github.com/edgelesssys/constellation/v2/internal/compatibility"
 "github.com/edgelesssys/constellation/v2/internal/config"
 "github.com/edgelesssys/constellation/v2/internal/constants"
@@ -33,6 +35,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 "github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd"
 "github.com/edgelesssys/constellation/v2/internal/constellation/state"
+ "github.com/edgelesssys/constellation/v2/internal/file"
 "github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
 "github.com/edgelesssys/constellation/v2/internal/kms/uri"
 "github.com/edgelesssys/constellation/v2/internal/license"
@@ -50,6 +53,7 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/types"
 "github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 "github.com/hashicorp/terraform-plugin-log/tflog"
+ "github.com/spf13/afero"
 )
 var (
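Review bot: The "STACKIT qemu-vtpm success" and "openstack qemu-vtpm success" cases differ only in the `csp` string and the trailing comment, so the 26-line config-plus-checks block is duplicated and the two will drift the next time a check is added. Generating both entries from a loop over `[]string{"stackit", "openstack"}` (or a small helper taking the csp and returning the `resource.TestCase`) would keep them in lockstep. The comment `// since this is not supported on STACKIT, we expect 0` would be clearer if it named what is unsupported — presumably a firmware/bootloader version for the qemu-vtpm variant — since the data source code that produces the value is outside this diff.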
@@ -96,6 +100,7 @@ type ClusterResourceModel struct {
 Attestation types.Object `tfsdk:"attestation"`
 GCP types.Object `tfsdk:"gcp"`
 Azure types.Object `tfsdk:"azure"`
+ OpenStack types.Object `tfsdk:"openstack"`
 OwnerID types.String `tfsdk:"owner_id"`
 ClusterID types.String `tfsdk:"cluster_id"`
@@ -129,6 +134,17 @@ type azureAttribute struct {
 LoadBalancerName string `tfsdk:"load_balancer_name"`
 }
+type openStackAttribute struct {
+ Cloud string `tfsdk:"cloud"`
+ CloudsYAMLPath string `tfsdk:"clouds_yaml_path"`
+ FloatingIPPoolID string `tfsdk:"floating_ip_pool_id"`
+ DeployYawolLoadBalancer bool `tfsdk:"deploy_yawol_load_balancer"`
+ YawolImageID string `tfsdk:"yawol_image_id"`
+ YawolFlavorID string `tfsdk:"yawol_flavor_id"`
+ NetworkID string `tfsdk:"network_id"`
+ SubnetID string `tfsdk:"subnet_id"`
+}
+
 // extraMicroservicesAttribute is the extra microservices attribute's data model.
 type extraMicroservicesAttribute struct {
 CSIDriver bool `tfsdk:"csi_driver"`
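Review bot: `openStackAttribute` has no doc comment, whereas the neighbouring `extraMicroservicesAttribute` carries one in the file's "X is the … attribute's data model." form; add `// openStackAttribute is the OpenStack attribute's data model.` above the type. Since `clouds_yaml_path`, `deploy_yawol_load_balancer`, `yawol_image_id` and `yawol_flavor_id` are declared Optional in the schema, a one-line comment on the struct noting that those four fields may be empty when the user omits them would help whoever consumes the values in apply; the structural mismatch between Optional attributes and plain `string`/`bool` fields is raised at the conversion site further down.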
@@ -333,6 +349,53 @@ func (r *ClusterResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 },
 },
 },
+ "openstack": schema.SingleNestedAttribute{
+ MarkdownDescription: "OpenStack-specific configuration.",
+ Description: "OpenStack-specific configuration.",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "cloud": schema.StringAttribute{
+ MarkdownDescription: "Name of the cloud in the clouds.yaml file.",
+ Description: "Name of the cloud in the clouds.yaml file.",
+ Required: true,
+ },
+ "clouds_yaml_path": schema.StringAttribute{
+ MarkdownDescription: "Path to the clouds.yaml file.",
+ Description: "Path to the clouds.yaml file.",
+ Optional: true,
+ },
+ "floating_ip_pool_id": schema.StringAttribute{
+ MarkdownDescription: "Floating IP pool to use for the VMs.",
+ Description: "Floating IP pool to use for the VMs.",
+ Required: true,
+ },
+ "deploy_yawol_load_balancer": schema.BoolAttribute{
+ MarkdownDescription: "Whether to deploy a YAWOL load balancer.",
+ Description: "Whether to deploy a YAWOL load balancer.",
+ Optional: true,
+ },
+ "yawol_image_id": schema.StringAttribute{
+ MarkdownDescription: "OpenStack OS image used by the yawollet.",
+ Description: "OpenStack OS image used by the yawollet.",
+ Optional: true,
+ },
+ "yawol_flavor_id": schema.StringAttribute{
+ MarkdownDescription: "OpenStack flavor used by the yawollet.",
+ Description: "OpenStack flavor used by the yawollet.",
+ Optional: true,
+ },
+ "network_id": schema.StringAttribute{
+ MarkdownDescription: "OpenStack network ID to use for the VMs.",
+ Description: "OpenStack network ID to use for the VMs.",
+ Required: true,
+ },
+ "subnet_id": schema.StringAttribute{
+ MarkdownDescription: "OpenStack subnet ID to use for the VMs.",
+ Description: "OpenStack subnet ID to use for the VMs.",
+ Required: true,
+ },
+ },
+ },
 // Computed (output) attributes
 "owner_id": schema.StringAttribute{
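Review bot: `clouds_yaml_path` is Optional but its description does not say what happens when it is omitted, so a user cannot tell whether leaving it out is safe; the sibling attributes in this schema use the pattern "When not set, … is used." (see `in_cluster_endpoint` and `license_id` in the generated docs), so extend it to `"Path to the clouds.yaml file. When not set, <fallback> is used."` with the fallback taken from `clouds.ReadCloudsYAML`, which is outside this diff. `deploy_yawol_load_balancer` should likewise state its default ("When not set, no load balancer is deployed." matches the nil/false handling in the helm loader), and `yawol_image_id`/`yawol_flavor_id` should say they are only consulted together with the load balancer, if that is indeed the case. The Schema method starts before and continues past this hunk.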
@@ -406,6 +469,26 @@ func (r *ClusterResource) ValidateConfig(ctx context.Context, req resource.Valid
 "GCP configuration not allowed", "When csp is not set to 'gcp', setting the 'gcp' configuration has no effect.",
 )
 }
+
+ // OpenStack Config is required for OpenStack
+ if (strings.EqualFold(data.CSP.ValueString(), cloudprovider.OpenStack.String()) ||
+ strings.EqualFold(data.CSP.ValueString(), "stackit")) &&
+ data.OpenStack.IsNull() {
+ resp.Diagnostics.AddAttributeError(
+ path.Root("openstack"),
+ "OpenStack configuration missing", "When csp is set to 'openstack' or 'stackit', the 'openstack' configuration must be set.",
+ )
+ }
+
+ // OpenStack Config should not be set for other CSPs
+ if !strings.EqualFold(data.CSP.ValueString(), cloudprovider.OpenStack.String()) &&
+ !strings.EqualFold(data.CSP.ValueString(), "stackit") &&
+ !data.OpenStack.IsNull() {
+ resp.Diagnostics.AddAttributeWarning(
+ path.Root("openstack"),
+ "OpenStack configuration not allowed", "When csp is not set to 'openstack' or 'stackit', setting the 'openstack' configuration has no effect.",
+ )
+ }
 }
 // Configure configures the resource.
@@ -779,6 +862,7 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel,
 serviceAccPayload := constellation.ServiceAccountPayload{}
 var gcpConfig gcpAttribute
 var azureConfig azureAttribute
+ var openStackConfig openStackAttribute
 switch csp {
 case cloudprovider.GCP:
 convertDiags = data.GCP.As(ctx, &gcpConfig, basetypes.ObjectAsOptions{})
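Review bot: The literal `"stackit"` is compared four times in the two new conditions while the OpenStack case uses `cloudprovider.OpenStack.String()`; unless cloudprovider already exposes a STACKIT constant, a package-level `const cspSTACKIT = "stackit"` would keep the comparisons and the diagnostic texts from drifting, and computing `isOpenStack := strings.EqualFold(csp, cloudprovider.OpenStack.String()) || strings.EqualFold(csp, cspSTACKIT)` once would halve the condition. The validation does not cover the dependency inside the object: `deploy_yawol_load_balancer = true` with `yawol_image_id` or `yawol_flavor_id` unset passes here and reaches apply, where the empty strings are copied into `helm.OpenStackValues` (later hunk); if the yawol chart cannot work with empty IDs, rejecting that combination here with `resp.Diagnostics.AddAttributeError(path.Root("openstack").AtName("yawol_image_id"), …)` gives the user a plan-time error instead of a failed apply. ValidateConfig starts before this hunk.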
@@ -815,6 +899,33 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel,
 PreferredAuthMethod: azureshared.AuthMethodUserAssignedIdentity,
 UamiResourceID: azureConfig.UamiResourceID,
 }
+ case cloudprovider.OpenStack:
+ convertDiags = data.OpenStack.As(ctx, &openStackConfig, basetypes.ObjectAsOptions{})
+ diags.Append(convertDiags...)
+ if diags.HasError() {
+ return diags
+ }
+ cloudsYAML, err := clouds.ReadCloudsYAML(file.NewHandler(afero.NewOsFs()), openStackConfig.CloudsYAMLPath)
+ if err != nil {
+ diags.AddError("Reading clouds.yaml", err.Error())
+ return diags
+ }
+ cloud, ok := cloudsYAML.Clouds[openStackConfig.Cloud]
+ if !ok {
+ diags.AddError("Reading clouds.yaml", fmt.Sprintf("Cloud %s not found in clouds.yaml", openStackConfig.Cloud))
+ return diags
+ }
+ serviceAccPayload.OpenStack = openstackshared.AccountKey{
+ AuthURL: cloud.AuthInfo.AuthURL,
+ Username: cloud.AuthInfo.Username,
+ Password: cloud.AuthInfo.Password,
+ ProjectID: cloud.AuthInfo.ProjectID,
+ ProjectName: cloud.AuthInfo.ProjectName,
+ UserDomainName: cloud.AuthInfo.UserDomainName,
+ ProjectDomainName: cloud.AuthInfo.ProjectDomainName,
+ RegionName: cloud.RegionName,
+ }
+
 }
 serviceAccURI, err := constellation.MarshalServiceAccountURI(csp, serviceAccPayload)
 if err != nil {
@@ -861,6 +972,11 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel,
 ProjectID: gcpConfig.ProjectID,
 IPCidrPod: networkCfg.IPCidrPod.ValueString(),
 }
+ case cloudprovider.OpenStack:
+ stateFile.Infrastructure.OpenStack = &state.OpenStack{
+ NetworkID: openStackConfig.NetworkID,
+ SubnetID: openStackConfig.SubnetID,
+ }
 }
 // Check license
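Review bot: `data.OpenStack.As(ctx, &openStackConfig, basetypes.ObjectAsOptions{})` targets plain `string`/`bool` fields, but four of the nested attributes are Optional and arrive as null when omitted; with zero-value options the plugin framework reports a conversion error for a null into a non-nullable Go type, so a configuration that leaves out `clouds_yaml_path` or `deploy_yawol_load_balancer` would fail here at apply time rather than fall back to a default — confirm against the framework version in use, and if so pass `basetypes.ObjectAsOptions{UnhandledNullAsEmpty: true}` or make those fields `types.String`/`types.Bool`. An empty `CloudsYAMLPath` then reaches `clouds.ReadCloudsYAML`; whether that function treats "" as "use the default location" is outside this diff and should be checked together with the previous point. `fmt.Sprintf("Cloud %s not found in clouds.yaml", openStackConfig.Cloud)` would read better with `%q`, which also makes an empty or whitespace cloud name visible in the diagnostic. apply starts before and continues past this hunk.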
@@ -937,6 +1053,14 @@ func (r *ClusterResource) apply(ctx context.Context, data *ClusterResourceModel, masterSecret: secrets.masterSecret, serviceAccURI: serviceAccURI, } + if csp == cloudprovider.OpenStack { + payload.openStackHelmValues = &helm.OpenStackValues{ + DeployYawolLoadBalancer: openStackConfig.DeployYawolLoadBalancer, + FloatingIPPoolID: openStackConfig.FloatingIPPoolID, + YawolImageID: openStackConfig.YawolImageID, + YawolFlavorID: openStackConfig.YawolFlavorID, + } + } helmDiags := r.applyHelmCharts(ctx, applier, payload, stateFile) diags.Append(helmDiags...) if diags.HasError() { @@ -1063,6 +1187,7 @@ type applyHelmChartsPayload struct { DeployCSIDriver bool // Whether to deploy the CSI driver. masterSecret uri.MasterSecret // master secret of the cluster. serviceAccURI string // URI of the service account used within the cluster. + openStackHelmValues *helm.OpenStackValues // OpenStack-specific Helm values. } // applyHelmCharts applies the Helm charts to the cluster. @@ -1083,10 +1208,11 @@ func (r *ClusterResource) applyHelmCharts(ctx context.Context, applier *constell // Allow destructive changes to the cluster. // The user has previously been warned about this when planning a microservice version change. AllowDestructive: helm.AllowDestructive, + OpenStackValues: payload.openStackHelmValues, } executor, _, err := applier.PrepareHelmCharts(options, state, - payload.serviceAccURI, payload.masterSecret, nil) + payload.serviceAccURI, payload.masterSecret) var upgradeErr *compatibility.InvalidUpgradeError if err != nil { if !errors.As(err, &upgradeErr) { diff --git a/terraform-provider-constellation/internal/provider/cluster_resource_test.go b/terraform-provider-constellation/internal/provider/cluster_resource_test.go index d9df71713..fb1b5c4fc 100644 --- a/terraform-provider-constellation/internal/provider/cluster_resource_test.go +++ b/terraform-provider-constellation/internal/provider/cluster_resource_test.go 
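Review bot: `payload.openStackHelmValues` is only populated when `csp == cloudprovider.OpenStack`, yet ValidateConfig in this same change accepts `csp = "stackit"` as a separate string; unless the CSP is normalised to `cloudprovider.OpenStack` before this point (that happens outside the hunk, if at all), a STACKIT cluster would get neither the Yawol values here nor the OpenStack service account built in the earlier switch, and nothing would report it. A comment next to the assignment, `// "stackit" is parsed to cloudprovider.OpenStack upstream, so this also covers STACKIT clusters`, makes the invariant visible — or compare against the same predicate ValidateConfig uses. The `_` discarding the second return value of `PrepareHelmCharts` predates this change but deserves a comment naming what is dropped. apply continues past the hunk.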
@@ -489,6 +489,68 @@ func TestAccClusterResource(t *testing.T) { }, }, }, + "stackit config missing": { + ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion), + PreCheck: bazelPreCheck, + Steps: []resource.TestStep{ + { + Config: fullClusterTestingConfig(t, "openstack") + fmt.Sprintf(` + resource "constellation_cluster" "test" { + csp = "stackit" + name = "constell" + uid = "test" + image = data.constellation_image.bar.image + attestation = data.constellation_attestation.foo.attestation + init_secret = "deadbeef" + master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" + master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" + measurement_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" + out_of_cluster_endpoint = "192.0.2.1" + in_cluster_endpoint = "192.0.2.1" + network_config = { + ip_cidr_node = "0.0.0.0/24" + ip_cidr_service = "0.0.0.0/24" + ip_cidr_pod = "0.0.0.0/24" + } + kubernetes_version = "%s" + constellation_microservice_version = "%s" + } + `, versions.Default, providerVersion), + ExpectError: regexp.MustCompile(".*When csp is set to 'openstack' or 'stackit', the 'openstack' configuration\nmust be set.*"), + }, + }, + }, + "openstack config missing": { + ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesWithVersion(providerVersion), + PreCheck: bazelPreCheck, + Steps: []resource.TestStep{ + { + Config: fullClusterTestingConfig(t, "openstack") + fmt.Sprintf(` + resource "constellation_cluster" "test" { + csp = "openstack" + name = "constell" + uid = "test" + image = data.constellation_image.bar.image + attestation = data.constellation_attestation.foo.attestation + init_secret = "deadbeef" + master_secret = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" + master_secret_salt = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" + measurement_salt = 
"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" + out_of_cluster_endpoint = "192.0.2.1" + in_cluster_endpoint = "192.0.2.1" + network_config = { + ip_cidr_node = "0.0.0.0/24" + ip_cidr_service = "0.0.0.0/24" + ip_cidr_pod = "0.0.0.0/24" + } + kubernetes_version = "%s" + constellation_microservice_version = "%s" + } + `, versions.Default, providerVersion), + ExpectError: regexp.MustCompile(".*When csp is set to 'openstack' or 'stackit', the 'openstack' configuration\nmust be set.*"), + }, + }, + }, } for name, tc := range testCases { @@ -547,6 +609,19 @@ func fullClusterTestingConfig(t *testing.T, csp string) string { attestation_variant = "gcp-sev-es" image = data.constellation_image.bar.image }`, image) + case "openstack": + return providerConfig + fmt.Sprintf(` + data "constellation_image" "bar" { + version = "%s" + attestation_variant = "qemu-vtpm" + csp = "openstack" + } + + data "constellation_attestation" "foo" { + csp = "openstack" + attestation_variant = "qemu-vtpm" + image = data.constellation_image.bar.image + }`, image) default: t.Fatal("unknown csp") return "" diff --git a/terraform-provider-constellation/internal/provider/convert.go b/terraform-provider-constellation/internal/provider/convert.go index 552bdcdd2..087728168 100644 --- a/terraform-provider-constellation/internal/provider/convert.go +++ b/terraform-provider-constellation/internal/provider/convert.go @@ -122,6 +122,10 @@ func convertFromTfAttestationCfg(tfAttestation attestationAttribute, attestation attestationConfig = &config.GCPSEVES{ Measurements: c11nMeasurements, } + case variant.QEMUVTPM{}: + attestationConfig = &config.QEMUVTPM{ + Measurements: c11nMeasurements, + } default: return nil, fmt.Errorf("unknown attestation variant: %s", attestationVariant) } 
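Review bot: The two new cases "stackit config missing" and "openstack config missing" are identical apart from the `csp` value, and there is still no positive case that supplies an `openstack` block, so the new OpenStack branch of apply (clouds.yaml lookup, service-account construction) is not exercised by this test file at all. Generating the two negative cases from a loop over `[]string{"openstack", "stackit"}` keeps them from drifting, and one case with `openstack = { cloud = "nope", clouds_yaml_path = "<temp file>" }` would pin the `Cloud %s not found in clouds.yaml` error path. TestAccClusterResource starts before the hunk.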
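Review bot: The new `variant.QEMUVTPM{}` case builds `config.QEMUVTPM` from measurements alone, and the sibling hunk in convertToTfAttestation treats the variant as having no additional fields, so for openstack/stackit the attestation policy the provider ships is only the expected PCR set as reported by the hypervisor-provided vTPM, with none of the hardware-report parameters the SNP/TDX variants carry. A comment on the case, `// qemu-vtpm: measurement-only policy; the vTPM is the trust anchor, no hardware report fields`, would stop readers from assuming a CVM-backed report is verified here — check against the attestation package that nothing else is expected for this variant. convertFromTfAttestationCfg starts before the hunk.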
@@ -177,7 +181,7 @@ func convertToTfAttestation(attVar variant.Variant, snpVersions attestationconfi XFAM: hex.EncodeToString(tdxCfg.XFAM), } tfAttestation.TDX = tfTdxCfg - case variant.GCPSEVES{}: + case variant.GCPSEVES{}, variant.QEMUVTPM{}: // no additional fields default: return tfAttestation, fmt.Errorf("unknown attestation variant: %s", attVar) diff --git a/terraform-provider-constellation/internal/provider/image_data_source.go b/terraform-provider-constellation/internal/provider/image_data_source.go index 5e97bdcb4..6ed11c363 100644 --- a/terraform-provider-constellation/internal/provider/image_data_source.go +++ b/terraform-provider-constellation/internal/provider/image_data_source.go @@ -252,9 +252,10 @@ func (d *ImageDataSource) Read(ctx context.Context, req datasource.ReadRequest, // Save data into Terraform state diags := resp.State.SetAttribute(ctx, path.Root("image"), imageAttribute{ - Reference: imageRef, - Version: imageSemver, - ShortPath: apiCompatibleVer.ShortPath(), + Reference: imageRef, + Version: imageSemver, + ShortPath: apiCompatibleVer.ShortPath(), + MarketplaceImage: data.MarketplaceImage.ValueBoolPointer(), }) resp.Diagnostics.Append(diags...) if resp.Diagnostics.HasError() { diff --git a/terraform-provider-constellation/internal/provider/image_data_source_test.go b/terraform-provider-constellation/internal/provider/image_data_source_test.go index 787b7aacf..669899e39 100644 --- a/terraform-provider-constellation/internal/provider/image_data_source_test.go +++ b/terraform-provider-constellation/internal/provider/image_data_source_test.go 
@@ -141,6 +141,38 @@ func TestAccImageDataSource(t *testing.T) { }, }, }, + "stackit success": { + ProtoV6ProviderFactories: testAccProtoV6ProviderFactories, + PreCheck: bazelPreCheck, + Steps: []resource.TestStep{ + { + Config: testingConfig + ` + data "constellation_image" "test" { + version = "v2.16.0" + attestation_variant = "qemu-vtpm" + csp = "stackit" + } + `, + Check: resource.TestCheckResourceAttr("data.constellation_image.test", "image.reference", "8ffc1740-1e41-4281-b872-f8088ffd7692"), // should be immutable, + }, + }, + }, + "openstack success": { + ProtoV6ProviderFactories: testAccProtoV6ProviderFactories, + PreCheck: bazelPreCheck, + Steps: []resource.TestStep{ + { + Config: testingConfig + ` + data "constellation_image" "test" { + version = "v2.16.0" + attestation_variant = "qemu-vtpm" + csp = "openstack" + } + `, + Check: resource.TestCheckResourceAttr("data.constellation_image.test", "image.reference", "8ffc1740-1e41-4281-b872-f8088ffd7692"), // should be immutable, + }, + }, + }, "unknown attestation variant": { ProtoV6ProviderFactories: testAccProtoV6ProviderFactories, PreCheck: bazelPreCheck, diff --git a/terraform-provider-constellation/internal/provider/shared_attributes.go b/terraform-provider-constellation/internal/provider/shared_attributes.go index 163794e9b..b6f96cd17 100644 --- a/terraform-provider-constellation/internal/provider/shared_attributes.go +++ b/terraform-provider-constellation/internal/provider/shared_attributes.go 
@@ -31,11 +31,12 @@ func newAttestationVariantAttributeSchema(t attributeType) schema.Attribute { " * `aws-nitro-tpm`\n" + " * `azure-sev-snp`\n" + " * `azure-tdx`\n" + - " * `gcp-sev-es`\n", + " * `gcp-sev-es`\n" + + " * `qemu-vtpm`\n", Required: isInput, Computed: !isInput, Validators: []validator.String{ - stringvalidator.OneOf("aws-sev-snp", "aws-nitro-tpm", "azure-sev-snp", "azure-tdx", "gcp-sev-es"), + stringvalidator.OneOf("aws-sev-snp", "aws-nitro-tpm", "azure-sev-snp", "azure-tdx", "gcp-sev-es", "qemu-vtpm"), }, } } @@ -47,7 +48,7 @@ func newCSPAttributeSchema() schema.Attribute { "See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview/clouds) that Constellation supports.", Required: true, Validators: []validator.String{ - stringvalidator.OneOf("aws", "azure", "gcp"), + stringvalidator.OneOf("aws", "azure", "gcp", "openstack", "stackit"), }, } } From 6181381c6636ba6a78025a580c25b5fe0d0bf7fa Mon Sep 17 00:00:00 2001 
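Review bot: The `csp` validator now admits `openstack` and `stackit`, but the `attestation_variant` validator is independent of it, so schema validation accepts `csp = "stackit"` with `gcp-sev-es`, or `qemu-vtpm` with `azure`, and the mismatch is only caught later, if anywhere visible here. Either cross-validate the pair in ValidateConfig, or at least state in the description which CSPs each variant belongs to, e.g. change the new bullet to ` * `qemu-vtpm` (openstack, stackit)`. The CSP description should also mention that `stackit` is an OpenStack-based offering so users know the `openstack` block applies to it. Both schema functions start before their hunks.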
From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Mon, 11 Mar 2024 14:20:19 +0100 Subject: [PATCH 22/47] openstack: read credentials from clouds.yaml --- cli/internal/cloudcmd/BUILD.bazel | 1 + cli/internal/cloudcmd/serviceaccount.go | 25 ++++-- cli/internal/cloudcmd/tfvars.go | 4 +- cli/internal/terraform/variables.go | 10 +-- cli/internal/terraform/variables_test.go | 8 +- go.mod | 2 +- internal/cloud/openstack/clouds/BUILD.bazel | 15 ++++ internal/cloud/openstack/clouds/clouds.go | 14 +-- internal/cloud/openstack/clouds/read.go | 59 ++++++++++++ internal/config/config.go | 32 +------ internal/config/config_doc.go | 90 +++++++------------ internal/config/config_test.go | 2 +- internal/config/migration/migration.go | 7 -- internal/constellation/helm/helm.go | 7 +- internal/constellation/helm/loader.go | 23 +++-- terraform/infrastructure/openstack/main.tf | 9 +- .../infrastructure/openstack/variables.tf | 21 ++--- 17 files changed, 169 insertions(+), 160 deletions(-) create mode 100644 internal/cloud/openstack/clouds/BUILD.bazel create mode 100644 internal/cloud/openstack/clouds/read.go diff --git a/cli/internal/cloudcmd/BUILD.bazel b/cli/internal/cloudcmd/BUILD.bazel index 83b394338..946322495 100644 --- a/cli/internal/cloudcmd/BUILD.bazel +++ b/cli/internal/cloudcmd/BUILD.bazel @@ -25,6 +25,7 @@ go_library( "//internal/cloud/cloudprovider", "//internal/cloud/gcpshared", "//internal/cloud/openstack", + "//internal/cloud/openstack/clouds", "//internal/config", "//internal/constants", "//internal/constellation", diff --git a/cli/internal/cloudcmd/serviceaccount.go b/cli/internal/cloudcmd/serviceaccount.go index 994aaa5b0..7c54a0b9f 100644 --- a/cli/internal/cloudcmd/serviceaccount.go +++ b/cli/internal/cloudcmd/serviceaccount.go 
@@ -13,6 +13,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared" "github.com/edgelesssys/constellation/v2/internal/cloud/openstack" + "github.com/edgelesssys/constellation/v2/internal/cloud/openstack/clouds" "github.com/edgelesssys/constellation/v2/internal/config" "github.com/edgelesssys/constellation/v2/internal/constellation" "github.com/edgelesssys/constellation/v2/internal/file" @@ -38,15 +39,23 @@ func GetMarshaledServiceAccountURI(config *config.Config, fileHandler file.Handl } case cloudprovider.OpenStack: + cloudsYAML, err := clouds.ReadCloudsYAML(fileHandler, config.Provider.OpenStack.CloudsYAMLPath) + if err != nil { + return "", fmt.Errorf("reading clouds.yaml: %w", err) + } + cloud, ok := cloudsYAML.Clouds[config.Provider.OpenStack.Cloud] + if !ok { + return "", fmt.Errorf("cloud %q not found in clouds.yaml", config.Provider.OpenStack.Cloud) + } payload.OpenStack = openstack.AccountKey{ - AuthURL: config.Provider.OpenStack.AuthURL, - Username: config.Provider.OpenStack.Username, - Password: config.Provider.OpenStack.Password, - ProjectID: config.Provider.OpenStack.ProjectID, - ProjectName: config.Provider.OpenStack.ProjectName, - UserDomainName: config.Provider.OpenStack.UserDomainName, - ProjectDomainName: config.Provider.OpenStack.ProjectDomainName, - RegionName: config.Provider.OpenStack.RegionName, + AuthURL: cloud.AuthInfo.AuthURL, + Username: cloud.AuthInfo.Username, + Password: cloud.AuthInfo.Password, + ProjectID: cloud.AuthInfo.ProjectID, + ProjectName: cloud.AuthInfo.ProjectName, + UserDomainName: cloud.AuthInfo.UserDomainName, + ProjectDomainName: cloud.AuthInfo.ProjectDomainName, + RegionName: cloud.RegionName, } } diff --git a/cli/internal/cloudcmd/tfvars.go b/cli/internal/cloudcmd/tfvars.go index ea53cff5d..309632d98 100644 --- a/cli/internal/cloudcmd/tfvars.go +++ b/cli/internal/cloudcmd/tfvars.go 
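Review bot: `GetMarshaledServiceAccountURI` now takes the in-cluster credentials exclusively from the clouds.yaml entry's `AuthInfo`, so an entry that authenticates with an application credential or token (auth types clouds.go in this patch lists) yields an AccountKey with empty `Username`/`Password` and no error at this layer. Reject that explicitly after the lookup: `if cloud.AuthInfo.Username == "" || cloud.AuthInfo.Password == "" { return "", fmt.Errorf("cloud %q: only username/password authentication is supported", config.Provider.OpenStack.Cloud) }`, so the CLI reports it instead of a failing cloud controller inside the cluster. With the `CONSTELL_OS_PASSWORD` override removed elsewhere in this patch the password now has to sit in clouds.yaml in plaintext — normal for OpenStack tooling, but worth a sentence in the config docs. If `AuthInfo` is a pointer type, add a nil check before the field reads; the function starts before the hunk.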
@@ -257,11 +257,9 @@ func openStackTerraformVars(conf *config.Config, imageRef string) (*terraform.Op return &terraform.OpenStackClusterVariables{ Name: conf.Name, Cloud: toPtr(conf.Provider.OpenStack.Cloud), + OpenStackCloudsYAMLPath: conf.Provider.OpenStack.CloudsYAMLPath, FloatingIPPoolID: conf.Provider.OpenStack.FloatingIPPoolID, ImageID: imageRef, - OpenstackUserDomainName: conf.Provider.OpenStack.UserDomainName, - OpenstackUsername: conf.Provider.OpenStack.Username, - OpenstackPassword: conf.Provider.OpenStack.Password, Debug: conf.IsDebugCluster(), NodeGroups: nodeGroups, CustomEndpoint: conf.CustomEndpoint, diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go index f48ae0d88..a83818260 100644 --- a/cli/internal/terraform/variables.go +++ b/cli/internal/terraform/variables.go 
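Review bot: `OpenStackCloudsYAMLPath` is handed to Terraform verbatim, while the CLI resolves the very same setting through `clouds.ReadCloudsYAML`, which expands `~` and otherwise searches `OS_CLIENT_CONFIG_FILE`, the working directory, the user config directory and `/etc/openstack`; if the Terraform OpenStack provider resolves an empty or `~`-prefixed path differently (its module changes are in the diffstat but not shown), the credentials baked into the cluster and the credentials used to create the infrastructure can come from two different files. Resolve the path once in Go and pass the file that was actually read, or at minimum expand `~` with the same helper before `OpenStackCloudsYAMLPath: conf.Provider.OpenStack.CloudsYAMLPath,`. openStackTerraformVars starts before the hunk.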
@@ -278,20 +278,16 @@ type OpenStackClusterVariables struct { Name string `hcl:"name" cty:"name"` // NodeGroups is a map of node groups to create. NodeGroups map[string]OpenStackNodeGroup `hcl:"node_groups" cty:"node_groups"` - // Cloud is the (optional) name of the OpenStack cloud to use when reading the "clouds.yaml" configuration file. If empty, environment variables are used. + // Cloud is the name of the OpenStack cloud to use when reading the "clouds.yaml" configuration file. If empty, environment variables are used. Cloud *string `hcl:"cloud" cty:"cloud"` + // OpenStackCloudsYAMLPath is the path to the OpenStack clouds.yaml file + OpenStackCloudsYAMLPath string `hcl:"openstack_clouds_yaml_path" cty:"openstack_clouds_yaml_path"` // (STACKIT only) STACKITProjectID is the ID of the STACKIT project to use. STACKITProjectID string `hcl:"stackit_project_id" cty:"stackit_project_id"` // FloatingIPPoolID is the ID of the OpenStack floating IP pool to use for public IPs. FloatingIPPoolID string `hcl:"floating_ip_pool_id" cty:"floating_ip_pool_id"` // ImageID is the ID of the OpenStack image to use. ImageID string `hcl:"image_id" cty:"image_id"` - // OpenstackUserDomainName is the OpenStack user domain name to use. - OpenstackUserDomainName string `hcl:"openstack_user_domain_name" cty:"openstack_user_domain_name"` - // OpenstackUsername is the OpenStack user name to use. - OpenstackUsername string `hcl:"openstack_username" cty:"openstack_username"` - // OpenstackPassword is the OpenStack password to use. - OpenstackPassword string `hcl:"openstack_password" cty:"openstack_password"` // Debug is true if debug mode is enabled. Debug bool `hcl:"debug" cty:"debug"` // CustomEndpoint is the (optional) custom dns hostname for the kubernetes api server. diff --git a/cli/internal/terraform/variables_test.go b/cli/internal/terraform/variables_test.go index 56940e976..df27ddb59 100644 --- a/cli/internal/terraform/variables_test.go +++ b/cli/internal/terraform/variables_test.go 
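Review bot: The rewritten comment on `Cloud` drops "(optional)" but still ends with "If empty, environment variables are used.", which contradicts the rest of the change, where the CLI hard-fails when the named cloud is not found in clouds.yaml and no environment fallback remains. Make it `// Cloud is the name of the OpenStack cloud to select from the "clouds.yaml" configuration file.` and give the new field a matching note, `// OpenStackCloudsYAMLPath is the path to clouds.yaml; empty defers to the provider's own search order.` — the second half only if the Terraform side really does fall back, which is not visible here. OpenStackClusterVariables continues past the hunk.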
@@ -254,11 +254,9 @@ func TestOpenStackClusterVariables(t *testing.T) { vars := OpenStackClusterVariables{ Name: "cluster-name", Cloud: toPtr("my-cloud"), + OpenStackCloudsYAMLPath: "~/.config/openstack/clouds.yaml", FloatingIPPoolID: "fip-pool-0123456789abcdef", ImageID: "8e10b92d-8f7a-458c-91c6-59b42f82ef81", - OpenstackUserDomainName: "my-user-domain", - OpenstackUsername: "my-username", - OpenstackPassword: "my-password", Debug: true, STACKITProjectID: "my-stackit-project-id", NodeGroups: map[string]OpenStackNodeGroup{ @@ -287,12 +285,10 @@ node_groups = { } } cloud = "my-cloud" +openstack_clouds_yaml_path = "~/.config/openstack/clouds.yaml" stackit_project_id = "my-stackit-project-id" floating_ip_pool_id = "fip-pool-0123456789abcdef" image_id = "8e10b92d-8f7a-458c-91c6-59b42f82ef81" -openstack_user_domain_name = "my-user-domain" -openstack_username = "my-username" -openstack_password = "my-password" debug = true custom_endpoint = "example.com" internal_load_balancer = false diff --git a/go.mod b/go.mod index e0b5c85b8..8d0f11fd4 100644 --- a/go.mod +++ b/go.mod @@ -300,7 +300,7 @@ require ( github.com/mattn/go-runewidth v0.0.15 // indirect github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect github.com/mitchellh/copystructure v1.2.0 // indirect - github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect diff --git a/internal/cloud/openstack/clouds/BUILD.bazel b/internal/cloud/openstack/clouds/BUILD.bazel new file mode 100644 index 000000000..153bed763 --- /dev/null +++ b/internal/cloud/openstack/clouds/BUILD.bazel 
@@ -0,0 +1,15 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "clouds", + srcs = [ + "clouds.go", + "read.go", + ], + importpath = "github.com/edgelesssys/constellation/v2/internal/cloud/openstack/clouds", + visibility = ["//:__subpackages__"], + deps = [ + "//internal/file", + "@com_github_mitchellh_go_homedir//:go-homedir", + ], +) diff --git a/internal/cloud/openstack/clouds/clouds.go b/internal/cloud/openstack/clouds/clouds.go index 5128eedc6..923325fe2 100644 --- a/internal/cloud/openstack/clouds/clouds.go +++ b/internal/cloud/openstack/clouds/clouds.go @@ -188,21 +188,21 @@ func (r *Region) UnmarshalYAML(unmarshal func(interface{}) error) error { type AuthType string const ( - // AuthPassword defines an unknown version of the password + // AuthPassword defines an unknown version of the password. AuthPassword AuthType = "password" - // AuthToken defined an unknown version of the token + // AuthToken defined an unknown version of the token. AuthToken AuthType = "token" - // AuthV2Password defines version 2 of the password + // AuthV2Password defines version 2 of the password. AuthV2Password AuthType = "v2password" - // AuthV2Token defines version 2 of the token + // AuthV2Token defines version 2 of the token. AuthV2Token AuthType = "v2token" - // AuthV3Password defines version 3 of the password + // AuthV3Password defines version 3 of the password. AuthV3Password AuthType = "v3password" - // AuthV3Token defines version 3 of the token + // AuthV3Token defines version 3 of the token. AuthV3Token AuthType = "v3token" - // AuthV3ApplicationCredential defines version 3 of the application credential + // AuthV3ApplicationCredential defines version 3 of the application credential. AuthV3ApplicationCredential AuthType = "v3applicationcredential" ) diff --git a/internal/cloud/openstack/clouds/read.go b/internal/cloud/openstack/clouds/read.go new file mode 100644 index 000000000..d4259c338 --- /dev/null 
+++ b/internal/cloud/openstack/clouds/read.go
@@ -0,0 +1,59 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package clouds
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "github.com/mitchellh/go-homedir"
+
+ "github.com/edgelesssys/constellation/v2/internal/file"
+)
+
+// ReadCloudsYAML reads a clouds.yaml file and returns its contents.
+func ReadCloudsYAML(fileHandler file.Handler, path string) (Clouds, error) {
+ // Order of operations as performed by the OpenStack CLI:
+
+ // Define a search path for clouds.yaml:
+ // 1. If OS_CLIENT_CONFIG_FILE is set, use it as search path
+ // 2. Otherwise, use the following paths:
+ // - current directory
+ // - `openstack` directory under standard user config directory (e.g. ~/.config/openstack)
+ // - /etc/openstack (Unix only)
+
+ var searchPaths []string
+ if path != "" {
+ expanded, err := homedir.Expand(path)
+ if err == nil {
+ searchPaths = append(searchPaths, expanded)
+ } else {
+ searchPaths = append(searchPaths, path)
+ }
+ } else if osClientConfigFile := os.Getenv("OS_CLIENT_CONFIG_FILE"); osClientConfigFile != "" {
+ searchPaths = append(searchPaths, filepath.Join(osClientConfigFile, "clouds.yaml"))
+ } else {
+ searchPaths = append(searchPaths, "clouds.yaml")
+ confDir, err := os.UserConfigDir()
+ if err != nil {
+ return Clouds{}, fmt.Errorf("getting user config directory: %w", err)
+ }
+ searchPaths = append(searchPaths, filepath.Join(confDir, "openstack", "clouds.yaml"))
+ if os.PathSeparator == '/' {
+ searchPaths = append(searchPaths, "/etc/openstack/clouds.yaml")
+ }
+ }
+
+ var cloudsYAML Clouds
+ for _, path := range searchPaths {
+ if err := fileHandler.ReadYAML(path, &cloudsYAML); err == nil {
+ return cloudsYAML, nil
+ }
+ }
+
+ return Clouds{}, fmt.Errorf("clouds.yaml not found in search paths: %v", searchPaths)
+}
diff --git a/internal/config/config.go b/internal/config/config.go
index 753156dd3..10ac013d1 100644
--- a/internal/config/config.go
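Review bot: The search loop in `ReadCloudsYAML` treats every `ReadYAML` error as "not found" and moves on to the next candidate, so a clouds.yaml that exists but is malformed or unreadable is silently skipped in favour of a lower-priority file — with the default order a broken `~/.config/openstack/clouds.yaml` quietly yields `/etc/openstack/clouds.yaml`, and a wrong explicit `path` is reported only as the generic not-found error that hides the real cause; only a missing file should advance the search, anything else should be returned with the path (this needs `errors` and `io/fs` in the import block). Two further points: `OS_CLIENT_CONFIG_FILE` is joined with `clouds.yaml` as if it named a directory, whereas the OpenStack SDK documents that variable as the path of the file itself — verify against the SDK before keeping the `filepath.Join`; and the working directory is searched first for a file that carries cloud credentials, which mirrors the OpenStack CLI but deserves a comment, since a stray `clouds.yaml` in a shared checkout wins over the user's own. The loop variable `path` also shadows the `path` parameter; renaming it keeps the error message unambiguous.
```go
	var cloudsYAML Clouds
	for _, candidate := range searchPaths {
		err := fileHandler.ReadYAML(candidate, &cloudsYAML)
		if err == nil {
			return cloudsYAML, nil
		}
		// Only a missing file continues the search; assumes ReadYAML wraps the os error so errors.Is works — confirm.
		if !errors.Is(err, fs.ErrNotExist) {
			return Clouds{}, fmt.Errorf("reading %s: %w", candidate, err)
		}
	}
	// … unchanged: not-found error …
```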
+++ b/internal/config/config.go 
@@ -198,40 +198,22 @@ type OpenStackConfig struct { // OpenStack cloud name to select from "clouds.yaml". Only required if config file for OpenStack is used. Fallback authentication uses environment variables. For details see: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html. Cloud string `yaml:"cloud"` // description: | + // Path to OpenStack "clouds.yaml" file. Only required if automatic detection fails. + CloudsYAMLPath string `yaml:"cloudsYAMLPath"` + // description: | // Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html AvailabilityZone string `yaml:"availabilityZone" validate:"required"` // description: | // Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html FloatingIPPoolID string `yaml:"floatingIPPoolID" validate:"required"` // description: | - // AuthURL is the OpenStack Identity endpoint to use inside the cluster. - AuthURL string `yaml:"authURL" validate:"required"` - // description: | - // ProjectID is the ID of the OpenStack project where a user resides. - ProjectID string `yaml:"projectID" validate:"required"` - // description: | // STACKITProjectID is the ID of the STACKIT project where a user resides. // Only used if cloud is "stackit". STACKITProjectID string `yaml:"stackitProjectID"` // description: | - // ProjectName is the name of the project where a user resides. - ProjectName string `yaml:"projectName" validate:"required"` - // description: | - // UserDomainName is the name of the domain where a user resides. - UserDomainName string `yaml:"userDomainName" validate:"required"` - // description: | - // ProjectDomainName is the name of the domain where a project resides. - ProjectDomainName string `yaml:"projectDomainName" validate:"required"` - // description: | // RegionName is the name of the region to use inside the cluster. 
RegionName string `yaml:"regionName" validate:"required"` // description: | - // Username to use inside the cluster. - Username string `yaml:"username" validate:"required"` - // description: | - // Password to use inside the cluster. You can instead use the environment variable "CONSTELL_OS_PASSWORD". - Password string `yaml:"password"` - // description: | // Deploy Yawol loadbalancer. For details see: https://github.com/stackitcloud/yawol DeployYawolLoadBalancer *bool `yaml:"deployYawolLoadBalancer" validate:"required"` // description: | @@ -496,11 +478,6 @@ func New(fileHandler file.Handler, name string, fetcher attestationconfigapi.Fet fmt.Fprintf(os.Stderr, "WARNING: the environment variable %s is no longer used %s", constants.EnvVarAzureClientSecretValue, appRegistrationErrStr) } - openstackPassword := os.Getenv(constants.EnvVarOpenStackPassword) - if openstackPassword != "" && c.Provider.OpenStack != nil { - c.Provider.OpenStack.Password = openstackPassword - } - return c, c.Validate(force) } @@ -909,9 +886,6 @@ func (c *Config) WithOpenStackProviderDefaults(csp cloudprovider.Provider, openS case "stackit": c.Provider.OpenStack.Cloud = "stackit" c.Provider.OpenStack.FloatingIPPoolID = "970ace5c-458f-484a-a660-0903bcfd91ad" - c.Provider.OpenStack.AuthURL = "https://keystone.api.iaas.eu01.stackit.cloud/v3" - c.Provider.OpenStack.UserDomainName = "portal_mvp" - c.Provider.OpenStack.ProjectDomainName = "portal_mvp" c.Provider.OpenStack.RegionName = "RegionOne" c.Provider.OpenStack.DeployYawolLoadBalancer = toPtr(true) c.Provider.OpenStack.YawolImageID = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be" diff --git a/internal/config/config_doc.go b/internal/config/config_doc.go index 8665922ed..2168b7f98 100644 --- a/internal/config/config_doc.go +++ b/internal/config/config_doc.go 
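Review bot: The `Cloud` field's description still says "Only required if config file for OpenStack is used. Fallback authentication uses environment variables.", but after this patch the CLI always reads clouds.yaml and errors when the named cloud is missing, and the `CONSTELL_OS_PASSWORD` override is deleted in the second hunk, so no environment fallback is left for the in-cluster credentials. Change the comment to `// OpenStack cloud name to select from "clouds.yaml". The entry must use username/password authentication; its credentials are also used inside the cluster.` and add `validate:"required"` if an empty name is never valid (the STACKIT defaults set it to "stackit", so that expected entry name should be documented as well). Dropping `authURL`, `projectID`, `username`, `password` and the other identity fields from the config is a good move for secrets hygiene, but say whether older configs that still carry those keys parse (if decoding is strict) or go through the migration listed in the diffstat. After the second hunk `constants.EnvVarOpenStackPassword` may be unreferenced.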
@@ -276,87 +276,57 @@ func init() { FieldName: "openstack", }, } - OpenStackConfigDoc.Fields = make([]encoder.Doc, 16) + OpenStackConfigDoc.Fields = make([]encoder.Doc, 10) OpenStackConfigDoc.Fields[0].Name = "cloud" OpenStackConfigDoc.Fields[0].Type = "string" OpenStackConfigDoc.Fields[0].Note = "" OpenStackConfigDoc.Fields[0].Description = "OpenStack cloud name to select from \"clouds.yaml\". Only required if config file for OpenStack is used. Fallback authentication uses environment variables. For details see: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html." OpenStackConfigDoc.Fields[0].Comments[encoder.LineComment] = "OpenStack cloud name to select from \"clouds.yaml\". Only required if config file for OpenStack is used. Fallback authentication uses environment variables. For details see: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html." - OpenStackConfigDoc.Fields[1].Name = "availabilityZone" + OpenStackConfigDoc.Fields[1].Name = "cloudsYAMLPath" OpenStackConfigDoc.Fields[1].Type = "string" OpenStackConfigDoc.Fields[1].Note = "" - OpenStackConfigDoc.Fields[1].Description = "Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html" - OpenStackConfigDoc.Fields[1].Comments[encoder.LineComment] = "Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html" - OpenStackConfigDoc.Fields[2].Name = "floatingIPPoolID" + OpenStackConfigDoc.Fields[1].Description = "Path to OpenStack \"clouds.yaml\" file. Only required if automatic detection fails." + OpenStackConfigDoc.Fields[1].Comments[encoder.LineComment] = "Path to OpenStack \"clouds.yaml\" file. Only required if automatic detection fails." 
+ OpenStackConfigDoc.Fields[2].Name = "availabilityZone" OpenStackConfigDoc.Fields[2].Type = "string" OpenStackConfigDoc.Fields[2].Note = "" - OpenStackConfigDoc.Fields[2].Description = "Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html" - OpenStackConfigDoc.Fields[2].Comments[encoder.LineComment] = "Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html" - OpenStackConfigDoc.Fields[3].Name = "authURL" + OpenStackConfigDoc.Fields[2].Description = "Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html" + OpenStackConfigDoc.Fields[2].Comments[encoder.LineComment] = "Availability zone to place the VMs in. For details see: https://docs.openstack.org/nova/latest/admin/availability-zones.html" + OpenStackConfigDoc.Fields[3].Name = "floatingIPPoolID" OpenStackConfigDoc.Fields[3].Type = "string" OpenStackConfigDoc.Fields[3].Note = "" - OpenStackConfigDoc.Fields[3].Description = "description: |\nAuthURL is the OpenStack Identity endpoint to use inside the cluster.\n" - OpenStackConfigDoc.Fields[3].Comments[encoder.LineComment] = "description: |" - OpenStackConfigDoc.Fields[4].Name = "projectID" + OpenStackConfigDoc.Fields[3].Description = "Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html" + OpenStackConfigDoc.Fields[3].Comments[encoder.LineComment] = "Floating IP pool to use for the VMs. For details see: https://docs.openstack.org/ocata/user-guide/cli-manage-ip-addresses.html" + OpenStackConfigDoc.Fields[4].Name = "stackitProjectID" OpenStackConfigDoc.Fields[4].Type = "string" OpenStackConfigDoc.Fields[4].Note = "" - OpenStackConfigDoc.Fields[4].Description = "ProjectID is the ID of the OpenStack project where a user resides." 
- OpenStackConfigDoc.Fields[4].Comments[encoder.LineComment] = "ProjectID is the ID of the OpenStack project where a user resides." - OpenStackConfigDoc.Fields[5].Name = "stackitProjectID" + OpenStackConfigDoc.Fields[4].Description = "STACKITProjectID is the ID of the STACKIT project where a user resides.\nOnly used if cloud is \"stackit\"." + OpenStackConfigDoc.Fields[4].Comments[encoder.LineComment] = "STACKITProjectID is the ID of the STACKIT project where a user resides." + OpenStackConfigDoc.Fields[5].Name = "regionName" OpenStackConfigDoc.Fields[5].Type = "string" OpenStackConfigDoc.Fields[5].Note = "" - OpenStackConfigDoc.Fields[5].Description = "STACKITProjectID is the ID of the STACKIT project where a user resides.\nOnly used if cloud is \"stackit\"." - OpenStackConfigDoc.Fields[5].Comments[encoder.LineComment] = "STACKITProjectID is the ID of the STACKIT project where a user resides." - OpenStackConfigDoc.Fields[6].Name = "projectName" - OpenStackConfigDoc.Fields[6].Type = "string" + OpenStackConfigDoc.Fields[5].Description = "description: |\nRegionName is the name of the region to use inside the cluster.\n" + OpenStackConfigDoc.Fields[5].Comments[encoder.LineComment] = "description: |" + OpenStackConfigDoc.Fields[6].Name = "deployYawolLoadBalancer" + OpenStackConfigDoc.Fields[6].Type = "bool" OpenStackConfigDoc.Fields[6].Note = "" - OpenStackConfigDoc.Fields[6].Description = "ProjectName is the name of the project where a user resides." - OpenStackConfigDoc.Fields[6].Comments[encoder.LineComment] = "ProjectName is the name of the project where a user resides." - OpenStackConfigDoc.Fields[7].Name = "userDomainName" + OpenStackConfigDoc.Fields[6].Description = "Deploy Yawol loadbalancer. For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[6].Comments[encoder.LineComment] = "Deploy Yawol loadbalancer. 
For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[7].Name = "yawolImageID" OpenStackConfigDoc.Fields[7].Type = "string" OpenStackConfigDoc.Fields[7].Note = "" - OpenStackConfigDoc.Fields[7].Description = "UserDomainName is the name of the domain where a user resides." - OpenStackConfigDoc.Fields[7].Comments[encoder.LineComment] = "UserDomainName is the name of the domain where a user resides." - OpenStackConfigDoc.Fields[8].Name = "projectDomainName" + OpenStackConfigDoc.Fields[7].Description = "OpenStack OS image used by the yawollet. For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[7].Comments[encoder.LineComment] = "OpenStack OS image used by the yawollet. For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[8].Name = "yawolFlavorID" OpenStackConfigDoc.Fields[8].Type = "string" OpenStackConfigDoc.Fields[8].Note = "" - OpenStackConfigDoc.Fields[8].Description = "ProjectDomainName is the name of the domain where a project resides." - OpenStackConfigDoc.Fields[8].Comments[encoder.LineComment] = "ProjectDomainName is the name of the domain where a project resides." - OpenStackConfigDoc.Fields[9].Name = "regionName" - OpenStackConfigDoc.Fields[9].Type = "string" + OpenStackConfigDoc.Fields[8].Description = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[8].Comments[encoder.LineComment] = "OpenStack flavor id used for yawollets. 
For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[9].Name = "deployCSIDriver" + OpenStackConfigDoc.Fields[9].Type = "bool" OpenStackConfigDoc.Fields[9].Note = "" - OpenStackConfigDoc.Fields[9].Description = "description: |\nRegionName is the name of the region to use inside the cluster.\n" - OpenStackConfigDoc.Fields[9].Comments[encoder.LineComment] = "description: |" - OpenStackConfigDoc.Fields[10].Name = "username" - OpenStackConfigDoc.Fields[10].Type = "string" - OpenStackConfigDoc.Fields[10].Note = "" - OpenStackConfigDoc.Fields[10].Description = "Username to use inside the cluster." - OpenStackConfigDoc.Fields[10].Comments[encoder.LineComment] = "Username to use inside the cluster." - OpenStackConfigDoc.Fields[11].Name = "password" - OpenStackConfigDoc.Fields[11].Type = "string" - OpenStackConfigDoc.Fields[11].Note = "" - OpenStackConfigDoc.Fields[11].Description = "Password to use inside the cluster. You can instead use the environment variable \"CONSTELL_OS_PASSWORD\"." - OpenStackConfigDoc.Fields[11].Comments[encoder.LineComment] = "Password to use inside the cluster. You can instead use the environment variable \"CONSTELL_OS_PASSWORD\"." - OpenStackConfigDoc.Fields[12].Name = "deployYawolLoadBalancer" - OpenStackConfigDoc.Fields[12].Type = "bool" - OpenStackConfigDoc.Fields[12].Note = "" - OpenStackConfigDoc.Fields[12].Description = "Deploy Yawol loadbalancer. For details see: https://github.com/stackitcloud/yawol" - OpenStackConfigDoc.Fields[12].Comments[encoder.LineComment] = "Deploy Yawol loadbalancer. For details see: https://github.com/stackitcloud/yawol" - OpenStackConfigDoc.Fields[13].Name = "yawolImageID" - OpenStackConfigDoc.Fields[13].Type = "string" - OpenStackConfigDoc.Fields[13].Note = "" - OpenStackConfigDoc.Fields[13].Description = "OpenStack OS image used by the yawollet. 
For details see: https://github.com/stackitcloud/yawol" - OpenStackConfigDoc.Fields[13].Comments[encoder.LineComment] = "OpenStack OS image used by the yawollet. For details see: https://github.com/stackitcloud/yawol" - OpenStackConfigDoc.Fields[14].Name = "yawolFlavorID" - OpenStackConfigDoc.Fields[14].Type = "string" - OpenStackConfigDoc.Fields[14].Note = "" - OpenStackConfigDoc.Fields[14].Description = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol" - OpenStackConfigDoc.Fields[14].Comments[encoder.LineComment] = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol" - OpenStackConfigDoc.Fields[15].Name = "deployCSIDriver" - OpenStackConfigDoc.Fields[15].Type = "bool" - OpenStackConfigDoc.Fields[15].Note = "" - OpenStackConfigDoc.Fields[15].Description = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage" - OpenStackConfigDoc.Fields[15].Comments[encoder.LineComment] = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage" + OpenStackConfigDoc.Fields[9].Description = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage" + OpenStackConfigDoc.Fields[9].Comments[encoder.LineComment] = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage" QEMUConfigDoc.Type = "QEMUConfig" QEMUConfigDoc.Comments[encoder.LineComment] = "QEMUConfig holds config information for QEMU based Constellation deployments." diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 204ac52ef..013c50edc 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go 
@@ -328,7 +328,7 @@ func TestFromFile(t *testing.T) { } func TestValidate(t *testing.T) { - const defaultErrCount = 38 // expect this number of error messages by default because user-specific values are not set and multiple providers are defined by default + const defaultErrCount = 32 // expect this number of error messages by default because user-specific values are not set and multiple providers are defined by default const azErrCount = 7 const awsErrCount = 8 const gcpErrCount = 8 diff --git a/internal/config/migration/migration.go b/internal/config/migration/migration.go index 03bfb5b5c..54ca54335 100644 --- a/internal/config/migration/migration.go +++ b/internal/config/migration/migration.go @@ -381,14 +381,7 @@ func V3ToV4(path string, fileHandler file.Handler) error { Cloud: cfgV3.Provider.OpenStack.Cloud, AvailabilityZone: cfgV3.Provider.OpenStack.AvailabilityZone, FloatingIPPoolID: cfgV3.Provider.OpenStack.FloatingIPPoolID, - AuthURL: cfgV3.Provider.OpenStack.AuthURL, - ProjectID: cfgV3.Provider.OpenStack.ProjectID, - ProjectName: cfgV3.Provider.OpenStack.ProjectName, - UserDomainName: cfgV3.Provider.OpenStack.UserDomainName, - ProjectDomainName: cfgV3.Provider.OpenStack.ProjectDomainName, RegionName: cfgV3.Provider.OpenStack.RegionName, - Username: cfgV3.Provider.OpenStack.Username, - Password: cfgV3.Provider.OpenStack.Password, DeployYawolLoadBalancer: cfgV3.Provider.OpenStack.DeployYawolLoadBalancer, YawolImageID: cfgV3.Provider.OpenStack.YawolImageID, YawolFlavorID: cfgV3.Provider.OpenStack.YawolFlavorID, diff --git a/internal/constellation/helm/helm.go b/internal/constellation/helm/helm.go index d3f1e20f3..dcc994c6c 100644 --- a/internal/constellation/helm/helm.go +++ b/internal/constellation/helm/helm.go 
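Review bot: V3ToV4 now drops the V3 OpenStack credential fields (AuthURL, ProjectID, ProjectName, UserDomainName, ProjectDomainName, Username, Password) from the struct literal without any trace, so a migrated config silently loses its login data and the user gets no hint where it must go instead. A comment at the literal such as `// OpenStack credentials are no longer part of the V4 config; the CLI reads them from the clouds.yaml entry selected by the "cloud" setting.` makes the intent explicit, and warning when any of those V3 fields was non-empty would catch users who relied on them. V3ToV4 starts before this hunk and its body continues past it.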
@@ -97,7 +97,7 @@ type Options struct { func (h Client) PrepareApply( flags Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret, ) (Applier, bool, error) { - releases, err := h.loadReleases(flags.CSP, flags.AttestationVariant, flags.K8sVersion, masterSecret, stateFile, flags, serviceAccURI) + releases, err := h.loadReleases(masterSecret, stateFile, flags, serviceAccURI) if err != nil { return nil, false, fmt.Errorf("loading Helm releases: %w", err) } @@ -110,10 +110,9 @@ func (h Client) PrepareApply( } func (h Client) loadReleases( - csp cloudprovider.Provider, attestationVariant variant.Variant, k8sVersion versions.ValidK8sVersion, secret uri.MasterSecret, - stateFile *state.State, flags Options, serviceAccURI string, + secret uri.MasterSecret, stateFile *state.State, flags Options, serviceAccURI string, ) ([]release, error) { - helmLoader := newLoader(csp, attestationVariant, k8sVersion, stateFile, h.cliVersion) + helmLoader := newLoader(flags.CSP, flags.AttestationVariant, flags.K8sVersion, stateFile, h.cliVersion) h.log.Debug("Created new Helm loader") return helmLoader.loadReleases(flags.Conformance, flags.DeployCSIDriver, flags.HelmWaitMode, secret, serviceAccURI, flags.OpenStackValues) } diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go index 994575f6f..5634d03fa 100644 --- a/internal/constellation/helm/loader.go +++ b/internal/constellation/helm/loader.go 
@@ -176,18 +176,23 @@ func (i *chartLoader) loadReleases(conformanceMode, deployCSIDriver bool, helmWa } releases = append(releases, awsRelease) } - if i.csp == cloudprovider.OpenStack && openStackValues != nil && openStackValues.DeployYawolLoadBalancer { - yawolRelease, err := i.loadRelease(yawolLBControllerInfo, WaitModeNone) - if err != nil { - return nil, fmt.Errorf("loading yawol chart: %w", err) + if i.csp == cloudprovider.OpenStack { + if openStackValues == nil { + return nil, errors.New("provider is OpenStack but OpenStack config is missing") } + if openStackValues.DeployYawolLoadBalancer { + yawolRelease, err := i.loadRelease(yawolLBControllerInfo, WaitModeNone) + if err != nil { + return nil, fmt.Errorf("loading yawol chart: %w", err) + } - yawolVals, err := extraYawolValues(serviceAccURI, i.stateFile.Infrastructure, openStackValues) - if err != nil { - return nil, fmt.Errorf("extending yawol chart values: %w", err) + yawolVals, err := extraYawolValues(serviceAccURI, i.stateFile.Infrastructure, openStackValues) + if err != nil { + return nil, fmt.Errorf("extending yawol chart values: %w", err) + } + yawolRelease.values = mergeMaps(yawolRelease.values, yawolVals) + releases = append(releases, yawolRelease) } - yawolRelease.values = mergeMaps(yawolRelease.values, yawolVals) - releases = append(releases, yawolRelease) } return releases, nil diff --git a/terraform/infrastructure/openstack/main.tf b/terraform/infrastructure/openstack/main.tf index 797423654..bc3f2c0dd 100644 --- a/terraform/infrastructure/openstack/main.tf +++ b/terraform/infrastructure/openstack/main.tf 
@@ -56,6 +56,9 @@ locals { endpoint if(endpoint.interface == "public") ][0] identity_internal_url = local.identity_endpoint.url + cloudsyaml_path = length(var.openstack_clouds_yaml_path) > 0 ? var.openstack_clouds_yaml_path : "~/.config/openstack/clouds.yaml" + cloudsyaml = yamldecode(file(pathexpand(local.cloudsyaml_path))) + cloudyaml = local.cloudsyaml.clouds[var.cloud] } resource "random_id" "uid" { @@ -236,9 +239,9 @@ module "instance_group" { subnet_id = openstack_networking_subnet_v2.vpc_subnetwork.id init_secret_hash = local.init_secret_hash identity_internal_url = local.identity_internal_url - openstack_username = var.openstack_username - openstack_password = var.openstack_password - openstack_user_domain_name = var.openstack_user_domain_name + openstack_username = local.cloudyaml["auth"]["username"] + openstack_password = local.cloudyaml["auth"]["password"] + openstack_user_domain_name = local.cloudyaml["auth"]["user_domain_name"] openstack_load_balancer_endpoint = openstack_networking_floatingip_v2.public_ip.address } diff --git a/terraform/infrastructure/openstack/variables.tf b/terraform/infrastructure/openstack/variables.tf index 3b0983d68..98714a200 100644 --- a/terraform/infrastructure/openstack/variables.tf +++ b/terraform/infrastructure/openstack/variables.tf 
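Review bot: `openstack_password = local.cloudyaml["auth"]["password"]` in the instance_group module call hands the password from clouds.yaml to the module as a plain value, so it shows up unmasked in `terraform plan` output and in the state file; wrapping it as `openstack_password = sensitive(local.cloudyaml["auth"]["password"])`, or declaring the module's `openstack_password` variable with `sensitive = true`, keeps it out of plan and log output (it still lands in state). Second, `local.cloudsyaml.clouds[var.cloud]` in the locals hunk errors when `var.cloud` is empty, yet the variables.tf hunk below still documents `cloud` as optional with an environment-variable fallback, so one of the two needs to change. The lookup also assumes the selected entry's `auth` section carries `username`, `password` and `user_domain_name`; an entry that authenticates differently fails here with an opaque index error, which a `validation` block or a `can(...)`-guarded error message would make understandable.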
@@ -48,26 +48,17 @@ variable "cloud" { description = "Cloud to use within the OpenStack \"clouds.yaml\" file. Optional. If not set, environment variables are used." } +variable "openstack_clouds_yaml_path" { + type = string + default = "~/.config/openstack/clouds.yaml" + description = "Path to OpenStack clouds.yaml file" +} + variable "floating_ip_pool_id" { type = string description = "Pool (network name) to use for floating IPs." } -variable "openstack_user_domain_name" { - type = string - description = "OpenStack user domain name." -} - -variable "openstack_username" { - type = string - description = "OpenStack user name." -} - -variable "openstack_password" { - type = string - description = "OpenStack password." -} - # STACKIT-specific variables variable "stackit_project_id" { From c8ae092298baf036e7811640e081a1aa512b5882 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Thu, 7 Mar 2024 09:04:33 +0100 Subject: [PATCH 23/47] docs: add STACKIT to the terraform provider page --- docs/docs/workflows/terraform-provider.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/docs/workflows/terraform-provider.md b/docs/docs/workflows/terraform-provider.md index 7de44a530..78e63f326 100644 --- a/docs/docs/workflows/terraform-provider.md +++ b/docs/docs/workflows/terraform-provider.md 
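Review bot: The `cloud` variable's description at the top of this hunk still says "Optional. If not set, environment variables are used.", but main.tf now indexes `local.cloudsyaml.clouds[var.cloud]`, so an unset value is an error rather than a fallback; change it to something like `description = "Cloud entry to use from the OpenStack \"clouds.yaml\" file. Required; its auth section supplies the credentials."`. The new `openstack_clouds_yaml_path` variable already defaults to `~/.config/openstack/clouds.yaml`, so the `length(...) > 0 ? ... : ...` fallback in main.tf only takes effect when a caller passes an empty string; either state that in the description or keep the default in one place.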
@@ -78,6 +78,17 @@ This example shows how to set up a Constellation cluster with the reference IAM Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. + + Initialize the providers and apply the configuration. + + ```bash + terraform init + terraform apply + ``` + + Optionally, you can prefix the `terraform apply` command with `TF_LOG=INFO` to collect [Terraform logs](https://developer.hashicorp.com/terraform/internals/debugging) while applying the configuration. This may provide helpful output in debugging scenarios. + + 4. Connect to the cluster. From 98d5998057fc2b5e3032ce25754027964da8e114 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 8 Mar 2024 14:16:34 +0100 Subject: [PATCH 24/47] openstack: move credentials to instance user data --- internal/cloud/openstack/imds.go | 70 +++++++++++++------ internal/cloud/openstack/imds_test.go | 38 ++++++---- .../openstack/modules/instance_group/main.tf | 12 ++-- 3 files changed, 79 insertions(+), 41 deletions(-) diff --git a/internal/cloud/openstack/imds.go b/internal/cloud/openstack/imds.go index e977558d9..792a0d881 100644 --- a/internal/cloud/openstack/imds.go +++ b/internal/cloud/openstack/imds.go @@ -23,6 +23,7 @@ import ( const ( imdsMetaDataURL = "http://169.254.169.254/openstack/2018-08-27/meta_data.json" + imdsUserDataURL = "http://169.254.169.254/openstack/2018-08-27/user_data" ec2ImdsBaseURL = "http://169.254.169.254/1.0/meta-data" maxCacheAge = 12 * time.Hour ) @@ -33,6 +34,7 @@ type imdsClient struct { vpcIPCache string vpcIPCacheTime time.Time cache metadataResponse + userDataCache userDataResponse cacheTime time.Time } 
@@ -129,73 +131,73 @@ func (c *imdsClient) role(ctx context.Context) (role.Role, error) { } func (c *imdsClient) loadBalancerEndpoint(ctx context.Context) (string, error) { - if c.timeForUpdate(c.cacheTime) || c.cache.Tags.LoadBalancerEndpoint == "" { + if c.timeForUpdate(c.cacheTime) || c.userDataCache.LoadBalancerEndpoint == "" { if err := c.update(ctx); err != nil { return "", err } } - if c.cache.Tags.LoadBalancerEndpoint == "" { + if c.userDataCache.LoadBalancerEndpoint == "" { return "", errors.New("unable to get load balancer endpoint") } - return c.cache.Tags.LoadBalancerEndpoint, nil + return c.userDataCache.LoadBalancerEndpoint, nil } func (c *imdsClient) authURL(ctx context.Context) (string, error) { - if c.timeForUpdate(c.cacheTime) || c.cache.Tags.AuthURL == "" { + if c.timeForUpdate(c.cacheTime) || c.userDataCache.AuthURL == "" { if err := c.update(ctx); err != nil { return "", err } } - if c.cache.Tags.AuthURL == "" { + if c.userDataCache.AuthURL == "" { return "", errors.New("unable to get auth url") } - return c.cache.Tags.AuthURL, nil + return c.userDataCache.AuthURL, nil } func (c *imdsClient) userDomainName(ctx context.Context) (string, error) { - if c.timeForUpdate(c.cacheTime) || c.cache.Tags.UserDomainName == "" { + if c.timeForUpdate(c.cacheTime) || c.userDataCache.UserDomainName == "" { if err := c.update(ctx); err != nil { return "", err } } - if c.cache.Tags.UserDomainName == "" { + if c.userDataCache.UserDomainName == "" { return "", errors.New("unable to get user domain name") } - return c.cache.Tags.UserDomainName, nil + return c.userDataCache.UserDomainName, nil } func (c *imdsClient) username(ctx context.Context) (string, error) { - if c.timeForUpdate(c.cacheTime) || c.cache.Tags.Username == "" { + if c.timeForUpdate(c.cacheTime) || c.userDataCache.Username == "" { if err := c.update(ctx); err != nil { return "", err } } - if c.cache.Tags.Username == "" { + if c.userDataCache.Username == "" { return "", errors.New("unable to get 
token name") } - return c.cache.Tags.Username, nil + return c.userDataCache.Username, nil } func (c *imdsClient) password(ctx context.Context) (string, error) { - if c.timeForUpdate(c.cacheTime) || c.cache.Tags.Password == "" { + if c.timeForUpdate(c.cacheTime) || c.userDataCache.Password == "" { if err := c.update(ctx); err != nil { return "", err } } - if c.cache.Tags.Password == "" { + if c.userDataCache.Password == "" { return "", errors.New("unable to get token password") } - return c.cache.Tags.Password, nil + return c.userDataCache.Password, nil } // timeForUpdate checks whether an update is needed due to cache age. 
@@ -203,18 +205,41 @@ func (c *imdsClient) timeForUpdate(t time.Time) bool { return time.Since(t) > maxCacheAge } -// update updates instance metadata from the azure imds API. func (c *imdsClient) update(ctx context.Context) error { + if err := c.updateInstanceMetadata(ctx); err != nil { + return fmt.Errorf("updating instance metadata: %w", err) + } + if err := c.updateUserData(ctx); err != nil { + return fmt.Errorf("updating user data: %w", err) + } + c.cacheTime = time.Now() + return nil +} + +// update updates instance metadata from the azure imds API. +func (c *imdsClient) updateInstanceMetadata(ctx context.Context) error { resp, err := httpGet(ctx, c.client, imdsMetaDataURL) if err != nil { return err } var metadataResp metadataResponse if err := json.Unmarshal(resp, &metadataResp); err != nil { - return fmt.Errorf("unmarshalling IMDS metadata response %q: %w", string(resp), err) + return fmt.Errorf("unmarshalling IMDS metadata response %q: %w", resp, err) } c.cache = metadataResp - c.cacheTime = time.Now() + return nil +} + +func (c *imdsClient) updateUserData(ctx context.Context) error { + resp, err := httpGet(ctx, c.client, imdsUserDataURL) + if err != nil { + return err + } + var userdataResp userDataResponse + if err := json.Unmarshal(resp, &userdataResp); err != nil { + return fmt.Errorf("unmarshalling IMDS user_data response %q: %w", resp, err) + } + c.userDataCache = userdataResp return nil } 
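Review bot: `updateUserData` embeds the raw response in its error with `%q`, and the user_data document is exactly where the OpenStack password now lives (see `password()` reading `c.userDataCache.Password`), so a malformed response turns into an error string, and most likely a log line, containing the credential; use `return fmt.Errorf("unmarshalling IMDS user_data response: %w", err)` without the body. The comment above `updateInstanceMetadata` still reads `// update updates instance metadata from the azure imds API.` and should name the function and the OpenStack endpoint, and `updateUserData` has no comment at all, e.g. `// updateUserData fetches and caches the user_data document, which carries the OpenStack auth URL, user domain, username and password.`. `update` could also say that `cacheTime` is only advanced when both fetches succeed, which is the reason for the split.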
@@ -262,9 +287,12 @@ type metadataResponse struct { } type metadataTags struct { - InitSecretHash string `json:"constellation-init-secret-hash,omitempty"` - Role string `json:"constellation-role,omitempty"` - UID string `json:"constellation-uid,omitempty"` + InitSecretHash string `json:"constellation-init-secret-hash,omitempty"` + Role string `json:"constellation-role,omitempty"` + UID string `json:"constellation-uid,omitempty"` +} + +type userDataResponse struct { AuthURL string `json:"openstack-auth-url,omitempty"` UserDomainName string `json:"openstack-user-domain-name,omitempty"` Username string `json:"openstack-username,omitempty"` diff --git a/internal/cloud/openstack/imds_test.go b/internal/cloud/openstack/imds_test.go index 94caaa108..ce45dbd3d 100644 --- a/internal/cloud/openstack/imds_test.go +++ b/internal/cloud/openstack/imds_test.go @@ -26,7 +26,7 @@ func TestProviderID(t *testing.T) { someErr := errors.New("failed") type testCase struct { - cache metadataResponse + cache any cacheTime time.Time newClient httpClientJSONCreateFunc wantResult string @@ -34,7 +34,7 @@ func TestProviderID(t *testing.T) { wantErr bool } - newTestCases := func(mResp1, mResp2 metadataResponse, expect1, expect2 string) map[string]testCase { + newTestCases := func(mResp1, mResp2 any, expect1, expect2 string) map[string]testCase { return map[string]testCase{ "cached": { cache: mResp1, 
@@ -120,32 +120,32 @@ func TestProviderID(t *testing.T) { "authURL": { method: (*imdsClient).authURL, testCases: newTestCases( - metadataResponse{Tags: metadataTags{AuthURL: "authURL1"}}, - metadataResponse{Tags: metadataTags{AuthURL: "authURL2"}}, + userDataResponse{AuthURL: "authURL1"}, + userDataResponse{AuthURL: "authURL2"}, "authURL1", "authURL2", ), }, "userDomainName": { method: (*imdsClient).userDomainName, testCases: newTestCases( - metadataResponse{Tags: metadataTags{UserDomainName: "userDomainName1"}}, - metadataResponse{Tags: metadataTags{UserDomainName: "userDomainName2"}}, + userDataResponse{UserDomainName: "userDomainName1"}, + userDataResponse{UserDomainName: "userDomainName2"}, "userDomainName1", "userDomainName2", ), }, "username": { method: (*imdsClient).username, testCases: newTestCases( - metadataResponse{Tags: metadataTags{Username: "username1"}}, - metadataResponse{Tags: metadataTags{Username: "username2"}}, + userDataResponse{Username: "username1"}, + userDataResponse{Username: "username2"}, "username1", "username2", ), }, "password": { method: (*imdsClient).password, testCases: newTestCases( - metadataResponse{Tags: metadataTags{Password: "password1"}}, - metadataResponse{Tags: metadataTags{Password: "password2"}}, + userDataResponse{Password: "password1"}, + userDataResponse{Password: "password2"}, "password1", "password2", ), }, @@ -162,10 +162,18 @@ func TestProviderID(t *testing.T) { if tc.newClient != nil { client = tc.newClient(require) } + var cache metadataResponse + var userDataCache userDataResponse + if _, ok := tc.cache.(metadataResponse); ok { + cache = tc.cache.(metadataResponse) + } else if _, ok := tc.cache.(userDataResponse); ok { + userDataCache = tc.cache.(userDataResponse) + } imds := &imdsClient{ - client: client, - cache: tc.cache, - cacheTime: tc.cacheTime, + client: client, + cache: cache, + userDataCache: userDataCache, + cacheTime: tc.cacheTime, } result, err := tu.method(imds, context.Background()) 
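Review bot: The new cache setup in the test loop type-asserts `tc.cache` twice per branch (`if _, ok := tc.cache.(metadataResponse); ok { cache = tc.cache.(metadataResponse) }`), which a type switch expresses in a single pass and is the idiomatic form for dispatching on an `any` value. The surrounding TestProviderID body starts and ends outside this hunk.
```go
var cache metadataResponse
var userDataCache userDataResponse
switch v := tc.cache.(type) {
case metadataResponse:
	cache = v
case userDataResponse:
	userDataCache = v
}
// … unchanged: imdsClient construction and method call …
```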
@@ -373,13 +381,13 @@ type httpClientJSONCreateFunc func(r *require.Assertions) *stubHTTPClientJSON type stubHTTPClientJSON struct { require *require.Assertions - response metadataResponse + response any code int err error called bool } -func newStubHTTPClientJSONFunc(response metadataResponse, statusCode int, err error) httpClientJSONCreateFunc { +func newStubHTTPClientJSONFunc(response any, statusCode int, err error) httpClientJSONCreateFunc { return func(r *require.Assertions) *stubHTTPClientJSON { return &stubHTTPClientJSON{ response: response, diff --git a/terraform/infrastructure/openstack/modules/instance_group/main.tf b/terraform/infrastructure/openstack/modules/instance_group/main.tf index 0d2cdc77a..0a10b1531 100644 --- a/terraform/infrastructure/openstack/modules/instance_group/main.tf +++ b/terraform/infrastructure/openstack/modules/instance_group/main.tf @@ -72,14 +72,16 @@ resource "openstack_compute_instance_v2" "instance_group_member" { delete_on_termination = true } metadata = { - constellation-role = var.role - constellation-uid = var.uid - constellation-init-secret-hash = var.init_secret_hash + constellation-role = var.role + constellation-uid = var.uid + constellation-init-secret-hash = var.init_secret_hash + } + user_data = jsonencode({ openstack-auth-url = var.identity_internal_url openstack-username = var.openstack_username openstack-password = var.openstack_password openstack-user-domain-name = var.openstack_user_domain_name openstack-load-balancer-endpoint = var.openstack_load_balancer_endpoint - } - availability_zone_hints = var.availability_zone + }) + availability_zone_hints = length(var.availability_zone) > 0 ? var.availability_zone : null } From 3fa357786e85216ef1223b0e05f19d350b38d04a Mon Sep 17 00:00:00 2001 
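Review bot: Moving `openstack-password` and the other credentials from `metadata` into `user_data = jsonencode({...})` changes how rotation behaves: as far as I know `user_data` on `openstack_compute_instance_v2` is a replace-on-change argument while the `metadata` map is updated in place, so a password change would now recreate every node; this is worth confirming against the provider and, if true, documenting next to the block. The credential is still delivered to the guest in clear text through the unauthenticated metadata service, as it was before, so a comment naming the consumer and the coupling helps the next reader, e.g. `# Read by internal/cloud/openstack/imds.go (userDataResponse); keys must stay in sync. Contains the OpenStack password.`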
From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 8 Mar 2024 17:07:05 +0100 Subject: [PATCH 25/47] terraform: ignore changes of OpenStack instance image --- .../infrastructure/openstack/modules/instance_group/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/infrastructure/openstack/modules/instance_group/main.tf b/terraform/infrastructure/openstack/modules/instance_group/main.tf index 0a10b1531..b104506d5 100644 --- a/terraform/infrastructure/openstack/modules/instance_group/main.tf +++ b/terraform/infrastructure/openstack/modules/instance_group/main.tf @@ -45,7 +45,6 @@ data "openstack_compute_flavor_v2" "flavor" { resource "openstack_compute_instance_v2" "instance_group_member" { name = "${local.name}-${count.index}" count = var.initial_count - image_id = var.image_id flavor_id = data.openstack_compute_flavor_v2.flavor.id tags = local.tags # TODO(malt3): get this API enabled in the test environment @@ -84,4 +83,7 @@ resource "openstack_compute_instance_v2" "instance_group_member" { openstack-load-balancer-endpoint = var.openstack_load_balancer_endpoint }) availability_zone_hints = length(var.availability_zone) > 0 ? var.availability_zone : null + lifecycle { + ignore_changes = [block_device] # block device contains current image, which can be updated from inside the cluster + } } From d8a734dc08e26b5946ce1ca8f4a96c2608cf261f Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 8 Mar 2024 15:03:12 +0100 Subject: [PATCH 26/47] docs: mention all zones where STACKIT instances are available --- docs/docs/workflows/config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index f124e4d78..7e8933466 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md 
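Review bot: `ignore_changes = [block_device]` in the second hunk suppresses drift on the whole block_device list, not only the image reference, so a later configuration change to the volume size or `delete_on_termination` would also be silently skipped on existing instances; if the provider accepts an attribute path, narrow it to the image field of the block (for example `ignore_changes = [block_device[0].uuid]`, assuming the image is referenced via `uuid` there; the block_device definition itself is outside this hunk). Dropping the top-level `image_id` in the first hunk only works if the block device already carries the image, and a short comment on `lifecycle` stating that the image is intentionally owned by the in-cluster upgrade flow would spare the next reader that cross-reference.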
@@ -135,7 +135,7 @@ This configuration creates an additional node group `high_cpu` with a larger ins You can use the field `zone` to specify what availability zone nodes of the group are placed in. On Azure, this field is empty by default and nodes are automatically spread across availability zones. -STACKIT currently only offers SEV-enabled CPUs in the `eu01-1` zone. +STACKIT currently offers SEV-enabled CPUs in the `eu01-1`, `eu01-2` and `eu01-3` zone. Consult the documentation of your cloud provider for more information: * [AWS](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) From 938d0ceb003de147185c29a2e4bbd6c3779cb297 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 8 Mar 2024 15:05:15 +0100 Subject: [PATCH 27/47] docs: explain recovery steps on STACKIT --- docs/docs/workflows/recovery.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/docs/workflows/recovery.md b/docs/docs/workflows/recovery.md index 9396bf8f2..9bbb32652 100644 --- a/docs/docs/workflows/recovery.md +++ b/docs/docs/workflows/recovery.md 
@@ -118,6 +118,37 @@ If this fails due to an unhealthy control plane, you will see log messages simil This means that you have to recover the node manually. + + + +First, open the STACKIT portal to view all servers in your project. Select individual control plane nodes `--control-plane--` and check that enough members are in a *Running* state. + +Second, check the boot logs of these servers. Click on a server name and select **Overview**. Find the **Machine Setup** section and click on **Web console** > **Open console**. + +In the serial console output, search for `Waiting for decryption key`. +Similar output to the following means your node was restarted and needs to decrypt the [state disk](../architecture/images.md#state-disk): + +```json +{"level":"INFO","ts":"2022-09-08T10:21:53Z","caller":"cmd/main.go:55","msg":"Starting disk-mapper","version":"2.0.0","cloudProvider":"gcp"} +{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"setupManager","caller":"setup/setup.go:72","msg":"Preparing existing state disk"} +{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:65","msg":"Starting RejoinClient"} +{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"recoveryServer","caller":"recoveryserver/server.go:59","msg":"Starting RecoveryServer"} +``` + +The node will then try to connect to the [*JoinService*](../architecture/microservices.md#joinservice) and obtain the decryption key. 
+If this fails due to an unhealthy control plane, you will see log messages similar to the following: + +```json +{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:77","msg":"Received list with JoinService endpoints","endpoints":["192.168.178.4:30090","192.168.178.2:30090"]} +{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.4:30090"} +{"level":"WARN","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.4:30090: connect: connection refused\"","endpoint":"192.168.178.4:30090"} +{"level":"INFO","ts":"2022-09-08T10:21:53Z","logger":"rejoinClient","caller":"rejoinclient/client.go:96","msg":"Requesting rejoin ticket","endpoint":"192.168.178.2:30090"} +{"level":"WARN","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:101","msg":"Failed to rejoin on endpoint","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp 192.168.178.2:30090: i/o timeout\"","endpoint":"192.168.178.2:30090"} +{"level":"ERROR","ts":"2022-09-08T10:22:13Z","logger":"rejoinClient","caller":"rejoinclient/client.go:110","msg":"Failed to rejoin on all endpoints"} +``` + +This means that you have to recover the node manually. + From ad8458d0ac9b2cdae91d028da2a9df0f3a866222 Mon Sep 17 00:00:00 2001 
From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Fri, 8 Mar 2024 15:06:13 +0100 Subject: [PATCH 28/47] docs: document STACKIT CC features Co-Authored-By: Moritz Eckert --- docs/docs/architecture/attestation.md | 43 ++++++++++++++++++- docs/docs/overview/clouds.md | 18 +++++--- .../config/vocabularies/edgeless/accept.txt | 1 + 3 files changed, 54 insertions(+), 8 deletions(-) diff --git a/docs/docs/architecture/attestation.md b/docs/docs/architecture/attestation.md index 04b85d8ad..572a8511f 100644 --- a/docs/docs/architecture/attestation.md +++ b/docs/docs/architecture/attestation.md 
@@ -217,6 +217,38 @@ The latter means that the value can be generated offline and compared to the one | 15 | ClusterID | Constellation Bootstrapper | Yes | | 16–23 | Unused | - | - | + + + +Constellation uses a hypervisor-based vTPM for runtime measurements. + +The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification. +The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot). + +The following table lists all PCR values of the vTPM and the measured components. +It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable. +The latter means that the value can be generated offline and compared to the one in the vTPM. + +| PCR | Components | Measured by | Reproducible and verifiable | +| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- | +| 0 | Firmware | STACKIT | No | +| 1 | Firmware | STACKIT | No | +| 2 | Firmware | STACKIT | No | +| 3 | Firmware | STACKIT | No | +| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes | +| 5 | Firmware | STACKIT | No | +| 6 | Firmware | STACKIT | No | +| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No | +| 8 | - | - | - | +| 9 | initramfs, Kernel command line | Linux Kernel | Yes | +| 10 | User space | Linux IMA | No[^1] | +| 11 | Unified Kernel Image components | Constellation Bootloader | Yes | +| 12 | Reserved | (User space, Constellation Bootloader) | Yes | +| 13 | Reserved | (Constellation Bootloader) | Yes | +| 14 | Secure Boot State | Constellation Bootloader | No | +| 15 | ClusterID | Constellation Bootstrapper | Yes | +| 16–23 | Unused | - | - | + 
@@ -251,13 +283,15 @@ You may customize certain parameters for verification of the attestation stateme +On GCP, AMD SEV-ES is used to provide runtime encryption to the VMs. +The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). There is no additional configuration available for GCP. On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. -An SEV-SNP attestation report is used to establish trust in the VM and it's vTPM. +An SEV-SNP attestation report is used to establish trust in the VM. You may customize certain parameters for verification of the attestation statement using the Constellation config file. * TCB versions @@ -275,6 +309,13 @@ You may customize certain parameters for verification of the attestation stateme This is the intermediate certificate for verifying the SEV-SNP report's signature. If it's not specified, the CLI fetches it from the AMD key distribution server. + + + +On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs. +The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements). +There is no additional configuration available for STACKIT. + diff --git a/docs/docs/overview/clouds.md b/docs/docs/overview/clouds.md index 8cc42a990..b2de81e4b 100644 --- a/docs/docs/overview/clouds.md +++ b/docs/docs/overview/clouds.md 
@@ -14,13 +14,13 @@ For Constellation, the ideal environment provides the following:
 The following table summarizes the state of features for different infrastructures as of June 2023.
-| **Feature** | **Azure** | **GCP** | **AWS** | **OpenStack (Yoga)** |
-|-----------------------------------|-----------|---------|---------|----------------------|
-| **1. Custom images** | Yes | Yes | Yes | Yes |
-| **2. SEV-SNP or TDX** | Yes | Yes | Yes | Depends on kernel/HV |
-| **3. Raw guest attestation** | Yes | Yes | Yes | Depends on kernel/HV |
-| **4. Reviewable firmware** | No | No | Yes | Depends on kernel/HV |
-| **5. Confidential measured boot** | Yes | No | No | Depends on kernel/HV |
+| **Feature** | **Azure** | **GCP** | **AWS** | **STACKIT** | **OpenStack (Yoga)** |
+|-----------------------------------|-----------|---------|---------|--------------|----------------------|
+| **1. Custom images** | Yes | Yes | Yes | Yes | Yes |
+| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV |
+| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV |
+| **4. Reviewable firmware** | No | No | Yes | No | Depends on kernel/HV |
+| **5. Confidential measured boot** | Yes | No | No | No | Depends on kernel/HV |
 ## Microsoft Azure
@@ -53,6 +53,10 @@ However, regarding (5), attestation is partially based on the [NitroTPM](https:/
 Hence, the hypervisor is currently part of Constellation's TCB.
 Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built.
+## STACKIT
+
+[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
+
 ## OpenStack
 OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
diff --git a/docs/styles/config/vocabularies/edgeless/accept.txt b/docs/styles/config/vocabularies/edgeless/accept.txt
index 6220f0553..26fa0d0c9 100644
--- a/docs/styles/config/vocabularies/edgeless/accept.txt
+++ b/docs/styles/config/vocabularies/edgeless/accept.txt
@@ -63,6 +63,7 @@ rollout
 SBOM
 sigstore
 SSD
+STACKIT
 superset
 Syft
 systemd
From 02e6cb4a2eedde510cd4879e28faaafbd74896de Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 11 Mar 2024 14:54:54 +0100
Subject: [PATCH 29/47] docs: document OpenStack related config files on Windows
---
 docs/docs/getting-started/install.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md
index 94110617c..9d35c912b 100644
--- a/docs/docs/getting-started/install.md
+++ b/docs/docs/getting-started/install.md
@@ -397,7 +397,7 @@ Options and first steps are described in the [AWS CLI documentation](https://doc
 You need to authenticate with the infrastructure API (OpenStack) and create a service account (STACKIT API).
 1. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/step-1-generating-of-user-access-token-11763726.html) for obtaining a User Access Token (UAT) to use the infrastructure API
-2. Create a configuration file under `~/.config/openstack/clouds.yaml` with the credentials from the User Access Token
+2. Create a configuration file under `~/.config/openstack/clouds.yaml` (`%AppData%\openstack\clouds.yaml` on Windows) with the credentials from the User Access Token
 ```yaml
 clouds:
 stackit:
@@ -414,7 +414,7 @@ You need to authenticate with the infrastructure API (OpenStack) and create a se
 ```
 3. [Follow the STACKIT documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html) for creating a service account and an access token
 4. Assign the `editor` role to the service account by [following the documentation](https://docs.stackit.cloud/stackit/en/getting-started-in-service-accounts-134415831.html)
-5. Create a configuration file under `~/.stackit/credentials.json`
+5. Create a configuration file under `~/.stackit/credentials.json` (`%USERPROFILE%\.stackit\credentials.json` on Windows)
 ```json
 {"STACKIT_SERVICE_ACCOUNT_TOKEN":"REPLACE_WITH_TOKEN"}
 ```
From a88f9d8df4ede90fe6dde7197bd2e600c3dd9c13 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 11 Mar 2024 18:37:28 +0100
Subject: [PATCH 30/47] release: prepare release
From 83c748a9e8b8e1a33daa13666874122fbac76bd7 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Mon, 11 Mar 2024 17:38:24 +0000
Subject: [PATCH 31/47] chore: update version.txt to v2.16.1
---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.txt b/version.txt
index 0c29db780..c74c7e653 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v2.16.0
+v2.16.1
From 7af3fd7fda73c02281b3c4cfeb0323c85a690d43 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Mon, 11 Mar 2024 17:38:39 +0000
Subject: [PATCH 32/47] deps: update versions to v2.16.1
---
 internal/config/image_enterprise.go | 2 +-
 s3proxy/deploy/s3proxy/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/config/image_enterprise.go b/internal/config/image_enterprise.go
index db52b2f71..b5f64343d 100644
--- a/internal/config/image_enterprise.go
+++ b/internal/config/image_enterprise.go
@@ -10,5 +10,5 @@ package config
 const (
 // defaultImage is the default image to use.
- defaultImage = "v2.16.0"
+ defaultImage = "v2.16.1"
 )
diff --git a/s3proxy/deploy/s3proxy/Chart.yaml b/s3proxy/deploy/s3proxy/Chart.yaml
index 298c854b0..704396eeb 100644
--- a/s3proxy/deploy/s3proxy/Chart.yaml
+++ b/s3proxy/deploy/s3proxy/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: s3proxy
 description: Helm chart to deploy s3proxy.
 type: application
-version: 2.16.0
+version: 2.16.1
From dec19769c5dc43c49daf16c47f2b765ea15a9d74 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Mon, 11 Mar 2024 18:10:09 +0000
Subject: [PATCH 33/47] attestation: hardcode measurements for v2.16.1
---
 .../measurements/measurements_enterprise.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go
index be6643b4d..be4ad3fd3 100644
--- a/internal/attestation/measurements/measurements_enterprise.go
+++ b/internal/attestation/measurements/measurements_enterprise.go
@@ -16,13 +16,13 @@ package measurements // revive:disable:var-naming var ( - aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x20, 0x99, 0xa0, 0xe2, 0x34, 0x48, 0xe4, 0xc2, 0xdf, 0xe3, 0x7e, 0xf8, 0x89, 0x9d, 0x16, 0x0a, 0x71, 0x7c, 0x75, 0xc4, 0xb1, 0x27, 0x7b, 0xfa, 0xf7, 0xb0, 0x0a, 0x6f, 0x41, 0xb8, 0x64, 0x13}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x85, 0x2c, 0xd0, 0xa3, 0xa7, 0x3d, 0xb1, 0xea, 0x45, 0x7c, 0xeb, 0xec, 0x46, 0xed, 0x7b, 0x5e, 0xb0, 0x79, 0x2c, 0x54, 0x78, 0x25, 0xca, 0x24, 0x44, 0x48, 0x69, 0x92, 0x23, 0x30, 0x04, 0xca}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x5c, 0x60, 0xda, 0x66, 0x89, 0xac, 0x4a, 0xc7, 0xd8, 0xaa, 0x00, 0xc6, 0xea, 0x96, 0x5b, 0xf8, 0x52, 0x25, 0xbe, 0xe6, 0xde, 0x18, 0xc8, 0xd6, 0x5a, 0x56, 0x42, 0x9e, 0x04, 0x8a, 0x6d, 0x09}, 
ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x99, 0xe5, 0x44, 0x49, 0x5f, 0xd9, 0x04, 0x16, 0x40, 0xdc, 0xf7, 0x3f, 0xfa, 0x13, 0x3e, 0x72, 0xd0, 0xf4, 0x45, 0xc7, 0x01, 0xd8, 0x28, 0x5c, 0xcb, 0x67, 0xf2, 0x46, 0x53, 0x48, 0x84, 0xb5}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xab, 0x3e, 0xd4, 0x9d, 0xe4, 0x35, 0x94, 0x73, 0x41, 0x16, 0x23, 0x29, 0x96, 0x3c, 0x39, 0x57, 0x0f, 0xd2, 0x3c, 0xa0, 0x0e, 0x98, 0xbc, 0x69, 0x80, 0xe8, 0xb0, 0xf2, 0x31, 0x20, 0xe9, 0x19}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x2b, 0xe6, 0x62, 0x6c, 0x18, 0x37, 0xf2, 0x68, 0xbe, 0x67, 0x74, 0x06, 0x09, 0xb5, 0xd7, 0xb9, 0xae, 0xf2, 0x9e, 0xc0, 0xa9, 0x88, 0xc1, 0x47, 0x07, 0x3d, 0xe0, 0x45, 0x0e, 0xa3, 0x75, 0xa1}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 
0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xc5, 0x23, 0x7c, 0xe4, 0x13, 0x51, 0x73, 0xa9, 0x3d, 0x2b, 0xc2, 0x66, 0x33, 0x70, 0x8f, 0x38, 0xba, 0x98, 0xdf, 0x08, 0x09, 0xcf, 0x31, 0x20, 0x96, 0x3c, 0xc6, 0xb1, 0xf3, 0x58, 0xcf, 0xd2}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xfc, 0x61, 0xc9, 0xd5, 0x69, 0x40, 0x97, 0x60, 0xf0, 0x12, 0x39, 0x39, 0xf3, 0x29, 0xd1, 0x76, 0xa0, 0xf9, 0x1e, 0x0e, 0x67, 0xaf, 0xb9, 0x88, 0x01, 0x21, 0xbd, 0x70, 0x39, 0xf8, 0x62, 0x60}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x40, 0xc8, 0x4c, 0xe4, 0x12, 0xc2, 0x62, 0x7a, 0xe2, 0x41, 0x5a, 0xb0, 0x4c, 0xc2, 0x39, 0xe6, 0x2b, 0x1f, 0x91, 0xa8, 0x85, 0xdb, 0x0e, 0xb3, 0x4b, 0x92, 0x4d, 0x57, 0xbe, 0x8c, 0x6b, 0x86}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x60, 0xd1, 0x8d, 0xaa, 0x20, 0x56, 0x27, 0x23, 0x39, 0x5b, 0xfa, 0xf2, 0xe1, 0x8a, 0xe2, 0xb1, 0xa6, 0x96, 0x53, 0x49, 0x70, 0xd0, 0xf0, 0xcf, 0x67, 0xd4, 0x47, 0x91, 0x9a, 0x1a, 0xbf, 0xa7}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xe9, 0xfd, 0x43, 0x16, 0x12, 0xd1, 0xc4, 0x9c, 0xfd, 0x6b, 0xa2, 0x3b, 0xed, 0xe3, 0x19, 0x15, 0x7c, 0x06, 0xd0, 0xb3, 0x94, 0x93, 0xc2, 0xf9, 0xbd, 0xa4, 0x44, 0x98, 0xb2, 0x9c, 0xef, 0x8d}, 
ValidationOpt: Enforce}, 11: {Expected: []byte{0x18, 0x6a, 0x1e, 0xc9, 0xa6, 0xec, 0xaa, 0x93, 0xe3, 0xea, 0x78, 0x02, 0x79, 0xd8, 0x4a, 0xd8, 0xd0, 0xe4, 0x14, 0xcc, 0x6d, 0x89, 0xfe, 0xdf, 0xb6, 0x69, 0x12, 0x8f, 0xc9, 0x7c, 0x7f, 0x99}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xa6, 
0x77, 0x2e, 0xc6, 0x99, 0x67, 0x8e, 0x1e, 0xd1, 0x9e, 0x34, 0x20, 0x23, 0xca, 0x3a, 0xfd, 0xef, 0xed, 0xc5, 0x84, 0x2f, 0xb0, 0x56, 0xc6, 0x58, 0xda, 0xfa, 0x29, 0x3d, 0x5b, 0x4a, 0x18}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xc8, 0xa5, 0x90, 0xea, 0x26, 0xac, 0x32, 0xd5, 0xb0, 0x79, 0x40, 0xbc, 0xdb, 0x84, 0xcd, 0xb6, 0x78, 0xd4, 0xd8, 0x3c, 0x5e, 0xbd, 0xed, 0xe1, 0xe6, 0xd2, 0xff, 0x62, 0x3f, 0x18, 0xbc, 0x99}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xff, 0xac, 0xbb, 0x53, 0xe1, 0x79, 0xac, 0xd4, 0x94, 0xb1, 0x2a, 0xde, 0x75, 0xde, 0xf1, 0x54, 0xe0, 0x1b, 0xec, 0xcc, 0x65, 0xe0, 0x04, 0x3f, 0xac, 0x0e, 0xc3, 0x2f, 0x55, 0x0f, 0x3e, 0x8f}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xec, 0xe9, 0x34, 0x2d, 0x4d, 0xc2, 0x05, 0xa1, 0x91, 0x03, 0xef, 0x84, 0x37, 0xa6, 0x44, 0x9f, 0xb3, 0xee, 0x33, 0xd8, 0xd1, 0xcc, 0x5f, 0x2e, 0x3d, 0x99, 0x5a, 0x0e, 0x7e, 0x4e, 0x4f, 0x53}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x40, 0x0b, 0x4c, 0xb6, 0x72, 0xfa, 0xa8, 0x84, 0xa1, 0x19, 0x89, 0xf1, 0x56, 0xd9, 0x6c, 0xa4, 0x03, 0xf2, 0x93, 0x43, 0xb3, 0x30, 0xc8, 0xd3, 0x79, 0xcb, 0xb2, 0x87, 0xbb, 0xba, 0xe0, 0xbb}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x6a, 0xd9, 0x74, 0x72, 0x4e, 0xd4, 0x74, 0x40, 0xcf, 0x20, 0x5a, 0x3d, 0x15, 0x2a, 0xda, 0x5a, 0x0a, 0x67, 0x52, 0x0e, 0xee, 0xf6, 0xbe, 0x88, 
0xb1, 0x56, 0x04, 0x8d, 0x7a, 0x06, 0x0f, 0x7e}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x82, 0x8c, 0x65, 0x88, 0xbe, 0xff, 0x7f, 0x8c, 0xfd, 0xb7, 0xad, 0x0a, 0xc1, 0xdd, 0x87, 0x3c, 0xa2, 0x3c, 0xae, 0xfb, 0x31, 0xfa, 0x73, 0xb9, 0x57, 0xe6, 0x77, 0xed, 0x64, 0x53, 0x93, 0xeb}, 
ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xf5, 0x1b, 0xf2, 0x0e, 0x60, 0xe9, 0x57, 0x11, 0xd7, 0xb4, 0x36, 0x93, 0x06, 0x96, 0x12, 0x16, 0x2d, 0x4d, 0xdf, 0xc2, 0xc4, 0x9c, 0x6e, 0x64, 0x77, 0x78, 0x0e, 0xfc, 0xdf, 0xcd, 0x21, 0xdd}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x7a, 0x46, 0x12, 0x44, 0xe1, 0xe1, 0xfe, 0xda, 0x90, 0x70, 0x1d, 0x22, 0x90, 0x4b, 0x88, 0xaf, 0xc8, 0xac, 0xd2, 0x4d, 0x59, 0x22, 0x7a, 0x1d, 0x02, 0x76, 0x1a, 0xcd, 0x12, 0x56, 0x89, 0x4b}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x0c, 0xb3, 0x15, 0x87, 0xac, 0xaf, 0xb0, 0x01, 0x87, 0xfa, 0x83, 0xdc, 0x45, 0xb1, 0x62, 0x25, 0x57, 0x79, 0xe1, 0x6a, 0x32, 0xbd, 0x40, 0x5a, 0xde, 0xb9, 0xf1, 0x7a, 0xab, 0xa1, 0x92, 0x20}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x7e, 0xb7, 0xd1, 0x26, 0x01, 0xcb, 0x28, 0xc5, 0x42, 0x79, 0x98, 0xdd, 0xd3, 0xe8, 0x7d, 0xe5, 0xbc, 0xf8, 0x4e, 0x0d, 0xa8, 0x27, 0xa0, 0x81, 0x09, 0xaf, 0x4d, 0x78, 0x15, 0xbd, 0x63, 0x29}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x15, 0xc1, 0xb6, 0xb6, 0xe2, 0xd4, 0xd1, 0x9f, 0x60, 0x5a, 0x25, 0x08, 0x8e, 0x43, 0xc1, 0xa3, 0x98, 0x0f, 0x7a, 0x00, 0x7c, 0xec, 0x89, 0x2e, 0x84, 0x55, 0xcf, 0xee, 0xb3, 0xef, 0xd4, 0x48}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} azure_AzureTrustedLaunch M - gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x68, 0x8b, 0x88, 0x38, 0x8a, 0xe1, 0x2e, 0x61, 0x5f, 0xee, 0x8d, 0x73, 0xa1, 0xa1, 0xb7, 0x67, 0x79, 0x16, 0x63, 0xe5, 0x87, 0xce, 0x00, 0x0e, 0x6c, 0x1c, 0x92, 0x07, 0x9e, 0xf8, 0x79, 0x72}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x3d, 0x30, 0xf1, 0x45, 0x78, 0xcb, 0x21, 0x9a, 0xd0, 0xdd, 0xbd, 0xde, 0x0c, 0x46, 0x55, 0xfc, 0xbd, 0xc9, 0x15, 0xbe, 0x5a, 
0xf7, 0xcf, 0xe0, 0x10, 0x18, 0x31, 0x59, 0x38, 0x0d, 0x71, 0xe6}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xc9, 0x68, 0x53, 0x48, 0xd2, 0x1b, 0x83, 0xd7, 0xe9, 0xea, 0xc1, 0xf9, 0x2a, 0x0b, 0x88, 0xe1, 0x7f, 0xcd, 0xdf, 0x66, 0x2b, 0xc4, 0x43, 0x5c, 0x92, 0xe6, 0xb3, 0x68, 0x83, 0x84, 0xee, 0x84}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - openstack_QEMUVTPM = M{4: {Expected: []byte{0x2b, 0x30, 0x0b, 0xed, 0x76, 0x14, 0xfd, 0xc4, 0xd7, 0xbd, 0x6a, 0x79, 0x0b, 0x6a, 0x05, 0xda, 0xeb, 0x48, 0xfc, 0x18, 0xac, 0xf9, 0x93, 0x2b, 0x1a, 0xb9, 0x56, 0xce, 0xdb, 0x79, 0xe0, 0xba}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xce, 0xfb, 0xc5, 0xde, 0x58, 0x19, 0xe7, 0x11, 0x6a, 0x7a, 0x5e, 0x63, 0xbd, 0xf3, 0xb0, 0xa4, 0xab, 0xa6, 0x71, 0x7a, 0x34, 0xb3, 0x5d, 0xf3, 0x1c, 0x18, 0x05, 0x87, 0x57, 0xf0, 
0xa0, 0xbe}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x58, 0x60, 0x97, 0x36, 0xdd, 0xcf, 0x2c, 0x8c, 0xb6, 0xd7, 0xce, 0x91, 0xc1, 0x70, 0x65, 0xc8, 0x23, 0x35, 0xf1, 0xd1, 0x11, 0x14, 0xde, 0x0f, 0xfe, 0xb6, 0x71, 0xb9, 0x05, 0xf2, 0xf2, 0xaa}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: 
[]byte{0xe6, 0xdd, 0x18, 0xdf, 0x44, 0xd9, 0x8e, 0x95, 0x59, 0xf2, 0xf9, 0x14, 0xe2, 0xb1, 0x57, 0xff, 0x61, 0xbf, 0xf8, 0xee, 0x60, 0xb3, 0xaf, 0x0a, 0x85, 0x85, 0x99, 0x95, 0x33, 0xa7, 0x72, 0xd4}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb6, 0xa1, 0x92, 0xab, 0xb9, 0xab, 0x29, 0x5e, 0xfa, 0x3e, 0x44, 0x23, 0xc5, 0x6f, 0x40, 0x24, 0x2b, 0x76, 0xb1, 0x3f, 0x70, 0x2e, 0x37, 0x41, 0x2f, 0x0a, 0xb4, 0xed, 0x01, 0x98, 0xa8, 0xac}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xa4, 0x84, 0x94, 0xa6, 0x30, 0x9f, 0x99, 0xbf, 0x42, 0x4a, 0xa9, 0x14, 0xd6, 0xb4, 0xeb, 0x57, 0xf4, 0xf2, 0xb1, 0xa5, 0x87, 0x3a, 0x4d, 0x26, 0xec, 0xb8, 0xd1, 0x93, 0x1e, 0x1d, 0x13, 0x9c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + openstack_QEMUVTPM = M{4: {Expected: []byte{0x96, 0x64, 0x4a, 0x25, 0xb8, 0xdd, 0x38, 0x30, 0x5e, 0x23, 0x92, 0x75, 0xdb, 0xce, 0x01, 0x6c, 0x3d, 0x18, 0xc6, 0x50, 0x0c, 0xde, 0x21, 0x84, 0x63, 0xb6, 0xc8, 0xb6, 0x07, 0x81, 0x45, 0xa3}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x2a, 0x77, 0x2c, 0x62, 0x47, 0x36, 0x69, 0x1e, 0xee, 0xe0, 0x2f, 0x5f, 0x09, 0x11, 0xd9, 0xbc, 0xde, 0xa8, 0xc8, 0x4b, 0x42, 0x02, 0xd1, 0xf8, 0x0d, 0x37, 0xb7, 0x29, 0x41, 0x8b, 0x1b, 0x09}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xea, 0xed, 0x26, 0xaf, 0xc7, 0x9e, 0xf3, 0x74, 0x7c, 0x18, 0x97, 0x80, 0x03, 0x53, 0x69, 0xef, 0x0a, 0x2f, 0x8c, 0x77, 0x4c, 0x87, 0x51, 0x90, 0xbd, 0x11, 0x24, 0x46, 0xcc, 0xa5, 0xb4, 0x63}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} qemu_QEMUTDX M - qemu_QEMUVTPM = M{4: {Expected: []byte{0x7a, 0xbf, 0xb1, 0x50, 0x3b, 0x4e, 0xad, 0xaa, 0x39, 0x91, 0x47, 0x27, 0xda, 0x13, 0xdc, 0x53, 0x6a, 0xa3, 0x4d, 0x96, 0x07, 0x07, 0x6f, 0xa5, 0xac, 0xd8, 0xfd, 0xec, 0x79, 0x30, 0x5b, 0xdd}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x2a, 0xe1, 0xdb, 0x98, 0x4c, 0xe3, 0xa3, 0xcc, 0xe1, 0x63, 0x52, 0x9d, 0x41, 0x1f, 0x64, 0x43, 0x3a, 0x14, 0x21, 0x43, 0x11, 0xb8, 0x32, 0x64, 0xad, 0x4f, 0xe0, 0xd4, 0xcf, 0xe7, 0x8f, 0x36}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x5f, 0xb8, 0x2a, 0x4f, 0x59, 0x46, 0xae, 0x89, 0x12, 0xfc, 0xe6, 0x43, 0x80, 0x8e, 0x5b, 0x00, 0x79, 0x11, 0x72, 0xad, 0x3a, 0x03, 0xb6, 0xb9, 0x28, 0x82, 0xd6, 0x58, 0x2c, 0x18, 0x92, 0x13}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + qemu_QEMUVTPM = M{4: {Expected: []byte{0xba, 0xd0, 0x4a, 0x65, 0x59, 0x80, 0x21, 0xc8, 0x39, 0xa1, 0x02, 0x86, 0xbf, 0x4e, 0xa5, 0x9a, 0x09, 0xb9, 0xc1, 0xe3, 0x91, 0x24, 0xe6, 0x8a, 0x4b, 
0xf3, 0x1a, 0x8b, 0x9f, 0x94, 0x41, 0x04}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x70, 0x55, 0xdd, 0x17, 0x19, 0x9e, 0x95, 0xaa, 0x00, 0xb1, 0x78, 0x46, 0xfc, 0xdd, 0x9c, 0xee, 0x40, 0x22, 0xf6, 0xc3, 0x4e, 0x89, 0x4f, 0xc1, 0xe5, 0x17, 0x81, 0x36, 0x80, 0x20, 0xce, 0x8b}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x63, 0x0f, 0x32, 0xbf, 0x7d, 0x41, 0xa9, 0x0d, 0xfc, 0xe9, 0x26, 0x18, 0x87, 0x87, 0x87, 0x0b, 0xb7, 0xff, 0x7e, 0xbb, 0x53, 0x52, 0xd6, 0x96, 0x25, 0xf8, 0xb0, 0xd3, 0xe2, 0x17, 0x01, 0xa5}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} ) From 0a09b02e71ee8ada5dabbf2634c0c46b20358ba6 Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Thu, 14 Mar 2024 10:52:11 +0100 Subject: [PATCH 34/47] helm: retry uninstall manually if atomic install failed (#2984) --- internal/constellation/helm/action.go | 29 ++++++++++++++++---- internal/constellation/helm/actionfactory.go | 3 ++ 2 files changed, 27 insertions(+), 5 deletions(-) 
diff --git a/internal/constellation/helm/action.go b/internal/constellation/helm/action.go index 8761b2104..30c1c312d 100644 --- a/internal/constellation/helm/action.go +++ b/internal/constellation/helm/action.go @@ -8,8 +8,10 @@ package helm import ( "context" + "errors" "fmt" "path/filepath" + "strings" "time" "github.com/edgelesssys/constellation/v2/internal/constants" @@ -52,6 +54,12 @@ func newHelmInstallAction(config *action.Configuration, release release, timeout return action } +func newHelmUninstallAction(config *action.Configuration, timeout time.Duration) *action.Uninstall { + action := action.NewUninstall(config) + action.Timeout = timeout + return action +} + func setWaitMode(a *action.Install, waitMode WaitMode) { switch waitMode { case WaitModeNone: @@ -70,11 +78,12 @@ func setWaitMode(a *action.Install, waitMode WaitMode) { // installAction is an action that installs a helm chart. type installAction struct { - preInstall func(context.Context) error - release release - helmAction *action.Install - postInstall func(context.Context) error - log debugLog + preInstall func(context.Context) error + release release + helmAction *action.Install + uninstallAction *action.Uninstall + postInstall func(context.Context) error + log debugLog } // Apply installs the chart. @@ -103,6 +112,11 @@ func (a *installAction) SaveChart(chartsDir string, fileHandler file.Handler) er func (a *installAction) apply(ctx context.Context) error { _, err := a.helmAction.RunWithContext(ctx, a.release.chart, a.release.values) + if isUninstallError(err) && a.uninstallAction != nil { + a.log.Debug("cleaning up manually after failed atomic Helm install", "error", err, "release", a.release.releaseName) + _, uninstallErr := a.uninstallAction.Run(a.release.releaseName) + err = errors.Join(err, uninstallErr) + } return err } 
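Review bot: newHelmUninstallAction in the @@ -52,6 +54,12 @@ hunk is added without a doc comment, while the neighbouring type in this file (installAction, at +78) is documented. Suggest `// newHelmUninstallAction returns an uninstall action bounded by timeout; it is used to remove a release left behind when an atomic install failed.` Only Timeout is set on the action, so every other uninstall option keeps Helm's default; if that is deliberate it is worth saying so in the same comment.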
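Review bot: The cleanup added to apply in the @@ -103,6 +112,11 @@ hunk runs a destructive Uninstall whenever isUninstallError matches, and as far as I can tell from the message, "cannot re-use a name that is still in use" can also be returned when an earlier run left a release with that name in a healthy deployed state rather than in a half-rolled-back one; in that case the manual cleanup deletes a working release before the caller retries. Consider checking the release's status before uninstalling, or limiting the cleanup to the "an error occurred while uninstalling the release" case, and record in a comment which failure mode the second match is meant to cover. a.uninstallAction.Run takes no context, so cancelling ctx does not stop the uninstall and only the action's Timeout bounds it, e.g. `// Uninstall.Run has no context; it is bounded by uninstallAction.Timeout only.` on the Run line. Joining uninstallErr into err keeps the original install failure first, which is the right ordering for callers that inspect it.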
@@ -228,3 +242,8 @@ func helmLog(log debugLog) action.DebugLog { log.Debug(fmt.Sprintf(format, v...)) } } + +func isUninstallError(err error) bool { + return err != nil && (strings.Contains(err.Error(), "an error occurred while uninstalling the release") || + strings.Contains(err.Error(), "cannot re-use a name that is still in use")) +} diff --git a/internal/constellation/helm/actionfactory.go b/internal/constellation/helm/actionfactory.go index 73336f3eb..f1a069399 100644 --- a/internal/constellation/helm/actionfactory.go +++ b/internal/constellation/helm/actionfactory.go @@ -139,6 +139,9 @@ func (a actionFactory) appendNewAction( func (a actionFactory) newInstall(release release, timeout time.Duration) *installAction { action := &installAction{helmAction: newHelmInstallAction(a.cfg, release, timeout), release: release, log: a.log} + if action.IsAtomic() { + action.uninstallAction = newHelmUninstallAction(a.cfg, timeout) + } return action } From 10c20f6f0b57565874863d794da84b49a10c7457 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:30:56 +0100 Subject: [PATCH 35/47] provider: Add build tag for Terraform provider (#2992) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- terraform-provider-constellation/BUILD.bazel | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform-provider-constellation/BUILD.bazel b/terraform-provider-constellation/BUILD.bazel index da0fd50ba..347af014b 100644 --- a/terraform-provider-constellation/BUILD.bazel +++ b/terraform-provider-constellation/BUILD.bazel @@ -6,6 +6,7 @@ go_binary( name = "tf_provider", out = "terraform-provider-constellation", # for complying with Terraform provider naming convention embed = [":terraform-provider-constellation_lib"], + gotags = ["enterprise"], pure = "on", visibility = ["//visibility:public"], ) 
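Review bot: isUninstallError decides whether a destructive cleanup runs by substring-matching Helm's error text, and nothing in the hunk records where the two strings come from, so a Helm upgrade that rewords either message would silently disable the cleanup, or widen it if the wording drifts the other way. Pin the origin in a comment above the function, e.g. `// isUninstallError reports whether err is one of the errors Helm returns when an atomic install failed and its automatic rollback could not remove the release; the strings are matched against Helm's error text and must be re-checked whenever the Helm dependency is bumped.` If the vendored Helm version exposes a sentinel or typed error for either case, errors.Is/errors.As on the wrapped error would be more robust than strings.Contains; I have not checked whether it does.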
From 010323f8907d9df5707ff349d18d2ddcd45574f1 Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:17:17 +0200 Subject: [PATCH 36/47] terraform: update terraform provider STACKIT (#3007) --- .../openstack/.terraform.lock.hcl | 42 +++++++++---------- terraform/infrastructure/openstack/main.tf | 2 +- .../modules/stackit_loadbalancer/main.tf | 2 +- 3 files changed, 23 insertions(+), 23 deletions(-) diff --git a/terraform/infrastructure/openstack/.terraform.lock.hcl b/terraform/infrastructure/openstack/.terraform.lock.hcl index 6f96f0f72..60c4569da 100644 --- a/terraform/infrastructure/openstack/.terraform.lock.hcl +++ b/terraform/infrastructure/openstack/.terraform.lock.hcl 
@@ -26,29 +26,29 @@ provider "registry.terraform.io/hashicorp/random" { } provider "registry.terraform.io/stackitcloud/stackit" { - version = "0.12.0" - constraints = "0.12.0" + version = "0.15.1" + constraints = "0.15.1" hashes = [ - "h1:08k0ihJixjWGyzNF0wdMiOckr+4qfBi50yj4tTLsbMM=", - "h1:8wtUYCXZke9uJiWp3Y7/tRy84UM0TjOzrzhb6BAX5vo=", - "h1:EwUqtQ7b/ShFcNvBMiemsbrvqBwFfkIRtnEIeIisKSA=", - "h1:lPXt86IQA6bHnX6o6xIaOUHqbAs6WHAehwtS1kK3wcg=", - "h1:t+pHh9fQCS+4Rq9STVs+npH3DOe7qp1L0rJfbMjAdjM=", + "h1:CUdva/dYmpT8++N6Ga2r4z592keQCFLnjfHPbNjegtQ=", + "h1:Ue1niRFNomhn2QRuXLc39gYs9VR6blZm31vV4h5DKlw=", + "h1:Vra5UFH8yFTaa/xykLJ1XzUSmSsFyhtT4xsiZy2uJiY=", + "h1:eWQwYVxuB8JFt3w95fNMP3l8UfRNTtX9RwcmkG7YhNU=", + "h1:ouS981NXWByi4I15QpypXdqza6p5TmqEJKGqPbE2QBQ=", + "zh:0673b539594ed62a1510036da5b15bb477fcd1d997cc4fd7ec82227c5a4b2a26", + "zh:0bd6afcebeeeea3a463fe3e6b5537f2f046ec2b8ae3e842984d9e30e2cdfd8e6", "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f", - "zh:13ff6111adb804e3e7a33a0e8e341e494a84a81115b144c950ea9864ce12efdb", - "zh:2b13aff4a4879b833e27d215102c98809fe78d9a1fb33d09ec352760d21fa7c3", - "zh:6562b6ca55bebd7e425fba60ba5683a3cb00d49d50883e37f418b5be8d52d992", - "zh:6ce745a9a2fac88fd7b219dca1d70882e3c1b573e2d27a49de0a04b76ceabdf0", - "zh:70dd57f2e59596f697aaeab377423a041a57e066d1ad8bbfc0ace9cfaf6e9e0d", - "zh:7bb24a57ef0d802c62d23249078d86a0daeba29b7508d46bb8d104c5b820f35b", - "zh:93b57ec66d0f18ef616416f9d39a5a5b45dde604145b66e5184f00840db7a981", - "zh:9646f12a59a3eab161040eee68093b4c55864c865d544fa83d0e56bfbc59c174", - "zh:c23b3433b81eb99e314239add0df206a5388ef79884e924537bf09d4374815a8", - "zh:d2ef1946a5d559a72dac15a38a78f8d2d09bcd13068d9fe1debe7ae82e9c527d", - "zh:d63299ca4bf158573706a0c313dbee0aa79c7b910d85a0a748ba77620f533a5d", - "zh:e796aec8e1c64c7142d1b2877794ff8cb6fc5699292dfea102f2f229375626a2", - "zh:eb4003be226dc810004cd6a50d98f872d61bb49f2891a2966247a245c9d7cc1c", - 
"zh:f62e5390fca4d920c3db329276e1780ae57cc20aa666ee549dcf452d4f839ba5", + "zh:1f97c5435e58072e7369df8510251c94d832d98d1ee0bc3acfa9c2ed533b178d", + "zh:282dad21d39d81f64e1749797c57961eb04c020374e83e86b877d5866e22ba32", + "zh:38fa32343fe63779d4ed95600d12c589b9e49bf52cf0121b1b849e4a6ee75162", + "zh:65384b0f08cab580377aafc0d944bf853663dc116f0a453acd9d701ed856ec67", + "zh:6723184842d5e7cdffa5e8225ceccc4315b2a2624157d5b42b13f51d6916812b", + "zh:772b35cd5ee7900a8cae77580d10c10d4cb8c7cf99bf2fe2e906cbf3d554ecd5", + "zh:796eeabb73fb22d5996a7b846d5462477e90c08ba9eada194c8ad1d1eb9daeb2", + "zh:8575e1867a8d8410b9d7652511b57783f4e592db64f32ab2d53950d54b3df282", + "zh:cf56e99ce0ab2e09e75da3ed3e30712ebf32125f8a436e6ea120a45079161cbb", + "zh:e591c9fcd5e1b22bc928974655276e9cff0bf66c2d82712805b42e1a6dc9fdd9", + "zh:f095b3499b57c344aa8586e4ad4dbfc65ef74ca800470ce4a805e1858b632827", + "zh:f68014d78c1eec7ba0a12eeba0713ba7ee98446621649cd05452f358a4f8a9f9", ] } diff --git a/terraform/infrastructure/openstack/main.tf b/terraform/infrastructure/openstack/main.tf index bc3f2c0dd..9fc228bdc 100644 --- a/terraform/infrastructure/openstack/main.tf +++ b/terraform/infrastructure/openstack/main.tf @@ -7,7 +7,7 @@ terraform { stackit = { source = "stackitcloud/stackit" - version = "0.12.0" + version = "0.15.1" } random = { diff --git a/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf b/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf index cbe08c83b..a3afe6491 100644 --- a/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf +++ b/terraform/infrastructure/openstack/modules/stackit_loadbalancer/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.12.0" + version = "0.15.1" } } } From 3dedcbd2ff76e9d12b6ccae68b2a0dcead5466f2 Mon Sep 17 00:00:00 2001 
From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Wed, 3 Apr 2024 14:08:45 +0200 Subject: [PATCH 37/47] bazel: patch Go SDK to increase tls maxHandshake size (#3009) --- 3rdparty/bazel/org_golang/BUILD.bazel | 1 + .../bazel/org_golang/go_tls_max_handshake_size.patch | 11 +++++++++++ WORKSPACE.bazel | 10 ++++++++-- 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 3rdparty/bazel/org_golang/BUILD.bazel create mode 100644 3rdparty/bazel/org_golang/go_tls_max_handshake_size.patch diff --git a/3rdparty/bazel/org_golang/BUILD.bazel b/3rdparty/bazel/org_golang/BUILD.bazel new file mode 100644 index 000000000..dc940d416 --- /dev/null +++ b/3rdparty/bazel/org_golang/BUILD.bazel @@ -0,0 +1 @@ +exports_files(["go_tls_max_handshake_size.patch"]) diff --git a/3rdparty/bazel/org_golang/go_tls_max_handshake_size.patch b/3rdparty/bazel/org_golang/go_tls_max_handshake_size.patch new file mode 100644 index 000000000..ac2da752f --- /dev/null +++ b/3rdparty/bazel/org_golang/go_tls_max_handshake_size.patch @@ -0,0 +1,11 @@ +--- src/crypto/tls/common.go ++++ src/crypto/tls/common.go +@@ -62,7 +62,7 @@ + maxCiphertext = 16384 + 2048 // maximum ciphertext payload length + maxCiphertextTLS13 = 16384 + 256 // maximum ciphertext length in TLS 1.3 + recordHeaderLen = 5 // record header length +- maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) ++ maxHandshake = 262144 // maximum handshake we support (protocol max is 16 MB) + maxUselessRecords = 16 // maximum number of consecutive non-advancing records + ) + diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel index e65cf4f10..21c6e1982 100644 --- a/WORKSPACE.bazel +++ b/WORKSPACE.bazel 
@@ -165,11 +165,17 @@ load("//bazel/toolchains:go_module_deps.bzl", "go_dependencies") # gazelle:repository_macro bazel/toolchains/go_module_deps.bzl%go_dependencies go_dependencies() -load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies") +load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchains", "go_rules_dependencies") + +go_download_sdk( + name = "go_sdk", + patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"], + version = "1.22.1", +) go_rules_dependencies() -go_register_toolchains(version = "1.22.1") +go_register_toolchains() load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies") From 027fd82206149458807928334077f6a368facc00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Fri, 5 Apr 2024 14:29:52 +0200 Subject: [PATCH 38/47] ci: fix slsa generator action by updating to new version (#3014) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- .github/workflows/draft-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index e80c88843..73cf7da3b 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -316,7 +316,7 @@ jobs: - provenance-subjects # This must not be pinned to digest. See: # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 with: base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}" From b4820c9aa9ff86500fcfb7711211923929438173 Mon Sep 17 00:00:00 2001 
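Review bot: The go_download_sdk call patches crypto/tls to raise maxHandshake from 65536 to 262144 for every Go binary built from this workspace, but neither the hunk nor the commit message says why the limit is needed or which component needs it. A comment next to `patches = [...]` giving the reason (presumably a certificate or extension in the project's attested TLS handshake exceeds 64 KiB — that is my inference, not something the diff shows) and the trade-off would help: this constant bounds how much handshake data a peer can make the other side buffer before authentication completes, so quadrupling it raises the per-connection memory an unauthenticated client can force. The patch also carries context lines from Go 1.22.1's common.go and will stop applying or apply incorrectly on a later SDK, so a note on the version line such as `# the crypto/tls patch is written against this SDK version; re-validate it on every bump` would make the coupling visible.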
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= Date: Fri, 5 Apr 2024 15:17:21 +0200 Subject: [PATCH 39/47] Bump slsa-verifier to v2.5.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- .github/workflows/draft-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 73cf7da3b..fa0821e3d 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -323,7 +323,7 @@ jobs: provenance-verify: runs-on: ubuntu-22.04 env: - SLSA_VERIFIER_VERSION: "2.0.1" + SLSA_VERIFIER_VERSION: "2.5.1" needs: - build-cli - provenance From 50861c76af23c7f40c58358a6bd75be89fcf87c2 Mon Sep 17 00:00:00 2001 From: edgelessci Date: Fri, 5 Apr 2024 13:23:52 +0000 Subject: [PATCH 40/47] chore: update version.txt to v2.16.2 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index c74c7e653..608ac5d84 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -v2.16.1 +v2.16.2 From 0f2f1d3fd2e5a0e647e86357b84db9595c5f152a Mon Sep 17 00:00:00 2001 From: edgelessci Date: Fri, 5 Apr 2024 13:24:03 +0000 Subject: [PATCH 41/47] deps: update versions to v2.16.2 --- internal/config/image_enterprise.go | 2 +- s3proxy/deploy/s3proxy/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/config/image_enterprise.go b/internal/config/image_enterprise.go index b5f64343d..1e22c1d69 100644 --- a/internal/config/image_enterprise.go +++ b/internal/config/image_enterprise.go @@ -10,5 +10,5 @@ package config const ( // defaultImage is the default image to use. - defaultImage = "v2.16.1" + defaultImage = "v2.16.2" ) diff --git a/s3proxy/deploy/s3proxy/Chart.yaml b/s3proxy/deploy/s3proxy/Chart.yaml index 704396eeb..3bca06c2a 100644 --- a/s3proxy/deploy/s3proxy/Chart.yaml +++ b/s3proxy/deploy/s3proxy/Chart.yaml 
@@ -2,4 +2,4 @@ apiVersion: v2 name: s3proxy description: Helm chart to deploy s3proxy. type: application -version: 2.16.1 +version: 2.16.2 From d2e1880f3e82f5a2101ce596e3fb4c15921aea08 Mon Sep 17 00:00:00 2001 From: edgelessci Date: Fri, 5 Apr 2024 13:54:57 +0000 Subject: [PATCH 42/47] attestation: hardcode measurements for v2.16.2 --- .../measurements/measurements_enterprise.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go index be4ad3fd3..1bdaa8737 100644 --- a/internal/attestation/measurements/measurements_enterprise.go +++ b/internal/attestation/measurements/measurements_enterprise.go 
@@ -16,13 +16,13 @@ package measurements // revive:disable:var-naming var ( - aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xa6, 0x77, 0x2e, 0xc6, 0x99, 0x67, 0x8e, 0x1e, 0xd1, 0x9e, 0x34, 0x20, 0x23, 0xca, 0x3a, 0xfd, 0xef, 0xed, 0xc5, 0x84, 0x2f, 0xb0, 0x56, 0xc6, 0x58, 0xda, 0xfa, 0x29, 0x3d, 0x5b, 0x4a, 0x18}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xc8, 0xa5, 0x90, 0xea, 0x26, 0xac, 0x32, 0xd5, 0xb0, 0x79, 0x40, 0xbc, 0xdb, 0x84, 0xcd, 0xb6, 0x78, 0xd4, 0xd8, 0x3c, 0x5e, 0xbd, 0xed, 0xe1, 0xe6, 0xd2, 0xff, 0x62, 0x3f, 0x18, 0xbc, 0x99}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xff, 0xac, 0xbb, 0x53, 0xe1, 0x79, 0xac, 0xd4, 0x94, 0xb1, 0x2a, 0xde, 0x75, 0xde, 0xf1, 0x54, 0xe0, 0x1b, 0xec, 0xcc, 0x65, 0xe0, 0x04, 0x3f, 0xac, 0x0e, 0xc3, 0x2f, 0x55, 0x0f, 0x3e, 0x8f}, 
ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xec, 0xe9, 0x34, 0x2d, 0x4d, 0xc2, 0x05, 0xa1, 0x91, 0x03, 0xef, 0x84, 0x37, 0xa6, 0x44, 0x9f, 0xb3, 0xee, 0x33, 0xd8, 0xd1, 0xcc, 0x5f, 0x2e, 0x3d, 0x99, 0x5a, 0x0e, 0x7e, 0x4e, 0x4f, 0x53}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x40, 0x0b, 0x4c, 0xb6, 0x72, 0xfa, 0xa8, 0x84, 0xa1, 0x19, 0x89, 0xf1, 0x56, 0xd9, 0x6c, 0xa4, 0x03, 0xf2, 0x93, 0x43, 0xb3, 0x30, 0xc8, 0xd3, 0x79, 0xcb, 0xb2, 0x87, 0xbb, 0xba, 0xe0, 0xbb}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x6a, 0xd9, 0x74, 0x72, 0x4e, 0xd4, 0x74, 0x40, 0xcf, 0x20, 0x5a, 0x3d, 0x15, 0x2a, 0xda, 0x5a, 0x0a, 0x67, 0x52, 0x0e, 0xee, 0xf6, 0xbe, 0x88, 0xb1, 0x56, 0x04, 0x8d, 0x7a, 0x06, 0x0f, 0x7e}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 
0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x82, 0x8c, 0x65, 0x88, 0xbe, 0xff, 0x7f, 0x8c, 0xfd, 0xb7, 0xad, 0x0a, 0xc1, 0xdd, 0x87, 0x3c, 0xa2, 0x3c, 0xae, 0xfb, 0x31, 0xfa, 0x73, 0xb9, 0x57, 0xe6, 0x77, 0xed, 0x64, 0x53, 0x93, 0xeb}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xf5, 0x1b, 0xf2, 0x0e, 0x60, 0xe9, 0x57, 0x11, 0xd7, 0xb4, 0x36, 0x93, 0x06, 0x96, 0x12, 0x16, 0x2d, 0x4d, 0xdf, 0xc2, 0xc4, 0x9c, 0x6e, 0x64, 0x77, 0x78, 0x0e, 0xfc, 0xdf, 0xcd, 0x21, 0xdd}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x7a, 0x46, 0x12, 0x44, 0xe1, 0xe1, 0xfe, 0xda, 0x90, 0x70, 0x1d, 0x22, 0x90, 0x4b, 0x88, 0xaf, 0xc8, 0xac, 0xd2, 0x4d, 0x59, 0x22, 0x7a, 0x1d, 0x02, 0x76, 0x1a, 0xcd, 0x12, 0x56, 0x89, 0x4b}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x0c, 0xb3, 0x15, 0x87, 0xac, 0xaf, 0xb0, 0x01, 0x87, 0xfa, 0x83, 0xdc, 0x45, 0xb1, 0x62, 0x25, 0x57, 0x79, 0xe1, 0x6a, 0x32, 0xbd, 0x40, 0x5a, 0xde, 0xb9, 0xf1, 0x7a, 0xab, 0xa1, 0x92, 0x20}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x7e, 0xb7, 0xd1, 0x26, 0x01, 0xcb, 0x28, 0xc5, 0x42, 0x79, 0x98, 0xdd, 0xd3, 0xe8, 0x7d, 0xe5, 0xbc, 0xf8, 0x4e, 0x0d, 0xa8, 0x27, 0xa0, 0x81, 0x09, 0xaf, 0x4d, 0x78, 0x15, 0xbd, 0x63, 0x29}, 
ValidationOpt: Enforce}, 11: {Expected: []byte{0x15, 0xc1, 0xb6, 0xb6, 0xe2, 0xd4, 0xd1, 0x9f, 0x60, 0x5a, 0x25, 0x08, 0x8e, 0x43, 0xc1, 0xa3, 0x98, 0x0f, 0x7a, 0x00, 0x7c, 0xec, 0x89, 0x2e, 0x84, 0x55, 0xcf, 0xee, 0xb3, 0xef, 0xd4, 0x48}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x16, 
0x6c, 0x6c, 0x7f, 0xee, 0x55, 0x96, 0x5e, 0x9c, 0xe6, 0x8f, 0x7a, 0x08, 0xe9, 0x3d, 0x54, 0xfd, 0x70, 0x6e, 0xc5, 0x5b, 0x7a, 0xaa, 0x54, 0x8c, 0xb7, 0xbb, 0xe4, 0x63, 0x1e, 0x5a, 0x6e}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x58, 0x31, 0x58, 0xcd, 0x6b, 0x05, 0x93, 0x6a, 0x1d, 0x85, 0xf4, 0x5a, 0x20, 0x7d, 0x16, 0x38, 0x87, 0x80, 0x51, 0x2f, 0x63, 0xf0, 0x87, 0x97, 0xdc, 0x57, 0x13, 0x8f, 0x61, 0xa7, 0x6a, 0x84}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x92, 0xe7, 0xf8, 0x84, 0x01, 0x2f, 0x4e, 0x25, 0x42, 0xcb, 0x85, 0xd9, 0xe2, 0x39, 0x05, 0x7b, 0x90, 0x03, 0xee, 0x5a, 0x7e, 0xa5, 0x51, 0xff, 0xdf, 0x52, 0x55, 0xfb, 0xdd, 0xce, 0x12, 0xf0}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x41, 0xa4, 0x61, 0x55, 0x15, 0xdb, 0xfc, 0x08, 0x64, 0x72, 0x66, 0x97, 0xae, 0x55, 0xf1, 0x17, 0x4d, 0x93, 0x20, 0x08, 0x6c, 0xaa, 0x1c, 0x47, 0xe8, 0x15, 0x1d, 0xf0, 0x3e, 0x0e, 0x40, 0x58}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x0b, 0x73, 0xbc, 0x4e, 0xde, 0x3e, 0x04, 0xe4, 0x5f, 0xb0, 0x69, 0x5c, 0xaf, 0x32, 0xad, 0x6c, 0x54, 0x1e, 0xc9, 0xf3, 0xf6, 0x12, 0xb0, 0x76, 0x30, 0xbd, 0x03, 0xa6, 0x64, 0xab, 0xd5, 0xab}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xe1, 0x93, 0x05, 0xe7, 0xb5, 0x75, 0x60, 0xb3, 0x56, 0x9a, 0x37, 0xda, 0x67, 0xf8, 0x40, 0xfb, 0x5b, 0x06, 0xde, 0xb4, 0x0d, 0xf8, 0x55, 0xcf, 
0xbc, 0xbc, 0x0b, 0x2a, 0xf3, 0x1e, 0x59, 0x84}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xc8, 0x6d, 0x69, 0x40, 0x29, 0x02, 0xf3, 0x0f, 0xd8, 0x0b, 0xe8, 0x32, 0xf4, 0x71, 0x53, 0xc6, 0x8d, 0x64, 0xeb, 0x71, 0x71, 0x86, 0x1a, 0x27, 0x5e, 0x0a, 0x32, 0x61, 0x62, 0x18, 0x59, 0x4e}, 
ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x1b, 0xda, 0x82, 0xf3, 0xe0, 0x5e, 0xfa, 0xa9, 0xc8, 0x3f, 0xaf, 0xe5, 0x92, 0xba, 0x13, 0xdf, 0xcd, 0x57, 0xff, 0xd2, 0xa2, 0x23, 0x4c, 0x11, 0x72, 0x68, 0xbf, 0xc7, 0x9b, 0x26, 0x74, 0x94}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xd7, 0x2b, 0x9d, 0x4d, 0x99, 0xf5, 0xdd, 0x9b, 0xa0, 0x18, 0xc6, 0xc5, 0x34, 0xf5, 0x2f, 0x8b, 0x77, 0xe1, 0x89, 0xcc, 0x80, 0x0a, 0xcd, 0x01, 0xd6, 0x02, 0xb2, 0xfe, 0x12, 0x33, 0xb6, 0x5e}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x3c, 0x2c, 0x17, 0x26, 0x5a, 0x05, 0x70, 0x6b, 0x22, 0xea, 0x61, 0x4b, 0x4a, 0xe6, 0xdb, 0x21, 0x8d, 0xc5, 0x83, 0x9d, 0x71, 0xfe, 0xe6, 0x88, 0x3e, 0x80, 0xc1, 0x8b, 0x5e, 0x54, 0xf0, 0xdf}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x72, 0x6f, 0xce, 0x2b, 0xea, 0x94, 0xb4, 0x1b, 0x3e, 0x40, 0x78, 0xc9, 0xab, 0x5e, 0xa6, 0x1b, 0x58, 0x3b, 0x89, 0xf9, 0xff, 0x04, 0x4a, 0x10, 0xd9, 0xba, 0xc1, 0xe6, 0xb7, 0x4e, 0x88, 0xfc}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xc7, 0x6f, 0x49, 0x2d, 0xbb, 0xbe, 0x07, 0x3c, 0x0e, 0x77, 0x72, 0xf6, 0xd7, 0x7e, 0xa9, 0x2d, 0xe8, 0xe6, 0xdd, 0x71, 0xaa, 0x08, 0xbe, 0xf1, 0x99, 0xb9, 0xf2, 0x13, 0x19, 0x28, 0x81, 0xa5}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} azure_AzureTrustedLaunch M - gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xe6, 0xdd, 0x18, 0xdf, 0x44, 0xd9, 0x8e, 0x95, 0x59, 0xf2, 0xf9, 0x14, 0xe2, 0xb1, 0x57, 0xff, 0x61, 0xbf, 0xf8, 0xee, 0x60, 0xb3, 0xaf, 0x0a, 0x85, 0x85, 0x99, 0x95, 0x33, 0xa7, 0x72, 0xd4}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xb6, 0xa1, 0x92, 0xab, 0xb9, 0xab, 0x29, 0x5e, 0xfa, 0x3e, 0x44, 0x23, 0xc5, 0x6f, 0x40, 0x24, 0x2b, 0x76, 0xb1, 0x3f, 0x70, 
0x2e, 0x37, 0x41, 0x2f, 0x0a, 0xb4, 0xed, 0x01, 0x98, 0xa8, 0xac}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xa4, 0x84, 0x94, 0xa6, 0x30, 0x9f, 0x99, 0xbf, 0x42, 0x4a, 0xa9, 0x14, 0xd6, 0xb4, 0xeb, 0x57, 0xf4, 0xf2, 0xb1, 0xa5, 0x87, 0x3a, 0x4d, 0x26, 0xec, 0xb8, 0xd1, 0x93, 0x1e, 0x1d, 0x13, 0x9c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - openstack_QEMUVTPM = M{4: {Expected: []byte{0x96, 0x64, 0x4a, 0x25, 0xb8, 0xdd, 0x38, 0x30, 0x5e, 0x23, 0x92, 0x75, 0xdb, 0xce, 0x01, 0x6c, 0x3d, 0x18, 0xc6, 0x50, 0x0c, 0xde, 0x21, 0x84, 0x63, 0xb6, 0xc8, 0xb6, 0x07, 0x81, 0x45, 0xa3}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x2a, 0x77, 0x2c, 0x62, 0x47, 0x36, 0x69, 0x1e, 0xee, 0xe0, 0x2f, 0x5f, 0x09, 0x11, 0xd9, 0xbc, 0xde, 0xa8, 0xc8, 0x4b, 0x42, 0x02, 0xd1, 0xf8, 0x0d, 0x37, 0xb7, 0x29, 0x41, 0x8b, 
0x1b, 0x09}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xea, 0xed, 0x26, 0xaf, 0xc7, 0x9e, 0xf3, 0x74, 0x7c, 0x18, 0x97, 0x80, 0x03, 0x53, 0x69, 0xef, 0x0a, 0x2f, 0x8c, 0x77, 0x4c, 0x87, 0x51, 0x90, 0xbd, 0x11, 0x24, 0x46, 0xcc, 0xa5, 0xb4, 0x63}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: 
[]byte{0x2a, 0x46, 0x06, 0x77, 0x48, 0x94, 0xfb, 0xe8, 0x5d, 0x48, 0xc8, 0x26, 0xfe, 0xe7, 0x53, 0xc2, 0x51, 0x24, 0x6d, 0x70, 0x28, 0x02, 0xe7, 0x2a, 0xa2, 0x63, 0xce, 0x51, 0x3d, 0xa1, 0x7b, 0xe8}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xa7, 0x69, 0x37, 0x3a, 0x51, 0xb2, 0xab, 0x1a, 0x6a, 0xa9, 0x34, 0x5e, 0x5c, 0x40, 0xf7, 0x53, 0x9c, 0x59, 0x9b, 0xc1, 0x0a, 0x78, 0x6c, 0xc9, 0x67, 0x52, 0xc6, 0x89, 0xcf, 0xb6, 0x7b, 0x6a}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xbc, 0x58, 0x92, 0xb2, 0xe3, 0x22, 0x04, 0x7a, 0x62, 0x4a, 0x52, 0x6a, 0x76, 0xb1, 0xed, 0x7a, 0x9f, 0xdc, 0xeb, 0x3d, 0x61, 0xf9, 0x9e, 0x2c, 0x98, 0xe6, 0xdf, 0x3e, 0xa6, 0x0d, 0xe5, 0xa2}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + openstack_QEMUVTPM = M{4: {Expected: []byte{0x09, 0xe2, 0x40, 0x72, 0x55, 0xcd, 0xea, 0x64, 0x76, 0xec, 0xea, 0x5a, 0x63, 0xfc, 0x56, 0xa0, 0x07, 0xff, 0xfb, 0xc2, 0xa0, 0x74, 0xdb, 0xce, 0x27, 0x46, 0x4d, 0x28, 0x65, 0x55, 0x2e, 0x65}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x45, 0xd0, 0x96, 0xa6, 0xb5, 0x08, 0x83, 0x49, 0x46, 0x4f, 0x8c, 0xe3, 0x4b, 0xa1, 0xea, 0x27, 0x7b, 0x3b, 0x8e, 0xcc, 0xee, 0xb4, 0x8c, 0x35, 0x62, 0x16, 0x6c, 0x0d, 0xff, 0x3f, 0x94, 0xc4}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x12, 0x84, 0x45, 0x00, 0x3e, 0xac, 0x7a, 0xaa, 0x68, 0x91, 0x92, 0xde, 0x82, 0xb0, 0x95, 0xc8, 0x91, 0x9f, 0x5f, 0x78, 0x27, 0x2e, 0x81, 0x4d, 0x20, 0x65, 0x71, 0xbd, 0xd9, 0xdf, 0x1d, 0x4c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} qemu_QEMUTDX M - qemu_QEMUVTPM = M{4: {Expected: []byte{0xba, 0xd0, 0x4a, 0x65, 0x59, 0x80, 0x21, 0xc8, 0x39, 0xa1, 0x02, 0x86, 0xbf, 0x4e, 0xa5, 0x9a, 0x09, 0xb9, 0xc1, 0xe3, 0x91, 0x24, 0xe6, 0x8a, 0x4b, 0xf3, 0x1a, 0x8b, 0x9f, 0x94, 0x41, 0x04}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x70, 0x55, 0xdd, 0x17, 0x19, 0x9e, 0x95, 0xaa, 0x00, 0xb1, 0x78, 0x46, 0xfc, 0xdd, 0x9c, 0xee, 0x40, 0x22, 0xf6, 0xc3, 0x4e, 0x89, 0x4f, 0xc1, 0xe5, 0x17, 0x81, 0x36, 0x80, 0x20, 0xce, 0x8b}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x63, 0x0f, 0x32, 0xbf, 0x7d, 0x41, 0xa9, 0x0d, 0xfc, 0xe9, 0x26, 0x18, 0x87, 0x87, 0x87, 0x0b, 0xb7, 0xff, 0x7e, 0xbb, 0x53, 0x52, 0xd6, 0x96, 0x25, 0xf8, 0xb0, 0xd3, 0xe2, 0x17, 0x01, 0xa5}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + qemu_QEMUVTPM = M{4: {Expected: []byte{0xd0, 0xcf, 0x25, 0x41, 0xfa, 0xba, 0x63, 0x9e, 0xa7, 0x97, 0x0d, 0x19, 0xf1, 0x0c, 0x94, 0x67, 0x60, 0x25, 0x8c, 0x5b, 0x80, 0x0e, 0xa0, 0x5e, 0x91, 
0x63, 0x35, 0xe5, 0x03, 0xef, 0xca, 0x3a}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x77, 0xb2, 0x25, 0x17, 0x01, 0xec, 0x5f, 0xd5, 0xe8, 0x0b, 0xdb, 0xe5, 0x5c, 0x35, 0x9c, 0x5a, 0x3c, 0x62, 0xec, 0xa0, 0x70, 0x74, 0x31, 0xfa, 0x17, 0xdb, 0x95, 0x90, 0x6a, 0xda, 0x53, 0xf8}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xbd, 0xe0, 0xe7, 0x64, 0xbb, 0x5d, 0xe9, 0x47, 0xd8, 0xa2, 0xce, 0xa4, 0xad, 0x20, 0x09, 0x38, 0xea, 0xea, 0xe3, 0x3f, 0x1a, 0x04, 0xcf, 0xd3, 0x58, 0x8d, 0x01, 0xa4, 0x27, 0x81, 0x20, 0x50}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} ) From 4db8b2c272b854ff8ab388f1fc9bc71c45cb0cb7 Mon Sep 17 00:00:00 2001 
From: Markus Rudy
Date: Wed, 10 Apr 2024 13:48:32 +0200
Subject: [PATCH 43/47] Merge pull request from GHSA-g8fc-vrcg-8vjg
* helm: firewall pods
* helm: bump cilium chart version
---------
Co-authored-by: Leonard Cohnen
---
 .../helm/charts/cilium/Chart.yaml | 4 +-
 .../templates/cilium-agent/daemonset.yaml | 31 +++++++++++++
 internal/constellation/helm/cilium.patch | 46 ++++++++++++++++++-
 internal/constellation/helm/loader.go | 3 +-
 4 files changed, 79 insertions(+), 5 deletions(-)
diff --git a/internal/constellation/helm/charts/cilium/Chart.yaml b/internal/constellation/helm/charts/cilium/Chart.yaml
index 3f3fc714b..3ba2d273f 100644
--- a/internal/constellation/helm/charts/cilium/Chart.yaml
+++ b/internal/constellation/helm/charts/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.15.0-pre.3-edg.2
-appVersion: 1.15.0-pre.3-edg.2
+version: 1.15.0-pre.3-edg.3
+appVersion: 1.15.0-pre.3-edg.3
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
index f6b493cb7..773a5b26b 100644
--- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -715,6 +715,37 @@ spec:
 - name: cni-path
 mountPath: /host/opt/cni/bin
 {{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
 serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
diff --git a/internal/constellation/helm/cilium.patch b/internal/constellation/helm/cilium.patch
index 26d7c3343..cc12f4cb5 100644
--- a/internal/constellation/helm/cilium.patch
+++ b/internal/constellation/helm/cilium.patch
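Review bot: With `optional: true` on the `POD_CIDRS` source, a missing `encryption-strict-mode-pod-cidrs` key leaves the variable empty, the `for cidr in ${POD_CIDRS}` loop installs nothing, and the script still exits 0 after having deleted whatever sat at `pref 32`, so a node can come up with no drop filter and no trace of it in the container log. At minimum print a message in that case, and if the list must never be empty once strict mode is on, exit non-zero instead: `[ -n "${POD_CIDRS}" ] || { echo "POD_CIDRS is empty; no pod-CIDR ingress filter installed" >&2; exit 1; }` before the loop (drop the `exit 1` if an empty list is a legitimate configuration). The hard-coded `pref=32` only orders correctly because loader.go's new `--bpf-filter-priority=128` moves Cilium's own filters behind it; a line such as `# pref must stay below --bpf-filter-priority (128, set in loader.go) so these filters run before Cilium's` in the script would record that coupling. The `ip route | awk '/^default/ { print $5 }'` lookup also yields several names when more than one default route exists, which `|| true` hides on the qdisc line until the `replace` aborts under `-e`; taking only the first match (`print $5; exit`) or failing with a clear message is safer. The same script is duplicated verbatim in the cilium.patch hunk that follows, so both copies need the same change; whether the container actually sees the host routing table depends on the pod's network settings outside this hunk.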
@@ -54,8 +54,50 @@ index 256a79542..3f3fc714b 100644 home: https://cilium.io/ -version: 1.15.0-pre.3 -appVersion: 1.15.0-pre.3 -+version: 1.15.0-pre.3-edg.2 -+appVersion: 1.15.0-pre.3-edg.2 ++version: 1.15.0-pre.3-edg.3 ++appVersion: 1.15.0-pre.3-edg.3 kubeVersion: ">= 1.16.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability +diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml +index f6b493cb7..50b80267a 100644 +--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml ++++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml +@@ -715,6 +715,37 @@ spec: + - name: cni-path + mountPath: /host/opt/cni/bin + {{- end }} # .Values.cni.install ++ - name: firewall-pods ++ image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749 ++ imagePullPolicy: IfNotPresent ++ command: ++ - /bin/bash ++ - -exc ++ - | ++ pref=32 ++ interface=$(ip route | awk '/^default/ { print $5 }') ++ tc qdisc add dev "${interface}" clsact || true ++ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true ++ handle=0 ++ for cidr in ${POD_CIDRS}; do ++ handle=$((handle + 1)) ++ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop ++ done ++ env: ++ - name: POD_CIDRS ++ valueFrom: ++ configMapKeyRef: ++ key: encryption-strict-mode-pod-cidrs ++ name: cilium-config ++ optional: true ++ resources: ++ requests: ++ cpu: 100m ++ memory: 20Mi ++ securityContext: ++ capabilities: ++ add: ++ - NET_ADMIN + restartPolicy: Always + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }} + serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }} 
diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go
index 5634d03fa..a3c6a50fa 100644
--- a/internal/constellation/helm/loader.go
+++ b/internal/constellation/helm/loader.go
@@ -359,7 +359,7 @@ func (i *chartLoader) cspTags() map[string]any {
 func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any, error) {
 sharedConfig := map[string]any{
- "extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
+ "extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=128"},
 "endpointRoutes": map[string]any{
 "enabled": true,
 },
@@ -412,6 +412,7 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
 "kubeProxyReplacement": "strict",
 "enableCiliumEndpointSlice": true,
 "kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
+ "cleanBpfState": true,
 }
 cspOverrideConfigs := map[string]map[string]any{
 cloudprovider.AWS.String(): {},
From c64068557c27e7ecdb951aad8630e698be3af394 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Thu, 11 Apr 2024 09:38:15 +0200
Subject: [PATCH 44/47] helm: unbreak helm test after Cilium version bump (#3022)
---
 internal/constellation/helm/helm_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/constellation/helm/helm_test.go b/internal/constellation/helm/helm_test.go
index f93e49a8a..cd8aab6a6 100644
--- a/internal/constellation/helm/helm_test.go
+++ b/internal/constellation/helm/helm_test.go
@@ -198,7 +198,7 @@ func TestHelmApply(t *testing.T) {
 if tc.clusterCertManagerVersion != nil {
 certManagerVersion = *tc.clusterCertManagerVersion
 }
- helmListVersion(lister, "cilium", "v1.15.0-pre.3-edg.2")
+ helmListVersion(lister, "cilium", "v1.15.0-pre.3-edg.3")
 helmListVersion(lister, "cert-manager", certManagerVersion)
 helmListVersion(lister, "constellation-services", tc.clusterMicroServiceVersion)
 helmListVersion(lister, "constellation-operators", tc.clusterMicroServiceVersion)
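Review bot: `"--bpf-filter-priority=128"` and `"cleanBpfState": true` are magic settings whose only justification lives in another file: the priority has to sort after the `pref 32` drop filter that the `firewall-pods` init container installs on the same clsact ingress hook, and the BPF state clean-up is presumably there so an upgraded agent does not leave its old filter at the previous priority in front of the drop rule — that second part is inferred, please confirm. Add `// Keep above the tc pref (32) used by the firewall-pods init container: the drop filter must run before Cilium's bpf program.` next to the `extraArgs` entry and a similar one-liner on `"cleanBpfState": true`, so the next person touching either value knows it is coupled to the DaemonSet template. loadCiliumValues continues past the end of the second hunk.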
From 79832a8f2a96ac39e2e7c1fb82d87206e086a441 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Thu, 11 Apr 2024 07:46:59 +0000
Subject: [PATCH 45/47] chore: update version.txt to v2.16.3
---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.txt b/version.txt
index 608ac5d84..839d54f2f 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v2.16.2
+v2.16.3
From b34d9dc9d4a3b3b2eed2b173ba3f1aec12e23fd5 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Thu, 11 Apr 2024 07:47:14 +0000
Subject: [PATCH 46/47] deps: update versions to v2.16.3
---
 internal/config/image_enterprise.go | 2 +-
 s3proxy/deploy/s3proxy/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/config/image_enterprise.go b/internal/config/image_enterprise.go
index 1e22c1d69..ae2dbca8f 100644
--- a/internal/config/image_enterprise.go
+++ b/internal/config/image_enterprise.go
@@ -10,5 +10,5 @@ package config
 const (
 // defaultImage is the default image to use.
- defaultImage = "v2.16.2"
+ defaultImage = "v2.16.3"
 )
diff --git a/s3proxy/deploy/s3proxy/Chart.yaml b/s3proxy/deploy/s3proxy/Chart.yaml
index 3bca06c2a..f0e1f34bd 100644
--- a/s3proxy/deploy/s3proxy/Chart.yaml
+++ b/s3proxy/deploy/s3proxy/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: s3proxy
 description: Helm chart to deploy s3proxy.
 type: application
-version: 2.16.2
+version: 2.16.3
From ea5cdfb247829d0ea2b8573651132d9376bf9a30 Mon Sep 17 00:00:00 2001
From: edgelessci
Date: Thu, 11 Apr 2024 08:29:03 +0000
Subject: [PATCH 47/47] attestation: hardcode measurements for v2.16.3
---
 .../measurements/measurements_enterprise.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/internal/attestation/measurements/measurements_enterprise.go b/internal/attestation/measurements/measurements_enterprise.go
index 1bdaa8737..226563848 100644
--- a/internal/attestation/measurements/measurements_enterprise.go
+++ b/internal/attestation/measurements/measurements_enterprise.go 
@@ -16,13 +16,13 @@ package measurements // revive:disable:var-naming var ( - aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x16, 0x6c, 0x6c, 0x7f, 0xee, 0x55, 0x96, 0x5e, 0x9c, 0xe6, 0x8f, 0x7a, 0x08, 0xe9, 0x3d, 0x54, 0xfd, 0x70, 0x6e, 0xc5, 0x5b, 0x7a, 0xaa, 0x54, 0x8c, 0xb7, 0xbb, 0xe4, 0x63, 0x1e, 0x5a, 0x6e}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x58, 0x31, 0x58, 0xcd, 0x6b, 0x05, 0x93, 0x6a, 0x1d, 0x85, 0xf4, 0x5a, 0x20, 0x7d, 0x16, 0x38, 0x87, 0x80, 0x51, 0x2f, 0x63, 0xf0, 0x87, 0x97, 0xdc, 0x57, 0x13, 0x8f, 0x61, 0xa7, 0x6a, 0x84}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x92, 0xe7, 0xf8, 0x84, 0x01, 0x2f, 0x4e, 0x25, 0x42, 0xcb, 0x85, 0xd9, 0xe2, 0x39, 0x05, 0x7b, 0x90, 0x03, 0xee, 0x5a, 0x7e, 0xa5, 0x51, 0xff, 0xdf, 0x52, 0x55, 0xfb, 0xdd, 0xce, 0x12, 0xf0}, 
ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x41, 0xa4, 0x61, 0x55, 0x15, 0xdb, 0xfc, 0x08, 0x64, 0x72, 0x66, 0x97, 0xae, 0x55, 0xf1, 0x17, 0x4d, 0x93, 0x20, 0x08, 0x6c, 0xaa, 0x1c, 0x47, 0xe8, 0x15, 0x1d, 0xf0, 0x3e, 0x0e, 0x40, 0x58}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x0b, 0x73, 0xbc, 0x4e, 0xde, 0x3e, 0x04, 0xe4, 0x5f, 0xb0, 0x69, 0x5c, 0xaf, 0x32, 0xad, 0x6c, 0x54, 0x1e, 0xc9, 0xf3, 0xf6, 0x12, 0xb0, 0x76, 0x30, 0xbd, 0x03, 0xa6, 0x64, 0xab, 0xd5, 0xab}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xe1, 0x93, 0x05, 0xe7, 0xb5, 0x75, 0x60, 0xb3, 0x56, 0x9a, 0x37, 0xda, 0x67, 0xf8, 0x40, 0xfb, 0x5b, 0x06, 0xde, 0xb4, 0x0d, 0xf8, 0x55, 0xcf, 0xbc, 0xbc, 0x0b, 0x2a, 0xf3, 0x1e, 0x59, 0x84}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 
0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xc8, 0x6d, 0x69, 0x40, 0x29, 0x02, 0xf3, 0x0f, 0xd8, 0x0b, 0xe8, 0x32, 0xf4, 0x71, 0x53, 0xc6, 0x8d, 0x64, 0xeb, 0x71, 0x71, 0x86, 0x1a, 0x27, 0x5e, 0x0a, 0x32, 0x61, 0x62, 0x18, 0x59, 0x4e}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x1b, 0xda, 0x82, 0xf3, 0xe0, 0x5e, 0xfa, 0xa9, 0xc8, 0x3f, 0xaf, 0xe5, 0x92, 0xba, 0x13, 0xdf, 0xcd, 0x57, 0xff, 0xd2, 0xa2, 0x23, 0x4c, 0x11, 0x72, 0x68, 0xbf, 0xc7, 0x9b, 0x26, 0x74, 0x94}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xd7, 0x2b, 0x9d, 0x4d, 0x99, 0xf5, 0xdd, 0x9b, 0xa0, 0x18, 0xc6, 0xc5, 0x34, 0xf5, 0x2f, 0x8b, 0x77, 0xe1, 0x89, 0xcc, 0x80, 0x0a, 0xcd, 0x01, 0xd6, 0x02, 0xb2, 0xfe, 0x12, 0x33, 0xb6, 0x5e}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x3c, 0x2c, 0x17, 0x26, 0x5a, 0x05, 0x70, 0x6b, 0x22, 0xea, 0x61, 0x4b, 0x4a, 0xe6, 0xdb, 0x21, 0x8d, 0xc5, 0x83, 0x9d, 0x71, 0xfe, 0xe6, 0x88, 0x3e, 0x80, 0xc1, 0x8b, 0x5e, 0x54, 0xf0, 0xdf}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x72, 0x6f, 0xce, 0x2b, 0xea, 0x94, 0xb4, 0x1b, 0x3e, 0x40, 0x78, 0xc9, 0xab, 0x5e, 0xa6, 0x1b, 0x58, 0x3b, 0x89, 0xf9, 0xff, 0x04, 0x4a, 0x10, 0xd9, 0xba, 0xc1, 0xe6, 0xb7, 0x4e, 0x88, 0xfc}, 
ValidationOpt: Enforce}, 11: {Expected: []byte{0xc7, 0x6f, 0x49, 0x2d, 0xbb, 0xbe, 0x07, 0x3c, 0x0e, 0x77, 0x72, 0xf6, 0xd7, 0x7e, 0xa9, 0x2d, 0xe8, 0xe6, 0xdd, 0x71, 0xaa, 0x08, 0xbe, 0xf1, 0x99, 0xb9, 0xf2, 0x13, 0x19, 0x28, 0x81, 0xa5}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSNitroTPM = M{0: {Expected: []byte{0x73, 0x7f, 0x76, 0x7a, 0x12, 0xf5, 0x4e, 0x70, 0xee, 0xcb, 0xc8, 0x68, 0x40, 0x11, 0x32, 0x3a, 0xe2, 0xfe, 0x2d, 0xd9, 0xf9, 0x07, 0x85, 0x57, 0x79, 0x69, 0xd7, 0xa2, 0x01, 0x3e, 0x8c, 0x12}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xb6, 
0x86, 0xbc, 0x7c, 0xe9, 0xee, 0x11, 0x3c, 0x4e, 0xe4, 0x66, 0xf2, 0xce, 0x24, 0xdd, 0xef, 0x11, 0x39, 0x75, 0x7e, 0xe2, 0xd3, 0xa7, 0xcc, 0xd3, 0x8c, 0x5e, 0x34, 0x15, 0xb3, 0x60, 0x4e}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xe4, 0x84, 0x0d, 0x74, 0xe5, 0xaa, 0xaf, 0x7a, 0x75, 0x27, 0xce, 0xd7, 0x28, 0xc0, 0xa7, 0x51, 0x24, 0x32, 0x61, 0x06, 0x14, 0xb7, 0x6a, 0xee, 0xc3, 0x43, 0xa6, 0x56, 0x47, 0xc5, 0x41, 0xed}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xfa, 0x60, 0x0e, 0xf1, 0x9b, 0xd8, 0x81, 0x70, 0xa7, 0xa0, 0x34, 0x86, 0x79, 0x35, 0xe0, 0x4d, 0x48, 0xa0, 0xc2, 0x8c, 0xda, 0x9c, 0xa8, 0xbb, 0xdc, 0xce, 0x9b, 0x51, 0x04, 0x7d, 0xca, 0x2c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + aws_AWSSEVSNP = M{0: {Expected: []byte{0x7b, 0x06, 0x8c, 0x0c, 0x3a, 0xc2, 0x9a, 0xfe, 0x26, 0x41, 0x34, 0x53, 0x6b, 0x9b, 0xe2, 0x6f, 0x1d, 0x4c, 0xcd, 0x57, 0x5b, 0x88, 0xd3, 0xc3, 0xce, 0xab, 0xf3, 0x6a, 0xc9, 0x9c, 0x02, 0x78}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x93, 0x6b, 0x2f, 0xf8, 0x60, 0xa3, 0xfa, 0x97, 0x05, 0x46, 0xe9, 0x8c, 0x43, 0xb6, 0xdd, 0x42, 0x39, 0x34, 0x9d, 0x53, 0xe9, 0x10, 0xba, 0x04, 0x6c, 0xe9, 0x5a, 0x2e, 0x85, 0x9b, 0xbb, 0x2e}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xf3, 0x96, 0x93, 0x03, 0x13, 0xa3, 0x67, 0x8c, 0xf9, 0xc5, 0x1d, 0x89, 0x34, 0xbc, 0xd1, 0xcf, 0xd0, 0xf6, 0x15, 0x56, 0x6c, 0xac, 0x3a, 0xee, 0xba, 0xbd, 0xe9, 0x71, 0x2e, 0x8b, 0xc1, 0xa1}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xc3, 0xa8, 0x62, 0xa2, 0x72, 0x2e, 0xa9, 0x0d, 0x73, 0xf0, 0x51, 0x14, 0x4c, 0x2d, 0x79, 0x76, 0x87, 0x40, 0xb8, 0x45, 0xf5, 0x39, 0xa6, 0xab, 
0x0d, 0x62, 0xe2, 0x2c, 0x9f, 0x84, 0x1b, 0x03}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureSEVSNP = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0xe7, 0x66, 0xf4, 0x6e, 0xd4, 0x3f, 0x14, 0x56, 0x49, 0xee, 0xdb, 0x05, 0xd3, 0xcc, 0xfe, 0xbd, 0x62, 0xee, 0xb8, 0xff, 0x9a, 0xac, 0x93, 0xb0, 0x3a, 0x10, 0x5a, 0x33, 0x9c, 0x41, 0x93, 0xb9}, 
ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xd3, 0x01, 0x66, 0x75, 0xb2, 0xf2, 0xf5, 0x48, 0x0b, 0xc4, 0x4a, 0x58, 0xfd, 0xe3, 0x3b, 0x61, 0x08, 0xe3, 0xb4, 0x6c, 0x3e, 0xac, 0x6c, 0x3e, 0x54, 0xd6, 0x6d, 0xb3, 0x50, 0x09, 0xcc, 0xad}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x2b, 0xce, 0x7d, 0x09, 0xec, 0x08, 0xdb, 0xa5, 0x0b, 0xae, 0x74, 0x5d, 0x5a, 0x46, 0xea, 0x3e, 0x61, 0xd4, 0x8e, 0xdb, 0x80, 0x41, 0x63, 0xb4, 0xac, 0xff, 0xf3, 0x56, 0x79, 0xdb, 0x83, 0x6f}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + azure_AzureTDX = M{1: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 
0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x77, 0xe4, 0x8c, 0xa5, 0x0d, 0x52, 0x9a, 0x3b, 0x71, 0xfd, 0x73, 0x5a, 0x79, 0x33, 0xcf, 0x5a, 0xe6, 0x19, 0x45, 0x9b, 0x86, 0x80, 0x70, 0x92, 0x81, 0xf6, 0x2c, 0x8b, 0xb4, 0x48, 0xfb, 0x38}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x83, 0x1d, 0x7d, 0x4f, 0xbd, 0x1f, 0x8b, 0xa5, 0xd1, 0x5e, 0x77, 0x58, 0xe7, 0x81, 0xa4, 0x8f, 0xcf, 0xc3, 0xdc, 0x7f, 0x0c, 0xdb, 0xf9, 0x3b, 0xa5, 0x08, 0x6e, 0x89, 0x11, 0xf9, 0xec, 0x4a}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x06, 0xfb, 0x71, 0xdf, 0xc3, 0xba, 0x72, 0xbd, 0x7b, 0xed, 0x9f, 0xa6, 0xa7, 0x44, 0x96, 0x68, 0xcd, 0x5b, 0xee, 0x09, 0x1d, 0x9e, 0x3e, 0x3c, 0x4e, 0xd0, 0xfb, 0x71, 0x6d, 0x90, 0x4f, 0x1d}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} azure_AzureTrustedLaunch M - gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: []byte{0x2a, 0x46, 0x06, 0x77, 0x48, 0x94, 0xfb, 0xe8, 0x5d, 0x48, 0xc8, 0x26, 0xfe, 0xe7, 0x53, 0xc2, 0x51, 0x24, 0x6d, 0x70, 0x28, 0x02, 0xe7, 0x2a, 0xa2, 0x63, 0xce, 0x51, 0x3d, 0xa1, 0x7b, 0xe8}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xa7, 0x69, 0x37, 0x3a, 0x51, 0xb2, 0xab, 0x1a, 0x6a, 0xa9, 0x34, 0x5e, 0x5c, 0x40, 0xf7, 0x53, 0x9c, 0x59, 0x9b, 0xc1, 0x0a, 
0x78, 0x6c, 0xc9, 0x67, 0x52, 0xc6, 0x89, 0xcf, 0xb6, 0x7b, 0x6a}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xbc, 0x58, 0x92, 0xb2, 0xe3, 0x22, 0x04, 0x7a, 0x62, 0x4a, 0x52, 0x6a, 0x76, 0xb1, 0xed, 0x7a, 0x9f, 0xdc, 0xeb, 0x3d, 0x61, 0xf9, 0x9e, 0x2c, 0x98, 0xe6, 0xdf, 0x3e, 0xa6, 0x0d, 0xe5, 0xa2}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} - openstack_QEMUVTPM = M{4: {Expected: []byte{0x09, 0xe2, 0x40, 0x72, 0x55, 0xcd, 0xea, 0x64, 0x76, 0xec, 0xea, 0x5a, 0x63, 0xfc, 0x56, 0xa0, 0x07, 0xff, 0xfb, 0xc2, 0xa0, 0x74, 0xdb, 0xce, 0x27, 0x46, 0x4d, 0x28, 0x65, 0x55, 0x2e, 0x65}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x45, 0xd0, 0x96, 0xa6, 0xb5, 0x08, 0x83, 0x49, 0x46, 0x4f, 0x8c, 0xe3, 0x4b, 0xa1, 0xea, 0x27, 0x7b, 0x3b, 0x8e, 0xcc, 0xee, 0xb4, 0x8c, 0x35, 0x62, 0x16, 0x6c, 0x0d, 0xff, 0x3f, 
0x94, 0xc4}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x12, 0x84, 0x45, 0x00, 0x3e, 0xac, 0x7a, 0xaa, 0x68, 0x91, 0x92, 0xde, 0x82, 0xb0, 0x95, 0xc8, 0x91, 0x9f, 0x5f, 0x78, 0x27, 0x2e, 0x81, 0x4d, 0x20, 0x65, 0x71, 0xbd, 0xd9, 0xdf, 0x1d, 0x4c}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + gcp_GCPSEVES = M{1: {Expected: []byte{0x36, 0x95, 0xdc, 0xc5, 0x5e, 0x3a, 0xa3, 0x40, 0x27, 0xc2, 0x77, 0x93, 0xc8, 0x5c, 0x72, 0x3c, 0x69, 0x7d, 0x70, 0x8c, 0x42, 0xd1, 0xf7, 0x3b, 0xd6, 0xfa, 0x4f, 0x26, 0x60, 0x8a, 0x5b, 0x24}, ValidationOpt: WarnOnly}, 2: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 3: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 4: {Expected: 
[]byte{0xb3, 0xc3, 0x6a, 0x88, 0xf7, 0xa3, 0x51, 0x4d, 0x25, 0xc5, 0xcc, 0x2b, 0x2a, 0x05, 0x47, 0xb5, 0xda, 0x76, 0x66, 0x2e, 0xe5, 0x90, 0x11, 0xb5, 0x29, 0xbc, 0xfc, 0x07, 0x62, 0x4b, 0xb9, 0x3f}, ValidationOpt: Enforce}, 6: {Expected: []byte{0x3d, 0x45, 0x8c, 0xfe, 0x55, 0xcc, 0x03, 0xea, 0x1f, 0x44, 0x3f, 0x15, 0x62, 0xbe, 0xec, 0x8d, 0xf5, 0x1c, 0x75, 0xe1, 0x4a, 0x9f, 0xcf, 0x9a, 0x72, 0x34, 0xa1, 0x3f, 0x19, 0x8e, 0x79, 0x69}, ValidationOpt: WarnOnly}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x8a, 0x97, 0x88, 0x17, 0x3f, 0x55, 0x40, 0x9d, 0x5f, 0x6e, 0x90, 0xee, 0x0f, 0x9a, 0x22, 0x7a, 0xa6, 0x2f, 0xf7, 0xbc, 0x78, 0xd6, 0xbc, 0x85, 0x28, 0xd9, 0x75, 0xe7, 0x94, 0x28, 0x95, 0x85}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x52, 0xca, 0xc5, 0xa6, 0x44, 0xb9, 0xf0, 0xc7, 0x5b, 0x32, 0x42, 0x03, 0x1f, 0x7c, 0x80, 0x03, 0xdb, 0xdc, 0x3c, 0xc7, 0xc4, 0x0b, 0xd3, 0x83, 0x8a, 0xef, 0x0c, 0x85, 0x7b, 0xbf, 0xf1, 0x8d}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + openstack_QEMUVTPM = M{4: {Expected: []byte{0xc5, 0x70, 0xa4, 0xff, 0xba, 0xc6, 0x7b, 0x93, 0x48, 0x88, 0x6b, 0x11, 0xe2, 0x80, 0xa5, 0xf0, 0x43, 0xc1, 0x2f, 0xba, 0x8e, 0xb3, 0xfb, 0x36, 0x6d, 0x71, 0x8f, 0x7c, 0x85, 0x97, 0x44, 0x98}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x45, 0x06, 0xb3, 0xfb, 0xcb, 0xd3, 0x27, 0x21, 0x2a, 0xb6, 0x52, 0xf8, 0x68, 0x65, 0x69, 0x88, 0x6e, 0xb5, 0x83, 0xd3, 0x97, 0xe0, 0x6a, 0x77, 0xa8, 0xdf, 0xeb, 0xb8, 0xe0, 0xa4, 0x01, 0xe2}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x7c, 0xd6, 0xa4, 0xe5, 0x2c, 0x00, 0x42, 0x46, 0x3f, 0xe4, 0xd6, 0x07, 0x21, 0xc0, 0xc2, 0xff, 0xb4, 0xcd, 0xc1, 0xf9, 0x3d, 0xad, 0xd8, 0x8d, 0x48, 0xc2, 0x71, 0xef, 0xcc, 0x5f, 0x13, 0x14}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 14: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: WarnOnly}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} qemu_QEMUTDX M - qemu_QEMUVTPM = M{4: {Expected: []byte{0xd0, 0xcf, 0x25, 0x41, 0xfa, 0xba, 0x63, 0x9e, 0xa7, 0x97, 0x0d, 0x19, 0xf1, 0x0c, 0x94, 0x67, 0x60, 0x25, 0x8c, 0x5b, 0x80, 0x0e, 0xa0, 0x5e, 0x91, 0x63, 0x35, 0xe5, 0x03, 0xef, 0xca, 0x3a}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0x77, 0xb2, 0x25, 0x17, 0x01, 0xec, 0x5f, 0xd5, 0xe8, 0x0b, 0xdb, 0xe5, 0x5c, 0x35, 0x9c, 0x5a, 0x3c, 0x62, 0xec, 0xa0, 0x70, 0x74, 0x31, 0xfa, 0x17, 0xdb, 0x95, 0x90, 0x6a, 0xda, 0x53, 0xf8}, ValidationOpt: Enforce}, 11: {Expected: []byte{0xbd, 0xe0, 0xe7, 0x64, 0xbb, 0x5d, 0xe9, 0x47, 0xd8, 0xa2, 0xce, 0xa4, 0xad, 0x20, 0x09, 0x38, 0xea, 0xea, 0xe3, 0x3f, 0x1a, 0x04, 0xcf, 0xd3, 0x58, 0x8d, 0x01, 0xa4, 0x27, 0x81, 0x20, 0x50}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} + qemu_QEMUVTPM = M{4: {Expected: []byte{0xd7, 0x4d, 0x99, 0xcd, 0x10, 0xb3, 0xf6, 0x43, 0xd2, 0x91, 0xff, 0x6d, 0x88, 0x88, 0xe2, 0xe4, 0xc5, 0x5e, 0x6d, 0x48, 0xc8, 0x7a, 0xde, 0xac, 0xfb, 
0xd3, 0xf5, 0x51, 0x3e, 0xb8, 0x2b, 0x9e}, ValidationOpt: Enforce}, 8: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 9: {Expected: []byte{0xea, 0x05, 0xc1, 0x74, 0x83, 0x05, 0x0e, 0x73, 0x63, 0x73, 0x77, 0x6d, 0xa6, 0x2b, 0xec, 0x0b, 0x3c, 0x69, 0x03, 0x22, 0x10, 0xd3, 0xaa, 0x9f, 0xe3, 0x3a, 0xa4, 0x0d, 0x5f, 0x37, 0x2c, 0x21}, ValidationOpt: Enforce}, 11: {Expected: []byte{0x91, 0xe2, 0x79, 0xac, 0x19, 0x51, 0x61, 0x6d, 0x0d, 0xac, 0x0b, 0xe4, 0x05, 0x20, 0x66, 0x5b, 0xb0, 0xe5, 0x1d, 0xb5, 0x94, 0xd9, 0x47, 0x41, 0xcf, 0x3f, 0x0e, 0x2e, 0x1e, 0xf1, 0x30, 0x43}, ValidationOpt: Enforce}, 12: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 13: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}, 15: {Expected: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, ValidationOpt: Enforce}} )