constellation/state/cmd/main.go
Daniel Weiße 152e3985f7 AB#1903 Add grpc interface to push decryption keys
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-04-21 13:08:02 +02:00

104 lines
2.8 KiB
Go

package main
import (
"context"
"flag"
"fmt"
"os"
"path/filepath"
"strings"
"time"
"github.com/edgelesssys/constellation/coordinator/attestation/azure"
"github.com/edgelesssys/constellation/coordinator/attestation/gcp"
"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
azurecloud "github.com/edgelesssys/constellation/coordinator/cloudprovider/azure"
gcpcloud "github.com/edgelesssys/constellation/coordinator/cloudprovider/gcp"
"github.com/edgelesssys/constellation/coordinator/core"
"github.com/edgelesssys/constellation/internal/utils"
"github.com/edgelesssys/constellation/state/keyservice"
"github.com/edgelesssys/constellation/state/mapper"
"github.com/edgelesssys/constellation/state/setup"
"github.com/spf13/afero"
)
const (
gcpStateDiskPath = "/dev/disk/by-id/google-state-disk"
azureStateDiskPath = "/dev/disk/azure/scsi1/lun0"
fallBackPath = "/dev/disk/by-id/state-disk"
)
var csp = flag.String("csp", "", "Cloud Service Provider the image is running on")
func main() {
flag.Parse()
// set up metadata API and quote issuer for aTLS connections
var err error
var diskPathErr error
var diskPath string
var issuer core.QuoteIssuer
var metadata core.ProviderMetadata
switch strings.ToLower(*csp) {
case "azure":
diskPath, diskPathErr = filepath.EvalSymlinks(azureStateDiskPath)
metadata, err = azurecloud.NewMetadata(context.Background())
if err != nil {
utils.KernelPanic(err)
}
issuer = azure.NewIssuer()
case "gcp":
diskPath, diskPathErr = filepath.EvalSymlinks(gcpStateDiskPath)
issuer = gcp.NewIssuer()
gcpClient, err := gcpcloud.NewClient(context.Background())
if err != nil {
utils.KernelPanic(err)
}
metadata = gcpcloud.New(gcpClient)
default:
diskPath, err = filepath.EvalSymlinks(fallBackPath)
if err != nil {
utils.KernelPanic(err)
}
issuer = core.NewMockIssuer()
fmt.Fprintf(os.Stderr, "warning: csp %q is not supported, unable to automatically request decryption keys on reboot\n", *csp)
metadata = &core.ProviderMetadataFake{}
}
if diskPathErr != nil {
fmt.Fprintf(os.Stderr, "warning: no attached disk detected, trying to use boot-disk state partition as fallback")
diskPath, err = filepath.EvalSymlinks(fallBackPath)
if err != nil {
utils.KernelPanic(err)
}
}
// initialize device mapper
mapper, err := mapper.New(diskPath)
if err != nil {
utils.KernelPanic(err)
}
defer mapper.Close()
setupManger := setup.New(
*csp,
afero.Afero{Fs: afero.NewOsFs()},
keyservice.New(issuer, metadata, 20*time.Second), // try to request a key every 20 seconds
mapper,
setup.DiskMounter{},
vtpm.OpenVTPM,
)
// prepare the state disk
if mapper.IsLUKSDevice() {
err = setupManger.PrepareExistingDisk()
} else {
err = setupManger.PrepareNewDisk()
}
if err != nil {
utils.KernelPanic(err)
}
}