2022-07-14 17:25:18 +02:00

140 lines
4.2 KiB
Go

package main
import (
"bytes"
"context"
"encoding/json"
"flag"
"net/http"
"net/url"
"path/filepath"
"strings"
"time"
azurecloud "github.com/edgelesssys/constellation/bootstrapper/cloudprovider/azure"
gcpcloud "github.com/edgelesssys/constellation/bootstrapper/cloudprovider/gcp"
qemucloud "github.com/edgelesssys/constellation/bootstrapper/cloudprovider/qemu"
"github.com/edgelesssys/constellation/internal/attestation/azure"
"github.com/edgelesssys/constellation/internal/attestation/gcp"
"github.com/edgelesssys/constellation/internal/attestation/qemu"
"github.com/edgelesssys/constellation/internal/attestation/vtpm"
"github.com/edgelesssys/constellation/internal/cloud/metadata"
"github.com/edgelesssys/constellation/internal/constants"
"github.com/edgelesssys/constellation/internal/logger"
"github.com/edgelesssys/constellation/state/keyservice"
"github.com/edgelesssys/constellation/state/mapper"
"github.com/edgelesssys/constellation/state/setup"
tpmClient "github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm/tpm2"
"github.com/spf13/afero"
"go.uber.org/zap"
)
const (
gcpStateDiskPath = "/dev/disk/by-id/google-state-disk"
azureStateDiskPath = "/dev/disk/azure/scsi1/lun0"
qemuStateDiskPath = "/dev/vda"
)
func main() {
csp := flag.String("csp", "", "Cloud Service Provider the image is running on")
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
flag.Parse()
log := logger.New(logger.JSONLog, logger.VerbosityFromInt(*verbosity))
log.With(zap.String("version", constants.VersionInfo), zap.String("cloudProvider", *csp)).
Infof("Starting disk-mapper")
// set up metadata API and quote issuer for aTLS connections
var err error
var diskPath string
var issuer keyservice.QuoteIssuer
var metadata metadata.InstanceLister
switch strings.ToLower(*csp) {
case "azure":
diskPath, err = filepath.EvalSymlinks(azureStateDiskPath)
if err != nil {
_ = exportPCRs()
log.With(zap.Error(err)).Fatalf("Unable to resolve Azure state disk path")
}
metadata, err = azurecloud.NewMetadata(context.Background())
if err != nil {
log.With(zap.Error).Fatalf("Failed to create Azure metadata API")
}
issuer = azure.NewIssuer()
case "gcp":
diskPath, err = filepath.EvalSymlinks(gcpStateDiskPath)
if err != nil {
_ = exportPCRs()
log.With(zap.Error(err)).Fatalf("Unable to resolve GCP state disk path")
}
issuer = gcp.NewIssuer()
gcpClient, err := gcpcloud.NewClient(context.Background())
if err != nil {
log.With(zap.Error).Fatalf("Failed to create GCP client")
}
metadata = gcpcloud.New(gcpClient)
case "qemu":
diskPath = qemuStateDiskPath
issuer = qemu.NewIssuer()
metadata = &qemucloud.Metadata{}
default:
log.Fatalf("CSP %s is not supported by Constellation", *csp)
}
// initialize device mapper
mapper, err := mapper.New(diskPath)
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to initialize device mapper")
}
defer mapper.Close()
setupManger := setup.New(
log.Named("setupManager"),
*csp,
afero.Afero{Fs: afero.NewOsFs()},
keyservice.New(log.Named("keyService"), issuer, metadata, 20*time.Second), // try to request a key every 20 seconds
mapper,
setup.DiskMounter{},
vtpm.OpenVTPM,
)
// prepare the state disk
if mapper.IsLUKSDevice() {
err = setupManger.PrepareExistingDisk()
} else {
err = setupManger.PrepareNewDisk()
}
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to prepare state disk")
}
}
// exportPCRs tries to export the node's PCRs to QEMU's metadata API.
// This function is called when an Azure or GCP image boots, but is unable to find a state disk.
// This happens when we boot such an image in QEMU.
// We can use this to calculate the PCRs of the image locally.
func exportPCRs() error {
// get TPM state
pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, tpmClient.FullPcrSel(tpm2.AlgSHA256))
if err != nil {
return err
}
pcrsPretty, err := json.Marshal(pcrs)
if err != nil {
return err
}
// send PCRs to metadata API
url := &url.URL{
Scheme: "http",
Host: "10.42.0.1:8080", // QEMU metadata endpoint
Path: "/pcrs",
}
_, err = http.Post(url.String(), "application/json", bytes.NewBuffer(pcrsPretty))
return err
}