constellation/.github/workflows/generate-measurements.yml
2023-01-12 13:24:07 +01:00

392 lines
17 KiB
YAML

name: Generate and Upload Measurements
on:
workflow_dispatch:
inputs:
osImage:
description: "Full name of OS image (CSP independent image version UID)."
type: string
required: true
isDebugImage:
description: "Is OS image a debug image?"
type: boolean
required: true
signMeasurements:
description: "Sign and upload the measurements?"
type: boolean
required: true
isRelease:
description: "Is this a release?"
type: boolean
default: false
required: false
ref:
type: string
description: "Git ref to checkout"
required: false
workflow_call:
inputs:
osImage:
description: "Full name of OS image (CSP independent image version UID)."
type: string
required: true
isDebugImage:
description: "Is OS image a debug image?"
type: boolean
required: true
signMeasurements:
description: "Sign and upload the measurements?"
type: boolean
required: true
isRelease:
description: "Is this a release?"
type: boolean
ref:
type: string
description: "Git ref to checkout"
required: false
jobs:
calculate-measurements-on-csp:
name: "Calculate Measurements on CSP"
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
provider: ["aws", "azure", "gcp", "qemu"]
permissions:
id-token: write
contents: read
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_E2E_TENANT_ID }}
outputs:
ref: ${{ steps.extract.outputs.ref }}
stream: ${{ steps.extract.outputs.stream }}
version: ${{ steps.extract.outputs.version }}
steps:
- name: Check out repository
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Extract ref, stream and version
id: extract
uses: ./.github/actions/shortname
with:
shortname: ${{ inputs.osImage }}
- name: Check if image definition from build pipeline exists
run: |
wget -O /dev/null "https://cdn.confidential.cloud/constellation/v1/ref/${{ steps.extract.outputs.ref }}/stream/${{ steps.extract.outputs.stream }}/${{ steps.extract.outputs.version }}/image/info.json"
shell: bash
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.4"
- name: Build hack/pcr-reader
run: |
go build .
pwd >> "$GITHUB_PATH"
working-directory: hack/pcr-reader
shell: bash
- name: Login to Azure
if: matrix.provider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }}
- name: Create Azure resource group
if: matrix.provider == 'azure'
id: az_resource_group_gen
shell: bash
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location northeurope --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Create Cluster in E2E Test environment
if: matrix.provider != 'qemu'
id: create_cluster
uses: ./.github/actions/e2e_test
with:
workerNodesCount: 1
controlNodesCount: 1
cloudProvider: ${{ matrix.provider }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
osImage: ${{ inputs.osImage }}
isDebugImage: ${{ inputs.isDebugImage }}
test: "nop"
- name: Fetch PCRs from running cluster
if: matrix.provider != 'qemu'
run: |
KUBECONFIG="${PWD}/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m
CONSTELL_IP=$(jq -r ".ip" constellation-id.json)
mkdir -p "${{ github.workspace }}/generated-measurements"
pcr-reader -constell-ip "${CONSTELL_IP}" -format json -metadata -csp "${{ matrix.provider }}" -image "${{ inputs.osImage }}" > "${{ github.workspace }}/generated-measurements/measurements.json"
echo "All PCRs of current boot:"
cat "${{ github.workspace }}/generated-measurements/measurements.json"
case ${CSP} in
aws)
yq e 'del(.measurements.[1,10,16,17,18,19,20,21,22,23])' -i "${{ github.workspace }}/generated-measurements/measurements.json"
yq '.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.15.warnOnly = false |
.measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
-I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
;;
azure)
yq e 'del(.measurements.[0,6,10,16,17,18,19,20,21,22,23])' -I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
yq '.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.15.warnOnly = false |
.measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
-I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
;;
gcp)
yq e 'del(.measurements.[16,17,18,19,20,21,22,23])' -I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
yq '.measurements.0.warnOnly = false |
.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.15.warnOnly = false |
.measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
-I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
;;
*)
echo "CSP case check failed!"
exit 1
;;
esac
echo "PCRs to be published after removing known variable ones:"
cat "${{ github.workspace }}/generated-measurements/measurements.json"
mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
shell: bash
env:
CSP: ${{ matrix.provider }}
- name: Set PCRs for QEMU
if: matrix.provider == 'qemu'
env:
ref: ${{ steps.extract.outputs.ref }}
stream: ${{ steps.extract.outputs.stream }}
version: ${{ steps.extract.outputs.version }}
run: |
path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json"
mkdir -p "${{ github.workspace }}/generated-measurements"
wget -O ${{ github.workspace }}/generated-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}"
jq '.measurements' < ${{ github.workspace }}/generated-measurements/measurements.image.json | jq '{"measurements": .}' > ${{ github.workspace }}/generated-measurements/measurements.json
cat "${{ github.workspace }}/generated-measurements/measurements.json"
yq '
.csp = "QEMU" |
.image = "${{ steps.extract.outputs.version }}" |
.measurements.4.warnOnly = false |
.measurements.8.warnOnly = false |
.measurements.9.warnOnly = false |
.measurements.11.warnOnly = false |
.measurements.12.warnOnly = false |
.measurements.13.warnOnly = false |
.measurements.15.warnOnly = false |
.measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
-I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
shell: bash
- name: Upload measurements as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: measurements-${{ matrix.provider }}.json
path: "${{ github.workspace }}/generated-measurements"
- name: Always terminate cluster
if: always() && matrix.provider != 'qemu'
continue-on-error: true
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.create_cluster.outputs.kubeconfig }}
- name: Always destroy Azure resource group
if: always() && matrix.provider == 'azure'
shell: bash
run: |
az group delete \
--name ${{ steps.az_resource_group_gen.outputs.res_group_name }} \
--force-deletion-types Microsoft.Compute/virtualMachineScaleSets \
--force-deletion-types Microsoft.Compute/virtualMachines \
--no-wait \
--yes
validate-measurements:
name: "Validate Measurements"
needs: [calculate-measurements-on-csp]
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
provider: ["aws", "azure", "gcp", "qemu"]
steps:
- name: Check out repository
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.4"
- name: Build hack/pcr-compare
run: |
go build .
pwd >> "$GITHUB_PATH"
working-directory: hack/pcr-compare
shell: bash
- name: Download calculated measurements from artifact
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.1.1
with:
name: measurements-${{ matrix.provider }}.json
path: "${{ github.workspace }}/generated-measurements"
- name: Download expected measurements from build pipeline for image
run: |
path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json"
mkdir -p ${{ github.workspace }}/expected-measurements
wget -O ${{ github.workspace }}/expected-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}"
cat ${{ github.workspace }}/expected-measurements/measurements.image.json
shell: bash
env:
ref: ${{ needs.calculate-measurements-on-csp.outputs.ref }}
stream: ${{ needs.calculate-measurements-on-csp.outputs.stream }}
version: ${{ needs.calculate-measurements-on-csp.outputs.version }}
- name: Check if expected measurements == actual measurements from running cluster
run: |
pcr-compare ${{ github.workspace }}/expected-measurements/measurements.image.json ${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json
shell: bash
sign-measurements:
name: "Sign Measurements"
if: inputs.signMeasurements
needs: [calculate-measurements-on-csp, validate-measurements]
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
provider: ["aws", "azure", "gcp", "qemu"]
permissions:
id-token: write
contents: read
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Install Rekor
shell: bash
run: |
curl -sLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
rm rekor-cli-linux-amd64
- name: Download measurements from artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: measurements-${{ matrix.provider }}.json
path: "${{ github.workspace }}/generated-measurements"
- name: Sign measurements
shell: bash
env:
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run: |
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" > "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig"
# Verify - As documentation & check
# Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub --signature "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
# Transparency Log Signature (input: artifact, key)
uuid=$(rekor-cli search --artifact "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" | tail -n 1)
sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
- name: Upload signed measurements as artifact
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: measurements-${{ matrix.provider }}.json.sig
path: "${{ github.workspace }}/generated-measurements"
publish-measurements:
name: "Publish Measurements"
if: inputs.signMeasurements
needs:
[calculate-measurements-on-csp, validate-measurements, sign-measurements]
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
provider: ["aws", "azure", "gcp", "qemu"]
permissions:
id-token: write
contents: read
steps:
- name: Download measurements from artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: measurements-${{ matrix.provider }}.json
path: "${{ github.workspace }}/generated-measurements"
- name: Download signature from artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: measurements-${{ matrix.provider }}.json.sig
path: "${{ github.workspace }}/generated-measurements"
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
- name: Upload to S3
run: |
S3_PATH=s3://cdn-constellation-backend/constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}
aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json" "${S3_PATH}/measurements.json"
aws s3 cp "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json.sig" "${S3_PATH}/measurements.json.sig"
shell: bash
env:
IMAGE_UID: ${{ inputs.osImage }}
PUBLIC_BUCKET_NAME: ${{ secrets.PUBLIC_BUCKET_NAME }}
CSP: ${{ matrix.provider }}
ref: ${{ needs.calculate-measurements-on-csp.outputs.ref }}
stream: ${{ needs.calculate-measurements-on-csp.outputs.stream }}
version: ${{ needs.calculate-measurements-on-csp.outputs.version }}