* terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße 
<66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/
package attestationconfigapi
import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
	"strings"

	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
)
// AttestationURLPath is the URL path prefix under which the attestation
// version files are served. The JSONPath methods in this file join a variant
// name and a file name onto it.
const (
	AttestationURLPath = "constellation/v1/attestation"
)
// SEVSNPVersion holds the latest known version number of each SEV-SNP
// firmware component. All fields are encoded with lowercase JSON keys.
type SEVSNPVersion struct {
	// Bootloader is the latest SEV-SNP bootloader version.
	Bootloader uint8 `json:"bootloader"`
	// TEE is the latest SEV-SNP TEE version.
	TEE uint8 `json:"tee"`
	// SNP is the latest SEV-SNP firmware (SNP) version.
	SNP uint8 `json:"snp"`
	// Microcode is the latest SEV-SNP microcode version.
	Microcode uint8 `json:"microcode"`
}
// SEVSNPVersionAPI is the request for the version information of one specific
// version file in the config API.
//
// Version and Variant are excluded from the JSON encoding (`json:"-"`): only
// the embedded SEVSNPVersion is on the wire. Fetcher and client code must
// therefore set both fields themselves. Embedding the variant in the object
// in a v2 of the API would remove that opportunity for error.
type SEVSNPVersionAPI struct {
	// Version is the name of the version file, including its ".json" suffix.
	Version string `json:"-"`
	// Variant selects the attestation variant whose versions are requested.
	Variant variant.Variant `json:"-"`
	SEVSNPVersion
}
// JSONPath returns the config API path of the requested version file:
// AttestationURLPath, the variant name and Version joined by path.Join.
// Version is not checked here; ValidateRequest does that.
func (i SEVSNPVersionAPI) JSONPath() string {
	segments := []string{AttestationURLPath, i.Variant.String(), i.Version}
	return path.Join(segments...)
}
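// ValidateRequest checks that the request can be turned into a well-formed
// config API path.
//
// Version must be a bare file name ending in ".json". JSONPath joins it onto
// AttestationURLPath and the variant with path.Join, which cleans "." and ".."
// elements, so a value containing path separators would not address a version
// file below the expected prefix; a value that is only the suffix has no name.
func (i SEVSNPVersionAPI) ValidateRequest() error {
	if !strings.HasSuffix(i.Version, ".json") {
		return fmt.Errorf("version has no .json suffix")
	}
	if i.Version == ".json" || strings.ContainsAny(i.Version, `/\`) {
		return fmt.Errorf("version %q must be a bare file name", i.Version)
	}
	return nil
}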
// Validate performs no checks on the fetched version object yet and always
// returns nil.
func (i SEVSNPVersionAPI) Validate() error {
	var err error
	return err
}
// SEVSNPVersionList is the request to list all version files of one variant
// in the config API.
//
// Only the list of names is JSON encoded (see MarshalJSON/UnmarshalJSON); the
// variant is not on the wire, so fetcher and client code must set it after
// decoding. A v2 of the API could embed the variant in the object and remove
// that duplicated code from fetcher and client.
type SEVSNPVersionList struct {
	// variant is the attestation variant the list belongs to.
	variant variant.Variant
	// list holds the version file names.
	list []string
}
// MarshalJSON encodes only the list of version names; the variant is not part
// of the wire format. A nil list encodes as JSON null.
func (i SEVSNPVersionList) MarshalJSON() ([]byte, error) {
	versions := i.list
	return json.Marshal(versions)
}
// UnmarshalJSON decodes a JSON array of strings into i's list. The variant
// field is not touched and has to be filled in by the caller.
func (i *SEVSNPVersionList) UnmarshalJSON(data []byte) error {
	target := &i.list
	return json.Unmarshal(data, target)
}
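// List returns a copy of i's version list.
//
// A copy is handed out so that callers cannot reorder or overwrite the
// internal slice behind the list's back. A nil list stays nil so the JSON
// encoding of the returned value is unchanged.
func (i SEVSNPVersionList) List() []string {
	if i.list == nil {
		return nil
	}
	out := make([]string, len(i.list))
	copy(out, i.list)
	return out
}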
// JSONPath returns the config API path of the variant's list file:
// AttestationURLPath, the variant name and "list" joined by path.Join.
func (i SEVSNPVersionList) JSONPath() string {
	elems := []string{AttestationURLPath, i.variant.String(), "list"}
	return path.Join(elems...)
}
// ValidateRequest always returns nil: the list request carries no caller
// supplied input beyond the variant, which selects the path.
func (i SEVSNPVersionList) ValidateRequest() error {
	var err error
	return err
}
// SortReverse orders i's list in place from the lexicographically largest
// string to the smallest. The comparison is on the raw strings, not on any
// parsed version number.
func (i *SEVSNPVersionList) SortReverse() {
	descending := sort.Reverse(sort.StringSlice(i.list))
	sort.Sort(descending)
}
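// addVersion appends version to i's list, removes duplicate entries and keeps
// the list sorted in descending order.
//
// The parameter is named version rather than new so that it does not shadow
// the predeclared builtin.
func (i *SEVSNPVersionList) addVersion(version string) {
	i.list = append(i.list, version)
	i.list = variant.RemoveDuplicate(i.list)
	// The order RemoveDuplicate leaves behind does not matter: the list is
	// re-sorted right away.
	i.SortReverse()
}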
// Validate checks the decoded list response: it must contain at least one
// version name.
func (i SEVSNPVersionList) Validate() error {
	if len(i.list) == 0 {
		return fmt.Errorf("no versions found in /list")
	}
	return nil
}