constellation/coordinator/attestation/azure/validator.go
Leonard Cohnen 2d8fcd9bf4 monorepo
Co-authored-by: Malte Poll <mp@edgeless.systems>
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
Co-authored-by: Benedict Schlueter <bs@edgeless.systems>
Co-authored-by: leongross <leon.gross@rub.de>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
2022-03-22 16:09:39 +01:00

52 lines
1.4 KiB
Go

package azure
import (
"crypto"
"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
"github.com/edgelesssys/constellation/coordinator/oid"
"github.com/google/go-tpm/tpm2"
)
// PCRs are the expected PCR values for uninitialized Azure Constellation nodes.
var PCRs = map[uint32][]byte{}
// Validator for GCP confindetial VM attestation.
type Validator struct {
oid.Azure
*vtpm.Validator
}
// NewValidator initializes a new GCP validator with the provided PCR values.
func NewValidator(pcrs map[uint32][]byte) *Validator {
return &Validator{
Validator: vtpm.NewValidator(
pcrs,
trustedKeyFromSNP,
validateAzureCVM,
vtpm.VerifyPKCS1v15,
),
}
}
// trustedKeyFromSNP establishes trust in the given public key.
// It does so by verifying the SNP attestation statement in instanceInfo.
//
// As long as we are using regular VMs on Azure this is a stub, only returning the given key.
func trustedKeyFromSNP(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
// TODO: convert this to SEV-SNP attestation verification
pubArea, err := tpm2.DecodePublic(akPub)
if err != nil {
return nil, err
}
return pubArea.Key()
}
// validateAzureCVM validates Azure CVM capabilities.
//
// This might stay a stub, since SEV-SNP attestation is already verified in trustedKeyFromSNP().
func validateAzureCVM(attestation vtpm.AttestationDocument) error {
// TODO: implement this for CVMs
return nil
}