mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-17 03:44:56 -05:00
913b09aeb8
* terraform: enable creation of SEV-SNP VMs on GCP * variant: add SEV-SNP attestation variant * config: add SEV-SNP config options for GCP * measurements: add GCP SEV-SNP measurements * gcp: separate package for SEV-ES * attestation: add GCP SEV-SNP attestation logic * gcp: factor out common logic * choose: add GCP SEV-SNP * cli: add TF variable passthrough for GCP SEV-SNP variables * cli: support GCP SEV-SNP for `constellation verify` * Adjust usage of GCP SEV-SNP throughout codebase * ci: add GCP SEV-SNP * terraform-provider: support GCP SEV-SNP * docs: add GCP SEV-SNP reference * linter fixes * gcp: only run test with TPM simulator * gcp: remove nonsense test * Update cli/internal/cmd/verify.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update docs/docs/overview/clouds.md Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * linter fixes * terraform_provider: correctly pass down CC technology * config: mark attestationconfigapi as unimplemented * gcp: fix comments and typos * snp: use nonce and PK hash in SNP report * snp: ensure we never use ARK supplied by Issuer (#3025) * Make sure SNP ARK is always loaded from config, or fetched from AMD KDS * GCP: Set validator `reportData` correctly --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * attestationconfigapi: add GCP to uploading * snp: use correct cert Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform-provider: enable fetching of attestation config values for GCP SEV-SNP * linter fixes --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
60 lines
1.6 KiB
Go
60 lines
1.6 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package es
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
|
"github.com/google/go-tpm-tools/proto/attest"
|
|
)
|
|
|
|
const minimumGceVersion = 1
|
|
|
|
// Validator for GCP confidential VM attestation.
|
|
type Validator struct {
|
|
variant.GCPSEVES
|
|
*vtpm.Validator
|
|
}
|
|
|
|
// NewValidator initializes a new GCP validator with the provided PCR values specified in the config.
|
|
func NewValidator(cfg *config.GCPSEVES, log attestation.Logger) (*Validator, error) {
|
|
getTrustedKey, err := gcp.TrustedKeyGetter(variant.GCPSEVES{}, gcp.NewRESTClient)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("create trusted key getter: %v", err)
|
|
}
|
|
|
|
return &Validator{
|
|
Validator: vtpm.NewValidator(
|
|
cfg.Measurements,
|
|
getTrustedKey,
|
|
validateCVM,
|
|
log,
|
|
),
|
|
}, nil
|
|
}
|
|
|
|
// validateCVM checks that the machine state represents a GCE AMD-SEV VM.
|
|
func validateCVM(_ vtpm.AttestationDocument, state *attest.MachineState) error {
|
|
gceVersion := state.Platform.GetGceVersion()
|
|
if gceVersion < minimumGceVersion {
|
|
return fmt.Errorf("outdated GCE version: %v (require >= %v)", gceVersion, minimumGceVersion)
|
|
}
|
|
|
|
tech := state.Platform.Technology
|
|
wantTech := attest.GCEConfidentialTechnology_AMD_SEV
|
|
if tech != wantTech {
|
|
return fmt.Errorf("unexpected confidential technology: %v (expected: %v)", tech, wantTech)
|
|
}
|
|
|
|
return nil
|
|
}
|