Skip to content

Commit

Permalink
cli: print ordered measurements list during constellation verify (#…
Browse files Browse the repository at this point in the history
…2302)

* Print measurements as ordered list during verify
* Fix missing safety check in AWS attestation validation

---------

Signed-off-by: Daniel Weiße <[email protected]>
  • Loading branch information
daniel-weisse authored Sep 8, 2023
1 parent 0eb9ca2 commit 9765003
Show file tree
Hide file tree
Showing 4 changed files with 112 additions and 9 deletions.
1 change: 1 addition & 0 deletions cli/internal/cmd/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,7 @@ go_test(
"//internal/versions",
"//operators/constellation-node-operator/api/v1alpha1",
"//verify/verifyproto",
"@com_github_google_go_tpm_tools//proto/tpm",
"@com_github_spf13_afero//:afero",
"@com_github_spf13_cobra//:cobra",
"@com_github_stretchr_testify//assert",
Expand Down
21 changes: 13 additions & 8 deletions cli/internal/cmd/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import (
"net"
"net/http"
"net/url"
"sort"
"strconv"
"strings"

Expand Down Expand Up @@ -381,19 +382,23 @@ func (f *attestationDocFormatterImpl) parseCerts(b *strings.Builder, certTypeNam
// parseQuotes parses the base64-encoded quotes and writes their details to the output builder.
func (f *attestationDocFormatterImpl) parseQuotes(b *strings.Builder, quotes []*tpmProto.Quote, expectedPCRs measurements.M) error {
writeIndentfln(b, 1, "Quote:")
for pcrNum, expectedPCR := range expectedPCRs {

var pcrNumbers []uint32
for pcrNum := range expectedPCRs {
pcrNumbers = append(pcrNumbers, pcrNum)
}
sort.Slice(pcrNumbers, func(i, j int) bool { return pcrNumbers[i] < pcrNumbers[j] })

for _, pcrNum := range pcrNumbers {
expectedPCR := expectedPCRs[pcrNum]
pcrIdx, err := vtpm.GetSHA256QuoteIndex(quotes)
if err != nil {
return fmt.Errorf("get SHA256 quote index: %w", err)
}

if quotes[pcrIdx] == nil {
return fmt.Errorf("quote %d is nil", pcrIdx)
}

actualPCR := quotes[pcrIdx].Pcrs.Pcrs[pcrNum]
if err != nil {
return fmt.Errorf("decode PCR %d: %w", pcrNum, err)
actualPCR, ok := quotes[pcrIdx].Pcrs.Pcrs[pcrNum]
if !ok {
return fmt.Errorf("PCR %d not found in quote", pcrNum)
}
writeIndentfln(b, 2, "PCR %d (Strict: %t):", pcrNum, !expectedPCR.ValidationOpt)
writeIndentfln(b, 3, "Expected:\t%x", expectedPCR.Expected)
Expand Down
91 changes: 91 additions & 0 deletions cli/internal/cmd/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/verify/verifyproto"
tpmProto "github.com/google/go-tpm-tools/proto/tpm"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -466,3 +467,93 @@ func TestAddPortIfMissing(t *testing.T) {
})
}
}

func TestParseQuotes(t *testing.T) {
testCases := map[string]struct {
quotes []*tpmProto.Quote
expectedPCRs measurements.M
wantOutput string
wantErr bool
}{
"parse quotes in order": {
quotes: []*tpmProto.Quote{
{
Pcrs: &tpmProto.PCRs{
Hash: tpmProto.HashAlgo_SHA256,
Pcrs: map[uint32][]byte{
0: {0x00},
1: {0x01},
},
},
},
},
expectedPCRs: measurements.M{
0: measurements.WithAllBytes(0x00, measurements.Enforce, 1),
1: measurements.WithAllBytes(0x01, measurements.WarnOnly, 1),
},
wantOutput: "\tQuote:\n\t\tPCR 0 (Strict: true):\n\t\t\tExpected:\t00\n\t\t\tActual:\t\t00\n\t\tPCR 1 (Strict: false):\n\t\t\tExpected:\t01\n\t\t\tActual:\t\t01\n",
},
"additional quotes are skipped": {
quotes: []*tpmProto.Quote{
{
Pcrs: &tpmProto.PCRs{
Hash: tpmProto.HashAlgo_SHA256,
Pcrs: map[uint32][]byte{
0: {0x00},
1: {0x01},
2: {0x02},
3: {0x03},
},
},
},
},
expectedPCRs: measurements.M{
0: measurements.WithAllBytes(0x00, measurements.Enforce, 1),
1: measurements.WithAllBytes(0x01, measurements.WarnOnly, 1),
},
wantOutput: "\tQuote:\n\t\tPCR 0 (Strict: true):\n\t\t\tExpected:\t00\n\t\t\tActual:\t\t00\n\t\tPCR 1 (Strict: false):\n\t\t\tExpected:\t01\n\t\t\tActual:\t\t01\n",
},
"missing quotes error": {
quotes: []*tpmProto.Quote{
{
Pcrs: &tpmProto.PCRs{
Hash: tpmProto.HashAlgo_SHA256,
Pcrs: map[uint32][]byte{
0: {0x00},
},
},
},
},
expectedPCRs: measurements.M{
0: measurements.WithAllBytes(0x00, measurements.Enforce, 1),
1: measurements.WithAllBytes(0x01, measurements.WarnOnly, 1),
},
wantErr: true,
},
"no quotes error": {
quotes: []*tpmProto.Quote{},
expectedPCRs: measurements.M{
0: measurements.WithAllBytes(0x00, measurements.Enforce, 1),
1: measurements.WithAllBytes(0x01, measurements.WarnOnly, 1),
},
wantErr: true,
},
}

for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)

b := &strings.Builder{}
parser := &attestationDocFormatterImpl{}

err := parser.parseQuotes(b, tc.quotes, tc.expectedPCRs)
if tc.wantErr {
assert.Error(err)
} else {
assert.NoError(err)
assert.Equal(tc.wantOutput, b.String())
}
})
}
}
8 changes: 7 additions & 1 deletion internal/attestation/aws/snp/validator.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,12 +80,18 @@ func (v *Validator) tpmEnabled(attestation vtpm.AttestationDocument, _ *attest.M
if err != nil {
return err
}
if len(imageOutput.Images) == 0 {
return fmt.Errorf("aws image %s not found", imageID)
}
if len(imageOutput.Images) > 1 {
return fmt.Errorf("found multiple image references for image ID %s", imageID)
}

if imageOutput.Images[0].TpmSupport == "v2.0" {
return nil
}

return fmt.Errorf("iam image %s does not support TPM v2.0", imageID)
return fmt.Errorf("aws image %s does not support TPM v2.0", imageID)
}

func getEC2Client(ctx context.Context, region string) (awsMetadataAPI, error) {
Expand Down

0 comments on commit 9765003

Please sign in to comment.