Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation: enable Constellation for Azure TDX #2827

Merged
merged 12 commits into from
Jan 24, 2024
Merged

attestation: enable Constellation for Azure TDX #2827

merged 12 commits into from
Jan 24, 2024

Conversation

daniel-weisse
Copy link
Member

@daniel-weisse daniel-weisse commented Jan 16, 2024
edited
Loading

Context

Azure's unenlightend-guest TDX implementation functions quite similar to their SEV-SNP implementations in principal.
This PR adds Azure TDX attestation based on our SEV-SNP implementation and the samples provided by Azure.

Proposed change(s)

  • Add Azure TDX attestation issuer and validator
  • Move and adapt some previously Azure SEV-SNP exclusive functions to be shared by both TDX and SNP implementations

Additional info

TODO

  • Run some more tests
  • Add more unit tests
  • Add default measurements for Azure TDX
    • Sort of done. Not sure if our automatic measurement calculation when building the images is already done, but we should have defaults now.
  • Research and decide on what attestation claims we can verify. These should be automatically updated similar to how we do it for SEV on Azure and AWS
    • Waiting on response from Azure, but I have added some defaults I observed over multiple VMs and reboots which we can use for testing

@daniel-weisse daniel-weisse added the feature This introduces new functionality label Jan 16, 2024
@daniel-weisse daniel-weisse added this to the v2.15.0 milestone Jan 16, 2024
@netlify Netlify
Copy link

netlify bot commented Jan 16, 2024
edited
Loading

Deploy Preview for constellation-docs ready!

Name Link
🔨 Latest commit 328173d
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/65b106fed6ae7a000827808d
😎 Deploy Preview https://deploy-preview-2827--constellation-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@daniel-weisse daniel-weisse force-pushed the feat/attestation/tdx-azure branch 6 times, most recently from ac8ada8 to 5d67668 Compare January 18, 2024 10:47
@daniel-weisse daniel-weisse marked this pull request as ready for review January 18, 2024 14:36
elchead
elchead reviewed Jan 19, 2024
View reviewed changes
Copy link
Contributor

@elchead elchead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed state, encoding, config, terraform.
We should also support it in the provider. We could temporarily hardcode the TDX values there too (instead of calling the API). Can be done in a follow-up PR

internal/config/azure.go Outdated Show resolved Hide resolved
internal/encoding/encoding.go Show resolved Hide resolved
thomasten
thomasten reviewed Jan 21, 2024
View reviewed changes
Copy link
Member

@thomasten thomasten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just some nits

internal/attestation/azure/azure.go Show resolved Hide resolved
internal/attestation/azure/tdx/issuer.go Outdated Show resolved Hide resolved
internal/attestation/azure/tdx/issuer.go Outdated Show resolved Hide resolved
internal/attestation/azure/tdx/issuer_test.go Outdated Show resolved Hide resolved
internal/config/config.go Outdated Show resolved Hide resolved
malt3
malt3 reviewed Jan 22, 2024
View reviewed changes
internal/config/azure.go Outdated Show resolved Hide resolved
@daniel-weisse daniel-weisse force-pushed the feat/attestation/tdx-azure branch from 72c4431 to d6d78ee Compare January 23, 2024 08:41
malt3
malt3 approved these changes Jan 23, 2024
View reviewed changes
Copy link
Contributor

@malt3 malt3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM

@daniel-weisse
Implement Azure TDX attestation primitives
822bd69 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Add default measurement stubs and update config for TDX
ead3c89 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Add some tests for TDX attestation
d19a705 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Add default values for Azure TDX attestation
e6d902a 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Add back byte slice decoding fallback
21fcdd0 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Clean up from suggestions
6332efd 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Update go-tpm-tools library
f90a005 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
fixup! Clean up from suggestions
516ee33 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse
Fix validation for Azure TDX
3ccfc2e 
Signed-off-by: Daniel Weiße <[email protected]>
@daniel-weisse daniel-weisse force-pushed the feat/attestation/tdx-azure branch from 302a2ff to 328173d Compare January 24, 2024 12:47
@github-actions GitHub Actions
Copy link
Contributor

Coverage report

Package Old New Trend
cli/internal/cloudcmd 64.10% 64.10% ↔️
cli/internal/cmd 58.50% 58.50% ↔️
cli/internal/terraform 72.40% 72.40% ↔️
internal/attestation/azure [no test files] 0.00% 🚧
internal/attestation/azure/snp 24.40% 31.20% ↗️
internal/attestation/azure/tdx 0.00% 36.40% 🆕
internal/attestation/choose 85.00% 86.40% ↗️
internal/attestation/measurements 75.30% 75.00% ↘️
internal/attestation/measurements/measurement-generator 0.00% 0.00% 🚧
internal/attestation/variant [no test files] [no test files] 🚧
internal/config 79.40% 79.60% ↗️
internal/constellation/state 94.60% 95.60% ↗️
internal/encoding 0.00% 86.40% 🆕

elchead
elchead approved these changes Jan 24, 2024
View reviewed changes
Copy link
Contributor

@elchead elchead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm when the provider test is green

@daniel-weisse daniel-weisse merged commit e350ca0 into main Jan 24, 2024
15 checks passed
@daniel-weisse daniel-weisse deleted the feat/attestation/tdx-azure branch January 24, 2024 14:10
@daniel-weisse daniel-weisse changed the title attestation: add Azure TDX attestation attestation: enable Constellation for Azure TDX Jan 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomasten thomasten thomasten approved these changes

@elchead elchead elchead approved these changes

@malt3 malt3 malt3 approved these changes

@derpsteb derpsteb Awaiting requested review from derpsteb derpsteb is a code owner

@m1ghtym0 m1ghtym0 Awaiting requested review from m1ghtym0

Assignees
No one assigned
Labels
feature This introduces new functionality
Projects
None yet
Milestone
v2.15.0
Development

Successfully merging this pull request may close these issues.
4 participants
@daniel-weisse @malt3 @elchead @thomasten