edgelesssys · daniel-weisse · Jan 24, 2024 · Jan 16, 2024 · Jan 18, 2024 · Jan 18, 2024
@@ -2270,6 +2270,14 @@ def go_dependencies():
         sum = "h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=",
         version = "v0.6.0",
     )
+    go_repository(
+        name = "com_github_google_go_configfs_tsm",
+        build_file_generation = "on",
+        build_file_proto_mode = "disable_global",
+        importpath = "github.com/google/go-configfs-tsm",
+        sum = "h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98=",
+        version = "v0.2.2",
+    )
     go_repository(
         name = "com_github_google_go_containerregistry",
         build_file_generation = "on",
@@ -2316,8 +2324,8 @@ def go_dependencies():
         build_file_generation = "on",
         build_file_proto_mode = "disable_global",
         importpath = "github.com/google/go-tdx-guest",
-        sum = "h1:lRlUusuieEuqljjihCXb+Mr73VNitOYPJYWXzJKtBWs=",
-        version = "v0.2.3-0.20231011100059-4cf02bed9d33",
+        sum = "h1:fwe2ROo/XIpC3JWdD5My75NP1oYCQFc6wCITLP1vXCE=",
+        version = "v0.2.3-0.20240122115010-59d674a08de0",
     )
     go_repository(
         name = "com_github_google_go_tpm",
@@ -2339,8 +2347,8 @@ def go_dependencies():
             "//3rdparty/bazel/com_github_google_go_tpm_tools:ms_tpm_20_ref.patch",
             "//3rdparty/bazel/com_github_google_go_tpm_tools:include.patch",
         ],
-        sum = "h1:iyaCPKt2N5Rd0yz0G8ANa022SgCNZkMpp+db6QELtvI=",
-        version = "v0.4.2",
+        sum = "h1:EQ1rGgyI8IEBApvDH9HPF7ehUd/6H6SxSNKVDF5z/GU=",
+        version = "v0.4.3-0.20240112165732-912a43636883",
     )
     go_repository(
         name = "com_github_google_go_tspi",

@@ -15,6 +15,7 @@ import (
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -89,7 +90,9 @@ func (a *Applier) Plan(ctx context.Context, conf *config.Config) (bool, error) {
 }
 
 // Apply applies the prepared configuration by creating or updating cloud resources.
-func (a *Applier) Apply(ctx context.Context, csp cloudprovider.Provider, withRollback RollbackBehavior) (infra state.Infrastructure, retErr error) {
+func (a *Applier) Apply(
+	ctx context.Context, csp cloudprovider.Provider, attestation variant.Variant, withRollback RollbackBehavior,
+) (infra state.Infrastructure, retErr error) {
 	if withRollback {
 		var rollbacker rollbacker
 		switch csp {
@@ -105,7 +108,7 @@ func (a *Applier) Apply(ctx context.Context, csp cloudprovider.Provider, withRol
 	if err != nil {
 		return infraState, fmt.Errorf("terraform apply: %w", err)
 	}
-	if csp == cloudprovider.Azure && infraState.Azure != nil {
+	if csp == cloudprovider.Azure && attestation.Equal(variant.AzureSEVSNP{}) && infraState.Azure != nil {
 		if err := a.policyPatcher.Patch(ctx, infraState.Azure.AttestationURL); err != nil {
 			return infraState, fmt.Errorf("patching policies: %w", err)
 		}

@@ -19,6 +19,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -192,7 +193,7 @@ func TestApplier(t *testing.T) {
 			}
 			assert.False(diff)
 
-			idFile, err := applier.Apply(context.Background(), tc.provider, true)
+			idFile, err := applier.Apply(context.Background(), tc.provider, tc.config.GetAttestationConfig().GetVariant(), true)
 
 			if tc.wantErr {
 				assert.Error(err)
@@ -352,7 +353,7 @@ func TestApply(t *testing.T) {
 				out:             io.Discard,
 			}
 
-			_, err := u.Apply(context.Background(), cloudprovider.QEMU, WithoutRollbackOnError)
+			_, err := u.Apply(context.Background(), cloudprovider.QEMU, variant.QEMUVTPM{}, WithoutRollbackOnError)
 			if tc.wantErr {
 				assert.Error(err)
 			} else {

@@ -158,7 +158,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
 		Location:             conf.Provider.Azure.Location,
 		CreateMAA:            toPtr(conf.GetAttestationConfig().GetVariant().Equal(variant.AzureSEVSNP{})),
 		Debug:                toPtr(conf.IsDebugCluster()),
-		ConfidentialVM:       toPtr(conf.GetAttestationConfig().GetVariant().Equal(variant.AzureSEVSNP{})),
+		ConfidentialVM:       toPtr(!conf.GetAttestationConfig().GetVariant().Equal(variant.AzureTrustedLaunch{})),
 		SecureBoot:           conf.Provider.Azure.SecureBoot,
 		UserAssignedIdentity: conf.Provider.Azure.UserAssignedIdentity,
 		ResourceGroup:        conf.Provider.Azure.ResourceGroup,

diff --git a/cli/internal/cmd/apply.go b/cli/internal/cmd/apply.go
@@ -465,9 +465,9 @@ func (a *applyCmd) validateInputs(cmd *cobra.Command, configFetcher attestationc
 	// a user may still end up skipping phases that could result in errors later on.
 	// However, we perform basic steps, like ensuring init phase is not skipped if
 	a.log.Debugf("Validating state file")
-	preCreateValidateErr := stateFile.Validate(state.PreCreate, conf.GetProvider())
-	preInitValidateErr := stateFile.Validate(state.PreInit, conf.GetProvider())
-	postInitValidateErr := stateFile.Validate(state.PostInit, conf.GetProvider())
+	preCreateValidateErr := stateFile.Validate(state.PreCreate, conf.GetAttestationConfig().GetVariant())
+	preInitValidateErr := stateFile.Validate(state.PreInit, conf.GetAttestationConfig().GetVariant())
+	postInitValidateErr := stateFile.Validate(state.PostInit, conf.GetAttestationConfig().GetVariant())
 
 	// If the state file is in a pre-create state, we need to create the cluster,
 	// in which case the workspace has to be clean

diff --git a/cli/internal/cmd/applyterraform.go b/cli/internal/cmd/applyterraform.go
@@ -13,6 +13,7 @@ import (
 	"path/filepath"
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -94,7 +95,8 @@ func (a *applyCmd) applyTerraformChanges(
 			return state.Infrastructure{}, err
 		}
 		return a.applyTerraformChangesWithMessage(
-			cmd, conf.GetProvider(), cloudcmd.WithRollbackOnError, terraformClient, upgradeDir,
+			cmd, conf.GetProvider(), conf.GetAttestationConfig().GetVariant(),
+			cloudcmd.WithRollbackOnError, terraformClient, upgradeDir,
 			"Do you want to create this cluster?",
 			"The creation of the cluster was aborted.",
 			"cluster creation aborted by user",
@@ -105,7 +107,8 @@ func (a *applyCmd) applyTerraformChanges(
 
 	cmd.Println("Changes of Constellation cloud resources are required by applying an updated Terraform template.")
 	return a.applyTerraformChangesWithMessage(
-		cmd, conf.GetProvider(), cloudcmd.WithoutRollbackOnError, terraformClient, upgradeDir,
+		cmd, conf.GetProvider(), conf.GetAttestationConfig().GetVariant(),
+		cloudcmd.WithoutRollbackOnError, terraformClient, upgradeDir,
 		"Do you want to apply these Terraform changes?",
 		"Aborting upgrade.",
 		"cluster upgrade aborted by user",
@@ -119,8 +122,8 @@ func (a *applyCmd) applyTerraformChanges(
 }
 
 func (a *applyCmd) applyTerraformChangesWithMessage(
-	cmd *cobra.Command, csp cloudprovider.Provider, rollbackBehavior cloudcmd.RollbackBehavior,
-	terraformClient cloudApplier, upgradeDir string,
+	cmd *cobra.Command, csp cloudprovider.Provider, attestation variant.Variant,
+	rollbackBehavior cloudcmd.RollbackBehavior, terraformClient cloudApplier, upgradeDir string,
 	confirmationQst, abortMsg, abortErrorMsg, progressMsg, successMsg string,
 ) (state.Infrastructure, error) {
 	// Ask for confirmation first
@@ -146,7 +149,7 @@ func (a *applyCmd) applyTerraformChangesWithMessage(
 	a.log.Debugf("Applying Terraform changes")
 
 	a.spinner.Start(progressMsg, false)
-	infraState, err := terraformClient.Apply(cmd.Context(), csp, rollbackBehavior)
+	infraState, err := terraformClient.Apply(cmd.Context(), csp, attestation, rollbackBehavior)
 	a.spinner.Stop()
 	if err != nil {
 		return state.Infrastructure{}, fmt.Errorf("applying terraform changes: %w", err)

diff --git a/cli/internal/cmd/cloud.go b/cli/internal/cmd/cloud.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
 	"github.com/edgelesssys/constellation/v2/internal/config"
@@ -19,7 +20,7 @@ import (
 
 type cloudApplier interface {
 	Plan(ctx context.Context, conf *config.Config) (bool, error)
-	Apply(ctx context.Context, csp cloudprovider.Provider, rollback cloudcmd.RollbackBehavior) (state.Infrastructure, error)
+	Apply(ctx context.Context, csp cloudprovider.Provider, variant variant.Variant, rollback cloudcmd.RollbackBehavior) (state.Infrastructure, error)
 	RestoreWorkspace() error
 	WorkingDirIsEmpty() (bool, error)
 }

diff --git a/cli/internal/cmd/cloud_test.go b/cli/internal/cmd/cloud_test.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
 	"github.com/edgelesssys/constellation/v2/internal/config"
@@ -44,7 +45,7 @@ func (c *stubCloudCreator) Plan(_ context.Context, _ *config.Config) (bool, erro
 	return c.planDiff, c.planErr
 }
 
-func (c *stubCloudCreator) Apply(_ context.Context, _ cloudprovider.Provider, _ cloudcmd.RollbackBehavior) (state.Infrastructure, error) {
+func (c *stubCloudCreator) Apply(_ context.Context, _ cloudprovider.Provider, _ variant.Variant, _ cloudcmd.RollbackBehavior) (state.Infrastructure, error) {
 	c.applyCalled = true
 	return c.state, c.applyErr
 }

diff --git a/cli/internal/cmd/configgenerate.go b/cli/internal/cmd/configgenerate.go
@@ -152,6 +152,8 @@ func createConfigWithAttestationVariant(provider cloudprovider.Provider, rawProv
 		return nil, fmt.Errorf("provider %s does not support attestation variant %s", provider, attestationVariant)
 	}
 	conf.SetAttestation(attestationVariant)
+
+	conf.SetCSPNodeGroupDefaults(provider)
 	return conf, nil
 }
 

diff --git a/cli/internal/cmd/recover.go b/cli/internal/cmd/recover.go
@@ -109,17 +109,16 @@ func (r *recoverCmd) recover(
 		return err
 	}
 
-	provider := conf.GetProvider()
-	r.log.Debugf("Got provider %s", provider.String())
-	if provider == cloudprovider.Azure {
+	r.log.Debugf("Got provider %s", conf.GetProvider())
+	if conf.GetProvider() == cloudprovider.Azure {
 		interval = 20 * time.Second // Azure LB takes a while to remove unhealthy instances
 	}
 
 	stateFile, err := state.ReadFromFile(fileHandler, constants.StateFilename)
 	if err != nil {
 		return fmt.Errorf("reading state file: %w", err)
 	}
-	if err := stateFile.Validate(state.PostInit, provider); err != nil {
+	if err := stateFile.Validate(state.PostInit, conf.GetAttestationConfig().GetVariant()); err != nil {
 		return fmt.Errorf("validating state file: %w", err)
 	}
 

@@ -335,7 +335,7 @@ func (u stubTerraformUpgrader) Plan(_ context.Context, _ *config.Config) (bool,
 	return u.terraformDiff, u.planTerraformErr
 }
 
-func (u stubTerraformUpgrader) Apply(_ context.Context, _ cloudprovider.Provider, _ cloudcmd.RollbackBehavior) (state.Infrastructure, error) {
+func (u stubTerraformUpgrader) Apply(_ context.Context, _ cloudprovider.Provider, _ variant.Variant, _ cloudcmd.RollbackBehavior) (state.Infrastructure, error) {
 	return state.Infrastructure{}, u.applyTerraformErr
 }
 
@@ -356,8 +356,8 @@ func (m *mockTerraformUpgrader) Plan(ctx context.Context, conf *config.Config) (
 	return args.Bool(0), args.Error(1)
 }
 
-func (m *mockTerraformUpgrader) Apply(ctx context.Context, provider cloudprovider.Provider, rollback cloudcmd.RollbackBehavior) (state.Infrastructure, error) {
-	args := m.Called(ctx, provider, rollback)
+func (m *mockTerraformUpgrader) Apply(ctx context.Context, provider cloudprovider.Provider, variant variant.Variant, rollback cloudcmd.RollbackBehavior) (state.Infrastructure, error) {
+	args := m.Called(ctx, provider, variant, rollback)
 	return args.Get(0).(state.Infrastructure), args.Error(1)
 }
 

diff --git a/cli/internal/cmd/verify.go b/cli/internal/cmd/verify.go
@@ -30,7 +30,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/attestation/snp"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
-	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/state"
@@ -108,9 +107,9 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 		dialer: dialer.New(nil, nil, &net.Dialer{}),
 		log:    log,
 	}
-	formatterFactory := func(output string, provider cloudprovider.Provider, log debugLog) (attestationDocFormatter, error) {
-		if output == "json" && (provider != cloudprovider.Azure && provider != cloudprovider.AWS) {
-			return nil, errors.New("json output is only supported for Azure and AWS")
+	formatterFactory := func(output string, attestation variant.Variant, log debugLog) (attestationDocFormatter, error) {
+		if output == "json" && (!attestation.Equal(variant.AzureSEVSNP{}) && !attestation.Equal(variant.AWSSEVSNP{})) {
+			return nil, errors.New("json output is only supported for Azure SEV-SNP and AWS SEV-SNP")
 		}
 		switch output {
 		case "json":
@@ -135,7 +134,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 	return v.verify(cmd, verifyClient, formatterFactory, fetcher)
 }
 
-type formatterFactory func(output string, provider cloudprovider.Provider, log debugLog) (attestationDocFormatter, error)
+type formatterFactory func(output string, attestation variant.Variant, log debugLog) (attestationDocFormatter, error)
 
 func (c *verifyCmd) verify(cmd *cobra.Command, verifyClient verifyClient, factory formatterFactory, configFetcher attestationconfigapi.Fetcher) error {
 	c.log.Debugf("Loading configuration file from %q", c.flags.pathPrefixer.PrefixPrintablePath(constants.ConfigFilename))
@@ -152,7 +151,7 @@ func (c *verifyCmd) verify(cmd *cobra.Command, verifyClient verifyClient, factor
 	if err != nil {
 		return fmt.Errorf("reading state file: %w", err)
 	}
-	if err := stateFile.Validate(state.PostInit, conf.GetProvider()); err != nil {
+	if err := stateFile.Validate(state.PostInit, conf.GetAttestationConfig().GetVariant()); err != nil {
 		return fmt.Errorf("validating state file: %w", err)
 	}
 
@@ -201,15 +200,15 @@ func (c *verifyCmd) verify(cmd *cobra.Command, verifyClient verifyClient, factor
 		return fmt.Errorf("verifying: %w", err)
 	}
 
-	// certificates are only available for Azure
-	formatter, err := factory(c.flags.output, conf.GetProvider(), c.log)
+	// certificates are only available for Azure SEV-SNP and AWS SEV-SNP
+	formatter, err := factory(c.flags.output, conf.GetAttestationConfig().GetVariant(), c.log)
 	if err != nil {
 		return fmt.Errorf("creating formatter: %w", err)
 	}
 	attDocOutput, err := formatter.format(
 		cmd.Context(),
 		rawAttestationDoc,
-		(conf.Provider.Azure == nil && conf.Provider.AWS == nil),
+		(!attConfig.GetVariant().Equal(variant.AzureSEVSNP{}) && !attConfig.GetVariant().Equal(variant.AWSSEVSNP{})),
 		attConfig,
 	)
 	if err != nil {
@@ -467,7 +466,10 @@ func updateInitMeasurements(config config.AttestationCfg, ownerID, clusterID str
 	m := config.GetMeasurements()
 
 	switch config.GetVariant() {
-	case variant.AWSNitroTPM{}, variant.AWSSEVSNP{}, variant.AzureTrustedLaunch{}, variant.AzureSEVSNP{}, variant.GCPSEVES{}, variant.QEMUVTPM{}:
+	case variant.AWSNitroTPM{}, variant.AWSSEVSNP{},
+		variant.AzureTrustedLaunch{}, variant.AzureSEVSNP{}, variant.AzureTDX{}, // AzureTDX also uses a vTPM for measurements
+		variant.GCPSEVES{},
+		variant.QEMUVTPM{}:
 		if err := updateMeasurementTPM(m, uint32(measurements.PCRIndexOwnerID), ownerID); err != nil {
 			return err
 		}

diff --git a/cli/internal/cmd/verify_test.go b/cli/internal/cmd/verify_test.go
@@ -216,7 +216,7 @@ func TestVerify(t *testing.T) {
 					endpoint:  tc.nodeEndpointFlag,
 				},
 			}
-			formatterFac := func(_ string, _ cloudprovider.Provider, _ debugLog) (attestationDocFormatter, error) {
+			formatterFac := func(_ string, _ variant.Variant, _ debugLog) (attestationDocFormatter, error) {
 				return tc.formatter, nil
 			}
 			err := v.verify(cmd, tc.protoClient, formatterFac, stubAttestationFetcher{})

@@ -44,7 +44,7 @@ go_test(
     deps = [
         "//internal/cloud/cloudprovider",
         "//internal/constants",
-        "//internal/constellation/state",
+        "//internal/encoding",
         "//internal/file",
         "//internal/role",
         "@com_github_azure_azure_sdk_for_go_sdk_azcore//to",

@@ -18,7 +18,7 @@ import (
 
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
-	"github.com/edgelesssys/constellation/v2/internal/constellation/state"
+	"github.com/edgelesssys/constellation/v2/internal/encoding"
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/role"
 	"github.com/hashicorp/terraform-exec/tfexec"
@@ -490,7 +490,7 @@ func TestCreateCluster(t *testing.T) {
 			}
 			assert.NoError(err)
 			assert.Equal("192.0.2.100", infraState.ClusterEndpoint)
-			assert.Equal(state.HexBytes("initSecret"), infraState.InitSecret)
+			assert.Equal(encoding.HexBytes("initSecret"), infraState.InitSecret)
 			assert.Equal("12345abc", infraState.UID)
 			assert.Equal("192.0.2.101", infraState.InClusterEndpoint)
 			assert.Equal("192.0.2.103/32", infraState.IPCidrNode)

@@ -78,7 +78,7 @@ constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags]
 ### Options
 
 ```
-  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
+  -a, --attestation string   attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used
   -h, --help                 help for generate
   -k, --kubernetes string    Kubernetes version to use in format MAJOR.MINOR (default "v1.28")
 ```

diff --git a/go.mod b/go.mod
@@ -85,8 +85,9 @@ require (
 	github.com/go-playground/validator/v10 v10.14.1
 	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/google/go-sev-guest v0.9.3
+	github.com/google/go-tdx-guest v0.2.3-0.20240122115010-59d674a08de0
 	github.com/google/go-tpm v0.9.0
-	github.com/google/go-tpm-tools v0.4.2
+	github.com/google/go-tpm-tools v0.4.3-0.20240112165732-912a43636883
 	github.com/google/uuid v1.4.0
 	github.com/googleapis/gax-go/v2 v2.12.0
 	github.com/gophercloud/gophercloud v1.5.0
@@ -257,8 +258,8 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-attestation v0.5.0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-configfs-tsm v0.2.2 // indirect
 	github.com/google/go-containerregistry v0.15.2 // indirect
-	github.com/google/go-tdx-guest v0.2.3-0.20231011100059-4cf02bed9d33 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/logger v1.1.1 // indirect