
Make SEV-SNP the default attestation variant on GCP #3267

Merged: 3 commits merged into main from t/default-to-gcp-sev-snp on Jul 22, 2024

Conversation

thomasten (Member)

Context

SNP on GCP is GA

Proposed change(s)

  • make attestation variant gcp-sev-snp the default on GCP

Checklist

  • Run the E2E tests that are relevant to this PR's changes
  • Update docs
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone

@thomasten thomasten added the feature This introduces new functionality label Jul 19, 2024
@thomasten thomasten added this to the v2.18.0 milestone Jul 19, 2024
netlify bot commented Jul 19, 2024

Deploy Preview for constellation-docs ready!

Latest commit: 5a3105f
Latest deploy log: https://app.netlify.com/sites/constellation-docs/deploys/669e3c932e2967000821209b
Deploy Preview: https://deploy-preview-3267--constellation-docs.netlify.app

@thomasten thomasten force-pushed the t/default-to-gcp-sev-snp branch from 1861f5d to d6d86da Compare July 19, 2024 15:05
@thomasten thomasten marked this pull request as ready for review July 19, 2024 15:25
thomasten (Member Author) commented

@msanft does this TODO need to be resolved before we can make SNP the default?

```yaml
- name: Fetch GCP image reference
  id: fetch-reference
  shell: bash
  run: |
    # TODO(msanft): Implement marketplace images for GCP SEV-SNP
    aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
    FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
    IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
    echo "reference=$IMAGE_NAME" | tee -a "$GITHUB_OUTPUT"
```
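As an added example (not code from this PR or from the Constellation repository), the selection that the step above performs with yq and cut, written in Go with the default flipped to gcp-sev-snp and with the failure modes the shell pipeline hides surfaced as errors: a missing variant, a variant listed twice, or a reference that is not a GCP image path would otherwise leak an empty or wrong image name into `$GITHUB_OUTPUT`. The info.json content, the project and image names, and the Azure reference format are constructed for the example; only the list shape and the field names attestationVariant and reference are taken from the yq expression in the quoted step.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DefaultGCPVariant is the attestation variant this PR makes the GCP default.
const DefaultGCPVariant = "gcp-sev-snp"

// SampleInfoJSON is a constructed stand-in for the info.json the workflow step
// downloads. It assumes the shape implied by the yq expression (a "list" of
// entries with attestationVariant and reference); project and image names are
// made up for this example, as is the Azure reference format.
const SampleInfoJSON = `{
  "list": [
    {"attestationVariant": "gcp-sev-es",    "reference": "projects/example-images/global/images/v2-18-0-gcp-sev-es"},
    {"attestationVariant": "gcp-sev-snp",   "reference": "projects/example-images/global/images/v2-18-0-gcp-sev-snp"},
    {"attestationVariant": "azure-sev-snp", "reference": "/communityGalleries/example/images/constellation/versions/2.18.0"}
  ]
}`

type imageInfo struct {
	List []imageEntry `json:"list"`
}

type imageEntry struct {
	AttestationVariant string `json:"attestationVariant"`
	Reference          string `json:"reference"`
}

// GCPImageName selects the image reference for one attestation variant and
// returns its image name, the fifth "/"-separated field that the workflow's
// `cut -d / -f 5` extracts. Unlike the shell pipeline, it fails instead of
// silently producing an empty or wrong name when the variant is missing,
// listed twice, or its reference is not a GCP image path.
func GCPImageName(info []byte, variant string) (string, error) {
	var parsed imageInfo
	if err := json.Unmarshal(info, &parsed); err != nil {
		return "", fmt.Errorf("parsing info.json: %w", err)
	}

	var ref string
	matches := 0
	for _, e := range parsed.List {
		if e.AttestationVariant == variant {
			ref = e.Reference
			matches++
		}
	}
	switch {
	case matches == 0:
		return "", fmt.Errorf("no image for attestation variant %q", variant)
	case matches > 1:
		return "", fmt.Errorf("%d images for attestation variant %q, expected exactly one", matches, variant)
	}

	// A GCP image reference is projects/<project>/global/images/<name>; anything
	// else (for example an Azure gallery path) must not be passed on as a name.
	parts := strings.Split(ref, "/")
	if len(parts) != 5 || parts[0] != "projects" || parts[2] != "global" || parts[3] != "images" || parts[4] == "" {
		return "", fmt.Errorf("unexpected GCP image reference %q", ref)
	}
	return parts[4], nil
}

func main() {
	// "gcp-missing" is a deliberately absent variant to exercise the error path.
	for _, v := range []string{DefaultGCPVariant, "gcp-sev-es", "azure-sev-snp", "gcp-missing"} {
		name, err := GCPImageName([]byte(SampleInfoJSON), v)
		if err != nil {
			fmt.Printf("%-14s error: %v\n", v, err)
			continue
		}
		fmt.Printf("%-14s %s\n", v, name)
	}
}
```

Changing the default variant is then a one-constant change, and a workflow that queries the wrong variant or an info.json that lacks the SNP image fails the job rather than producing an image reference that looks plausible but points at the SEV-ES image.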

msanft (Contributor) commented Jul 19, 2024

> @msanft does this TODO need to be resolved before we can make SNP the default?

Need to talk to the business side to clarify this, but I think it should not be too much work altogether.

I'll have a look at this PR generally on Monday. My mind isn't fresh enough anymore today 😄

elchead (Contributor) commented Jul 19, 2024

should we change it here too?

attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]

attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]

attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]

is this done?

# TODO(msanft): Implement marketplace images for GCP SEV-SNP

let's switch the order here:

@thomasten thomasten force-pushed the t/default-to-gcp-sev-snp branch from d6d86da to 30307e1 Compare July 22, 2024 09:07
@thomasten thomasten force-pushed the t/default-to-gcp-sev-snp branch from 30307e1 to 59dd625 Compare July 22, 2024 09:57
msanft (Contributor) left a review comment

LGTM. Marketplace images should not be critical for this PR, we'll just have to add them until we release a version containing the SEV-SNP default.

The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev) are based on AMD SEV but don't have SNP features enabled.
CVMs with [SEV-SNP enabled are in public preview](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#amd_sev-snp). Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
The [CVMs Generally Available in GCP](https://cloud.google.com/confidential-computing/confidential-vm/docs/confidential-vm-overview#technologies) are based on AMD SEV-ES or SEV-SNP.
Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
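Review bot: the replacement sentence at the top of this hunk now lists both SEV-ES and SEV-SNP as GA on GCP but no longer says which one Constellation uses by default; since this PR switches the GCP default to gcp-sev-snp, the docs should state that here (for example "Constellation defaults to SEV-SNP on GCP") so the text matches the new behavior. The unchanged sentence "Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements." still carries the implicit contrast that the SEV-ES offering does not; that contrast used to be explained by the removed preview/GA sentence, so either make it explicit or drop the qualifier.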
Suggested change
Regarding (3), with their SEV-SNP offering Google provides direct access to remote-attestation statements.
Regarding (3), with their SEV-SNP offering Google provides direct access to attestation statements.

nit

Coverage report

| Package | Old | New | Trend |
| --- | --- | --- | --- |
| cli/internal/cmd | 41.00% | 41.10% | ↗️ |
| internal/attestation/variant | 0.00% | 0.00% | 🚧 |
| internal/config | 67.00% | 67.00% | ↔️ |
| terraform-provider-constellation/internal/provider | 3.60% | 3.60% | 🚧 |

@thomasten thomasten merged commit 399376d into main Jul 22, 2024
11 of 12 checks passed
@thomasten thomasten deleted the t/default-to-gcp-sev-snp branch July 22, 2024 11:29
Labels: feature (This introduces new functionality)
Milestone: v2.18.0