Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation: add options to the EnforceIDKeyDigest config field to enable Microsoft Azure Attestation fallback when verifying AMD SNP-SEV id key digest #1257

Merged
merged 17 commits into from
Mar 21, 2023
Merged

attestation: add options to the EnforceIDKeyDigest config field to enable Microsoft Azure Attestation fallback when verifying AMD SNP-SEV id key digest #1257

merged 17 commits into from
Mar 21, 2023

Conversation

daniel-weisse
Copy link
Member

Proposed change(s)

  • Change the EnforceIDKeyDigest option in the Constellation config from boolean to an enum. The following values are available (naming not final, looking for feedback/suggestions):
    • StrictChecking: requires the IDKeyDigest of the node to be in the list of trusted IDKeyDigests, error otherwise
    • MAAFallback: if a node's IDKeyDigest is not in the list of trusted digests, MAA is used to verify the SNP properties of the VM.
    • WarnOnly: emit a warning, but accept IDKeyDigests not in the list of trusted digests
  • Enable MAA fallback in SNP attestation Validator
    • This requires some changes to the internal Validator API, mainly the GetTPMTrustedAttestationPublicKey and GetInstanceInfo functions now also accept extraData (userData hashed with nonce)

Additional info

  • blocked until MAA issues are resolved on our node images

Checklist

  • Update docs
  • Add labels (e.g., for changelog category)
  • Link to Milestone

@daniel-weisse daniel-weisse added the feature This introduces new functionality label Feb 22, 2023
@netlify
Copy link

netlify bot commented Feb 22, 2023
edited

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 09ec59f
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/641997e43ff90500081ac290

@daniel-weisse daniel-weisse force-pushed the feat/attestation/maa-fallback branch 2 times, most recently from 6a55d5d to 22766f0 Compare March 6, 2023 13:49
@daniel-weisse daniel-weisse added this to the v2.7.0 milestone Mar 6, 2023
@daniel-weisse daniel-weisse marked this pull request as ready for review March 6, 2023 15:39
@daniel-weisse daniel-weisse force-pushed the feat/attestation/maa-fallback branch 4 times, most recently from c8ca59a to dc385b9 Compare March 7, 2023 07:47
@malt3
Copy link
Contributor

malt3 commented Mar 9, 2023

Just a heads-up: This branch should be rebased before merge and bazel build files should be generated.
This document has up-to-date information on the required tasks (bazel run gazelle).

thomasten
thomasten reviewed Mar 12, 2023
View reviewed changes
internal/attestation/idkeydigest/idkeydigest.go
// EnforceIDKeyDigest defines the behavior of the validator when the ID key digest is not found in the expected list.
type EnforceIDKeyDigest uint32

// TODO: Decide on final value naming.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should also think about renaming the key, but not sure what this means for backwards compat

Copy link
Member

@derpsteb derpsteb Mar 21, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be a breaking change from my pov. Maybe we can rename it when implementing #1436?
For that one we will need migration docs/code anyways.

EDIT: Oh. This requires migration docs/code already :D

internal/attestation/azure/snp/maa.go Outdated Show resolved Hide resolved
internal/attestation/azure/snp/issuer.go Outdated Show resolved Hide resolved
internal/attestation/azure/snp/issuer.go Outdated Show resolved Hide resolved
internal/attestation/azure/snp/validator.go Outdated Show resolved Hide resolved
@katexochen katexochen removed their request for review March 13, 2023 09:39
@daniel-weisse daniel-weisse force-pushed the feat/attestation/maa-fallback branch 2 times, most recently from 990cb4d to eee1dcf Compare March 14, 2023 11:22
@daniel-weisse
Copy link
Member Author

Did a bunch of manual testing, but there is also this e2e test: https://github.com/edgelesssys/constellation/actions/runs/4417455739
It doesnt cover actually using the MAA fallback, but should make sure the new configs are set correctly.
For manual testing, one has to set the constellation-maa-url tag to the url of a MAA provider manually (at least until the changes from #1409 are in main)

thomasten
thomasten reviewed Mar 19, 2023
View reviewed changes
cli/internal/cloudcmd/validators.go Outdated Show resolved Hide resolved
internal/attestation/idkeydigest/idkeydigest.go Outdated Show resolved Hide resolved
internal/cloud/azure/imds.go Outdated Show resolved Hide resolved
internal/cloud/azure/imds.go Show resolved Hide resolved
internal/watcher/validator.go Show resolved Hide resolved
@daniel-weisse daniel-weisse force-pushed the feat/attestation/maa-fallback branch 3 times, most recently from 742a421 to 05485cb Compare March 20, 2023 15:15
derpsteb
derpsteb requested changes Mar 21, 2023
View reviewed changes
internal/config/config.go Show resolved Hide resolved
daniel-weisse and others added 16 commits March 21, 2023 11:42
@daniel-weisse
Convert enforceIDKeyDigest setting to enum
e429e39 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Use MAA fallback in Azure SNP attestation
89fb35e 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Log MAA fallback attempts
05416ba 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Regenerate bazel files
d84064d 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
[wip] refactor MAA usage
b433898 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
More context
8fc3357 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
[wip] maa url selection
d3c8611 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Wrap ID key digest configuration
0a04b1d 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Fix idKeyDigest and MAA URL
5b4b448 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
[no ci] update container image
e93ee9a 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Fix idKey warning in create
2cbb29c 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@thomasten @daniel-weisse
Use maa.NewParameters
09a829a
@daniel-weisse
Apply suggestions
6b83ddb 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Only create MAA provider if MAA fallback is enabled
453e720 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Fix TODOs
165a025 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
[no ci] update join-service image
cbe07d1 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
[no ci] revert image
09ec59f 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse daniel-weisse changed the title attestation: MAA fallback attestation: add option for MAA fallback to verify azure's snp-sev id key digest Mar 21, 2023
@daniel-weisse daniel-weisse merged commit 5a0234b into main Mar 21, 2023
@daniel-weisse daniel-weisse deleted the feat/attestation/maa-fallback branch March 21, 2023 11:46
@katexochen katexochen changed the title attestation: add option for MAA fallback to verify azure's snp-sev id key digest attestation: add options to the EnforceIDKeyDigest config field to enable Microsoft Azure Attestation fallback when verifying AMD SNP-SEV id key digest Apr 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derpsteb derpsteb derpsteb approved these changes

@thomasten thomasten thomasten approved these changes

@3u13r 3u13r Awaiting requested review from 3u13r 3u13r is a code owner

@malt3 malt3 Awaiting requested review from malt3

Assignees
No one assigned
Labels
feature This introduces new functionality
Projects
None yet
Milestone
v2.7.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@daniel-weisse @malt3 @derpsteb @thomasten