[launcher] Support TDX RTMR based attestation in launcher #478
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jkl73
force-pushed
the
tdxrmtr
branch
4 times, most recently
from
c75591b
to
b9c1240
Compare
|
/gcbrun |
|
/gcbrun |
|
/gcbrun |
jkl73
force-pushed
the
tdxrmtr
branch
2 times, most recently
from
a3066ba
to
cf3b63c
Compare
|
/gcbrun |
jkl73
force-pushed
the
tdxrmtr
branch
3 times, most recently
from
9df421f
to
7244331
Compare
|
/gcbrun |
jkl73
force-pushed
the
tdxrmtr
branch
6 times, most recently
from
6307fc9
to
952db42
Compare
|
/gcbrun |
jkl73
changed the title
qinkunbao
reviewed
Oct 9, 2024
qinkunbao
reviewed
Oct 9, 2024
|
/gcbrun |
alexmwu
requested changes
Oct 9, 2024
| // If an error is encountered in the process, return what has been constructed so far. | ||
| func (k *Key) getCertificateChain(client *http.Client) ([][]byte, error) { |
There was a problem hiding this comment.
don't export this. put this in internal somewhere and take a key.
func getCertificateChain(cert *x509.Certificate, client *http.Client) ([][]byte, error)
There was a problem hiding this comment.
moved to internal/cert.go
| @@ -7,7 +7,7 @@ require ( | |||
| github.com/google/go-attestation v0.5.1 | |||
| github.com/google/go-cmp v0.6.0 | |||
| github.com/google/go-configfs-tsm v0.3.3-0.20240910040719-1cc7e25d9272 | |||
| github.com/google/go-sev-guest v0.11.1 | |||
| github.com/google/go-sev-guest v0.11.2-0.20241009005433-de2ac900e958 | |||
yawangwang
reviewed
Oct 10, 2024
qinkunbao
reviewed
Oct 10, 2024
yawangwang
approved these changes
Oct 10, 2024
| @@ -1,7 +1,7 @@ | |||
| substitutions: | |||
| '_BASE_IMAGE': '' # an empty base image means the build will use the latest image in '_BASE_IMAGE_FAMILY' | |||
| '_BASE_IMAGE_FAMILY': 'cos-113-lts' # base image family | |||
| '_OUTPUT_IMAGE_PREFIX': 'confidential-space' | |||
| '_BASE_IMAGE_FAMILY': 'cos-tdx-113-lts' # base image family | |||
There was a problem hiding this comment.
nit: so I'm assuming cos-tdx-113-lts family will also work for SEV-based CS image?
There was a problem hiding this comment.
yes, it's SEV_CAPABLE as well
qinkunbao
approved these changes
Oct 10, 2024
|
/gcbrun |
Comment on lines
+213
to
+268
| type tpmAttestRoot struct { | ||
| tpmMu sync.Mutex | ||
| fetchedAK *client.Key | ||
| tpm io.ReadWriteCloser | ||
| } | ||
|
|
||
| func (t *tpmAttestRoot) Extend(c cel.Content, l *cel.CEL) error { | ||
| return l.AppendEventPCR(t.tpm, cel.CosEventPCR, defaultCELHashAlgo, c) | ||
| } | ||
|
|
||
| func (t *tpmAttestRoot) Attest(nonce []byte) (any, error) { | ||
| t.tpmMu.Lock() | ||
| defer t.tpmMu.Unlock() | ||
|
|
||
| return t.fetchedAK.Attest(client.AttestOpts{ | ||
| Nonce: nonce, | ||
| CertChainFetcher: http.DefaultClient, | ||
| }) | ||
| } | ||
|
|
||
| type tdxAttestRoot struct { | ||
| tdxMu sync.Mutex | ||
| qp *tg.LinuxConfigFsQuoteProvider | ||
| tsmClient configfsi.Client | ||
| } | ||
|
|
||
| func (t *tdxAttestRoot) Extend(c cel.Content, l *cel.CEL) error { | ||
| return l.AppendEventRTMR(t.tsmClient, cel.CosRTMR, c) | ||
| } | ||
|
|
||
| func (t *tdxAttestRoot) Attest(nonce []byte) (any, error) { | ||
| t.tdxMu.Lock() | ||
| defer t.tdxMu.Unlock() | ||
|
|
||
| var tdxNonce [tlabi.TdReportDataSize]byte | ||
| copy(tdxNonce[:], nonce) | ||
|
|
||
| rawQuote, err := tg.GetRawQuote(t.qp, tdxNonce) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| ccelData, err := os.ReadFile("/sys/firmware/acpi/tables/data/CCEL") | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| ccelTable, err := os.ReadFile("/sys/firmware/acpi/tables/CCEL") | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return &verifier.TDCCELAttestation{ | ||
| CcelAcpiTable: ccelTable, | ||
| CcelData: ccelData, | ||
| TdQuote: rawQuote, | ||
| }, nil |
There was a problem hiding this comment.
Should these live in attest.go instead of here?
There was a problem hiding this comment.
No. Really most of this should belong in go-tdx-guest, but it's okay to be here for now.
alexmwu
approved these changes
Oct 10, 2024
Comment on lines
-82
to
-84
| if: (runner.os == 'Linux' || runner.os == 'macOS') && matrix.architecture == 'x64' | ||
| - name: Test all modules | ||
| run: go test -v ./... ./cmd/... ./launcher/... ./verifier/... -skip='TestCacheConcurrentSetGet|TestHwAttestationPass|TestHardwareAttestationPass' |
There was a problem hiding this comment.
Why do we need this change?
There was a problem hiding this comment.
launcher now depends on LinuxConfigFsQuoteProvider (which is in tdxAttestRoot). Which can be only complied on Linux. So trying to compile launcher on mac will fail
Comment on lines
+213
to
+268
| type tpmAttestRoot struct { | ||
| tpmMu sync.Mutex | ||
| fetchedAK *client.Key | ||
| tpm io.ReadWriteCloser | ||
| } | ||
|
|
||
| func (t *tpmAttestRoot) Extend(c cel.Content, l *cel.CEL) error { | ||
| return l.AppendEventPCR(t.tpm, cel.CosEventPCR, defaultCELHashAlgo, c) | ||
| } | ||
|
|
||
| func (t *tpmAttestRoot) Attest(nonce []byte) (any, error) { | ||
| t.tpmMu.Lock() | ||
| defer t.tpmMu.Unlock() | ||
|
|
||
| return t.fetchedAK.Attest(client.AttestOpts{ | ||
| Nonce: nonce, | ||
| CertChainFetcher: http.DefaultClient, | ||
| }) | ||
| } | ||
|
|
||
| type tdxAttestRoot struct { | ||
| tdxMu sync.Mutex | ||
| qp *tg.LinuxConfigFsQuoteProvider | ||
| tsmClient configfsi.Client | ||
| } | ||
|
|
||
| func (t *tdxAttestRoot) Extend(c cel.Content, l *cel.CEL) error { | ||
| return l.AppendEventRTMR(t.tsmClient, cel.CosRTMR, c) | ||
| } | ||
|
|
||
| func (t *tdxAttestRoot) Attest(nonce []byte) (any, error) { | ||
| t.tdxMu.Lock() | ||
| defer t.tdxMu.Unlock() | ||
|
|
||
| var tdxNonce [tlabi.TdReportDataSize]byte | ||
| copy(tdxNonce[:], nonce) | ||
|
|
||
| rawQuote, err := tg.GetRawQuote(t.qp, tdxNonce) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| ccelData, err := os.ReadFile("/sys/firmware/acpi/tables/data/CCEL") | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| ccelTable, err := os.ReadFile("/sys/firmware/acpi/tables/CCEL") | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return &verifier.TDCCELAttestation{ | ||
| CcelAcpiTable: ccelTable, | ||
| CcelData: ccelData, | ||
| TdQuote: rawQuote, | ||
| }, nil |
There was a problem hiding this comment.
No. Really most of this should belong in go-tdx-guest, but it's okay to be here for now.
Comment on lines
+255
to
+259
| ccelData, err := os.ReadFile("/sys/firmware/acpi/tables/data/CCEL") | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| ccelTable, err := os.ReadFile("/sys/firmware/acpi/tables/CCEL") |
There was a problem hiding this comment.
I am surprised there's no utilities for this in go-tdx-guest. There should be.
There was a problem hiding this comment.
noted google/go-tdx-guest#53
| @@ -21,7 +21,7 @@ steps: | |||
| if [ -z ${base_image} ] | |||
| then | |||
| echo "getting the latest COS image" | |||
| base_image=$(gcloud compute images describe-from-family ${BASE_IMAGE_FAMILY} --project cos-cloud | grep name | cut -d ' ' -f 2) | |||
| base_image=$(gcloud compute images describe-from-family ${BASE_IMAGE_FAMILY} --project confidential-vm-images | grep name | cut -d ' ' -f 2) | |||
There was a problem hiding this comment.
Why are we changing the project?
There was a problem hiding this comment.
COS TDX_capable images are not released in regular cos-cloud project
JoshuaKrstic
approved these changes
Oct 10, 2024
Allow a TDX machine to create a TD quote and request a hardware rooted attestation from the attestation verifier. ./launcher ci will now only run in linux. Upgrade go-sev-guest. Signed-off-by: Jiankun Lu <jiankun@google.com>
|
/gcbrun |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow a TDX machine to create a TD quote and request a hardware rooted attestation from the attestation verifier.
./launcher ci will now only run in linux. (because launcher now depends on *tg.LinuxConfigFsQuoteProvider which only presents in linux)