Documentation ¶
Overview ¶
Measurements ¶
Defines default expected measurements for the current release, as well as functions for comparing, updating and marshalling measurements.
This package should not include TPM-specific code.
Index ¶
- Constants
- type ImageMeasurementsV2
- type ImageMeasurementsV2Entry
- type M
- func (m *M) Copy() M
- func (m *M) CopyFrom(other M)
- func (m *M) EqualTo(other M) bool
- func (m *M) FetchAndVerify(ctx context.Context, client *http.Client, verifier cosignVerifier, ...) (string, error)
- func (m *M) FetchNoVerify(ctx context.Context, client *http.Client, measurementsURL *url.URL, ...) error
- func (m *M) GetEnforced() []uint32
- func (m M) MarshalYAML() (any, error)
- func (m *M) SetEnforced(enforced []uint32) error
- func (m *M) UnmarshalJSON(b []byte) error
- func (m *M) UnmarshalYAML(unmarshal func(any) error) error
- type Measurement
- type MeasurementValidationOption
Constants ¶
const (
	// PCRIndexClusterID is a PCR we extend to mark the node as initialized.
	// The value used to extend is a randomly generated 32-byte value.
	PCRIndexClusterID = tpmutil.Handle(15)
	// PCRIndexOwnerID is a PCR we extend to mark the node as initialized.
	// The value used to extend is derived from Constellation's master key.
	// TODO(daniel-weisse): move to stable, non-debug PCR before use.
	PCRIndexOwnerID = tpmutil.Handle(16)
	// TDXIndexClusterID is the measurement used to mark the node as initialized.
	// The value is the index of the RTMR + 1, since index 0 of the TDX measurements is reserved for MRTD.
	TDXIndexClusterID = RTMRIndexClusterID + 1
	// RTMRIndexClusterID is the RTMR we extend to mark the node as initialized.
	RTMRIndexClusterID = 2
	// PCRMeasurementLength holds the length for valid PCR measurements (SHA256).
	PCRMeasurementLength = 32
	// TDXMeasurementLength holds the length for valid TDX measurements (SHA384).
	TDXMeasurementLength = 48
)
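The constants above describe two register families with different hash widths and a PCR (15) that is extended with a random value after the node is initialized. The example below is added here to make the consequence concrete; it is not code from the measurements package. It models the generic TPM 2.0 SHA-256 extend rule (new = SHA256(old || digest)) and the TDX RTMR SHA-384 rule (new = SHA384(old || data)), and assumes the 32-byte random value is passed to the TPM as the SHA-256 digest argument, which the page does not state. The "random" input is a constructed fixed byte string.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
)

// Same values as the package constants above.
const (
	PCRMeasurementLength = 32
	TDXMeasurementLength = 48
	RTMRIndexClusterID   = 2
	TDXIndexClusterID    = RTMRIndexClusterID + 1
	PCRIndexClusterID    = 15
)

// PCRExtend models TPM2_PCR_Extend on a SHA-256 bank: new = SHA256(old || digest).
// A TPM only accepts a digest of the bank's hash size, hence the 32-byte array.
func PCRExtend(old, digest [PCRMeasurementLength]byte) [PCRMeasurementLength]byte {
	return sha256.Sum256(append(old[:], digest[:]...))
}

// RTMRExtend models the TDX runtime measurement register update:
// new = SHA384(old || data), with 48-byte register and input.
func RTMRExtend(old, data [TDXMeasurementLength]byte) [TDXMeasurementLength]byte {
	return sha512.Sum384(append(old[:], data[:]...))
}

// TDXIndexForRTMR maps an RTMR number to its position in the TDX measurement
// list, where index 0 is MRTD and RTMR n sits at n+1.
func TDXIndexForRTMR(rtmr uint32) uint32 {
	return rtmr + 1
}

// ClusterIDAfterInit returns the value PCR 15 takes when a freshly booted node
// (register still all zero) is extended once with clusterID.
func ClusterIDAfterInit(clusterID [PCRMeasurementLength]byte) [PCRMeasurementLength]byte {
	var fresh [PCRMeasurementLength]byte // SHA-256 PCRs start at zero after reset
	return PCRExtend(fresh, clusterID)
}

func main() {
	// Constructed stand-ins for two random cluster IDs; real ones come from a CSPRNG.
	idA := [PCRMeasurementLength]byte{0x01, 0x02, 0x03}
	idB := [PCRMeasurementLength]byte{0x01, 0x02, 0x04}

	// Two clusters with different IDs end up with different PCR 15 values, so a
	// release cannot ship a fixed expected value for this register.
	fmt.Printf("PCR %d after init (cluster A): %x\n", PCRIndexClusterID, ClusterIDAfterInit(idA))
	fmt.Printf("PCR %d after init (cluster B): %x\n", PCRIndexClusterID, ClusterIDAfterInit(idB))

	// The same marker on TDX lives in RTMR 2, which is TDX measurement index 3.
	var rtmr [TDXMeasurementLength]byte
	var data [TDXMeasurementLength]byte
	copy(data[:], idA[:])
	fmt.Printf("RTMR %d (TDX index %d) after init: %x\n",
		RTMRIndexClusterID, TDXIndexForRTMR(RTMRIndexClusterID), RTMRExtend(rtmr, data))
}
```

Because the extend is a chained hash, the only way to reproduce a node's PCR 15 or RTMR 2 value is to know the value it was extended with; this is why those registers are marked at init time rather than carried as release defaults.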
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ImageMeasurementsV2 ¶ added in v2.8.0
type ImageMeasurementsV2 struct {
	Version string                     `json:"version" yaml:"version"`
	Ref     string                     `json:"ref" yaml:"ref"`
	Stream  string                     `json:"stream" yaml:"stream"`
	List    []ImageMeasurementsV2Entry `json:"list" yaml:"list"`
}
ImageMeasurementsV2 is a struct to hold measurements for a specific image. .List contains measurements for all variants of the image.
func MergeImageMeasurementsV2 ¶ added in v2.8.0
func MergeImageMeasurementsV2(measurements ...ImageMeasurementsV2) (ImageMeasurementsV2, error)
MergeImageMeasurementsV2 combines the image measurement entries from multiple sources into a single ImageMeasurementsV2 object.
type ImageMeasurementsV2Entry ¶ added in v2.8.0
type ImageMeasurementsV2Entry struct {
	CSP                cloudprovider.Provider `json:"csp" yaml:"csp"`
	AttestationVariant string                 `json:"attestationVariant" yaml:"attestationVariant"`
	Measurements       M                      `json:"measurements" yaml:"measurements"`
}
ImageMeasurementsV2Entry is a struct to hold measurements for one variant of a specific image.
type M ¶
type M map[uint32]Measurement
M maps a register index to its expected Measurement: a Platform Configuration Register (PCR) index for vTPM-based attestation, or a TDX measurement index (0 for MRTD, RTMR n at index n+1) for TDX.
func DefaultsFor ¶
func DefaultsFor(provider cloudprovider.Provider, attestationVariant variant.Variant) M
DefaultsFor provides the default measurements for the given cloud provider and attestation variant.
func (*M) CopyFrom ¶
CopyFrom copies all values from other into m, overwriting values for indices present in other and leaving indices not present in other untouched.
func (*M) EqualTo ¶
EqualTo tests whether the provided other Measurements are equal to these measurements.
func (*M) FetchAndVerify ¶
func (m *M) FetchAndVerify(
	ctx context.Context,
	client *http.Client,
	verifier cosignVerifier,
	measurementsURL, signatureURL *url.URL,
	version versionsapi.Version,
	csp cloudprovider.Provider,
	attestationVariant variant.Variant,
) (string, error)
FetchAndVerify fetches the measurements and signature files from the provided URLs, using client for download, and checks the signature with verifier before accepting the measurements. The hash of the fetched measurements is returned.
func (*M) FetchNoVerify ¶ added in v2.8.0
func (m *M) FetchNoVerify(
	ctx context.Context,
	client *http.Client,
	measurementsURL *url.URL,
	version versionsapi.Version,
	csp cloudprovider.Provider,
	attestationVariant variant.Variant,
) error
FetchNoVerify fetches measurements from the provided URL, using client for download. The measurements are not signature-verified, so the caller must trust the source or verify them separately.
func (*M) GetEnforced ¶
GetEnforced returns a list of all enforced Measurements, i.e. all Measurements that are not marked as WarnOnly.
func (M) MarshalYAML ¶
MarshalYAML returns the YAML encoding of m.
func (*M) SetEnforced ¶
SetEnforced sets the WarnOnly flag to true for all Measurements that are NOT included in the provided list of enforced measurements.
func (*M) UnmarshalJSON ¶ added in v2.8.0
UnmarshalJSON unmarshals measurements from json. This function enforces all measurements to be of equal length.
type Measurement ¶
type Measurement struct {
	// Expected measurement value.
	// 32 bytes for vTPM attestation, 48 for TDX.
	Expected []byte `json:"expected" yaml:"expected"`
	// ValidationOpt indicates how measurement mismatches should be handled.
	ValidationOpt MeasurementValidationOption `json:"warnOnly" yaml:"warnOnly"`
}
Measurement wraps an expected register value and whether it is enforced.
func PlaceHolderMeasurement ¶
func PlaceHolderMeasurement(len int) Measurement
PlaceHolderMeasurement returns a measurement with placeholder values for Expected.
func WithAllBytes ¶
func WithAllBytes(b byte, validationOpt MeasurementValidationOption, len int) Measurement
WithAllBytes returns a measurement value where all bytes are set to b. Takes a dynamic length as input. Expected values are either 32 bytes (PCRMeasurementLength) or 48 bytes (TDXMeasurementLength). Other lengths are accepted by this function but may be rejected elsewhere.
func (Measurement) MarshalJSON ¶
func (m Measurement) MarshalJSON() ([]byte, error)
MarshalJSON writes out a Measurement with Expected encoded as a hex string.
func (Measurement) MarshalYAML ¶
func (m Measurement) MarshalYAML() (any, error)
MarshalYAML writes out a Measurement with Expected encoded as a hex string.
func (*Measurement) UnmarshalJSON ¶
func (m *Measurement) UnmarshalJSON(b []byte) error
UnmarshalJSON reads a Measurement either as json object, or as a simple hex or base64 encoded string.
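The two decoding rules described on this page, M.UnmarshalJSON rejecting documents whose entries differ in length and Measurement.UnmarshalJSON accepting either an object or a bare hex/base64 string, are shown together in the following standalone Go program. It is an added example that re-implements those rules for illustration and is not the package's own code. Two details are assumptions not stated on the page: hex is tried before base64, and a bare string is treated as enforced. The JSON documents are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Valid lengths, as in the measurements package: SHA-256 PCRs and SHA-384 TDX registers.
const (
	PCRMeasurementLength = 32
	TDXMeasurementLength = 48
)

// Measurement is a stand-in for the package's type: expected value plus warn-only flag.
type Measurement struct {
	Expected []byte
	WarnOnly bool
}

// M maps a register index to its expected Measurement.
type M map[uint32]Measurement

// decodeValue tries hex first and falls back to base64 (assumed order).
func decodeValue(s string) ([]byte, error) {
	if b, err := hex.DecodeString(s); err == nil {
		return b, nil
	}
	if b, err := base64.StdEncoding.DecodeString(s); err == nil {
		return b, nil
	}
	return nil, fmt.Errorf("value %q is neither hex nor base64", s)
}

// set decodes and length-checks an encoded value before storing it.
func (m *Measurement) set(encoded string, warnOnly bool) error {
	v, err := decodeValue(encoded)
	if err != nil {
		return err
	}
	if len(v) != PCRMeasurementLength && len(v) != TDXMeasurementLength {
		return fmt.Errorf("measurement has %d bytes, want %d or %d",
			len(v), PCRMeasurementLength, TDXMeasurementLength)
	}
	m.Expected = v
	m.WarnOnly = warnOnly
	return nil
}

// UnmarshalJSON accepts {"expected": "<hex|base64>", "warnOnly": bool} or a
// bare encoded string. A bare string is treated as enforced (assumption).
func (m *Measurement) UnmarshalJSON(b []byte) error {
	var obj struct {
		Expected string `json:"expected"`
		WarnOnly bool   `json:"warnOnly"`
	}
	if err := json.Unmarshal(b, &obj); err == nil {
		return m.set(obj.Expected, obj.WarnOnly)
	}
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return fmt.Errorf("measurement is neither an object nor a string: %w", err)
	}
	return m.set(s, false)
}

// UnmarshalJSON decodes the index -> measurement map and rejects a document
// that mixes 32-byte and 48-byte values, mirroring the package's rule.
func (m *M) UnmarshalJSON(b []byte) error {
	var raw map[uint32]Measurement // underlying type, so no recursion into this method
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	want := -1
	for idx, meas := range raw {
		if want == -1 {
			want = len(meas.Expected)
		} else if len(meas.Expected) != want {
			return fmt.Errorf("measurement %d has %d bytes, others have %d", idx, len(meas.Expected), want)
		}
	}
	*m = raw
	return nil
}

// ParseMeasurements decodes a whole measurements document.
func ParseMeasurements(b []byte) (M, error) {
	var m M
	if err := json.Unmarshal(b, &m); err != nil {
		return nil, err
	}
	return m, nil
}

// SampleJSON is a constructed document mixing all accepted forms; every value is 32 bytes.
func SampleJSON() []byte {
	b64 := base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{0x01}, PCRMeasurementLength))
	return []byte(fmt.Sprintf(`{
  "0": {"expected": "%s", "warnOnly": true},
  "4": "%s",
  "8": {"expected": "%s", "warnOnly": false}
}`, strings.Repeat("00", PCRMeasurementLength), strings.Repeat("aa", PCRMeasurementLength), b64))
}

// MixedJSON is a constructed document with a PCR-sized and a TDX-sized entry; it must be rejected.
func MixedJSON() []byte {
	return []byte(fmt.Sprintf(`{"0": "%s", "1": "%s"}`,
		strings.Repeat("00", PCRMeasurementLength), strings.Repeat("00", TDXMeasurementLength)))
}

func main() {
	m, err := ParseMeasurements(SampleJSON())
	fmt.Println("sample:", len(m), "entries, err:", err)
	_, err = ParseMeasurements(MixedJSON())
	fmt.Println("mixed lengths rejected:", err != nil)
}
```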
func (*Measurement) UnmarshalYAML ¶
func (m *Measurement) UnmarshalYAML(unmarshal func(any) error) error
UnmarshalYAML reads a Measurement either as yaml object, or as a simple hex or base64 encoded string.
type MeasurementValidationOption ¶ added in v2.7.0
type MeasurementValidationOption bool
MeasurementValidationOption indicates how measurement mismatches should be handled.
const (
	// WarnOnly will only result in a warning in case of a mismatching measurement.
	WarnOnly MeasurementValidationOption = true
	// Enforce will result in an error in case of a mismatching measurement, and operation will be aborted.
	Enforce MeasurementValidationOption = false
)
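How WarnOnly and Enforce change the outcome of a comparison, together with the SetEnforced/GetEnforced semantics described above, is shown in this added standalone example. It is illustration code, not the package's own implementation: Compare is a hypothetical comparison routine written here, and two SetEnforced details are assumptions the page does not state (listed indices are set to Enforce, and listing an index that is not present is an error). The register values are constructed; the all-0xff value stands in for the random cluster ID extended into PCR 15.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// MeasurementValidationOption mirrors the package's bool-typed option.
type MeasurementValidationOption bool

const (
	WarnOnly MeasurementValidationOption = true
	Enforce  MeasurementValidationOption = false
)

type Measurement struct {
	Expected      []byte
	ValidationOpt MeasurementValidationOption
}

type M map[uint32]Measurement

// Mismatch records one register whose attested value differs from the expected one.
type Mismatch struct {
	Index    uint32
	Expected []byte
	Actual   []byte // nil when the register is absent from the attestation
}

func (mm Mismatch) String() string {
	return fmt.Sprintf("register %d: expected %x, got %x", mm.Index, mm.Expected, mm.Actual)
}

func sortedIndices(m M) []uint32 {
	idx := make([]uint32, 0, len(m))
	for i := range m {
		idx = append(idx, i)
	}
	sort.Slice(idx, func(a, b int) bool { return idx[a] < idx[b] })
	return idx
}

// Compare checks attested register values against expected measurements.
// A mismatch or an absent register on an Enforce entry is an error; on a
// WarnOnly entry it is only a warning. Registers not listed in expected are ignored.
func Compare(expected M, actual map[uint32][]byte) (warnings, errs []Mismatch) {
	for _, idx := range sortedIndices(expected) {
		want := expected[idx]
		got, ok := actual[idx]
		if ok && bytes.Equal(want.Expected, got) {
			continue
		}
		mm := Mismatch{Index: idx, Expected: want.Expected, Actual: got}
		if want.ValidationOpt == WarnOnly {
			warnings = append(warnings, mm)
		} else {
			errs = append(errs, mm)
		}
	}
	return warnings, errs
}

// GetEnforced returns the sorted indices of all measurements not marked WarnOnly.
func (m M) GetEnforced() []uint32 {
	var out []uint32
	for _, idx := range sortedIndices(m) {
		if m[idx].ValidationOpt == Enforce {
			out = append(out, idx)
		}
	}
	return out
}

// SetEnforced marks every measurement not in enforced as WarnOnly. Listed
// indices become Enforce and an unknown index is an error (both assumptions).
func (m M) SetEnforced(enforced []uint32) error {
	for _, idx := range enforced {
		if _, ok := m[idx]; !ok {
			return fmt.Errorf("cannot enforce measurement %d: not present", idx)
		}
	}
	keep := map[uint32]bool{}
	for _, idx := range enforced {
		keep[idx] = true
	}
	for idx, meas := range m {
		if keep[idx] {
			meas.ValidationOpt = Enforce
		} else {
			meas.ValidationOpt = WarnOnly
		}
		m[idx] = meas
	}
	return nil
}

// SampleRegisters builds constructed expected measurements and attested values:
// PCR 0 matches, PCR 4 (enforced) and PCR 8 (warn-only) differ, and PCR 15 holds
// a stand-in for the random cluster ID, which a release cannot predict.
func SampleRegisters() (M, map[uint32][]byte) {
	fill := func(b byte) []byte { return bytes.Repeat([]byte{b}, 32) }
	expected := M{
		0:  {Expected: fill(0x11), ValidationOpt: Enforce},
		4:  {Expected: fill(0x44), ValidationOpt: Enforce},
		8:  {Expected: fill(0x88), ValidationOpt: WarnOnly},
		15: {Expected: fill(0x00), ValidationOpt: WarnOnly},
	}
	actual := map[uint32][]byte{0: fill(0x11), 4: fill(0x45), 8: fill(0x89), 15: fill(0xff)}
	return expected, actual
}

func main() {
	expected, actual := SampleRegisters()
	warnings, errs := Compare(expected, actual)
	fmt.Println("warnings:", warnings)
	fmt.Println("errors:  ", errs) // PCR 4 aborts the operation
	_ = expected.SetEnforced([]uint32{0})
	fmt.Println("enforced after SetEnforced([0]):", expected.GetEnforced())
}
```

Relaxing an enforced register to WarnOnly makes a mismatch there disappear from the error list, so SetEnforced directly weakens the attestation policy; a practitioner should treat the output of GetEnforced as the policy actually in force, not the defaults shipped with the release.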