diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go index 6099c2dac5..3a5a8913e7 100644 --- a/cli/cmd/generate.go +++ b/cli/cmd/generate.go @@ -25,8 +25,7 @@ import ( "github.com/edgelesssys/contrast/internal/embedbin" "github.com/edgelesssys/contrast/internal/kuberesource" "github.com/edgelesssys/contrast/internal/manifest" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" applyappsv1 "k8s.io/client-go/applyconfigurations/apps/v1" applycorev1 "k8s.io/client-go/applyconfigurations/core/v1" @@ -122,7 +121,7 @@ func runGenerate(cmd *cobra.Command, args []string) error { } } - runtimeHandler, err := runtimehandler.Name(flags.referenceValuesPlatform) + runtimeHandler, err := platforms.RuntimeHandler(flags.referenceValuesPlatform) if err != nil { return fmt.Errorf("get runtime handler: %w", err) } @@ -394,7 +393,7 @@ func addWorkloadOwnerKeyToManifest(manifst *manifest.Manifest, keyPath string) e } hash := sha256.Sum256(publicKey) - hashString := manifest.NewHexString(hash[:]) + hashString := platforms.NewHexString(hash[:]) for _, existingHash := range manifst.WorkloadOwnerKeyDigests { if existingHash == hashString { return nil diff --git a/cli/cmd/policies.go b/cli/cmd/policies.go index 3245e21ea5..6100384ad4 100644 --- a/cli/cmd/policies.go +++ b/cli/cmd/policies.go @@ -11,6 +11,7 @@ import ( "github.com/edgelesssys/contrast/internal/kubeapi" "github.com/edgelesssys/contrast/internal/manifest" + "github.com/edgelesssys/contrast/platforms" ) func policiesFromKubeResources(yamlPaths []string) ([]deployment, error) { 
@@ -76,8 +77,8 @@ func policiesFromKubeResources(yamlPaths []string) ([]deployment, error) { return deployments, nil } -func manifestPolicyMapFromPolicies(policies []deployment) (map[manifest.HexString][]string, error) { - policyHashes := make(map[manifest.HexString][]string) +func manifestPolicyMapFromPolicies(policies []deployment) (map[platforms.HexString][]string, error) { + policyHashes := make(map[platforms.HexString][]string) for _, depl := range policies { if existingNames, ok := policyHashes[depl.policy.Hash()]; ok { if slices.Equal(existingNames, depl.DNSNames()) { @@ -91,7 +92,7 @@ func manifestPolicyMapFromPolicies(policies []deployment) (map[manifest.HexStrin return policyHashes, nil } -func checkPoliciesMatchManifest(policies []deployment, policyHashes map[manifest.HexString][]string) error { +func checkPoliciesMatchManifest(policies []deployment, policyHashes map[platforms.HexString][]string) error { if len(policies) != len(policyHashes) { return fmt.Errorf("policy count mismatch: %d policies in deployment, but %d in manifest", len(policies), len(policyHashes)) diff --git a/cli/cmd/verify.go b/cli/cmd/verify.go index adb06568c5..19caffa37a 100644 --- a/cli/cmd/verify.go +++ b/cli/cmd/verify.go @@ -19,6 +19,7 @@ import ( "github.com/edgelesssys/contrast/internal/logger" "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/userapi" + "github.com/edgelesssys/contrast/platforms" "github.com/spf13/cobra" ) @@ -114,7 +115,7 @@ func runVerify(cmd *cobra.Command, _ []string) error { } for _, p := range resp.Policies { sha256sum := sha256.Sum256(p) - pHash := manifest.NewHexString(sha256sum[:]) + pHash := platforms.NewHexString(sha256sum[:]) filelist[fmt.Sprintf("policy.%s.rego", pHash)] = p } if err := writeFilelist(filepath.Join(flags.workspaceDir, verifyDir), filelist); err != nil { diff --git a/cli/main.go b/cli/main.go index cba4ba38cb..04991b2a7e 100644 --- a/cli/main.go +++ b/cli/main.go 
@@ -14,7 +14,7 @@ import ( "github.com/edgelesssys/contrast/cli/cmd" "github.com/edgelesssys/contrast/internal/constants" - "github.com/edgelesssys/contrast/internal/manifest" + "github.com/edgelesssys/contrast/platforms" "github.com/spf13/cobra" ) @@ -43,7 +43,7 @@ func buildVersionString() string { fmt.Fprintf(versionsWriter, "\t%s\n", image) } } - if refValues, err := json.MarshalIndent(manifest.EmbeddedReferenceValues(), "\t", " "); err == nil { + if refValues, err := json.MarshalIndent(platforms.EmbeddedReferenceValues(), "\t", " "); err == nil { fmt.Fprintf(versionsWriter, "embedded reference values:\t%s\n", refValues) } fmt.Fprintf(versionsWriter, "genpolicy version:\t%s\n", constants.GenpolicyVersion) diff --git a/coordinator/internal/authority/authority.go b/coordinator/internal/authority/authority.go index d6435f9130..e23c04ad07 100644 --- a/coordinator/internal/authority/authority.go +++ b/coordinator/internal/authority/authority.go @@ -22,6 +22,7 @@ import ( "github.com/edgelesssys/contrast/internal/ca" "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/userapi" + "github.com/edgelesssys/contrast/platforms" "github.com/google/go-sev-guest/proto/sevsnp" "github.com/google/go-sev-guest/validate" "github.com/prometheus/client_golang/prometheus" @@ -89,7 +90,7 @@ func (m *Authority) SNPValidateOpts(report *sevsnp.Report) (*validate.Options, e } mnfst := state.manifest - hostData := manifest.NewHexString(report.HostData) + hostData := platforms.NewHexString(report.HostData) if _, ok := mnfst.Policies[hostData]; !ok { return nil, fmt.Errorf("hostdata %s not found in manifest", hostData) } 
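Review bot: `buildVersionString` still discards the error from `json.MarshalIndent(platforms.EmbeddedReferenceValues(), ...)`, so when marshalling fails the "embedded reference values" line is silently absent from the version output; since operators use that output to confirm what a given binary will trust, the failure should be visible rather than omitted. Turning the `err == nil` guard into `if refValues, err := json.MarshalIndent(...); err != nil { fmt.Fprintf(versionsWriter, "embedded reference values:\tunavailable: %v\n", err) } else { ... }` keeps the happy path unchanged. The rest of `buildVersionString` lies outside this hunk, so I cannot tell whether the marshal error is surfaced elsewhere.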
@@ -106,7 +107,7 @@ func (m *Authority) ValidateCallback(_ context.Context, report *sevsnp.Report, return ErrNoManifest } - hostData := manifest.NewHexString(report.HostData) + hostData := platforms.NewHexString(report.HostData) dnsNames, ok := state.manifest.Policies[hostData] if !ok { return fmt.Errorf("report data %s not found in manifest", hostData) diff --git a/coordinator/internal/authority/authority_test.go b/coordinator/internal/authority/authority_test.go index 3cb2ca6e83..fb597038ce 100644 --- a/coordinator/internal/authority/authority_test.go +++ b/coordinator/internal/authority/authority_test.go @@ -15,7 +15,7 @@ import ( "github.com/edgelesssys/contrast/coordinator/history" "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/userapi" - "github.com/edgelesssys/contrast/node-installer/platforms" + "github.com/edgelesssys/contrast/platforms" "github.com/google/go-sev-guest/proto/sevsnp" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/testutil" @@ -31,7 +31,7 @@ contrast_coordinator_manifest_generation %d ` ) -var keyDigest = manifest.HexString("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef") +var keyDigest = platforms.HexString("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef") func TestSNPValidateOpts(t *testing.T) { require := require.New(t) 
@@ -78,12 +78,12 @@ func newManifest(t *testing.T) (*manifest.Manifest, []byte, [][]byte) { t.Helper() policy := []byte("=== SOME REGO HERE ===") policyHash := sha256.Sum256(policy) - policyHashHex := manifest.NewHexString(policyHash[:]) + policyHashHex := platforms.NewHexString(policyHash[:]) mnfst, err := manifest.Default(platforms.AKSCloudHypervisorSNP) require.NoError(t, err) - mnfst.Policies = map[manifest.HexString][]string{policyHashHex: {"test"}} - mnfst.WorkloadOwnerKeyDigests = []manifest.HexString{keyDigest} + mnfst.Policies = map[platforms.HexString][]string{policyHashHex: {"test"}} + mnfst.WorkloadOwnerKeyDigests = []platforms.HexString{keyDigest} mnfstBytes, err := json.Marshal(mnfst) require.NoError(t, err) return mnfst, mnfstBytes, [][]byte{policy} diff --git a/coordinator/internal/authority/userapi.go b/coordinator/internal/authority/userapi.go index d8e2be8d07..6acc31f5e6 100644 --- a/coordinator/internal/authority/userapi.go +++ b/coordinator/internal/authority/userapi.go @@ -18,6 +18,7 @@ import ( "github.com/edgelesssys/contrast/internal/crypto" "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/userapi" + "github.com/edgelesssys/contrast/platforms" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials" "google.golang.org/grpc/peer" @@ -167,7 +168,7 @@ func (a *Authority) GetManifests(_ context.Context, _ *userapi.GetManifestsReque } var manifests [][]byte - policies := make(map[manifest.HexString][]byte) + policies := make(map[platforms.HexString][]byte) err := a.walkTransitions(state.latest.TransitionHash, func(_ [history.HashSize]byte, t *history.Transition) error { manifestBytes, err := a.hist.GetManifest(t.ManifestHash) if err != nil { diff --git a/coordinator/internal/authority/userapi_test.go b/coordinator/internal/authority/userapi_test.go index 07865f7ee1..cc7829bfdc 100644 --- a/coordinator/internal/authority/userapi_test.go +++ b/coordinator/internal/authority/userapi_test.go 
@@ -21,7 +21,7 @@ import ( "github.com/edgelesssys/contrast/coordinator/history" "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/userapi" - "github.com/edgelesssys/contrast/node-installer/platforms" + "github.com/edgelesssys/contrast/platforms" "github.com/prometheus/client_golang/prometheus" "github.com/spf13/afero" "github.com/stretchr/testify/assert" @@ -76,9 +76,9 @@ func TestManifestSet(t *testing.T) { "request without policies": { req: &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("a"): {"a1", "a2"}, - manifest.HexString("b"): {"b1", "b2"}, + m.Policies = map[platforms.HexString][]string{ + platforms.HexString("a"): {"a1", "a2"}, + platforms.HexString("b"): {"b1", "b2"}, } }), }, @@ -87,9 +87,9 @@ func TestManifestSet(t *testing.T) { "policy not in manifest": { req: &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[platforms.HexString][]string{ + platforms.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + platforms.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, } }), Policies: [][]byte{ 
@@ -103,9 +103,9 @@ func TestManifestSet(t *testing.T) { "valid manifest": { req: &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[platforms.HexString][]string{ + platforms.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + platforms.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, } }), Policies: [][]byte{ @@ -167,9 +167,9 @@ func TestManifestSet(t *testing.T) { req := &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[platforms.HexString][]string{ + platforms.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + platforms.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, } }), Policies: [][]byte{ 
@@ -226,9 +226,9 @@ func TestGetManifests(t *testing.T) { m, err := manifest.Default(platforms.AKSCloudHypervisorSNP) require.NoError(err) - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[platforms.HexString][]string{ + platforms.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + platforms.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, } manifestBytes, err := json.Marshal(m) require.NoError(err) @@ -320,7 +320,7 @@ func TestRecoveryFlow(t *testing.T) { seedShareOwnerKeyBytes := manifest.MarshalSeedShareOwnerKey(&seedShareOwnerKey.PublicKey) mnfst, _, policies := newManifest(t) - mnfst.SeedshareOwnerPubKeys = []manifest.HexString{seedShareOwnerKeyBytes} + mnfst.SeedshareOwnerPubKeys = []platforms.HexString{seedShareOwnerKeyBytes} manifestBytes, err := json.Marshal(mnfst) require.NoError(err) @@ -399,9 +399,9 @@ func TestUserAPIConcurrent(t *testing.T) { setReq := &userapi.SetManifestRequest{ Manifest: newManifestBytes(func(m *manifest.Manifest) { - m.Policies = map[manifest.HexString][]string{ - manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, - manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, + m.Policies = map[platforms.HexString][]string{ + platforms.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"}, + platforms.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"}, } }), Policies: [][]byte{ 
@@ -477,8 +477,8 @@ func manifestWithWorkloadOwnerKey(key *ecdsa.PrivateKey) (*manifest.Manifest, er return nil, err } ownerKeyHash := sha256.Sum256(pubKey) - ownerKeyHex := manifest.NewHexString(ownerKeyHash[:]) - m.WorkloadOwnerKeyDigests = []manifest.HexString{ownerKeyHex} + ownerKeyHex := platforms.NewHexString(ownerKeyHash[:]) + m.WorkloadOwnerKeyDigests = []platforms.HexString{ownerKeyHex} return m, nil } diff --git a/e2e/genpolicy/genpolicy_test.go b/e2e/genpolicy/genpolicy_test.go index f68c193955..7dce9affe1 100644 --- a/e2e/genpolicy/genpolicy_test.go +++ b/e2e/genpolicy/genpolicy_test.go @@ -19,8 +19,7 @@ import ( "github.com/edgelesssys/contrast/e2e/internal/contrasttest" "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kuberesource" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" "github.com/stretchr/testify/require" ) @@ -36,7 +35,7 @@ func TestGenpolicy(t *testing.T) { testCases := kuberesource.GenpolicyRegressionTests() - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) require.NoError(t, err) for name, deploy := range testCases { diff --git a/e2e/getdents/getdents_test.go b/e2e/getdents/getdents_test.go index 58d50d813a..8edb562c91 100644 --- a/e2e/getdents/getdents_test.go +++ b/e2e/getdents/getdents_test.go @@ -19,8 +19,7 @@ import ( "github.com/edgelesssys/contrast/e2e/internal/contrasttest" "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kuberesource" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" "github.com/stretchr/testify/require" ) 
@@ -39,7 +38,7 @@ func TestGetDEnts(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.GetDEnts() diff --git a/e2e/internal/contrasttest/contrasttest.go b/e2e/internal/contrasttest/contrasttest.go index 7742804ea9..2502dc3d55 100644 --- a/e2e/internal/contrasttest/contrasttest.go +++ b/e2e/internal/contrasttest/contrasttest.go @@ -22,7 +22,7 @@ import ( "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kubeapi" "github.com/edgelesssys/contrast/internal/kuberesource" - "github.com/edgelesssys/contrast/node-installer/platforms" + "github.com/edgelesssys/contrast/platforms" ksync "github.com/katexochen/sync/api/client" "github.com/spf13/cobra" "github.com/stretchr/testify/require" diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go index e0445ad5fb..30c1d9518d 100644 --- a/e2e/openssl/openssl_test.go +++ b/e2e/openssl/openssl_test.go @@ -21,8 +21,7 @@ import ( "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kuberesource" "github.com/edgelesssys/contrast/internal/manifest" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -48,7 +47,7 @@ func TestOpenSSL(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.OpenSSL() diff --git a/e2e/policy/policy_test.go b/e2e/policy/policy_test.go index c383f96efb..273d97058c 100644 
--- a/e2e/policy/policy_test.go +++ b/e2e/policy/policy_test.go @@ -21,8 +21,7 @@ import ( "github.com/edgelesssys/contrast/internal/kubeapi" "github.com/edgelesssys/contrast/internal/kuberesource" "github.com/edgelesssys/contrast/internal/manifest" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" "github.com/prometheus/common/expfmt" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -45,7 +44,7 @@ func TestPolicy(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.OpenSSL() diff --git a/e2e/servicemesh/servicemesh_test.go b/e2e/servicemesh/servicemesh_test.go index f19a83974f..a1ea8079d7 100644 --- a/e2e/servicemesh/servicemesh_test.go +++ b/e2e/servicemesh/servicemesh_test.go @@ -20,8 +20,7 @@ import ( "github.com/edgelesssys/contrast/e2e/internal/contrasttest" "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kuberesource" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -38,7 +37,7 @@ func TestIngressEgress(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.Emojivoto(kuberesource.ServiceMeshIngressEgress) diff --git a/go.mod b/go.mod index 49b540ed27..fdcb5b8367 100644 --- a/go.mod +++ b/go.mod 
@@ -4,17 +4,13 @@ go 1.22.0 toolchain go1.22.5 -replace ( - github.com/edgelesssys/contrast/node-installer => ./node-installer - // The upstream package has some stepping issues with Genoa: - // https://github.com/google/go-sev-guest/issues/115 - // https://github.com/google/go-sev-guest/issues/103 - github.com/google/go-sev-guest => github.com/edgelesssys/go-sev-guest v0.0.0-20240719074306-114f78ece7a7 -) +// The upstream package has some stepping issues with Genoa: +// https://github.com/google/go-sev-guest/issues/115 +// https://github.com/google/go-sev-guest/issues/103 +replace github.com/google/go-sev-guest => github.com/edgelesssys/go-sev-guest v0.0.0-20240719074306-114f78ece7a7 require ( filippo.io/keygen v0.0.0-20240718133620-7f162efbbd87 - github.com/edgelesssys/contrast/node-installer v0.0.0-20240711120720-005f613ddf37 github.com/google/go-github/v63 v63.0.0 github.com/google/go-sev-guest v0.11.1 github.com/google/go-tdx-guest v0.3.1 @@ -72,7 +68,6 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect diff --git a/go.sum b/go.sum index 39d6273616..be8e6fc495 100644 --- a/go.sum +++ b/go.sum 
@@ -101,8 +101,6 @@ github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= github.com/onsi/gomega v1.31.0 h1:54UJxxj6cPInHS3a35wm6BK/F9nHYueZ1NVujHDrnXE= github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk= -github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= -github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= @@ -125,12 +123,10 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go index 8cc64dfc27..ad806aa01e 100644 --- a/internal/kuberesource/parts.go +++ b/internal/kuberesource/parts.go @@ -7,8 +7,7 @@ import ( "fmt" "strconv" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" @@ -19,7 +18,7 @@ import ( // ContrastRuntimeClass creates a new RuntimeClassConfig. func ContrastRuntimeClass(platform platforms.Platform) (*RuntimeClassConfig, error) { - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) if err != nil { return nil, fmt.Errorf("getting default runtime handler: %w", err) } @@ -45,7 +44,7 @@ type NodeInstallerConfig struct { func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstallerConfig, error) { name := "contrast-node-installer" - runtimeHandler, err := runtimehandler.Name(platform) + runtimeHandler, err := platforms.RuntimeHandler(platform) if err != nil { return nil, fmt.Errorf("getting default runtime handler: %w", err) } diff --git a/internal/kuberesource/resourcegen/main.go b/internal/kuberesource/resourcegen/main.go index fd212fbc98..095b94c0ca 100644 --- a/internal/kuberesource/resourcegen/main.go +++ b/internal/kuberesource/resourcegen/main.go @@ -10,8 +10,7 @@ import ( "os" "github.com/edgelesssys/contrast/internal/kuberesource" - "github.com/edgelesssys/contrast/node-installer/platforms" - "github.com/edgelesssys/contrast/node-installer/runtimehandler" + "github.com/edgelesssys/contrast/platforms" ) func main() { 
@@ -37,7 +36,7 @@ func main() { log.Fatalf("Error parsing platform: %v", err) } - runtimeHandler, err = runtimehandler.Name(platform) + runtimeHandler, err = platforms.RuntimeHandler(platform) if err != nil { log.Fatalf("Error getting default runtime handler: %v", err) } diff --git a/internal/kuberesource/sets.go b/internal/kuberesource/sets.go index 3caa0f93e2..8678543415 100644 --- a/internal/kuberesource/sets.go +++ b/internal/kuberesource/sets.go @@ -6,7 +6,7 @@ package kuberesource import ( "fmt" - "github.com/edgelesssys/contrast/node-installer/platforms" + "github.com/edgelesssys/contrast/platforms" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" applyappsv1 "k8s.io/client-go/applyconfigurations/apps/v1" diff --git a/internal/manifest/constants.go b/internal/manifest/constants.go index b6230c2fdc..3a4638aa5f 100644 --- a/internal/manifest/constants.go +++ b/internal/manifest/constants.go 
@@ -4,48 +4,27 @@ package manifest import ( - "encoding/json" - "fmt" - - "github.com/edgelesssys/contrast/node-installer/platforms" + "github.com/edgelesssys/contrast/platforms" ) // Default returns a default manifest with reference values for the given platform. func Default(platform platforms.Platform) (*Manifest, error) { - refValues := setReferenceValuesIfUninitialized() + refValues := platforms.EmbeddedReferenceValues() mnfst := Manifest{} switch platform { case platforms.AKSCloudHypervisorSNP: return &Manifest{ - ReferenceValues: ReferenceValues{ + ReferenceValues: platforms.ReferenceValues{ AKS: refValues.AKS, }, }, nil case platforms.RKE2QEMUTDX, platforms.K3sQEMUTDX: return &Manifest{ - ReferenceValues: ReferenceValues{ + ReferenceValues: platforms.ReferenceValues{ BareMetalTDX: refValues.BareMetalTDX, }, }, nil } return &mnfst, nil } - -// EmbeddedReferenceValues returns the reference values embedded in the binary. -func EmbeddedReferenceValues() ReferenceValues { - return setReferenceValuesIfUninitialized() -} - -// EmbeddedReferenceValuesIfUninitialized returns the reference values embedded in the binary. -func setReferenceValuesIfUninitialized() ReferenceValues { - var embeddedReferenceValues *ReferenceValues - - if err := json.Unmarshal(EmbeddedReferenceValuesJSON, &embeddedReferenceValues); err != nil { - // As this relies on a constant, predictable value (i.e. the embedded JSON), which -- in a correctly built binary -- should - // unmarshal safely into the [ReferenceValues], it's acceptable to panic here. - panic(fmt.Errorf("failed to unmarshal embedded reference values: %w", err)) - } - - return *embeddedReferenceValues -} diff --git a/internal/manifest/crypto.go b/internal/manifest/crypto.go index f4077be311..cea6bfaa9b 100644 --- a/internal/manifest/crypto.go +++ b/internal/manifest/crypto.go 
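Review bot: `Default` still falls through to `return &mnfst, nil` for a platform that matches neither `case`, handing callers a manifest whose `platforms.ReferenceValues` is entirely zero-valued, and with `ReferenceValues.Validate` removed from this package in the same commit the only thing standing between that and an accepted manifest is whatever the unseen `platforms` package now does. Making the unsupported-platform case explicit here is cheap: a `default: return nil, fmt.Errorf("unsupported platform %v", platform)` arm (restoring the `"fmt"` import this hunk drops) after which the `mnfst` local is no longer needed. The removed `setReferenceValuesIfUninitialized` deliberately panicked on malformed embedded JSON; the `platforms` package is not part of this diff, so whether `platforms.EmbeddedReferenceValues` keeps that fail-closed behaviour or quietly returns a zero value should be confirmed, as the latter would let a mis-built binary emit manifests with no trusted measurement.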
@@ -15,6 +15,7 @@ import ( "fmt" "github.com/edgelesssys/contrast/internal/userapi" + "github.com/edgelesssys/contrast/platforms" ) // NewSeedShareOwnerPrivateKey creates and PEM-encodes a new seed share private key. @@ -30,14 +31,14 @@ func NewSeedShareOwnerPrivateKey() ([]byte, error) { // ExtractSeedshareOwnerPublicKey extracts the public key for a seedshare owner and returns it as serialized DER. // // This function supports PEM-encoded public and private keys. -func ExtractSeedshareOwnerPublicKey(keyData []byte) (HexString, error) { +func ExtractSeedshareOwnerPublicKey(keyData []byte) (platforms.HexString, error) { block, _ := pem.Decode(keyData) if block == nil { return "", fmt.Errorf("decoding seedshare owner key: no key found") } switch block.Type { case "PUBLIC KEY": - return NewHexString(block.Bytes), nil + return platforms.NewHexString(block.Bytes), nil case "RSA PRIVATE KEY": privateKey, err := x509.ParsePKCS1PrivateKey(block.Bytes) if err != nil { @@ -67,12 +68,12 @@ func ParseSeedshareOwnerPrivateKey(keyData []byte) (*rsa.PrivateKey, error) { } // MarshalSeedShareOwnerKey converts a public key into the format for userapi.SetManifestRequest. -func MarshalSeedShareOwnerKey(pubKey *rsa.PublicKey) HexString { - return NewHexString(x509.MarshalPKCS1PublicKey(pubKey)) +func MarshalSeedShareOwnerKey(pubKey *rsa.PublicKey) platforms.HexString { + return platforms.NewHexString(x509.MarshalPKCS1PublicKey(pubKey)) } // ParseSeedShareOwnerKey reads a public key embedded in a userapi.SetManifestRequest. -func ParseSeedShareOwnerKey(pubKeyHex HexString) (*rsa.PublicKey, error) { +func ParseSeedShareOwnerKey(pubKeyHex platforms.HexString) (*rsa.PublicKey, error) { pubKeyBytes, err := pubKeyHex.Bytes() if err != nil { return nil, fmt.Errorf("parsing from hex: %w", err) 
@@ -85,7 +86,7 @@ func ParseSeedShareOwnerKey(pubKeyHex HexString) (*rsa.PublicKey, error) { } // EncryptSeedShares encrypts a seed for owners identified by their public keys and returns a SeedShare slice suitable for userapi.SetManifestResponse. -func EncryptSeedShares(seed []byte, ownerPubKeys []HexString) ([]*userapi.SeedShare, error) { +func EncryptSeedShares(seed []byte, ownerPubKeys []platforms.HexString) ([]*userapi.SeedShare, error) { var out []*userapi.SeedShare for _, pubKeyHex := range ownerPubKeys { pubKey, err := ParseSeedShareOwnerKey(pubKeyHex) @@ -141,7 +142,7 @@ func ParseWorkloadOwnerPrivateKey(keyBytes []byte) (*ecdsa.PrivateKey, error) { } // HashWorkloadOwnerKey converts a public key into the format for Manifest.WorkloadOwnerKeyDigests. -func HashWorkloadOwnerKey(pubKey *ecdsa.PublicKey) HexString { +func HashWorkloadOwnerKey(pubKey *ecdsa.PublicKey) platforms.HexString { keyData, err := x509.MarshalPKIXPublicKey(pubKey) if err != nil { // According to the docs for MarshalPKIXPublicKey, an error should only @@ -151,7 +152,7 @@ func HashWorkloadOwnerKey(pubKey *ecdsa.PublicKey) HexString { } ownerKeyHash := sha256.Sum256(keyData) - return NewHexString(ownerKeyHash[:]) + return platforms.NewHexString(ownerKeyHash[:]) } // ExtractWorkloadOwnerPublicKey extracts the public key for a workload owner and returns it as serialized DER. diff --git a/internal/manifest/crypto_test.go b/internal/manifest/crypto_test.go index 83b8eecaf6..2833ec31ff 100644 --- a/internal/manifest/crypto_test.go +++ b/internal/manifest/crypto_test.go @@ -13,6 +13,7 @@ import ( "testing" "github.com/edgelesssys/contrast/internal/userapi" + "github.com/edgelesssys/contrast/platforms" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) 
@@ -28,7 +29,7 @@ func TestEncryptDecryptSingleKey(t *testing.T) { t.Run(name, func(t *testing.T) { require := require.New(t) keys := make([]*rsa.PrivateKey, numKeys) - pubKeys := make([]HexString, numKeys) + pubKeys := make([]platforms.HexString, numKeys) for i := range numKeys { keys[i] = getTestKey(t, b, i) pubKeys[i] = MarshalSeedShareOwnerKey(&keys[i].PublicKey) @@ -59,7 +60,7 @@ func TestEncryptDecryptSingleKey(t *testing.T) { pubKeyHex := MarshalSeedShareOwnerKey(&rightKey.PublicKey) - seedShares, err := EncryptSeedShares(seed, []HexString{pubKeyHex}) + seedShares, err := EncryptSeedShares(seed, []platforms.HexString{pubKeyHex}) require.NoError(err) require.Len(seedShares, 1) diff --git a/internal/manifest/manifest.go b/internal/manifest/manifest.go index 5c2c1c8375..fe8604d295 100644 --- a/internal/manifest/manifest.go +++ b/internal/manifest/manifest.go @@ -8,6 +8,7 @@ import ( "encoding/base64" "fmt" + "github.com/edgelesssys/contrast/platforms" "github.com/google/go-sev-guest/abi" "github.com/google/go-sev-guest/kds" "github.com/google/go-sev-guest/validate" @@ -16,14 +17,14 @@ import ( // Manifest is the Coordinator manifest and contains the reference values of the deployment. type Manifest struct { // policyHash/HOSTDATA -> commonName - Policies map[HexString][]string - ReferenceValues ReferenceValues - WorkloadOwnerKeyDigests []HexString - SeedshareOwnerPubKeys []HexString + Policies map[platforms.HexString][]string + ReferenceValues platforms.ReferenceValues + WorkloadOwnerKeyDigests []platforms.HexString + SeedshareOwnerPubKeys []platforms.HexString } // HexStrings is a slice of HexString. -type HexStrings []HexString +type HexStrings []platforms.HexString // ByteSlices returns the byte slice representation of the HexStrings. func (l *HexStrings) ByteSlices() ([][]byte, error) { 
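Review bot: Every digest and key field of `Manifest` is now typed `platforms.HexString`, which ties the manifest wire type to the platform catalogue for a plain hex-encoding helper that carries nothing platform-specific, and the same goes for `ReferenceValues`, which is now a `platforms` type but is still consumed and validated from this package. If the goal was only to drop the `node-installer` module dependency, a small standalone package for the hex type, or a `type HexString = platforms.HexString` alias kept in `manifest`, would have avoided the touch-every-caller churn visible across cli/, coordinator/ and e2e/ in this diff and would let `manifest` remain the natural home for `ReferenceValues` validation. The `ByteSlices` method whose signature closes this hunk continues outside it.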
@@ -52,57 +53,12 @@ func (p Policy) Bytes() []byte {
 }
 // Hash returns the hash of the policy.
-func (p Policy) Hash() HexString {
+func (p Policy) Hash() platforms.HexString {
 hashBytes := sha256.Sum256(p)
- return NewHexString(hashBytes[:])
+ return platforms.NewHexString(hashBytes[:])
 }
-// Validate checks the validity of all fields in the reference values.
-func (r ReferenceValues) Validate() error {
- if r.AKS != nil {
- if err := r.AKS.Validate(); err != nil {
- return fmt.Errorf("validating AKS reference values: %w", err)
- }
- }
- if r.BareMetalTDX != nil {
- if err := r.BareMetalTDX.Validate(); err != nil {
- return fmt.Errorf("validating bare metal TDX reference values: %w", err)
- }
- }
-
- if r.BareMetalTDX == nil && r.AKS == nil {
- return fmt.Errorf("reference values in manifest cannot be empty. Is the chosen platform supported?")
- }
- return nil
-}
-
-// Validate checks the validity of all fields in the AKS reference values.
-func (r AKSReferenceValues) Validate() error {
- if r.SNP.MinimumTCB.BootloaderVersion == nil {
- return fmt.Errorf("field BootloaderVersion in manifest cannot be empty")
- } else if r.SNP.MinimumTCB.TEEVersion == nil {
- return fmt.Errorf("field TEEVersion in manifest cannot be empty")
- } else if r.SNP.MinimumTCB.SNPVersion == nil {
- return fmt.Errorf("field SNPVersion in manifest cannot be empty")
- } else if r.SNP.MinimumTCB.MicrocodeVersion == nil {
- return fmt.Errorf("field MicrocodeVersion in manifest cannot be empty")
- }
-
- if len(r.TrustedMeasurement) != abi.MeasurementSize*2 {
- return fmt.Errorf("trusted measurement has invalid length: %d (expected %d)", len(r.TrustedMeasurement), abi.MeasurementSize*2)
- }
-
- return nil
-}
-
-// Validate checks the validity of all fields in the bare metal TDX reference values.
-func (r BareMetalTDXReferenceValues) Validate() error {
- if r.TrustedMeasurement == "" {
- return fmt.Errorf("field TrustedMeasurement in manifest cannot be empty")
- }
- return nil
-}
 // Validate checks the validity of all fields in the manifest.
 func (m *Manifest) Validate() error {
diff --git a/internal/manifest/manifest_test.go b/internal/manifest/manifest_test.go
index 2c7143ee91..5fffad7cca 100644
--- a/internal/manifest/manifest_test.go
+++ b/internal/manifest/manifest_test.go
@@ -8,7 +8,7 @@ import (
 "strconv"
 "testing"
- "github.com/edgelesssys/contrast/node-installer/platforms"
+ "github.com/edgelesssys/contrast/platforms"
 "github.com/google/go-sev-guest/kds"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
@@ -52,7 +52,7 @@ func TestPolicy(t *testing.T) {
 assert := assert.New(t)
 policy := []byte("test-policy")
- expectedHash := HexString("48a7cea3db9b9bf087e58bdff6e7a4260a0227b90ba0fceb97060a3c76e004e1")
+ expectedHash := platforms.HexString("48a7cea3db9b9bf087e58bdff6e7a4260a0227b90ba0fceb97060a3c76e004e1")
 annotation := base64.StdEncoding.EncodeToString(policy)
 p, err := NewPolicyFromAnnotation([]byte(annotation))
@@ -84,16 +84,16 @@ func TestValidate(t *testing.T) {
 },
 {
 m: &Manifest{
- Policies: map[HexString][]string{HexString(""): {}},
+ Policies: map[platforms.HexString][]string{platforms.HexString(""): {}},
 ReferenceValues: mnf.ReferenceValues,
 },
 wantErr: true,
 },
 {
 m: &Manifest{
- Policies: map[HexString][]string{HexString(""): {}},
- ReferenceValues: ReferenceValues{
- AKS: &AKSReferenceValues{
+ Policies: map[platforms.HexString][]string{platforms.HexString(""): {}},
+ ReferenceValues: platforms.ReferenceValues{
+ AKS: &platforms.AKSReferenceValues{
 SNP: mnf.ReferenceValues.AKS.SNP,
 TrustedMeasurement: "",
 },
@@ -104,7 +104,7 @@ func TestValidate(t *testing.T) {
 {
 m: &Manifest{
 ReferenceValues: mnf.ReferenceValues,
- WorkloadOwnerKeyDigests: []HexString{HexString("")},
+ WorkloadOwnerKeyDigests: []platforms.HexString{platforms.HexString("")},
 },
 wantErr: true,
 },
diff --git a/node-installer/internal/constants/constants.go b/node-installer/internal/constants/constants.go
index 85d6ae51a5..86f23ab558 100644
--- a/node-installer/internal/constants/constants.go
+++ b/node-installer/internal/constants/constants.go
@@ -9,14 +9,11 @@ import (
 "path/filepath"
 "github.com/edgelesssys/contrast/node-installer/internal/config"
- "github.com/edgelesssys/contrast/node-installer/platforms"
+ "github.com/edgelesssys/contrast/platforms"
 "github.com/pelletier/go-toml/v2"
 )
 var (
- // Version value is injected at build time.
- Version = "0.0.0-dev"
-
 // kataCLHSNPBaseConfig is the configuration file for the Kata runtime on AKS SEV-SNP
 // with Cloud-Hypervisor.
 //
diff --git a/node-installer/node-installer.go b/node-installer/node-installer.go
index 5a384f6b0d..923e5e9ab9 100644
--- a/node-installer/node-installer.go
+++ b/node-installer/node-installer.go
@@ -20,8 +20,7 @@ import (
 "github.com/edgelesssys/contrast/node-installer/internal/asset"
 "github.com/edgelesssys/contrast/node-installer/internal/config"
 "github.com/edgelesssys/contrast/node-installer/internal/constants"
- "github.com/edgelesssys/contrast/node-installer/platforms"
- "github.com/edgelesssys/contrast/node-installer/runtimehandler"
+ "github.com/edgelesssys/contrast/platforms"
 "github.com/pelletier/go-toml/v2"
 )
@@ -66,7 +65,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 }
 fmt.Printf("Using config: %+v\n", config)
- runtimeHandlerName, err := runtimehandler.Name(platform)
+ runtimeHandlerName, err := platforms.RuntimeHandler(platform)
 if err != nil {
 return fmt.Errorf("getting runtime handler name: %w", err)
 }
@@ -219,7 +218,7 @@ func patchContainerdConfig(basePath, configPath string, platform platforms.Platf
 existing = constants.ContainerdBaseConfig()
 }
- runtimeName, err := runtimehandler.Name(platform)
+ runtimeName, err := platforms.RuntimeHandler(platform)
 if err != nil {
 return fmt.Errorf("getting runtime name: %w", err)
 }
@@ -267,7 +266,7 @@ func patchContainerdConfigTemplate(basePath, configTemplatePath string, platform
 }
 fmt.Printf("Existing containerd config template:\n%s\n", existingConfig)
- runtimeName, err := runtimehandler.Name(platform)
+ runtimeName, err := platforms.RuntimeHandler(platform)
 if err != nil {
 return fmt.Errorf("getting runtime name: %w", err)
 }
diff --git a/node-installer/node-installer_test.go b/node-installer/node-installer_test.go
index 91cafab4c2..ae1927d7bc 100644
--- a/node-installer/node-installer_test.go
+++ b/node-installer/node-installer_test.go
@@ -10,8 +10,7 @@ import (
 _ "embed"
- "github.com/edgelesssys/contrast/node-installer/platforms"
- "github.com/edgelesssys/contrast/node-installer/runtimehandler"
+ "github.com/edgelesssys/contrast/platforms"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
@@ -65,7 +64,7 @@ func TestPatchContainerdConfig(t *testing.T) {
 configPath := filepath.Join(tmpDir, "config.toml")
- runtimeHandler, err := runtimehandler.Name(tc.platform)
+ runtimeHandler, err := platforms.RuntimeHandler(tc.platform)
 require.NoError(err)
 err = patchContainerdConfig(filepath.Join("/opt/edgeless", runtimeHandler),
@@ -118,7 +117,7 @@ func TestPatchContainerdConfigTemplate(t *testing.T) {
 // Testing patching a config template.
- runtimeHandler, err := runtimehandler.Name(tc.platform)
+ runtimeHandler, err := platforms.RuntimeHandler(tc.platform)
 require.NoError(err)
 err = patchContainerdConfigTemplate(filepath.Join("/opt/edgeless", runtimeHandler),
diff --git a/node-installer/runtimehandler/runtimehandler.go b/node-installer/runtimehandler/runtimehandler.go
deleted file mode 100644
index d2e4f72b01..0000000000
--- a/node-installer/runtimehandler/runtimehandler.go
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright 2024 Edgeless Systems GmbH
-// SPDX-License-Identifier: AGPL-3.0-only
-
-package runtimehandler
-
-import (
- "fmt"
- "strings"
-
- "github.com/edgelesssys/contrast/node-installer/internal/constants"
- "github.com/edgelesssys/contrast/node-installer/platforms"
-)
-
-// Name returns the name of the runtime handler for the given platform.
-func Name(platform platforms.Platform) (string, error) {
- platformName := strings.ToLower(platform.String())
-
- if strings.EqualFold(platformName, platforms.Unknown.String()) {
- return "", fmt.Errorf("unsupported platform %s", platform)
- }
-
- // Replace dots to ensure a readable directory name used by the node-installer.
- version := strings.ReplaceAll(constants.Version, ".", "-")
-
- return fmt.Sprintf("contrast-cc-%s-%s", version, platformName), nil
-}
diff --git a/packages/by-name/contrast-node-installer/package.nix b/packages/by-name/contrast-node-installer/package.nix
index 0273361b0c..eb1c4369ec 100644
--- a/packages/by-name/contrast-node-installer/package.nix
+++ b/packages/by-name/contrast-node-installer/package.nix
@@ -16,18 +16,23 @@ buildGoModule rec { src = let inherit (lib) fileset path hasSuffix; - root = ../../../node-installer; + root = ../../../.; + node-installer = ../../../node-installer; in fileset.toSource { inherit root; fileset = fileset.unions [ (path.append root "go.mod") (path.append root "go.sum") - (fileset.fileFilter (file: hasSuffix ".toml" file.name) root) - (fileset.fileFilter (file: hasSuffix ".toml.tmpl" file.name) root) - (fileset.fileFilter (file: hasSuffix ".go" file.name) root) + (path.append node-installer "go.mod") + (path.append node-installer "go.sum") + (fileset.fileFilter (file: hasSuffix ".toml" file.name) node-installer) + (fileset.fileFilter (file: hasSuffix ".toml.tmpl" file.name) node-installer) + (fileset.fileFilter (file: hasSuffix ".go" file.name) node-installer) + (path.append root "platforms") ]; }; + sourceRoot = "${src.name}/node-installer"; proxyVendor = true; vendorHash = "sha256-VogMwIzO8ocHBTqemhsJcUEXIXJpyJOPjnqORBDp+Eg="; @@ -35,10 +40,7 @@ buildGoModule rec { subPackages = [ "." ]; CGO_ENABLED = 0; - ldflags = [ - "-s" - "-X github.com/edgelesssys/contrast/node-installer/constants.Version=${version}" - ]; + ldflags = [ "-s" ]; preCheck = '' export CGO_ENABLED=1 diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index a14c0b0f6e..3215e22d72 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -91,7 +91,6 @@ buildGoModule rec { (path.append root "cli/cmd/assets/image-replacements.txt") (path.append root "internal/attestation/snp/Milan.pem") (path.append root "internal/attestation/snp/Genoa.pem") - (path.append root "node-installer") (fileset.difference (fileset.fileFilter (file: hasSuffix ".go" file.name) root) ( path.append root "service-mesh" )) 
@@ -99,7 +98,7 @@ buildGoModule rec {
 };
 proxyVendor = true;
- vendorHash = "sha256-C7nbHoH+LCKgjxFHtZdj+7NvyurY9q6QHz4JRNDonvY=";
+ vendorHash = "sha256-8l/QXPbPstVtpqAdctnz5hiW5a61gGoF0DYz6XQeDtk=";
 nativeBuildInputs = [ installShellFiles ];
diff --git a/internal/manifest/assets/reference-values.json b/platforms/assets/reference-values.json
similarity index 100%
rename from internal/manifest/assets/reference-values.json
rename to platforms/assets/reference-values.json
diff --git a/node-installer/platforms/platforms.go b/platforms/platforms.go
similarity index 100%
rename from node-installer/platforms/platforms.go
rename to platforms/platforms.go
diff --git a/internal/manifest/referencevalues.go b/platforms/referencevalues.go
similarity index 51%
rename from internal/manifest/referencevalues.go
rename to platforms/referencevalues.go
index 8399be0ee3..83a5d52fc6 100644
--- a/internal/manifest/referencevalues.go
+++ b/platforms/referencevalues.go
@@ -1,7 +1,7 @@
 // Copyright 2024 Edgeless Systems GmbH
 // SPDX-License-Identifier: AGPL-3.0-only
-package manifest
+package platforms
 import (
 _ "embed"
@@ -9,6 +9,8 @@ import (
 "encoding/json"
 "fmt"
 "strconv"
+
+ "github.com/google/go-sev-guest/abi"
 )
 // EmbeddedReferenceValuesJSON contains the embedded reference values in JSON format.
@@ -17,6 +19,19 @@ import (
 //go:embed assets/reference-values.json
 var EmbeddedReferenceValuesJSON []byte
+// EmbeddedReferenceValues returns the reference values embedded in the binary.
+func EmbeddedReferenceValues() ReferenceValues {
+ var embeddedReferenceValues *ReferenceValues
+
+ if err := json.Unmarshal(EmbeddedReferenceValuesJSON, &embeddedReferenceValues); err != nil {
+ // As this relies on a constant, predictable value (i.e. the embedded JSON), which -- in a correctly built binary -- should
+ // unmarshal safely into the [ReferenceValues], it's acceptable to panic here.
+ panic(fmt.Errorf("failed to unmarshal embedded reference values: %w", err))
+ }
+
+ return *embeddedReferenceValues
+}
+
 // ReferenceValues contains the workload-independent reference values for each platform.
 type ReferenceValues struct {
 // AKS holds the reference values for AKS.
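Review bot: `EmbeddedReferenceValues` decodes through a pointer-to-pointer, so an embedded document that is literally `null` yields no error from `json.Unmarshal`, leaves `embeddedReferenceValues` nil, and the final `return *embeddedReferenceValues` dies with a bare nil-dereference instead of the descriptive panic the error branch was written for. Decoding into a value closes that gap: `var rv ReferenceValues`, `if err := json.Unmarshal(EmbeddedReferenceValuesJSON, &rv); err != nil {`, `return rv`. The function also hands the struct back without running the `Validate` method that `ReferenceValues` has in this package, so the doc comment should make that explicit: `// The returned values are not validated; call Validate() before relying on them.`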
@@ -94,3 +109,50 @@ func (h HexString) String() string {
 func (h HexString) Bytes() ([]byte, error) {
 return hex.DecodeString(string(h))
 }
+
+// Validate checks the validity of all fields in the reference values.
+func (r ReferenceValues) Validate() error {
+ if r.AKS != nil {
+ if err := r.AKS.Validate(); err != nil {
+ return fmt.Errorf("validating AKS reference values: %w", err)
+ }
+ }
+ if r.BareMetalTDX != nil {
+ if err := r.BareMetalTDX.Validate(); err != nil {
+ return fmt.Errorf("validating bare metal TDX reference values: %w", err)
+ }
+ }
+
+ if r.BareMetalTDX == nil && r.AKS == nil {
+ return fmt.Errorf("reference values in manifest cannot be empty. Is the chosen platform supported?")
+ }
+
+ return nil
+}
+
+// Validate checks the validity of all fields in the AKS reference values.
+func (r AKSReferenceValues) Validate() error {
+ if r.SNP.MinimumTCB.BootloaderVersion == nil {
+ return fmt.Errorf("field BootloaderVersion in manifest cannot be empty")
+ } else if r.SNP.MinimumTCB.TEEVersion == nil {
+ return fmt.Errorf("field TEEVersion in manifest cannot be empty")
+ } else if r.SNP.MinimumTCB.SNPVersion == nil {
+ return fmt.Errorf("field SNPVersion in manifest cannot be empty")
+ } else if r.SNP.MinimumTCB.MicrocodeVersion == nil {
+ return fmt.Errorf("field MicrocodeVersion in manifest cannot be empty")
+ }
+
+ if len(r.TrustedMeasurement) != abi.MeasurementSize*2 {
+ return fmt.Errorf("trusted measurement has invalid length: %d (expected %d)", len(r.TrustedMeasurement), abi.MeasurementSize*2)
+ }
+
+ return nil
+}
+
+// Validate checks the validity of all fields in the bare metal TDX reference values.
+func (r BareMetalTDXReferenceValues) Validate() error {
+ if r.TrustedMeasurement == "" {
+ return fmt.Errorf("field TrustedMeasurement in manifest cannot be empty")
+ }
+ return nil
+}
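Review bot: `BareMetalTDXReferenceValues.Validate` rejects only an empty `TrustedMeasurement`, whereas the AKS method directly above also checks `len(r.TrustedMeasurement)` against `abi.MeasurementSize*2`, so a truncated TDX measurement passes validation here and would be noticed, if at all, only when attestation is evaluated. The commit moves these methods verbatim, but `platforms` is now the single owner of the checks, so a length check against the expected TDX measurement size (not visible in this diff) belongs here, and if `TrustedMeasurement` is a `HexString` a `Bytes()` round-trip would additionally reject non-hex input. The error strings in all three methods still say "in manifest", which no longer describes where the type lives; dropping that qualifier keeps the messages accurate for callers outside `internal/manifest`.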
diff --git a/internal/manifest/referencevalues_test.go b/platforms/referencevalues_test.go
similarity index 99%
rename from internal/manifest/referencevalues_test.go
rename to platforms/referencevalues_test.go
index 9ddf56bc3f..bb7502d762 100644
--- a/internal/manifest/referencevalues_test.go
+++ b/platforms/referencevalues_test.go
@@ -1,7 +1,7 @@
 // Copyright 2024 Edgeless Systems GmbH
 // SPDX-License-Identifier: AGPL-3.0-only
-package manifest
+package platforms
 import (
 "encoding/json"
diff --git a/platforms/runtimehandler.go b/platforms/runtimehandler.go
new file mode 100644
index 0000000000..f117d6a0c7
--- /dev/null
+++ b/platforms/runtimehandler.go
@@ -0,0 +1,23 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package platforms
+
+import (
+ "fmt"
+ "strings"
+)
+
+// RuntimeHandler returns the name of the runtime handler for the given platform.
+func RuntimeHandler(platform Platform) (string, error) {
+ platformName := strings.ToLower(platform.String())
+
+ if strings.EqualFold(platformName, Unknown.String()) {
+ return "", fmt.Errorf("unsupported platform %s", platform)
+ }
+
+ // TODO add hash
+ hash := ""
+
+ return fmt.Sprintf("contrast-cc-%s-%s", hash, platformName), nil
+}
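Review bot: With `hash := ""` the handler name becomes `contrast-cc--<platform>` (an empty middle component, hence the double dash), and the version discriminator that the deleted `runtimehandler.Name` derived from `constants.Version` is gone, so every node-installer build now resolves to the same `/opt/edgeless/contrast-cc--<platform>` install path (see the `filepath.Join` in node-installer_test.go) and, presumably, the same containerd runtime name that `patchContainerdConfig` writes. That removes the guard against a CLI and a node-installer of different versions silently agreeing on a handler name while expecting different runtime artifacts, which is the mismatch the versioned name protected against. Until the hash lands, at least build the name without the empty part, `return fmt.Sprintf("contrast-cc-%s", platformName), nil`, and state the gap in the doc comment: `// The name currently carries no version or hash component and therefore does not distinguish installer builds.`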