Export function to extract and validate AK from server #492
Conversation
yawangwang
force-pushed
the
export_validate_AK
branch
from
caf16c7 to
3d3ca12
Compare
server/verify.go
Outdated
| @@ -183,6 +152,45 @@ func VerifyAttestation(attestation *pb.Attestation, opts VerifyOpts) (*pb.Machin | |||
| return nil, fmt.Errorf("attestation does not contain a supported quote") | |||
| } | |||
|
|
|||
| // ParseAndValidateAK parses and validate AK cert in the attestation, and populate GCE instance info. | |||
There was a problem hiding this comment.
Ideally, we have composable funcs where we can verify the attestation key against the Attestation proto and VerifyOpts and then extract info from it. So I suggest a bit more refactoring:
- call this
ValidateAK - Have
ValidateAKjust callvalidateAKPubandvalidateAKCert - refactor
validateAKPubandvalidateAKCertto only return error - refactor
validateAKCertto not callgetInstanceInfoFromExtensions - in
VerifyAttestationcallValidateAKand thengetInstanceInfoFromExtensions(orGetGCEInstanceInfoif cert != nil)
| { | ||
| name: "failed with missing intermediates", | ||
| opts: VerifyOpts{TrustedRootCerts: GceEKRoots}, | ||
| wantPass: false, |
There was a problem hiding this comment.
Add a test case setting TrustedAKs in VerifyOpts but not Trusted/Intermediate certs
yawangwang
force-pushed
the
export_validate_AK
branch
from
3d3ca12 to
5eb876b
Compare
yawangwang
force-pushed
the
export_validate_AK
branch
4 times, most recently
from
02dce70 to
65204d1
Compare
yawangwang
force-pushed
the
export_validate_AK
branch
from
65204d1 to
e2f86ab
Compare
|
/gcbrun |
Add CAS-based EK/AK root CAs. Add warning about using GetGCEInstanceInfo.
|
/gcbrun |
.github/workflows/ci.yml
Outdated
| @@ -77,11 +77,12 @@ jobs: | |||
| run: | | |||
| GO_EXECUTABLE_PATH=$(which go) | |||
| sudo $GO_EXECUTABLE_PATH test -v -run "TestFetchImageSignaturesDockerPublic" ./launcher | |||
| sudo $GO_EXECUTABLE_PATH test -v -run "TestHwAttestationPass" ./cmd | |||
There was a problem hiding this comment.
See b/368161073, it returns couldn't create report entry in configfs, no such device error
server/verify.go
Outdated
| if akCert != nil { | ||
| instanceInfo, err := GetGCEInstanceInfo(akCert) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to validate AK certificate: %w", err) | ||
| return nil, fmt.Errorf("failed to extract GCE instance info from AK cert: %w", err) | ||
| } | ||
| akPubKey = akCert.PublicKey.(crypto.PublicKey) | ||
| // Populate GCE instance info. | ||
| machineState.Platform = &pb.PlatformState{InstanceInfo: instanceInfo} |
There was a problem hiding this comment.
Oops I realize a security issue: we can't blindly just parse GCE instance info, since we might have validated with the TrustedAKs instead
Which is why we had the extract in validateAK in the first place :).
I'll add something to your PR.
There was a problem hiding this comment.
Please give my changes a look @yawangwang and merge it in if you feel it looks okay.
LGTM, now merging this PR |
* Export ValidateAKCert and add CAS EK root CA + skip TestHwAttestationPass --------- Co-authored-by: Alex Wu <wuale@google.com>
We need to export a function from server to extract/validate AK, and populate GCE instance info into machine state so that GAV can consume.