Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation: dont set a default for TDX MRSEAM #3038

Merged
merged 1 commit into from
Apr 22, 2024
Merged

attestation: dont set a default for TDX MRSEAM #3038

merged 1 commit into from
Apr 22, 2024

Conversation

daniel-weisse
Copy link
Member

Context

TDX attestation verifies the TDX module using various versions and hashes.
One optional value for user validation is MRSEAM, the "measurement of the Intel TDX module. (48 Bytes hash)".
Setting this value ensures attestation only passes if the CVM is running with an Intel TDX module which matches this exact hash.
While this blocks older versions of the module from running (this is also prevented by other versions checks), it also effectively blocks using newer versions.

Proposed change(s)

  • Remove the default value for MRSEAM from Constellation's config
    • Users may still set a value if desired

Additional info

  • I think this should go into the changelog of the next release. However, we are don't have a label for "other changes", and I don't think this is a bug fix or a new feature. Leaving it open for now and marking for backport

@daniel-weisse daniel-weisse added the needs backport This PR needs to be backported to a previous release label Apr 22, 2024
@netlify Netlify
Copy link

netlify bot commented Apr 22, 2024
edited
Loading

Deploy Preview for constellation-docs canceled.

Name Link
🔨 Latest commit 7a2582e
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/662640c254c15600089aed5a

burgerdev
burgerdev approved these changes Apr 22, 2024
View reviewed changes
Copy link
Contributor

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, lgtm!

@daniel-weisse
Dont set a default for TDX MRSEAM
7a2582e 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@github-actions GitHub Actions
Copy link
Contributor

Coverage report

Package Old New Trend
internal/config 68.00% 68.00% ↔️

@daniel-weisse daniel-weisse merged commit 4635a6c into main Apr 22, 2024
8 checks passed
@daniel-weisse daniel-weisse deleted the ref/tdx/remove-default-mrseam branch April 22, 2024 12:07
burgerdev pushed a commit that referenced this pull request May 13, 2024
@daniel-weisse @burgerdev
attestation: dont set a default for TDX MRSEAM (#3038)
c601154 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@msanft msanft mentioned this pull request Jun 10, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@burgerdev burgerdev burgerdev approved these changes

@derpsteb derpsteb Awaiting requested review from derpsteb derpsteb is a code owner

Assignees
No one assigned
Labels
needs backport This PR needs to be backported to a previous release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daniel-weisse @burgerdev