Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specifying accepted avisories for SWHardeningNeeded TCB status #733

Merged
merged 7 commits into from
Oct 2, 2024
Merged

Allow specifying accepted avisories for SWHardeningNeeded TCB status #733

merged 7 commits into from
Oct 2, 2024

Conversation

daniel-weisse
Copy link
Member

#729 added support for reading the Security Advisories if attestation failed due to invalid TCB status.
This PR builds on that to allow users to specify just specific advisories when the reported TCB status is SWHardeningNeeded

Proposed changes

  • Add a new flag to the CLI --accepted-advisories which allows specifying a list of Intel Security Advisories to accept if the Coordinator's TCB status is SWHardeningNeeded. If not set, all advisories are accepted
  • Add a new manifest field Packages.AcceptedAdvisories which allows specifying a list of Intel Security Advisories to accept if the package's TCB status is SWHardeningNeeded. If not set, all advisories are accepted
  • Fix for the CLI printing a nil error if parsing the advisory list of a report failed

@netlify Netlify
Copy link

netlify bot commented Sep 26, 2024
edited
Loading

Deploy Preview for marblerun-docs canceled.

Name Link
🔨 Latest commit 69323e6
🔍 Latest deploy log https://app.netlify.com/sites/marblerun-docs/deploys/66fce6f49ad8ca00087b32e4

thomasten
thomasten requested changes Sep 27, 2024
View reviewed changes
api/attestation/attestation.go Outdated Show resolved Hide resolved
api/attestation/attestation.go Outdated Show resolved Hide resolved
coordinator/quote/ert.go Show resolved Hide resolved
coordinator/quote/ertvalidator/ertvalidator.go Show resolved Hide resolved
internal/tcb/tcb_test.go Show resolved Hide resolved
coordinator/quote/ert.go Show resolved Hide resolved
api/attestation/attestation_test.go Show resolved Hide resolved
@daniel-weisse
Allow specifying accepted avisories for SWHardeningNeeded TCB status
2cd394e 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Add separate NewTCBStatusErrorWithAdvisories function
0caff58 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Return error on CheckAdvisories if report contains an TCBAdvisoriesErr
83cf0ce 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Add AcceptedAdvisories to quote string representation
0d4c161 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Simplify package update logic
f1130a8 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Improve tcb advisory error test
5035c93 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Keep vale action on ubuntu-22.04
69323e6 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse daniel-weisse merged commit bc05f54 into master Oct 2, 2024
9 of 10 checks passed
@daniel-weisse daniel-weisse deleted the dw/advisory-whitelist branch October 2, 2024 06:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomasten thomasten thomasten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daniel-weisse @thomasten