-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure detection + attestation report fetch #16
Conversation
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Closes #5 |
CC @berrange |
src/report.rs
Outdated
.get_report(None, Some(request_data), args.vmpl) | ||
.context("Failed to get report.")?; | ||
let att_report = if hv { | ||
hyperv::report::get()? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For args.vmpl
we need to mandate that it is 0
, because the Azure HCL report is created at VMPL 0
I'm not sure what todo for args.random
- we can't honour the current semantics for either true
or false
value - the data won't be random, and the user also can't provide their own data. Basically the report data is fixed at what HCL added, which is the TPM attestation key. We should however still write out the fixed HCL report data to args.request_file
I think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, we can fail if VMPL > 1 && Hyper-V report is detected. Should the command fail if args.request_file
is given with a message Hyper-V request data is fixed and cannot be changed, do not submit a request file as input
? The same could be said with args.random
. Maybe these args should be re-considered for the command if so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Essentially we have three scenarios
- User provides a request file as input
- User requests random data as input
- Input is pre-determined by platform
We could add a third argument --platform
which is mutually exclusive with --random
--request-data
- user provided input, unchanged on output--random
- auto-generated input, output./random-request-file.txt
--random
,--request-data PATH
- auto-generated input, output$PATH
--platform
- pre-determined input, output./platform-request-file.txt
--platform
,--request-data PATH
- pre-detrermined input, output$PATH
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In 0c80f34 I removed the --random
flag altogether. The user is instead required to give a "request file" as an argument.
- For regular guests, the data in the request data file will be used as the data in the attestation report.
- For Hyper-V guests, the platform data already present in the report is written to the request file.
Although a bit unavoidable here, I don't like the request-file
arg being interpreted differently based on what platform you're running on. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In 0c80f34 I removed the --random flag altogether. The user is instead required to give a "request file" as an argument.
Being able to omit the request file and just have the tool create a random nonce was desirable behaviour IMHO
Although a bit unavoidable here, I don't like the request-file arg being interpreted differently based on what platform you're running on. What do you think?
I think it is highly undesirable, because the behaviour is not discoverable / reportable.
With the 5 scenarios I illustrated above, each combination of args has clearly defined platform independent semantics. The command will either complete with the documented semantics, or an error will be reported if the platform can't honour that particular combination of args.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I second @berrange comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In 0c80f34 I removed the
--random
flag altogether. The user is instead required to give a "request file" as an argument.
- For regular guests, the data in the request data file will be used as the data in the attestation report.
- For Hyper-V guests, the platform data already present in the report is written to the request file.
Although a bit unavoidable here, I don't like the
request-file
arg being interpreted differently based on what platform you're running on. What do you think?
@tylerfanelli was there a reason we wanted to remove this option? I must have missed this from my quick review. I agree with @berrange, this is a nice feature for users who care less about generating the request data, and just want to attest the report.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@larrydewey The motivation to remove --random
was to "clean up" the arguments of this command and try to give some uniformity, so that the experience was the same regardless if one was running on Azure or not. Corner cases such as
--random
and--platform
are mutually exclusive--random
must fail on Azure--platform
must fail on non-Azure
And the option inclusion of--request-file
. I don't want to confuse users on the different flags and why/how they are used. If--random
is desirable however, I'll change this to use--platform
, and document it's prospective use cases (i.e. in Azure)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed the commit and added the --platform
flag. To try and complicate things less, a user is required to input the name of a file to write the request data, rather than defaulting to {random, platform}-request-data.txt
. I can add support for those "default" files as well if the feature is desirable?
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
0c80f34
to
60fd74e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CC @DGonzalezVillal Just a heads up on the API changes made here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just have a couple of questions/comments on the workflow, and the certificates command. Everything else looks good
@@ -51,9 +53,10 @@ fn main() -> Result<()> { | |||
env_logger::init(); | |||
|
|||
let snpguest = SnpGuest::from_args(); | |||
let hv = hyperv::present(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to check for Hyper-V every single time the tool is used? Why wouldn't we just check whenever people request a report?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There will be parity with other commands.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, I think it would make more sense to only check for Hyper-V when we are potentially going to interact with the PSP. All other functionality from the tool does not rely on architecture. The only other locations I could potentially think this check would be useful is for enabling/disabling --random
and/or extended certs, as Hyper-V disallows the use of these flags
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An example I currently see is certs. In non-Azure, certs are fetched from the KDS. However, in Azure they are fetched from another MS-defined endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Revoking approval until discussion is complete.
9c36a17
to
1ad76b1
Compare
Currently, with Hyper-V guests, the report_data of an attestation report is generated beforehand by the platform. This indicates that a user cannot write some optional data to be included in the report. With --platform enabled, the pre-generated platform data will be written to the file pointed to by $REQUEST_PATH (or "platform-request-file.txt" if no $REQUEST_PATH is given as input). Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This PR introduces two new features: