Skip to content

Commit

Permalink
Support SEV-SNP on GCP (#3011)
Browse files Browse the repository at this point in the history 
* terraform: enable creation of SEV-SNP VMs on GCP

* variant: add SEV-SNP attestation variant

* config: add SEV-SNP config options for GCP

* measurements: add GCP SEV-SNP measurements

* gcp: separate package for SEV-ES

* attestation: add GCP SEV-SNP attestation logic

* gcp: factor out common logic

* choose: add GCP SEV-SNP

* cli: add TF variable passthrough for GCP SEV-SNP variables

* cli: support GCP SEV-SNP for `constellation verify`

* Adjust usage of GCP SEV-SNP throughout codebase

* ci: add GCP SEV-SNP

* terraform-provider: support GCP SEV-SNP

* docs: add GCP SEV-SNP reference

* linter fixes

* gcp: only run test with TPM simulator

* gcp: remove nonsense test

* Update cli/internal/cmd/verify.go

Co-authored-by: Daniel Weiße <[email protected]>

* Update docs/docs/overview/clouds.md

Co-authored-by: Daniel Weiße <[email protected]>

* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go

Co-authored-by: Adrian Stobbe <[email protected]>

* linter fixes

* terraform_provider: correctly pass down CC technology

* config: mark attestationconfigapi as unimplemented

* gcp: fix comments and typos

* snp: use nonce and PK hash in SNP report

* snp: ensure we never use ARK supplied by Issuer (#3025)

* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly

---------

Signed-off-by: Daniel Weiße <[email protected]>
Co-authored-by: Moritz Sanft <[email protected]>

* attestationconfigapi: add GCP to uploading

* snp: use correct cert

Signed-off-by: Moritz Sanft <[email protected]>

* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP

* linter fixes

---------

Signed-off-by: Daniel Weiße <[email protected]>
Signed-off-by: Moritz Sanft <[email protected]>
Co-authored-by: Daniel Weiße <[email protected]>
Co-authored-by: Adrian Stobbe <[email protected]>
  • Loading branch information
@msanft @daniel-weisse @elchead
3 people authored Apr 16, 2024
1 parent 485ebb1 commit 913b09a
Show file tree
Hide file tree
Showing 90 changed files with 1,623 additions and 552 deletions.
2 changes: 1 addition & 1 deletion .github/actions/e2e_verify/action.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ runs:
aws-region: eu-central-1

- name: Upload extracted TCBs
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp')
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
shell: bash
env:
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
Expand Down
3 changes: 3 additions & 0 deletions .github/actions/terraform_apply/action.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@ runs:
"gcpSEVES")
attestationVariant="gcp-sev-es"
;;
"gcpSEVSNP")
attestationVariant="gcp-sev-snp"
;;
*)
echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
exit 1
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e-attestationconfigapi.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
fail-fast: false
max-parallel: 1
matrix:
csp: ["azure", "aws"]
csp: ["azure", "aws", "gcp"]
runs-on: ubuntu-22.04
permissions:
id-token: write
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e-test-daily.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:
max-parallel: 5
matrix:
kubernetesVersion: ["1.28"] # should be default
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
test: ["sonobuoy quick"]
runs-on: ubuntu-22.04
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/e2e-test-internal-lb.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,11 @@ on:
description: "Which attestation variant to use."
type: choice
options:
- "gcp-sev-es"
- "aws-sev-snp"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
- "gcp-sev-es"
- "gcp-sev-snp"
default: "azure-sev-snp"
required: true
runner:
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/e2e-test-marketplace-image.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,11 @@ on:
description: "Which attestation variant to use."
type: choice
options:
- "gcp-sev-es"
- "aws-sev-snp"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
- "gcp-sev-es"
- "gcp-sev-snp"
default: "azure-sev-snp"
required: true
runner:
Expand Down
11 changes: 11 additions & 0 deletions .github/workflows/e2e-test-provider-example.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ on:
- "azure-sev-snp"
- "azure-tdx"
- "gcp-sev-es"
- "gcp-sev-snp"
default: "azure-sev-snp"
required: true
workflow_call:
Expand Down Expand Up @@ -265,11 +266,21 @@ jobs:
run: |
region=$(echo ${{ inputs.regionZone || 'europe-west3-b' }} | rev | cut -c 3- | rev)
case "${{ inputs.attestationVariant }}" in
"gcp-sev-snp")
cc_tech="SEV_SNP"
;;
*)
cc_tech="SEV"
;;
esac
cat >> _override.tf <<EOF
locals {
project_id = "constellation-e2e"
region = "${region}"
zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
cc_technology = "${cc_tech}"
}
EOF
cat _override.tf
Expand Down
44 changes: 44 additions & 0 deletions .github/workflows/e2e-test-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
Expand All @@ -72,6 +76,11 @@ jobs:
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
Expand All @@ -93,6 +102,11 @@ jobs:
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.27"
Expand All @@ -115,6 +129,11 @@ jobs:
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
Expand All @@ -137,6 +156,11 @@ jobs:
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
Expand All @@ -159,6 +183,11 @@ jobs:
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
Expand All @@ -181,6 +210,11 @@ jobs:
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
Expand All @@ -203,6 +237,11 @@ jobs:
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "perf-bench"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "perf-bench"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
Expand All @@ -223,6 +262,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/e2e-test-terraform-provider.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,11 @@ on:
description: "Which attestation variant to use."
type: choice
options:
- "gcp-sev-es"
- "aws-sev-snp"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
- "gcp-sev-es"
- "gcp-sev-snp"
default: "azure-sev-snp"
required: true
runner:
Expand Down
45 changes: 45 additions & 0 deletions .github/workflows/e2e-test-weekly.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -79,6 +84,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -100,6 +110,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -123,6 +138,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -146,6 +166,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -168,6 +193,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -190,6 +220,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand All @@ -212,6 +247,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
Expand Down Expand Up @@ -241,6 +281,11 @@ jobs:
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "gcp-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "azure-sev-snp"
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/e2e-test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ on:
type: choice
options:
- "gcp-sev-es"
- "gcp-sev-snp"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/e2e-upgrade.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,11 @@ on:
description: "Which attestation variant to use."
type: choice
options:
- "gcp-sev-es"
- "aws-sev-snp"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
- "gcp-sev-es"
- "gcp-sev-snp"
default: "azure-sev-snp"
required: true
nodeCount:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/on-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,7 @@ jobs:
id: fetch-reference
shell: bash
run: |
# TODO(msanft): Implement marketplace images for GCP SEV-SNP
aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)
Expand Down
7 changes: 7 additions & 0 deletions cli/internal/cloudcmd/tfvars.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,12 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
DiskType: group.StateDiskType,
}
}

ccTech := "SEV"
if conf.GetAttestationConfig().GetVariant().Equal(variant.GCPSEVSNP{}) {
ccTech = "SEV_SNP"
}

return &terraform.GCPClusterVariables{
Name: conf.Name,
NodeGroups: nodeGroups,
Expand All @@ -219,6 +225,7 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
Debug: conf.IsDebugCluster(),
CustomEndpoint: conf.CustomEndpoint,
InternalLoadBalancer: conf.InternalLoadBalancer,
CCTechnology: ccTech,
}
}

Expand Down
9 changes: 9 additions & 0 deletions cli/internal/cmd/configgenerate_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,11 @@ func TestValidProviderAttestationCombination(t *testing.T) {
variant.GCPSEVES{},
config.AttestationConfig{GCPSEVES: defaultAttestation.GCPSEVES},
},
{
cloudprovider.GCP,
variant.GCPSEVSNP{},
config.AttestationConfig{GCPSEVSNP: defaultAttestation.GCPSEVSNP},
},
{
cloudprovider.QEMU,
variant.QEMUVTPM{},
Expand Down Expand Up @@ -286,6 +291,10 @@ func TestParseAttestationFlag(t *testing.T) {
attestationFlag: "gcp-sev-es",
wantVariant: variant.GCPSEVES{},
},
"GCPSEVSNP": {
attestationFlag: "gcp-sev-snp",
wantVariant: variant.GCPSEVSNP{},
},
"QEMUVTPM": {
attestationFlag: "qemu-vtpm",
wantVariant: variant.QEMUVTPM{},
Expand Down
Loading

0 comments on commit 913b09a

Please sign in to comment.