Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specifying accepted avisories for SWHardeningNeeded TCB status #733

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Allow specifying accepted avisories for SWHardeningNeeded TCB status #733

wants to merge 6 commits into from

Conversation

daniel-weisse
Copy link
Member

#729 added support for reading the Security Advisories if attestation failed due to invalid TCB status.
This PR builds on that to allow users to specify just specific advisories when the reported TCB status is SWHardeningNeeded

Proposed changes

  • Add a new flag to the CLI --accepted-advisories which allows specifying a list of Intel Security Advisories to accept if the Coordinator's TCB status is SWHardeningNeeded. If not set, all advisories are accepted
  • Add a new manifest field Packages.AcceptedAdvisories which allows specifying a list of Intel Security Advisories to accept if the package's TCB status is SWHardeningNeeded. If not set, all advisories are accepted
  • Fix for the CLI printing a nil error if parsing the advisory list of a report failed

@netlify Netlify
Copy link

netlify bot commented Sep 26, 2024
edited
Loading

Deploy Preview for marblerun-docs canceled.

Name Link
🔨 Latest commit 77591d1
🔍 Latest deploy log https://app.netlify.com/sites/marblerun-docs/deploys/66fab98bb2a64c0008034e5b

thomasten
thomasten requested changes Sep 27, 2024
View reviewed changes
api/attestation/attestation.go Outdated Show resolved Hide resolved
api/attestation/attestation.go Outdated Show resolved Hide resolved
coordinator/quote/ert.go Show resolved Hide resolved
coordinator/quote/ertvalidator/ertvalidator.go
@@ -47,6 +47,10 @@ func (v *ERTValidator) Validate(givenQuote []byte, cert []byte, pp quote.Package
v.log.Error("TCB Advisories", zap.Error(report.TCBAdvisoriesErr))
}

if notAccepted := tcb.CheckAdvisories(report.TCBStatus, report.TCBAdvisories, pp.AcceptedAdvisories); len(notAccepted) > 0 {
return fmt.Errorf("TCB status %s contains advisories not accepted by configuration: %s", report.TCBStatus, notAccepted)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this be logged somewhere, linked to the package?
We should maybe generally check and (if needed) improve the logging of Marble activations in case of different errors.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We log any failed Marble verification attempts in coordinator/core/marbleapi.go. That log statement contains the error returned by this package.
Is there any information missing you would prefer to be logged in ertvalidator.go?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure, but I think I've seen log outputs of failed activations where we could have given more details. However, this is out of scope. I may revisit this myself at some point.

internal/tcb/tcb_test.go Show resolved Hide resolved
coordinator/quote/ert.go Show resolved Hide resolved
api/attestation/attestation_test.go Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomasten thomasten thomasten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daniel-weisse @thomasten