[launcher] Fix CEL RTMR extending (google#635)

Add image tests for TDX machines
Add TDX support in the fakeverifier

Author: jkl73

launcher/agent/agent.go

@@ -121,9 +121,7 @@ func CreateAttestationAgent(tpm io.ReadWriteCloser, akFetcher util.TpmKeyFetcher
 	for _, sel := range pcrSels {
 		hashAlgo, err := sel.Hash.Hash()
 		if err != nil {
-			if err != nil {
-				return nil, fmt.Errorf("failed to get TPM hash algorithm: %v", err)
-			}
+			return nil, fmt.Errorf("failed to get TPM hash algorithm: %v", err)
 		}
 		hashAlgos = append(hashAlgos, hashAlgo)
 	}
@@ -352,8 +350,8 @@ func (t *tdxAttestRoot) GetCEL() gecel.CEL {
 }
 
 func (t *tdxAttestRoot) Extend(c gecel.Content) error {
-	return t.cosCel.AppendEvent(c, []crypto.Hash{crypto.SHA384}, cel.CosRTMR+1, func(ch crypto.Hash, mrIndex int, digest []byte) error {
-		return rtmr.ExtendEventLogSysfs(mrIndex-1, ch, digest) // MR_INDEX - 1 == RTMR_INDEX
+	return t.cosCel.AppendEvent(c, []crypto.Hash{crypto.SHA384}, cel.CosCCELMRIndex, func(_ crypto.Hash, mrIndex int, digest []byte) error {
+		return rtmr.ExtendDigestSysfs(mrIndex-1, digest) // MR_INDEX - 1 == RTMR_INDEX
 	})
 }
 

launcher/cloudbuild.yaml

@@ -133,6 +133,22 @@ steps:
       --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
     exit
 
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: DebugImageTestsTDX
+  waitFor: ['DebugImageBuild']
+  env:
+  - 'OUTPUT_IMAGE_PREFIX=${_OUTPUT_IMAGE_PREFIX}'
+  - 'OUTPUT_IMAGE_SUFFIX=${_OUTPUT_IMAGE_SUFFIX}'
+  - 'PROJECT_ID=$PROJECT_ID'
+  script: |
+    #!/usr/bin/env bash
+
+    cd launcher/image/test
+    echo "running debug image tests on ${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX}"
+    gcloud builds submit --config=test_debug_cloudbuild.yaml --region us-west1 \
+      --substitutions _CC=TDX,_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+    exit
+
 - name: 'gcr.io/cloud-builders/gcloud'
   id: HardenedImageTests
   waitFor: ['HardenedImageBuild']
@@ -148,6 +164,23 @@ steps:
     gcloud builds submit --config=test_hardened_cloudbuild.yaml --region us-west1 \
       --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
     exit
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: HardenedImageTestsTDX
+  waitFor: ['HardenedImageBuild']
+  env:
+  - 'OUTPUT_IMAGE_PREFIX=${_OUTPUT_IMAGE_PREFIX}'
+  - 'OUTPUT_IMAGE_SUFFIX=${_OUTPUT_IMAGE_SUFFIX}'
+  - 'PROJECT_ID=$PROJECT_ID'
+  script: |
+    #!/usr/bin/env bash
+
+    cd launcher/image/test
+    echo "running hardened image tests on ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}"
+    gcloud builds submit --config=test_hardened_cloudbuild.yaml --region us-west1 \
+      --substitutions _CC=TDX,_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+    exit
+
 - name: 'gcr.io/cloud-builders/gcloud'
   id: LaunchPolicyTests
   waitFor: ['HardenedImageBuild']

launcher/image/entrypoint.sh

@@ -18,7 +18,6 @@ main() {
   systemctl enable container-runner.service
   systemctl start container-runner.service
   systemctl start fluent-bit.service
-
 }
 
 main

launcher/image/test/create_vm.sh

@@ -9,6 +9,7 @@ print_usage() {
     echo "  -f <metadataFromFile>: read a metadata value from a file; specified in format key=filePath"
     echo "  -n <instanceName>: instance name"
     echo "  -z <instanceZone>: instance zone"
+    echo "  -c <confidentialComputing>: TDX or SEV"
     exit 1
 }
 
@@ -18,6 +19,20 @@ create_vm() {
     exit 1
   fi
 
+  if [ -z "$CC" ]; then
+    CC='SEV'
+  fi
+
+  MACHINE_TYPE=''
+  if [[ "${CC}" == "SEV" ]]; then
+    MACHINE_TYPE='n2d-standard-2'
+  elif [[ "${CC}" == "TDX" ]]; then
+    MACHINE_TYPE='c3-standard-4'
+  else
+    echo "unsupported confidential computing type: ${CC}"
+    exit 1
+  fi
+
   # use the fake verifier for all tests
   FAKE_VERIFIER='test-fake-verifier=true'
 
@@ -48,10 +63,10 @@ create_vm() {
   ADDTL_DISK_RANGE=$(($MAX_DISK_SIZE_GB - $MIN_DISK_SIZE + 1))
   DISK_SIZE_GB=$(($MIN_DISK_SIZE + ($RANDOM % $ADDTL_DISK_RANGE)))
 
-  gcloud compute instances create $VM_NAME --confidential-compute --maintenance-policy=TERMINATE \
-    --machine-type=n2d-standard-2 --boot-disk-size=$DISK_SIZE_GB --scopes=cloud-platform --zone $ZONE \
-    --image=$IMAGE_NAME --image-project=$PROJECT_NAME --shielded-secure-boot $APPEND_METADATA \
-    $APPEND_METADATA_FILE
+  gcloud compute instances create $VM_NAME --confidential-compute-type=$CC --maintenance-policy=TERMINATE \
+  --machine-type=$MACHINE_TYPE --boot-disk-size=$DISK_SIZE_GB --scopes=cloud-platform --zone $ZONE \
+  --image=$IMAGE_NAME --image-project=$PROJECT_NAME --shielded-secure-boot $APPEND_METADATA \
+  $APPEND_METADATA_FILE
 }
 
 IMAGE_NAME=''
@@ -60,17 +75,19 @@ METADATA=''
 PROJECT_NAME=''
 VM_NAME=''
 ZONE=''
+CC='SEV' # default using sev
 
 # In getopts, a ':' following a letter means that that flag takes an argument.
 # For example, i: means -i takes an additional argument.
-while getopts 'i:f:m:p:n:z:' flag; do
+while getopts 'i:f:m:p:n:z:c:' flag; do
   case "${flag}" in
     i) IMAGE_NAME=${OPTARG} ;;
     f) METADATA_FILE=${OPTARG} ;;
     m) METADATA=${OPTARG} ;;
     p) PROJECT_NAME=${OPTARG} ;;
     n) VM_NAME=${OPTARG} ;;
     z) ZONE=${OPTARG} ;;
+    c) CC=${OPTARG} ;;
     *) print_usage ;;
   esac
 done

launcher/image/test/test_debug_cloudbuild.yaml

@@ -4,6 +4,7 @@ substitutions:
   '_CLEANUP': 'true'
   '_VM_NAME_PREFIX': 'cs-debug-test'
   '_ZONE': 'us-central1-a'
+  '_CC': ''
   '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/basic-test:latest,tee-cmd=["newCmd"],tee-env-ALLOWED_OVERRIDE=overridden'
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
@@ -16,6 +17,7 @@ steps:
           '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=true',
           '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}',
           '-z', '${_ZONE}',
+          '-c', '${_CC}',
         ]
 - name: 'gcr.io/cloud-builders/gcloud'
   id: BasicWorkloadTest

launcher/image/test/test_hardened_cloudbuild.yaml

@@ -8,6 +8,7 @@ substitutions:
   '_CLEANUP': 'true'
   '_VM_NAME_PREFIX': 'cs-hardened-test'
   '_ZONE': 'us-west1-a'
+  '_CC': ''
   '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/basic-test:latest'
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
@@ -21,6 +22,7 @@ steps:
           '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=true,tee-cmd=["newCmd"],tee-env-ALLOWED_OVERRIDE=overridden',
           '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}',
           '-z', '${_ZONE}',
+          '-c', '${_CC}',
         ]
 - name: 'gcr.io/cloud-builders/gcloud'
   id: BasicWorkloadTest

verifier/fake/fakeverifier.go

@@ -6,13 +6,17 @@ import (
 	"crypto"
 	"encoding/base64"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
 
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/go-eventlog/proto/state"
 	"github.com/google/go-eventlog/register"
+	tabi "github.com/google/go-tdx-guest/abi"
+	tdxpb "github.com/google/go-tdx-guest/proto/tdx"
+	"github.com/google/go-tdx-guest/rtmr"
 	"github.com/google/go-tpm-tools/proto/attest"
 	"github.com/google/go-tpm-tools/proto/tpm"
 	"github.com/google/go-tpm-tools/server"
@@ -53,12 +57,37 @@ func (fc *fakeClient) CreateChallenge(_ context.Context) (*verifier.Challenge, e
 	}, nil
 }
 
-// VerifyAttestation calls server.VerifyAttestation against the request's public key.
-// It returns the marshaled MachineState as a claim.
-func (fc *fakeClient) VerifyAttestation(_ context.Context, req verifier.VerifyAttestationRequest) (*verifier.VerifyAttestationResponse, error) {
-	// Determine signing algorithm.
-	signingMethod := jwt.SigningMethodRS256
-	now := jwt.TimeFunc()
+func verifyTDX(req verifier.VerifyAttestationRequest, nonce []byte) (*attest.MachineState, error) {
+	tdQuote, err := tabi.QuoteToProto(req.TDCCELAttestation.TdQuote)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal TdQuote: %v", err)
+	}
+	quoteV4, ok := tdQuote.(*tdxpb.QuoteV4)
+	if !ok {
+		return nil, errors.New("failed to convert TdQuote: not of type QuoteV4")
+	}
+	rtmrbank, err := rtmr.GetRtmrsFromTdQuote(quoteV4)
+	if err != nil {
+		return nil, err
+	}
+	cosState, err := server.ParseCosCELRTMR(req.TDCCELAttestation.CanonicalEventLog, *rtmrbank)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate the Canonical event log: %w", err)
+	}
+	opts := rtmr.TdxDefaultOpts(nonce)
+	fls, err := rtmr.ParseCcelWithTdQuote(req.TDCCELAttestation.CcelData, req.TDCCELAttestation.CcelAcpiTable, quoteV4, &opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse CCEL: %w", err)
+	}
+	ms, err := server.ConvertToMachineState(fls)
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert to MachineState: %w", err)
+	}
+	ms.Cos = cosState
+	return ms, nil
+}
+
+func verifyTPM(req verifier.VerifyAttestationRequest, nonce []byte) (*attest.MachineState, error) {
 	akPub, err := tpm2.DecodePublic(req.Attestation.GetAkPub())
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode AKPub as TPMT_PUBLIC: %v", err)
@@ -67,7 +96,7 @@ func (fc *fakeClient) VerifyAttestation(_ context.Context, req verifier.VerifyAt
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert TPMT_PUBLIC to crypto.PublicKey: %v", err)
 	}
-	ms, err := server.VerifyAttestation(req.Attestation, server.VerifyOpts{Nonce: fc.nonce, TrustedAKs: []crypto.PublicKey{akCrypto}})
+	ms, err := server.VerifyAttestation(req.Attestation, server.VerifyOpts{Nonce: nonce, TrustedAKs: []crypto.PublicKey{akCrypto}})
 	if err != nil {
 		return nil, fmt.Errorf("failed to verify attestation: %v", err)
 	}
@@ -82,6 +111,31 @@ func (fc *fakeClient) VerifyAttestation(_ context.Context, req verifier.VerifyAt
 		return nil, fmt.Errorf("failed to validate the Canonical event log: %w", err)
 	}
 	ms.Cos = cosState
+	return ms, nil
+}
+
+// VerifyAttestation calls server.VerifyAttestation against the request's public key.
+// It returns the marshaled MachineState as a claim.
+func (fc *fakeClient) VerifyAttestation(_ context.Context, req verifier.VerifyAttestationRequest) (*verifier.VerifyAttestationResponse, error) {
+	// Determine signing algorithm.
+	signingMethod := jwt.SigningMethodRS256
+	now := jwt.TimeFunc()
+	var ms *attest.MachineState
+	var err error
+
+	if req.TDCCELAttestation != nil {
+		ms, err = verifyTDX(req, fc.nonce)
+		if err != nil {
+			return nil, err
+		}
+	} else if req.Attestation != nil {
+		ms, err = verifyTPM(req, fc.nonce)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		return nil, errors.New("contains no attestation in the request")
+	}
 
 	msJSON, err := protojson.Marshal(ms)
 	if err != nil {