Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Align policy hash verification between SNP and TDX #901

Merged
merged 4 commits into from
Oct 2, 2024
Merged

Align policy hash verification between SNP and TDX #901

merged 4 commits into from
Oct 2, 2024

Conversation

burgerdev
Copy link
Contributor

BREAKING: The Prometheus counter contrast_meshapi_attestation_failures_total is not incremented anymore if a workload has matching reference values but an untrusted policy hash. These rejections are now visible in the contrast_grpc_server_handled_total counter with field grpc_code=PermissionDenied.

The policy hash is passed as HOSTDATA on SNP and as MRCONFIGID on TDX. In the SNP validation, we used to check the HOSTDATA too, but we did not introduce this for TDX. As a consequence, the metrics observed on SNP and TDX are different: on SNP, an unknown hash ends up in attestation_failures_total, while on TDX it ends up in grpc_server_handled_total with an internal error status. Thus, we could not have a simple portable policy test that relied on the metrics.

This PR unifies handling of the policy hash between SNP and TDX by removing the additional validation from SNP. Existence of the hash in the manifest is now only checked in the NewMeshCert handler, where failures increment the grpc_server_handled_total with a PermissionDenied status. Now we can run the policy e2e test on all platforms.

Drive-by fix: the CLI now verifies coordinators on TDX correctly.

@burgerdev burgerdev added the breaking change A user-affecting breaking change label Sep 30, 2024
@burgerdev burgerdev marked this pull request as ready for review September 30, 2024 14:07
@burgerdev burgerdev requested review from Freax13 and katexochen and removed request for katexochen September 30, 2024 14:08
Freax13
Freax13 reviewed Sep 30, 2024
View reviewed changes
coordinator/meshapi.go Show resolved Hide resolved
e2e/policy/policy_test.go Outdated Show resolved Hide resolved
@burgerdev burgerdev force-pushed the burgerdev/bm-policy-test branch from 4b818b8 to 05807fa Compare October 1, 2024 13:56
@burgerdev burgerdev force-pushed the burgerdev/bm-policy-test branch from 05807fa to 97160ad Compare October 1, 2024 13:57
@burgerdev burgerdev requested a review from Freax13 October 1, 2024 16:55
@burgerdev burgerdev merged commit b154547 into main Oct 2, 2024
21 checks passed
@burgerdev burgerdev deleted the burgerdev/bm-policy-test branch October 2, 2024 06:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Freax13 Freax13 Freax13 approved these changes

@katexochen katexochen Awaiting requested review from katexochen

Assignees
No one assigned
Labels
breaking change A user-affecting breaking change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@burgerdev @Freax13