cli: read Azure SEV-SNP version values from launch TCB in constellation verify output
#2357
Conversation
✅ Deploy Preview for constellation-docs canceled.
|
Coverage report
|
fb46fb1 to
7f22076
Compare
| ) | ||
|
|
||
| // ParseSNPReport parses the SNP report and returns the version information. | ||
| func ParseSNPReport(reader io.Reader) (attestationconfigapi.AzureSEVSNPVersion, error) { |
There was a problem hiding this comment.
We have no stability guarantees of Constellation's cli output format. Therefore, this way of parsing is very brittle.
My suggestion is that we should write the full json (before parsing) to disk on constellation verify and then use the exact same parsing here.
There was a problem hiding this comment.
Is this a sensible default to write it to file at all times? or should we add a new flag to show the output as json? I can do that but was not sure this was worth the implementation effort since we also control the constellation verify output and the CI test for the attestationconfigapi would fail
There was a problem hiding this comment.
When we use --raw to parse the content the instance info containing the report is base64 encoded this makes the file parsing yet more obscure in the e2e test setup. Not sure we should go this route. @derpsteb what do you think?
I don't see the verify output as very unstable.
The current parsing would only fail if we rename the affected fields in the report or move the signature field in the output. But the latter could be fixed too.
7f22076 to
a2ed05b
Compare
|
Note that we changed this feature to also consider the Committed and Reported TCB. Please check the AB ticket again. |
|
I discussed with @katexochen and we currently see the following way forward:
Both in one separate PR. Then we can go ahead and implement this story. For the second option based on the json output which can simply be marshalled and unmarshalled again or fir the first option based on the raw output. |
|
I agree that having a |
|
@3u13r @derpsteb so should the azureInstanceInfo be further parsed into a new format which contains version information as presented in the output (see constellation/cli/internal/cmd/verify.go Line 410 in 3ed001f The azureInstanceInfo still has raw data which is unreadable, but I think that we should have a readable file output. |
Yes, the idea is to parse this recursively. All the way down to all struct we currently have and so that everything is readable. |
|
closing in favor of new implementation in #2429 |
UPDATE waiting for #2391
Context
As described in #2343, the current version fetching is not reliable. Since it is not transparent how the Azure MAA values are deduced, we rather refer to the Launch TCB values from
constellation verifyProposed change(s)
Related issue
Checklist