[cmd] Add new command token in the CLI tool #375
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@jkl73 @kongoshuu Could you take a look? |
kongoshuu
approved these changes
Oct 16, 2023
|
LGTM, let's hold the merge until the ek cert is more available on gce instance. |
|
/gcbrun |
|
Please hold off merging until the internal privacy policy reviewers give the go-ahead, since this is sending data from a user (should be a nonce, but could be anything) to a Google service. |
Ruide
force-pushed
the
main
branch
3 times, most recently
from
2a3ddb5 to
209ba23
Compare
Hi @jkl73, could we resume the merge? The ek cert is now available on gce instance. And the privacy review is passed. |
|
/gcbrun |
…attestation agent
Ruide
force-pushed
the
main
branch
2 times, most recently
from
19961e6 to
d268962
Compare
|
/gcbrun |
|
/gcbrun |
jkl73
approved these changes
Feb 27, 2024
alexmwu
reviewed
Feb 27, 2024
| Use: "token", | ||
| Short: "Attest and fetch an OIDC token from Google Attestation Verification Service.", | ||
| Long: `Gather attestation report and send it to Google Attestation Verification Service for an OIDC token. | ||
| The OIDC token includes claims regarding the GCE VM, which is verified by Attestation Verification Service. Note that Confidential Computing API needs to be enabled for your account to access Google Attestation Verification Service https://pantheon.corp.google.com/apis/api/confidentialcomputing.googleapis.com. |
There was a problem hiding this comment.
I believe the external-facing URL is console.cloud.google.com :).
So, https://console.cloud.google.com/apis/api/confidentialcomputing.googleapis.com
| return err | ||
| } | ||
| if gceAK.Cert() == nil { | ||
| return errors.New("failed to find gceAKCert on this VM: try creating a new VM or verifying the VM has an EK cert using get-shielded-identity gcloud command. The used key algorithm is: " + usedKeyAlgo) |
There was a problem hiding this comment.
"failed to find GCE AK Certificate on this..."
Comment on lines
+85
to
+102
| // Supports GCE VM. Hard code the AK type. Set GCE AK (EK signing) cert | ||
| var gceAK *client.Key | ||
| var usedKeyAlgo string | ||
| if keyAlgo == tpm2.AlgRSA { | ||
| usedKeyAlgo = "RSA" | ||
| gceAK, err = client.GceAttestationKeyRSA(rwc) | ||
| } | ||
| if keyAlgo == tpm2.AlgECC { | ||
| usedKeyAlgo = "ECC" | ||
| gceAK, err = client.GceAttestationKeyECC(rwc) | ||
| } | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if gceAK.Cert() == nil { | ||
| return errors.New("failed to find gceAKCert on this VM: try creating a new VM or verifying the VM has an EK cert using get-shielded-identity gcloud command. The used key algorithm is: " + usedKeyAlgo) | ||
| } | ||
| gceAK.Close() |
There was a problem hiding this comment.
This has a lot in common with the attest command. We should refactor out common logic.
| "github.com/containerd/containerd/namespaces" | ||
| "github.com/golang-jwt/jwt/v4" | ||
| "github.com/google/go-tpm-tools/client" | ||
| "github.com/google/go-tpm-tools/launcher/agent" |
There was a problem hiding this comment.
This PR encodes a dependency on the launcher submodule. We should separate out the agent logic if it will be used between the two.
Ruide
added a commit
that referenced
this pull request
Mar 15, 2024
* refactor verifier * move rest_network_test to agent_test * resolve token command comments in #375 * refactor token cmd without depending on launcher agent * decouple launcher agent from cloud logger * extract agent common functions to package util * extract getRestClient function * extract getRegion function * fix fake_oauth2_server * use constants in the fake * move util to internal * replace fakeOauth2Credential with os.CreateTemp * refactor principalFetcher * add PrincipleFetcher unit test
alexmwu
added a commit
to alexmwu/go-tpm-tools
that referenced
this pull request
Mar 29, 2024
Breaking Changes: [launcher/cmd] Refactor verifier for issue google#419 * Unexport `cmd.Instance`, `cmd.MetadataServer`, `cmd.NewMetadataServer`. * Move package `verifier` from launcher to go-tpm-tools. * `verifier.Client`, `verifier.Challenge`, etc. * Move package `fake` from launcher to go-tpm-tools. * `fake.Claims`, `fake.NewClient`, etc. * Move package `rest` from launcher to go-tpm-tools. * `rest.NewClient`, `rest.BadRegionError`, etc. New Features: [cmd] Add new command token in the CLI tool google#375 [cmd] add records to cloud logging when fetching token from attestation verifier google#417 Bug Fixes: Statically link binaries built by goreleaser google#425 Other Changes: Update readme to include the instruction to use the prebuilt gotpm tool. google#424 New Contributors: @Ruide in google#375 @qinkunbao in google#424
Merged
alexmwu
added a commit
to alexmwu/go-tpm-tools
that referenced
this pull request
Mar 29, 2024
Breaking Changes: [launcher/cmd] Refactor verifier for issue google#419 * Unexport `cmd.Instance`, `cmd.MetadataServer`, `cmd.NewMetadataServer`. * Move package `verifier` from launcher to go-tpm-tools. * `verifier.Client`, `verifier.Challenge`, etc. * Move package `fake` from launcher to go-tpm-tools. * `fake.Claims`, `fake.NewClient`, etc. * Move package `rest` from launcher to go-tpm-tools. * `rest.NewClient`, `rest.BadRegionError`, etc. New Features: [cmd] Add new command token in the CLI tool google#375 [cmd] add records to cloud logging when fetching token from attestation verifier google#417 Bug Fixes: Statically link binaries built by goreleaser google#425 Other Changes: Update readme to gotpm CLi instructions. google#424, google#426 New Contributors: @Ruide in google#375 @qinkunbao in google#424
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Command Description: Fetch an attestation report from GCE VM vTPM and send it to Google Attestation Service for an OIDC token.
This command improves usability for a GCE VM user.
This PR replaces closed #368. Branch name changed.