Skip to content

Allow specifying accepted avisories for SWHardeningNeeded TCB status#733

Merged
daniel-weisse merged 7 commits into
masterfrom
dw/advisory-whitelist
Oct 2, 2024
Merged

Allow specifying accepted avisories for SWHardeningNeeded TCB status#733
daniel-weisse merged 7 commits into
masterfrom
dw/advisory-whitelist

Conversation

@daniel-weisse
Copy link
Copy Markdown
Member

@daniel-weisse daniel-weisse commented Sep 26, 2024

#729 added support for reading the Security Advisories if attestation failed due to invalid TCB status.
This PR builds on that to allow users to specify just specific advisories when the reported TCB status is SWHardeningNeeded

Proposed changes

  • Add a new flag to the CLI --accepted-advisories which allows specifying a list of Intel Security Advisories to accept if the Coordinator's TCB status is SWHardeningNeeded. If not set, all advisories are accepted
  • Add a new manifest field Packages.AcceptedAdvisories which allows specifying a list of Intel Security Advisories to accept if the package's TCB status is SWHardeningNeeded. If not set, all advisories are accepted
  • Fix for the CLI printing a nil error if parsing the advisory list of a report failed

@netlify
Copy link
Copy Markdown

netlify Bot commented Sep 26, 2024
edited
Loading

Deploy Preview for marblerun-docs canceled.

Name Link
🔨 Latest commit 69323e6
🔍 Latest deploy log https://app.netlify.com/sites/marblerun-docs/deploys/66fce6f49ad8ca00087b32e4

thomasten
thomasten requested changes Sep 27, 2024
View reviewed changes
Comment thread api/attestation/attestation.go Outdated
Comment thread api/attestation/attestation.go Outdated
Comment thread coordinator/quote/ert.go
Comment thread coordinator/quote/ertvalidator/ertvalidator.go
Comment thread internal/tcb/tcb_test.go
Comment thread coordinator/quote/ert.go
Comment thread api/attestation/attestation_test.go
@daniel-weisse
Allow specifying accepted avisories for SWHardeningNeeded TCB status
2cd394e 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Add separate NewTCBStatusErrorWithAdvisories function
0caff58 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Return error on CheckAdvisories if report contains an TCBAdvisoriesErr
83cf0ce 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Add AcceptedAdvisories to quote string representation
0d4c161 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Simplify package update logic
f1130a8 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
Improve tcb advisory error test
5035c93 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse daniel-weisse force-pushed the dw/advisory-whitelist branch from 77591d1 to 5035c93 Compare October 2, 2024 06:21
@daniel-weisse
Keep vale action on ubuntu-22.04
69323e6 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse daniel-weisse merged commit bc05f54 into master Oct 2, 2024
@daniel-weisse daniel-weisse deleted the dw/advisory-whitelist branch October 2, 2024 06:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thomasten thomasten thomasten approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daniel-weisse @thomasten