@@ -15,6 +15,7 @@ import (
1515 "net/http"
1616 "os"
1717 "path/filepath"
18+ "strings"
1819
1920 "github.com/edgelesssys/contrast/initdata-processor/policy"
2021 "github.com/edgelesssys/contrast/initdata-processor/validator"
@@ -27,7 +28,10 @@ const (
2728 insecureConfigPath = "/run/insecure-cfg"
2829)
2930
30- var version = "0.0.0-dev"
31+ var (
32+ version = "0.0.0-dev"
33+ kernelCmdlinePath = "/proc/cmdline"
34+ )
3135
3236// We always exit with status code 0 so that the Kata agent can start and propagate errors to
3337// the runtime.
@@ -100,10 +104,17 @@ func handleInitdata(doc initdata.Raw) (hostdata []byte, insecurePlatform bool, r
100104 return nil , false , fmt .Errorf ("computing initdata digest: %w" , err )
101105 }
102106
107+ allowInsecure , err := allowInsecureAttestation ()
108+ if err != nil {
109+ return nil , false , err
110+ }
111+
103112 v , verr := validator .New ()
104113 if errors .Is (verr , validator .ErrNoPlatform ) {
114+ if ! allowInsecure {
115+ return nil , false , fmt .Errorf ("no TEE platform detected and insecure attestation is not allowed" )
116+ }
105117 log .Print ("WARNING: No TEE platform detected, skipping initdata digest validation. This is expected on insecure platforms." )
106- insecurePlatform = true
107118 } else if verr != nil {
108119 return nil , false , fmt .Errorf ("creating validator: %w" , verr )
109120 } else if err := v .ValidateDigest (digest ); err != nil {
@@ -121,7 +132,20 @@ func handleInitdata(doc initdata.Raw) (hostdata []byte, insecurePlatform bool, r
121132 return nil , false , fmt .Errorf ("writing file %q: %w" , path , err )
122133 }
123134 }
124- return digest , insecurePlatform , nil
135+ return digest , allowInsecure , nil
136+ }
137+
138+ func allowInsecureAttestation () (bool , error ) {
139+ cmdline , err := os .ReadFile (kernelCmdlinePath )
140+ if err != nil {
141+ return false , fmt .Errorf ("reading kernel command line: %w" , err )
142+ }
143+ for _ , param := range strings .Fields (string (cmdline )) {
144+ if param == "contrast.allow_insecure_attestation=1" {
145+ return true , nil
146+ }
147+ }
148+ return false , nil
125149}
126150
127151// serveHostdata starts an HTTP server that serves the hostdata digest.
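Review bot: The new return `return digest, allowInsecure, nil` changes what the second result means: before, it was true only when no TEE platform was detected, but now it is true whenever the cmdline flag is present, including on a real TEE where ValidateDigest just succeeded, so a caller that acts on `insecurePlatform` (presumably via insecureConfigPath) would be told the platform is insecure when it is not. Keep the flag as a gate and the result as a platform fact: add `insecurePlatform = true` back after the `if !allowInsecure` check in the ErrNoPlatform branch and return `digest, insecurePlatform, nil`. It is also worth a comment on allowInsecureAttestation that the flag only matters in the no-platform branch, where nothing is measured, so it records operator intent rather than providing any protection, e.g. `// The flag only takes effect when no TEE platform is detected; it is a deliberate opt-in by whoever controls the kernel command line, not a security boundary.` Reading /proc/cmdline unconditionally also means a read failure now aborts handleInitdata even on a TEE platform that needs no opt-in; calling allowInsecureAttestation inside the ErrNoPlatform branch would avoid that. handleInitdata begins outside the hunk.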