initdata-processor: add insecure field for initdata

msanft · msanft · commit f2897e60b05e · 2026-05-06T11:56:02.000+02:00
diff --git a/initdata-processor/main.go b/initdata-processor/main.go
@@ -6,7 +6,7 @@ package main
 import (
 	"bytes"
 	"context"
-	"errors"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/fs"
@@ -23,8 +23,9 @@ import (
 )
 
 const (
-	measuredConfigPath = "/run/measured-cfg"
-	insecureConfigPath = "/run/insecure-cfg"
+	measuredConfigPath         = "/run/measured-cfg"
+	insecureConfigPath         = "/run/insecure-cfg"
+	initdataProcessorConfigKey = "contrast-initdata-processor.json"
 )
 
 var version = "0.0.0-dev"
@@ -100,28 +101,54 @@ func handleInitdata(doc initdata.Raw) (hostdata []byte, insecurePlatform bool, r
 		return nil, false, fmt.Errorf("computing initdata digest: %w", err)
 	}
 
-	v, verr := validator.New()
-	if errors.Is(verr, validator.ErrNoPlatform) {
-		log.Print("WARNING: No TEE platform detected, skipping initdata digest validation. This is expected on insecure platforms.")
-		insecurePlatform = true
-	} else if verr != nil {
-		return nil, false, fmt.Errorf("creating validator: %w", verr)
-	} else if err := v.ValidateDigest(digest); err != nil {
-		return nil, false, fmt.Errorf("validating initdata digest: %w", err)
-	}
-
 	data, err := doc.Parse()
 	if err != nil {
 		return nil, false, fmt.Errorf("parsing initdata: %w", err)
 	}
+	processorConfig, err := parseProcessorConfig(data.Data)
+	if err != nil {
+		return nil, false, err
+	}
+	if processorConfig.Insecure {
+		log.Print("WARNING: Insecure initdata requested, skipping TEE initdata digest validation.")
+	} else {
+		v, err := validator.New()
+		if err != nil {
+			return nil, false, fmt.Errorf("creating validator: %w", err)
+		}
+		if err := v.ValidateDigest(digest); err != nil {
+			return nil, false, fmt.Errorf("validating initdata digest: %w", err)
+		}
+	}
 	for name, content := range data.Data {
 		name = filepath.Clean(name)
 		path := filepath.Join(measuredConfigPath, name)
 		if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
 			return nil, false, fmt.Errorf("writing file %q: %w", path, err)
 		}
 	}
-	return digest, insecurePlatform, nil
+	return digest, processorConfig.Insecure, nil
+}
+
+type processorConfig struct {
+	// Insecure allows running workloads on non-TEE development platforms.
+	// When set, the initdata-processor serves the initdata digest to the
+	// insecure attestation issuer via HTTP instead of validating it against
+	// TEE hostdata.
+	Insecure bool `json:"insecure"`
+}
+
+func parseProcessorConfig(data map[string]string) (processorConfig, error) {
+	configJSON, ok := data[initdataProcessorConfigKey]
+	if !ok {
+		return processorConfig{}, nil
+	}
+
+	var config processorConfig
+	if err := json.Unmarshal([]byte(configJSON), &config); err != nil {
+		return processorConfig{}, fmt.Errorf("parsing %q: %w", initdataProcessorConfigKey, err)
+	}
+	return config, nil
 }
 
 // serveHostdata starts an HTTP server that serves the hostdata digest.
diff --git a/initdata-processor/main_test.go b/initdata-processor/main_test.go
@@ -0,0 +1,50 @@
+// Copyright 2026 Edgeless Systems GmbH
+// SPDX-License-Identifier: BUSL-1.1
+
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseProcessorConfig(t *testing.T) {
+	tests := map[string]struct {
+		data         map[string]string
+		wantInsecure bool
+		wantErr      bool
+	}{
+		"missing": {},
+		"insecure": {
+			data: map[string]string{
+				initdataProcessorConfigKey: `{"insecure": true}`,
+			},
+			wantInsecure: true,
+		},
+		"secure": {
+			data: map[string]string{
+				initdataProcessorConfigKey: `{"insecure": false}`,
+			},
+		},
+		"invalid": {
+			data: map[string]string{
+				initdataProcessorConfigKey: `{insecure: true}`,
+			},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			config, err := parseProcessorConfig(tc.data)
+			if tc.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tc.wantInsecure, config.Insecure)
+		})
+	}
+}
diff --git a/internal/initdata/initdata_test.go b/internal/initdata/initdata_test.go
@@ -28,7 +28,6 @@ func buildTemplate(algorithm, version string, data bool) Raw {
 	if version != "" {
 		fmt.Fprintf(&builder, "version = \"%s\"\n", version)
 	}
-
 	if data {
 		builder.WriteString(`
 [data]
@@ -159,6 +158,7 @@ func TestEncode(t *testing.T) {
 
 			assert.Contains(tomlString, fmt.Sprintf("version = '%s'", tc.version))
 			assert.Contains(tomlString, fmt.Sprintf("algorithm = '%s'", tc.algorithm))
+			assert.NotContains(tomlString, "insecure")
 			for key, value := range tc.data {
 				if strings.Contains(key, ".") {
 					key = fmt.Sprintf("'%s'", key)
