attestation_policy: unify the PCR path across platforms

fangge1212 · fangge1212 · commit be7eda5c9402 · 2025-10-14T22:03:49.000-04:00
Previously, attestation policies had to handle different PCR path formats:
- Azure SNP:   input.azsnpvtpm.tpm.pcr01
- Azure TDX:   input.aztdxvtpm.tpm.pcr01
- Local TPM:   input.tpm.pcr[1]

This change introduces a generic `get_by_path()` helper and rewrites PCR
validation rules to dynamically traverse nested objects based on a
platform-specific path array. As a result, the same set of rules can now
be reused for multiple platforms without duplicating policy logic.

Benefits:
- Removes platform-specific hardcoding from rules
- Simplifies maintenance and extension to future platforms
- Makes PCR verification more consistent and extensible

Signed-off-by: Fangge Jin &lt;fjin@redhat.com&gt;
diff --git a/policy/attestation-policy.rego b/policy/attestation-policy.rego
@@ -29,10 +29,10 @@ default configuration := 36
 
 ##### Azure vTPM SNP
 executables := 3 if {
+    platform := detect_platform
     input.azsnpvtpm.measurement in data.reference.measurement
-    input.azsnpvtpm.tpm.pcr4 in data.reference.snp_pcr04
-    input.azsnpvtpm.tpm.pcr7 in data.reference.snp_pcr07
-    input.azsnpvtpm.tpm.pcr11 in data.reference.snp_pcr11
+    pcr_match(platform, "pcr04", data.reference.pcr04)
+    pcr_match(platform, "pcr07", data.reference.pcr07)
 }
 
 hardware := 2 if {
@@ -52,3 +52,35 @@ configuration := 2 if {
     input.azsnpvtpm.policy_smt_allowed in data.reference.smt_allowed
 }
 
+##### PCRs check for any platform
+platform_paths := {
+    "azure-snp": ["azsnpvtpm", "tpm"],
+    "azure-tdx": ["aztdxvtpm", "tpm"],
+    "raw": ["tpm"]
+}
+
+detect_platform := "azure-snp" if {
+    input.azsnpvtpm
+} else := "azure-tdx" if {
+    input.aztdxvtpm
+} else := "raw"
+
+get_by_path(obj, path) = result if {
+    result := object.get(obj, path, false)
+}
+
+get_pcr_value(platform, pcr_name) = value if {
+    platform != "raw"
+    tpm := get_by_path(input, platform_paths[platform])
+    value := tpm[pcr_name]
+}
+
+get_pcr_value("raw", pcr_name) = value if {
+    tpm := get_by_path(input, platform_paths["raw"])
+    idx := to_number(trim_prefix(pcr_name, "pcr"))
+    value := tpm.pcr[idx]
+}
+
+pcr_match(platform, pcr_name, expected_values) if {
+    lower(get_pcr_value(platform, pcr_name)) in expected_values
+}
