From a8de5b942f375f65189cf640ff20b20d56fb4461 Mon Sep 17 00:00:00 2001
From: Justin Plock
Date: Wed, 18 Dec 2024 19:14:25 -0500
Subject: [PATCH] WIP
---
 ci_template.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/ci_template.yml b/ci_template.yml
index 06f7771..a4756eb 100644
--- a/ci_template.yml
+++ b/ci_template.yml
@@ -1171,13 +1171,12 @@ Resources:
 Type: Pass
 Assign:
 BuildCondition:
- Condition:
- StringEqualsIgnoreCase:
- "kms:RecipientAttestation:ImageSha384": "{% $states.input.Measurements.PCR0 %}" # EIF hash
- "kms:RecipientAttestation:PCR1": "{% $states.input.Measurements.PCR1 %}" # Linux kernel and bootstrap
- "kms:RecipientAttestation:PCR2": "{% $states.input.Measurements.PCR2 %}" # Application
- "kms:RecipientAttestation:PCR3": "{% $states.input.Measurements.PCR3 %}" # IAM role for parent instance
- "kms:RecipientAttestation:PCR8": "{% $states.input.Measurements.PCR8 %}" # Enclave image file signing certificate
+ StringEqualsIgnoreCase:
+ "kms:RecipientAttestation:ImageSha384": "{% $states.input.Measurements.PCR0 %}" # EIF hash
+ "kms:RecipientAttestation:PCR1": "{% $states.input.Measurements.PCR1 %}" # Linux kernel and bootstrap
+ "kms:RecipientAttestation:PCR2": "{% $states.input.Measurements.PCR2 %}" # Application
+ "kms:RecipientAttestation:PCR3": "{% $states.input.Measurements.PCR3 %}" # IAM role for parent instance
+ "kms:RecipientAttestation:PCR8": "{% $states.input.Measurements.PCR8 %}" # Enclave image file signing certificate
 Next: GetKeyPolicy
 GetKeyPolicy:
 Type: Task
@@ -1191,7 +1190,7 @@ Resources:
 MergeStatements:
 Type: Pass
 Output:
- KeyPolicy: "{% $states.input.KeyPolicy ~> |Statement[Sid='AllowDecryptByEnclave']|$BuildCondition| %}"
+ KeyPolicy: "{% $states.input.KeyPolicy ~> |Statement[Sid='AllowDecryptByEnclave'].Condition|$BuildCondition| %}"
 Next: UpdatePolicy
 UpdatePolicy:
 Type: Task
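Review bot: Nothing in this state checks the five `$states.input.Measurements.*` values before they become the attestation condition for the key policy. The state begins above the hunk, so an earlier check may exist; if not, a guard ahead of it should require each value to be a 96-character hex SHA-384 digest and not all zeros, e.g. `$contains($states.input.Measurements.PCR0, /^[0-9a-f]{96}$/i)`, because enclaves started in debug mode attest with all-zero PCRs and a zero value written here would let one satisfy the condition. A one-line comment above `StringEqualsIgnoreCase:` saying that `BuildCondition` now holds the operator map merged into the statement's existing `Condition` would also help.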
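Review bot: With the location changed to `Statement[Sid='AllowDecryptByEnclave'].Condition`, the transform matches nothing when that statement has no `Condition` key (or the Sid is absent), so `KeyPolicy` passes through unchanged and `UpdatePolicy` would write back a decrypt statement with no attestation check. Keeping the statement as the target and merging inside the update avoids that: `|Statement[Sid='AllowDecryptByEnclave']|{"Condition": $merge([Condition, $BuildCondition])}|`. It would also be worth failing the execution before `UpdatePolicy` if the resulting statement does not carry the `kms:RecipientAttestation:*` keys. The `UpdatePolicy` state continues outside the hunk.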