microsoft / guardedfabrictools
PowerShell tools for managing a Hyper-V guarded fabric and shielded virtual machines
License: MIT License
There seems to be a lack of documentation around the ShieldedVMProvisioning supporting module that this module utilizes. I also cannot find where to actually get the ShieldedVMProvisioning module to fully utilize this module.
As an example just running the new-shieldedvm cmdlet will error on:
Get-KeyProtectorFromShieldingDataFile : The term 'Get-KeyProtectorFromShieldingDataFile' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Can you provide further clarification around the ShieldedVMProvisioning module and where to actually get this from?
Trying out this module in PowerShell Core earlier, I ran into the following:
> Install-Module GuardedFabricTools
# Success
> Import-Module GuardedFabricTools
Add-Type : (157,17): error CS0246: The type or namespace name 'SafeNCryptKeyHandle' could not be found (are you missing a using directive or an assembly reference?)
out SafeNCryptKeyHandle phCryptProvOrNCryptKey,
^
At C:\Users\Administrator\Documents\PowerShell\Modules\GuardedFabricTools\1.0.0\CertificateManagement\CertificateManagement.psm1:633 char:5
+ Add-Type -TypeDefinition $source -Language CSharp -ReferencedAsse ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: ((157,17): error...bly reference?):CSDiagnostic) [Add-Type], Exception
+ FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand
ipmo : The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)
At line:1 char:1
+ ipmo GuardedFabricTools
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-Module], FileLoadException
+ FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand
I had a quick look into the relevant part of the module:
https://github.com/Microsoft/GuardedFabricTools/blob/c62650db8fc02b5273c272477594762b59d68d19/CertificateManagement/CertificateManagement.psm1#L18-L38
(The above sets up the references used by Add-Type below.)
I edited the file and replaced the code above with this:
if (Test-Nano)
{
    Write-Verbose "Running on Nano, using API sets."
    $securityDll = "api-ms-win-security-base-l1-2-0"
    $capiDll = "api-ms-win-security-cryptoapi-l1-1-0"
    $PrepareConstrainedRegions = ""
    $references = "System.Security.Cryptography.X509Certificates.dll", `
                  "System.Security.Cryptography.Cng.dll", `
                  "System.IO.FileSystem.AccessControl.dll", `
                  "System.Runtime.Handles.dll", `
                  "System.Security.AccessControl.dll", `
                  "Microsoft.Win32.Primitives.dll" | % { Join-Path "C:\Windows\system32\DotNetCore\v1.0\" $_ }
}
elseif ($PSEdition -eq 'Core')
{
    # PowerShell Core: the split .NET Core assemblies live next to pwsh in $PSHome,
    # and RuntimeHelpers.PrepareConstrainedRegions() is not available there.
    $securityDll = "advapi32.dll"
    $capiDll = "advapi32.dll"
    $PrepareConstrainedRegions = ""
    $references = "System.Security.Cryptography.X509Certificates.dll", `
                  "System.Security.Cryptography.Cng.dll", `
                  "System.IO.FileSystem.AccessControl.dll", `
                  "System.Runtime.Handles.dll", `
                  "System.Security.AccessControl.dll", `
                  "Microsoft.Win32.Primitives.dll" | % { Join-Path $PSHome $_ }
}
else
{
    Write-Verbose "Not running on Nano, using default Win32 binaries."
    $securityDll = "advapi32.dll"
    $capiDll = "advapi32.dll"
    $references = @()
    $PrepareConstrainedRegions = "RuntimeHelpers.PrepareConstrainedRegions();"
}
That allowed me to load the module.
I'm not sure if that's the right fix, so I haven't opened a PR yet. But if we decide this is the way to go (and that this is a wanted change), I can easily do so.
Hi,
I've used the module to back up the ACLs of a cert, delete it with the -deletekey option and reimport it via certutil to a different CSP/KSP (HSM); after that I tried to restore the ACLs. That failed with the following exception:
Exception setting "Acl": "Exception setting "Acl": "The system cannot find the file specified""
If I invalidate the handle after importing the cert with certutil with this code:
$handle=$global:ContosoCertificateManagementHandleCache[$cert.GetHashCode()]
$handle.dispose()
it works.
Is it possible to automatically invalidate the handle if the cert gets deleted?
greetings
Carsten
PS: Do you have any good tips on how to import a certificate's private key into a CSP/KSP without using certutil, using only PowerShell?
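One way to avoid the stale-handle failure described in the post above is to dispose the cached key handle at the moment the certificate is deleted, rather than afterwards. The following is an added example, not code from GuardedFabricTools; it assumes the cache is the $global:ContosoCertificateManagementHandleCache dictionary keyed by $cert.GetHashCode() as shown in the post, and that the certificate lives in the LocalMachine\My store.

```powershell
# Added example (not part of the GuardedFabricTools module): delete a certificate
# and its private key, disposing the module's cached key handle first so a later
# ACL operation cannot reuse a handle to a key that no longer exists.
function Remove-CertificateAndCachedHandle {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumption: the store the certificate was read from.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $cache = $global:ContosoCertificateManagementHandleCache   # name from the post above
    $key   = $Certificate.GetHashCode()                        # same cache key the post uses

    if ($null -ne $cache -and $cache.ContainsKey($key)) {
        Write-Verbose "Disposing cached key handle for $($Certificate.Thumbprint)"
        try   { $cache[$key].Dispose() }
        catch { Write-Warning "Dispose failed for $($Certificate.Thumbprint): $_" }
        $cache.Remove($key)
    }

    # The certificate provider's Remove-Item -DeleteKey removes the private key
    # together with the certificate; without it the key would be left behind.
    $path = Join-Path $StorePath $Certificate.Thumbprint
    if ($PSCmdlet.ShouldProcess($path, 'Remove certificate and private key')) {
        Remove-Item -Path $path -DeleteKey
    }
}
```

After the certificate is reimported under the new CSP/KSP, the module has to open a fresh handle on first use, which is the behaviour the manual $handle.dispose() call in the post produces.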
Running this module on guarded hosts that have CI Policy lockdown isn't possible if you don't publish the public key/cert this was signed with. Please consider adding the cert with the public key so we can trust this code in our CI policy.
The version of these tools published to PSGallery is outdated and missing fixes, especially the ones around Static IPs.
PDKs with "encryption supported" policy do not require live migration traffic to be encrypted, but New-ShieldedVM should enable it anyway to promote secure defaults. "Shielded" policies will already enforce this requirement.