Merge branch 'confidential-containers:main' into feat-kms-aliyun-sm
1570005763 authored Jan 18, 2024
2 parents 83b0b9a + cf5716d commit 9ce601d
Showing 57 changed files with 1,085 additions and 843 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/cdh_basic.yml
Expand Up @@ -50,11 +50,11 @@ jobs:
- name: Build and install
run: |
make && make install
make RESOURCE_PROVIDER=kbs,sev && make install
- name: Musl build
run: |
make LIBC=musl
make LIBC=musl RESOURCE_PROVIDER=kbs,sev
- name: s390x build
run:
15 changes: 7 additions & 8 deletions .github/workflows/image_rs_build.yml
Expand Up @@ -74,9 +74,7 @@ jobs:
run: |
cargo clippy -p image-rs --all-targets --features=default -- -D warnings
cargo clippy -p image-rs --all-targets --features=kata-cc-rustls-tls --no-default-features -- -D warnings
cargo clippy -p image-rs --all-targets --features=enclave-cc-eaakbc-rustls-tls --no-default-features -- -D warnings
cargo clippy -p image-rs --all-targets --features=kata-cc-native-tls --no-default-features -- -D warnings
cargo clippy -p image-rs --all-targets --features=enclave-cc-eaakbc-native-tls --no-default-features -- -D warnings
cargo clippy -p image-rs --all-targets --features=enclave-cc-cckbc-native-tls --no-default-features -- -D warnings
cargo clippy -p image-rs --all-targets --features=kata-cc-native-tls,signature-simple-xrss --no-default-features -- -D warnings
Expand All @@ -90,13 +88,14 @@ jobs:
run: |
sudo -E PATH=$PATH -s cargo test -p image-rs --features default
- name: Run cargo test - kata-cc (rust-tls version) with keywrap-grpc + keywrap-jwe
run: |
sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-ring,keywrap-grpc,snapshot-overlayfs,signature-cosign-rustls,signature-simple,getresource,oci-distribution/rustls-tls,keywrap-jwe
# TODO: delete the comment after https://github.com/confidential-containers/guest-components/issues/430
# - name: Run cargo test - kata-cc (rust-tls version) with keywrap-grpc + keywrap-jwe
# run: |
# sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-ring,keywrap-grpc,snapshot-overlayfs,signature-cosign-rustls,signature-simple,getresource,oci-distribution/rustls-tls,keywrap-jwe

- name: Run cargo test - kata-cc (native-tls version) with keywrap-grpc + keywrap-jwe
run: |
sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-openssl,keywrap-grpc,snapshot-overlayfs,signature-cosign-native,signature-simple,getresource,oci-distribution/native-tls,keywrap-jwe
# - name: Run cargo test - kata-cc (native-tls version) with keywrap-grpc + keywrap-jwe
# run: |
# sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-openssl,keywrap-grpc,snapshot-overlayfs,signature-cosign-native,signature-simple,getresource,oci-distribution/native-tls,keywrap-jwe

- name: Run cargo test - kata-cc (rust-tls version) with keywrap-ttrpc (default) + keywrap-jwe
run: |
24 changes: 0 additions & 24 deletions .github/workflows/ocicrypt_rs_build.yml
Expand Up @@ -146,30 +146,6 @@ jobs:
command: test
args: -p ocicrypt-rs --no-default-features --features=keywrap-keyprovider-native

- name: Run cargo test - eaa-kbc
uses: actions-rs/cargo@v1
with:
command: test
args: -p ocicrypt-rs --no-default-features --features=eaa_kbc

- name: Run cargo test - cc-kbc-sgx
uses: actions-rs/cargo@v1
with:
command: test
args: -p ocicrypt-rs --no-default-features --features=cc_kbc_sgx

- name: Run cargo test - default
uses: actions-rs/cargo@v1
with:
command: test
args: -p ocicrypt-rs --no-default-features

- name: Run cargo test - all features
uses: actions-rs/cargo@v1
with:
command: test
args: -p ocicrypt-rs --no-default-features --all-features

- name: Run cargo fmt check
uses: actions-rs/cargo@v1
with:
19 changes: 17 additions & 2 deletions Cargo.lock


29 changes: 24 additions & 5 deletions Makefile
@@ -1,22 +1,41 @@
TEE_PLATFORM ?= test
TEE_PLATFORM ?= fs
ARCH ?= $(shell uname -m)

DESTDIR ?= /usr/local/bin

LIBC ?= musl
KBC ?=
RESOURCE_PROVIDER ?= kbs

ifeq ($(TEE_PLATFORM), test)
NO_RESOURCE_PROVIDER ?=

ifeq ($(NO_RESOURCE_PROVIDER), true)
RESOURCE_PROVIDER :=
else
RESOURCE_PROVIDER ?= kbs
endif

ifeq ($(TEE_PLATFORM), none)
KBC = cc_kbc
else ifeq ($(TEE_PLATFORM), fs)
KBC = offline_fs_kbc
else ifeq ($(TEE_PLATFORM), tdx)
LIBC = gnu
KBC = cc_kbc_tdx
else ifeq ($(TEE_PLATFORM), az-tdx-vtpm)
KBC = cc_kbc_az_tdx_vtpm
else ifeq ($(TEE_PLATFORM), sev)
KBC = online_sev_kbc
RESOURCE_PROVIDER = sev
ifeq ($(NO_RESOURCE_PROVIDER), true)
RESOURCE_PROVIDER :=
else
RESOURCE_PROVIDER = sev
endif
else ifeq ($(TEE_PLATFORM), snp)
KBC = cc_kbc_snp
else ifeq ($(TEE_PLATFORM), az-snp-vtpm)
KBC = cc_kbc_az_snp_vtpm
endif
# TODO: Add support for SNP, Az-snp-vtpm, CCA, CSV
# TODO: Add support for CCA and CSV

ifeq ($(ARCH), $(filter $(ARCH), s390x powerpc64le))
LIBC = gnu
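Review bot: The `NO_RESOURCE_PROVIDER` check is written twice, once as the default at the top and again inside the `sev` branch, so every future platform that sets its own provider has to remember to repeat it. A single check placed after the platform `ifeq` chain would cover both cases: `ifeq ($(NO_RESOURCE_PROVIDER), true)` / `RESOURCE_PROVIDER :=` / `endif`, with the top-level default reduced to `RESOURCE_PROVIDER ?= kbs`. Note also that the flag is only honoured when it is exactly `true`; a value such as `1` or `yes` is silently ignored, which is worth stating in the README or accepting explicitly.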
17 changes: 14 additions & 3 deletions README.md
Expand Up @@ -23,17 +23,28 @@ CoCo Keyprovider. Used to encrypt the container images.

## Build

A `Makefile` is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub of a given platform.
A `Makefile` is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub for a given platform.

```shell
make build TEE_PLATFORM=$(TEE_PLATFORM)
make install DESTDIR=/usr/local/bin
```

The `TEE_PLATFORM` parameter can be
- `test`: for test
- `none`: for tests with non-confidential guests
- `fs`: for platforms with encrypted root filesystems (i.e. s390x)
- `tdx`: for Intel TDX
- `sev`: for AMD SEV
- `az-tdx-vtpm`: for Intel TDX with Azure vTPM
- `sev`: for AMD SEV(-ES)
- `snp`: for AMD SEV-SNP
- `az-snp-vtpm`: for AMD SEV-SNP with Azure vTPM

by default, `kbs`/`sev` as a resource provider will be built in Confidential Data Hub. If you do not want enable any
default except for only builtin `offline-fs-kbc`, you can build with `NO_RESOURCE_PROVIDER` flag set to `true`.

```shell
make build TEE_PLATFORM=$(TEE_PLATFORM) NO_RESOURCE_PROVIDER=true
```

## License
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fconfidential-containers%2Fimage-rs.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fconfidential-containers%2Fimage-rs?ref=badge_large)
2 changes: 1 addition & 1 deletion attestation-agent/attester/src/bin/evidence_getter.rs
Expand Up @@ -14,7 +14,7 @@ async fn main() {
.read(&mut report_data)
.expect("read input failed");

let tee = detect_tee_type().expect("unknown tee type");
let tee = detect_tee_type();
let attester: BoxedAttester = tee.try_into().expect("create attester failed");
let evidence = attester
.get_evidence(report_data)
23 changes: 10 additions & 13 deletions attestation-agent/attester/src/lib.rs
Expand Up @@ -77,45 +77,42 @@ pub trait Attester {
}

// Detect which TEE platform the KBC running environment is.
pub fn detect_tee_type() -> Option<Tee> {
if sample::detect_platform() {
return Some(Tee::Sample);
}

pub fn detect_tee_type() -> Tee {
#[cfg(feature = "tdx-attester")]
if tdx::detect_platform() {
return Some(Tee::Tdx);
return Tee::Tdx;
}

#[cfg(feature = "sgx-attester")]
if sgx_dcap::detect_platform() {
return Some(Tee::Sgx);
return Tee::Sgx;
}

#[cfg(feature = "az-tdx-vtpm-attester")]
if az_tdx_vtpm::detect_platform() {
return Some(Tee::AzTdxVtpm);
return Tee::AzTdxVtpm;
}

#[cfg(feature = "az-snp-vtpm-attester")]
if az_snp_vtpm::detect_platform() {
return Some(Tee::AzSnpVtpm);
return Tee::AzSnpVtpm;
}

#[cfg(feature = "snp-attester")]
if snp::detect_platform() {
return Some(Tee::Snp);
return Tee::Snp;
}

#[cfg(feature = "csv-attester")]
if csv::detect_platform() {
return Some(Tee::Csv);
return Tee::Csv;
}

#[cfg(feature = "cca-attester")]
if cca::detect_platform() {
return Some(Tee::Cca);
return Tee::Cca;
}

None
log::warn!("No TEE platform detected. Sample Attester will be used.");
Tee::Sample
}
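Review bot: The fallback at the end of `detect_tee_type` (the `log::warn!` followed by `Tee::Sample`) turns an undetected TEE into a fail-open default: on a host with no supported TEE the agent now produces sample evidence with only a warning, where the previous code returned `None` and let callers fail, and the `AA_SAMPLE_ATTESTER_TEST` opt-in that used to gate this path is removed in `sample/mod.rs`, where `detect_platform` now unconditionally returns `true`. A production build should require an explicit opt-in for the sample path, for example a cargo feature gate like the other attesters in this function, so that a misconfigured or non-TEE host fails attestation locally rather than relying solely on the remote verifier to reject sample evidence. At minimum the function's comment should state the contract, e.g. `/// Returns `Tee::Sample` when no supported TEE is detected; callers that must fail closed should treat that variant as an error.` The comment on `sample::detect_platform` should likewise say it is the unconditional fallback rather than a detected platform.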
6 changes: 2 additions & 4 deletions attestation-agent/attester/src/sample/mod.rs
Expand Up @@ -7,12 +7,10 @@ use super::Attester;
use anyhow::*;
use base64::Engine;
use serde::{Deserialize, Serialize};
use std::env;

// If the environment variable "AA_SAMPLE_ATTESTER_TEST" is set,
// the TEE platform is considered as "sample".
// Sample attester is always supported
pub fn detect_platform() -> bool {
env::var("AA_SAMPLE_ATTESTER_TEST").is_ok()
true
}

// A simple example of TEE evidence.
1 change: 1 addition & 0 deletions attestation-agent/coco_keyprovider/Cargo.toml
Expand Up @@ -11,6 +11,7 @@ anyhow.workspace = true
base64.workspace = true
clap = { workspace = true, features = ["derive"] }
ctr.workspace = true
daemonize = "0.5.0"
env_logger = "0.10.0"
futures = "0.3.5"
jwt-simple = "0.11.4"
32 changes: 31 additions & 1 deletion attestation-agent/coco_keyprovider/src/main.rs
Expand Up @@ -5,8 +5,10 @@

use anyhow::*;
use clap::{arg, command, Parser};
use daemonize::Daemonize;
use log::*;
use std::{net::SocketAddr, path::PathBuf};
use std::{fs::File, net::SocketAddr, path::PathBuf};
use tokio::fs;

pub mod enc_mods;
pub mod grpc;
Expand All @@ -30,6 +32,15 @@ struct Cli {
/// will be automatically registered into the KBS.
#[arg(long)]
kbs: Option<String>,

/// Whether this process is launched in daemon mode. If it is set to
/// true, the stdio and stderr will be redirected to
/// `/run/confidential-containers/coco_keyprovider.out` and
/// `/run/confidential-containers/coco_keyprovider.err`.
/// The pid will be recorded in
/// `/run/confidential-containers/coco_keyprovider.pid`
#[arg(short, long, default_value = "false")]
daemon: bool,
}

#[tokio::main]
Expand All @@ -48,6 +59,25 @@ async fn main() -> Result<()> {
);
}

if cli.daemon {
fs::create_dir_all("/run/confidential-containers")
.await
.context("create coco run dir failed.")?;
let stdout = File::create("/run/confidential-containers/coco_keyprovider.out")
.context("create stdout redirect file failed.")?;
let stderr = File::create("/run/confidential-containers/coco_keyprovider.err")
.context("create stderr redirect file failed.")?;

let daemonize = Daemonize::new()
.pid_file("/run/confidential-containers/coco_keyprovider.pid")
.chown_pid_file(true)
.working_directory("/run/confidential-containers")
.stdout(stdout)
.stderr(stderr);

daemonize.start().context("daemonize failed")?;
}

grpc::start_service(cli.socket, cli.auth_private_key, cli.kbs).await?;

Ok(())
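Review bot: `daemonize.start()` in the third hunk runs inside the `#[tokio::main]` body, i.e. after the runtime and its worker threads already exist, and `Daemonize::start` forks; a fork keeps only the calling thread, so the child that continues into `grpc::start_service(...).await` owns a runtime whose workers are gone and tasks the server spawns may never be polled (the enclosing `main` starts outside the hunk, so I cannot see whether a `current_thread` flavor is used, which would narrow but not remove the problem). The daemonization should happen in a synchronous `main` before the runtime is built, with the run directory and redirect files created via `std::fs`; the `use tokio::fs;` import added in the first hunk then becomes unnecessary. The `.out`/`.err` redirect files and the pid file are created under `/run/confidential-containers` with the process umask; if the key provider's output can contain key material, consider creating them with restricted permissions. Sketch of the restructured entry point below.
```rust
fn main() -> Result<()> {
    // … unchanged: CLI parsing, logger setup and argument validation …

    if cli.daemon {
        std::fs::create_dir_all("/run/confidential-containers")
            .context("create coco run dir failed.")?;
        let stdout = File::create("/run/confidential-containers/coco_keyprovider.out")
            .context("create stdout redirect file failed.")?;
        let stderr = File::create("/run/confidential-containers/coco_keyprovider.err")
            .context("create stderr redirect file failed.")?;

        // Fork before any tokio runtime exists: fork() preserves only the calling
        // thread, so worker threads created by #[tokio::main] would be lost.
        Daemonize::new()
            .pid_file("/run/confidential-containers/coco_keyprovider.pid")
            .chown_pid_file(true)
            .working_directory("/run/confidential-containers")
            .stdout(stdout)
            .stderr(stderr)
            .start()
            .context("daemonize failed")?;
    }

    // Build the runtime only after the (optional) fork.
    tokio::runtime::Runtime::new()
        .context("build tokio runtime failed")?
        .block_on(grpc::start_service(cli.socket, cli.auth_private_key, cli.kbs))?;

    Ok(())
}
```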
3 changes: 0 additions & 3 deletions attestation-agent/kbs_protocol/src/error.rs
Expand Up @@ -24,9 +24,6 @@ pub enum Error {
#[error("get token failed: {0}")]
GetTokenFailed(String),

#[error("get tee type failed: {0}")]
GetTeeTypeFailed(String),

#[error("http request failed: {0}")]
HttpError(String),
