Move AA abilities to CDH #427
Merged
Commits on Jan 9, 2024
-
image-rs: use CDH for GetResource API and abondon AA lib dep
As stated in confidential-containers#412, AA will never be used as a component that provides abilities more than attestation. This commit changes the ttrpc socket path from AA to CDH for image-rs to GetResource API. Also, for enclave-cc, the Native resource client will instead use the kbs_protocol crate to do the RCAR handshake and do GetResource. For gRPC, we still use the legacy address, but the API was changed as we do not assume that the API is provided by AA but CDH. Signed-off-by: Xynnn007 <[email protected]>
-
ocicrypt-rs: abondon AA lib dep for UnwrapKey
As stated in confidential-containers#412, AA will never be used as a component that provides abilities more than attestation. This commit changes the AA lib calling to decrypt image. This will influence enclave-cc behavior. Signed-off-by: Xynnn007 <[email protected]>
-
Signed-off-by: Xynnn007 <[email protected]>
-
ci: delete duplicated ocicrypt-rs test cases
Signed-off-by: Xynnn007 <[email protected]>
-
CDH: add log for launch and requests
add logs for every request. Also deletes previous ttrpc socket file every time the CDH launches. Also, create the parent directory tree when given a unix socket path. Signed-off-by: Xynnn007 <[email protected]>
-
CDH: update ttrpc generated files
Signed-off-by: Xynnn007 <[email protected]>
-
CDH: delete default RESOURCE_PROVIDER in Makefile
Before this commit, if we do not specify the RESOURCE_PROVIDER field when make, kbs and sev features will be enabled. This will prevent offline-fs-kbc from being activated. This patch requires programmers that manually provide the RESOURCE_PROVIDER parameter when executing make command. Signed-off-by: Xynnn007 <[email protected]>
-
CDH/hub: fix the KeyProvider Protobuf
In protobuf, the `package` matters when a client calls to a server. In ocicrypt-rs, the proto of KeyProvider follows ocicrypt standard, where the package is `keyprovider`. We once use a common name `api` for all apis of CDH, but this does not follow the ocicrypt standard. This patch splits the ocicrypt parts into a separate proto file, whose package is `keyprovider`. Signed-off-by: Xynnn007 <[email protected]>
-
CDH/image: fix unwrap key logic
1. Fix the place of AnnotationPacket. The old code points to a wrong place that was never test so we never found that. 2. Fix the provider comparation logic. The scheme of KBS should be `kbs` rather than `Kbs`. Signed-off-by: Xynnn007 <[email protected]>
-
image-rs: fix integration test
We used to request AA for image decryption keys and public keys, etc. Now we are using CDH for these non-attestation APIs. This patch brings a workaround that make the test environment look like it is a "peer pod" environment, then the CDH will read aa_kbc_params from a file rather than kernel cmdline. In future, we will define a launch configuration file for CDH. After that, this workaround can be depreciated. Signed-off-by: Xynnn007 <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.