Add trustee-client - a simple client for Trustee #755
Conversation
Gather evidence, attest and get secrets from Trustee Currently it simply uses AA's kbs_protocol client and attesters. If needed, it can be enhanced later. Signed-off-by: Uri Lublin <[email protected]>
There was a problem hiding this comment.
Looks good. One comment.
Also, I am not sure the config file is really necessary. it seems a little cumbersome to have to specify the KBS URL in the config file rather than just putting it in the command line, but it's not a big deal.
Btw, it's interesting that we're in the guest-components repo. I think that's fine and maybe having some kind of client in both guest-components and trustee repos will help us decouple the tests a little bit.
| @@ -17,6 +17,7 @@ members = [ | |||
| "confidential-data-hub/storage", | |||
| "image-rs", | |||
| "ocicrypt-rs", | |||
| "trustee-client", | |||
There was a problem hiding this comment.
I think this name might be too general. This tool only exercises a subset of the Trustee APIs. Btw see this proposal which might end up with a similar name.
Maybe this could be called cc-kbc-resource-getter or trustee-resource-getter or trustee-resource-client or something else
There was a problem hiding this comment.
Thanks, I'll take a look at that proposal and think of names.
|
Thanks @fitzthum |
|
Good job. While this PR functions similarly to a kbs-client. I agree with Tobin's comment that it would be better to move it to the trustee repo if the client is focused on expanding the kbs-client |
The server (trustee) and client (guest-components) codes are in two repos. If we want to have some test for compability of the two repo, it would always require us to pull the other's code/image/... in another repo |
|
@ChengyuZhu6 @Xynnn007 thanks for looking. The idea is to have a simple program in guest-components repository that can get resources from Trustee. I thought of adding it as a binary under kbs_protocol, but if more features are added later would it stay under kbs_protocol or move ? |
We can see the concrete situation then. Up to now, it seems that we can keep the feature aligning with |
|
Yeah seems fine to keep it in this repo and I think having a binary under kbs protocol makes sense. It should be relatively easy to move this there. We can move it again if the scope increases, but it seems like the goal of this really is to have an extremely narrow scope. |
|
Thanks. I'll send another PR under kbs_protocol and close this one. |
|
All names sound not bad to me, as now |
Gather evidence, attest and get secrets from Trustee
Currently it simply uses AA's kbs_protocol client and attesters. If needed, it can be enhanced later.