docs/ci: abondon HTTPS_CRYPTO and update token verifier config

Due to latest change, KBS will not maintain both rustls and openssl suites for HTTPS. Thus we need to delete all the options of HTTPS_CRYPTO config in documents and codes. Also, the latest change changes the config format of `attestation_token_config`, so we also change the type field to new name and rename `Jwk` to `ITA`. Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Oct 10, 2024 · 8c27e4f · 8c27e4f
1 parent a0d800b
commit 8c27e4f
Show file tree

Hide file tree

Showing 20 changed files with 29 additions and 36 deletions.
diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml
@@ -59,7 +59,7 @@ jobs:
 
     - name: KBS Build [Built-in CoCo AS, OpenSSL]
       working-directory: kbs
-      run: make HTTPS_CRYPTO=openssl
+      run: make
 
     - name: KBS Build [gRPC CoCo AS, RustTLS]
       working-directory: kbs

diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml
@@ -25,15 +25,12 @@ jobs:
         include:
           - tag: kbs
             docker_file: kbs/docker/Dockerfile
-            https_crypto: openssl
             name: build-in AS
           - tag: kbs-grpc-as
             docker_file: kbs/docker/coco-as-grpc/Dockerfile
-            https_crypto: rustls
             name: gRPC AS
           - tag: kbs-ita-as
             docker_file: kbs/docker/intel-trust-authority/Dockerfile
-            https_crypto: rustls
             name: Intel Trust Authority AS
 
     runs-on: ${{ matrix.instance }}
@@ -56,12 +53,10 @@ jobs:
       run: |
         commit_sha=${{ github.sha }}
         arch=$(uname -m)
-        https_crypto=${{ matrix.https_crypto }}
-        [ "${arch}" = "s390x" ] && https_crypto=openssl
         DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \
           -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
           -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \
-          --build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" .
+          --build-arg ARCH="${arch}" .
 
   publish_multi_arch_image:
     needs: build_and_push

diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md
@@ -67,7 +67,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem
 
 - Build KBS
 ```bash
-cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa 
+cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa 
 ```
 
 - Prepare the material retrieved above, similar as:
@@ -101,7 +101,7 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"
@@ -128,7 +128,7 @@ export SE_SKIP_CERTS_VERIFICATION=true
 ## (Option 2) Launch KBS via docker-compose
 - Build the docker image
 ```
-DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile
+DOCKER_BUILDKIT=1 docker build --build-arg --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile
 ```
 
 - Prepare a docker compose file, similar as:

diff --git a/kbs/Makefile b/kbs/Makefile
@@ -1,5 +1,4 @@
 AS_TYPE ?= coco-as
-HTTPS_CRYPTO ?= rustls
 POLICY_ENGINE ?=
 ALIYUN ?= false
 
@@ -39,16 +38,16 @@ build: background-check-kbs
 
 .PHONY: background-check-kbs
 background-check-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(POLICY_ENGINE),$(FEATURES)
 
 .PHONY: passport-issuer-kbs
 passport-issuer-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES)
 	mv ../target/release/kbs ../target/release/issuer-kbs
 
 .PHONY: passport-resource-kbs
 passport-resource-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features resource,$(POLICY_ENGINE),$(FEATURES)
 	mv ../target/release/kbs ../target/release/resource-kbs
 
 .PHONY: cli

diff --git a/kbs/README.md b/kbs/README.md
@@ -90,11 +90,10 @@ The Makefile supports a number of other configuration parameters.
 
 For example,
 ```shell
-make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
+make background-check-kbs [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
 ```
 
 The parameters
-- `HTTPS_CRYPTO`: either `rustls` or `openssl` can be specified. If not provided, `rustls` is default.
 - `POLICY_ENGINE`: The KBS has a policy engine to facilitate access control. This should not be confused with the policy engine in the AS, which determines whether or not TEE evidence is valid. `POLICY_ENGINE` determines which type of policy engine the KBS will use. Today only `opa` is supported. The KBS can also be built without a policy engine
 if it is not required.
 - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`.
@@ -103,8 +102,6 @@ if it is not required.
 ## HTTPS Support
 
 The KBS can use HTTPS. This requires a crypto backend.
-`HTTPS_CRYPTO` determines which backend will be used.
-The options are `rustls` and `openssl`. The default is `rustls`.
 
 If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md).
 

diff --git a/kbs/config/docker-compose/kbs-config.toml b/kbs/config/docker-compose/kbs-config.toml
@@ -3,7 +3,8 @@ auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 
 [grpc_config]
 as_addr = "http://as:50004"
diff --git a/kbs/config/kbs-config-grpc.toml b/kbs/config/kbs-config-grpc.toml
@@ -2,7 +2,8 @@ insecure_http = true
 insecure_api = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 
 [grpc_config]
 as_addr = "http://127.0.0.1:50004"

diff --git a/kbs/config/kbs-config-intel-trust-authority.toml b/kbs/config/kbs-config-intel-trust-authority.toml
@@ -2,7 +2,7 @@ insecure_http = true
 insecure_api = true
 
 [attestation_token_config]
-attestation_token_type = "Jwk"
+type = "ITA"
 trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
 
 [intel_trust_authority_config]

diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml
@@ -2,7 +2,8 @@ insecure_http = true
 insecure_api = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 
 [repository_config]
 type = "LocalFs"

diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml
@@ -5,7 +5,8 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"

diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml
@@ -5,7 +5,7 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "Jwk"
+type = "ITA"
 trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
 
 [intel_trust_authority_config]

diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile
@@ -1,6 +1,5 @@
 FROM rust:slim as builder
 ARG ARCH=x86_64
-ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
 
 ENV DEBIAN_FRONTEND noninteractive
@@ -37,7 +36,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s
 WORKDIR /usr/src/kbs
 COPY . .
 
-RUN cd kbs && make AS_FEATURE=coco-as-builtin HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+RUN cd kbs && make AS_FEATURE=coco-as-builtin POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
     make install-kbs
 
 FROM ubuntu:22.04

diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile
@@ -1,6 +1,5 @@
 FROM rust:latest as builder
 ARG ARCH=x86_64
-ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
 
 WORKDIR /usr/src/kbs
@@ -9,7 +8,7 @@ COPY . .
 RUN apt-get update && apt install -y protobuf-compiler git
 
 # Build and Install KBS
-RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+RUN cd kbs && make AS_FEATURE=coco-as-grpc POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
     make install-kbs
 
 FROM ubuntu:22.04

diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile
@@ -1,5 +1,4 @@
 FROM rust:latest as builder
-ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
 
 WORKDIR /usr/src/kbs
@@ -8,7 +7,7 @@ COPY . .
 RUN apt-get update && apt install -y git
 
 # Build and Install KBS
-RUN cd kbs && make AS_FEATURE=intel-trust-authority-as HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+RUN cd kbs && make AS_FEATURE=intel-trust-authority-as POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
     make install-kbs
 
 FROM ubuntu:22.04

diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile
@@ -15,7 +15,7 @@ dnf -y install --nogpgcheck --repofrompath "sgx,file:///root/sgx_rpm_local_repo"
 # Build.
 WORKDIR /usr/src/kbs
 COPY . .
-ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa
+ARG KBS_FEATURES=coco-as-builtin,resource,opa
 RUN \
 cargo install --locked --root /usr/local/ --path kbs --bin kbs --no-default-features --features ${KBS_FEATURES} && \
 # Collect linked files necessary for the binary to run.

diff --git a/kbs/docs/config.md b/kbs/docs/config.md
@@ -207,7 +207,7 @@ insecure_http = true
 insecure_api = true
 
 [attestation_token_config]
-attestation_token_type = "Jwk"
+type = "ITA"
 trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
 
 [repository_config]

diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md
@@ -72,7 +72,7 @@ auth_public_key = "/etc/public.pub"
 insecure_api = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 
 [repository_config]
 type = "LocalFs"

diff --git a/kbs/quickstart.md b/kbs/quickstart.md
@@ -245,7 +245,7 @@ which used to verify the trustworthy of the certificate in Attestation Token:
 
 ```toml
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 trusted_certs_paths = ["/path/to/trusted_cacert.pem"]
 ```
 

diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml
@@ -5,7 +5,8 @@ private_key = "./work/https.key"
 certificate = "./work/https.crt"
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+trusted_certs_paths = ["./work/token-cert.pem"]
 
 [repository_config]
 type = "LocalFs"

diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml
@@ -3,7 +3,7 @@ auth_public_key = "./work/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 trusted_certs_paths = ["./work/ca-cert.pem"]
 
 [repository_config]