From 8c27e4f1df5863ce875a74489287861452582420 Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Wed, 9 Oct 2024 12:12:51 +0800
Subject: [PATCH] docs/ci: abondon HTTPS_CRYPTO and update token verifier config

Due to latest change, KBS will not maintain both rustls and openssl suites for HTTPS. Thus we need to delete all the options of HTTPS_CRYPTO config in documents and codes.

Also, the latest change changes the config format of `attestation_token_config`, so we also change the type field to new name and rename `Jwk` to `ITA`.

Signed-off-by: Xynnn007
---
 .github/workflows/kbs-rust.yml | 2 +-
 .github/workflows/push-kbs-image-to-ghcr.yml | 7 +------
 deps/verifier/src/se/README.md | 6 +++---
 kbs/Makefile | 7 +++----
 kbs/README.md | 5 +----
 kbs/config/docker-compose/kbs-config.toml | 3 ++-
 kbs/config/kbs-config-grpc.toml | 3 ++-
 kbs/config/kbs-config-intel-trust-authority.toml | 2 +-
 kbs/config/kbs-config.toml | 3 ++-
 kbs/config/kubernetes/base/kbs-config.toml | 3 ++-
 kbs/config/kubernetes/ita/kbs-config.toml | 2 +-
 kbs/docker/Dockerfile | 3 +--
 kbs/docker/coco-as-grpc/Dockerfile | 3 +--
 kbs/docker/intel-trust-authority/Dockerfile | 3 +--
 kbs/docker/rhel-ubi/Dockerfile | 2 +-
 kbs/docs/config.md | 2 +-
 kbs/docs/self-signed-https.md | 2 +-
 kbs/quickstart.md | 2 +-
 kbs/test/config/kbs.toml | 3 ++-
 kbs/test/config/resource-kbs.toml | 2 +-
 20 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml
index f99c102a2..d468963b7 100644
--- a/.github/workflows/kbs-rust.yml
+++ b/.github/workflows/kbs-rust.yml
@@ -59,7 +59,7 @@ jobs:
 - name: KBS Build [Built-in CoCo AS, OpenSSL]
 working-directory: kbs
- run: make HTTPS_CRYPTO=openssl
+ run: make
 - name: KBS Build [gRPC CoCo AS, RustTLS]
 working-directory: kbs
diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml
index 4c4a25e9e..ed30c3b6b 100644
--- a/.github/workflows/push-kbs-image-to-ghcr.yml
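Review bot: The step label on the context line above the changed `run:` still reads `KBS Build [Built-in CoCo AS, OpenSSL]`, but the new command is a bare `make`, which after this commit selects no TLS backend at all, so the label now describes a choice the build no longer makes. The sibling step in the same hunk keeps `[gRPC CoCo AS, RustTLS]` and has the same problem; its own `run:` line is outside the hunk, so check it was updated as well. Rename both to what they still vary on, e.g. `- name: KBS Build [Built-in CoCo AS]` and `- name: KBS Build [gRPC CoCo AS]`.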
+++ b/.github/workflows/push-kbs-image-to-ghcr.yml
@@ -25,15 +25,12 @@ jobs:
 include:
 - tag: kbs
 docker_file: kbs/docker/Dockerfile
- https_crypto: openssl
 name: build-in AS
 - tag: kbs-grpc-as
 docker_file: kbs/docker/coco-as-grpc/Dockerfile
- https_crypto: rustls
 name: gRPC AS
 - tag: kbs-ita-as
 docker_file: kbs/docker/intel-trust-authority/Dockerfile
- https_crypto: rustls
 name: Intel Trust Authority AS
 runs-on: ${{ matrix.instance }}
@@ -56,12 +53,10 @@ jobs:
 run: |
 commit_sha=${{ github.sha }}
 arch=$(uname -m)
- https_crypto=${{ matrix.https_crypto }}
- [ "${arch}" = "s390x" ] && https_crypto=openssl
 DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \
 -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
 -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \
- --build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" .
+ --build-arg ARCH="${arch}" .
 publish_multi_arch_image:
 needs: build_and_push
diff --git a/deps/verifier/src/se/README.md b/deps/verifier/src/se/README.md
index 0ee09c088..0fe6b3858 100644
--- a/deps/verifier/src/se/README.md
+++ b/deps/verifier/src/se/README.md
@@ -67,7 +67,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem
 - Build KBS
 ```bash
-cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa
+cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa
 ```
 - Prepare the material retrieved above, similar as:
@@ -101,7 +101,7 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"
@@ -128,7 +128,7 @@ export SE_SKIP_CERTS_VERIFICATION=true
 ## (Option 2) Launch KBS via docker-compose
 - Build the docker image
 ```
-DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile
+DOCKER_BUILDKIT=1 docker build --build-arg --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile
 ```
 - Prepare a docker compose file, similar as:
diff --git a/kbs/Makefile b/kbs/Makefile
index 33d76f642..90c6267d3 100644
--- a/kbs/Makefile
+++ b/kbs/Makefile
@@ -1,5 +1,4 @@
 AS_TYPE ?= coco-as
-HTTPS_CRYPTO ?= rustls
 POLICY_ENGINE ?=
 ALIYUN ?= false
@@ -39,16 +38,16 @@ build: background-check-kbs
 .PHONY: background-check-kbs
 background-check-kbs:
- cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES)
+ cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(POLICY_ENGINE),$(FEATURES)
 .PHONY: passport-issuer-kbs
 passport-issuer-kbs:
- cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES)
+ cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES)
 mv ../target/release/kbs ../target/release/issuer-kbs
 .PHONY: passport-resource-kbs
 passport-resource-kbs:
- cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES)
+ cargo build -p kbs --locked --release --no-default-features --features resource,$(POLICY_ENGINE),$(FEATURES)
 mv ../target/release/kbs ../target/release/resource-kbs
 .PHONY: cli
diff --git a/kbs/README.md b/kbs/README.md
index fd322f3ab..6b6e69c6e 100644
--- a/kbs/README.md
+++ b/kbs/README.md
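Review bot: The rewritten build command on the `+` line keeps a dangling `--build-arg` with no `KEY=VALUE` after it: `docker build --build-arg --build-arg ARCH="s390x" ...`. Depending on the CLI's flag parser the second `--build-arg` is either swallowed as the value of the first, leaving `ARCH="s390x"` as a stray positional argument next to `.`, or rejected outright; either way the command a reader copies from this section does not build the image. Only the `HTTPS_CRYPTO` argument should have gone, so the line should read `DOCKER_BUILDKIT=1 docker build --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile`.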
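Review bot: Removing `HTTPS_CRYPTO ?= rustls` means a caller that still passes `HTTPS_CRYPTO=openssl` on the command line (as the CI job did until this commit, and as out-of-tree Dockerfiles or scripts may still do) gets a build with whatever backend is now compiled in, and no indication that the knob stopped doing anything. Since the point of the commit is that the two suites are no longer both supported, it is worth failing loudly on the old variable rather than ignoring it, for example after the `AS_TYPE ?= coco-as` line: `ifdef HTTPS_CRYPTO` / `$(error HTTPS_CRYPTO is no longer supported; the TLS backend is fixed at build time)` / `endif`.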
@@ -90,11 +90,10 @@ The Makefile supports a number of other configuration parameters. For example,
 ```shell
-make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
+make background-check-kbs [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
 ```
 The parameters
-- `HTTPS_CRYPTO`: either `rustls` or `openssl` can be specified. If not provided, `rustls` is default.
 - `POLICY_ENGINE`: The KBS has a policy engine to facilitate access control. This should not be confused with the policy engine in the AS, which determines whether or not TEE evidence is valid. `POLICY_ENGINE` determines which type of policy engine the KBS will use. Today only `opa` is supported. The KBS can also be built without a policy engine if it is not required.
 - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`.
@@ -103,8 +102,6 @@ if it is not required.
 ## HTTPS Support
 The KBS can use HTTPS. This requires a crypto backend.
-`HTTPS_CRYPTO` determines which backend will be used.
-The options are `rustls` and `openssl`. The default is `rustls`.
 If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md).
diff --git a/kbs/config/docker-compose/kbs-config.toml b/kbs/config/docker-compose/kbs-config.toml
index b99963989..18b26cfd8 100644
--- a/kbs/config/docker-compose/kbs-config.toml
+++ b/kbs/config/docker-compose/kbs-config.toml
@@ -3,7 +3,8 @@ auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
 insecure_http = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 [grpc_config]
 as_addr = "http://as:50004"
diff --git a/kbs/config/kbs-config-grpc.toml b/kbs/config/kbs-config-grpc.toml
index 04bfd1381..4b4689007 100644
--- a/kbs/config/kbs-config-grpc.toml
+++ b/kbs/config/kbs-config-grpc.toml
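Review bot: `insecure_key = true` is added under `[attestation_token_config]` in this shipped sample config (and likewise in kbs/config/kbs-config-grpc.toml, kbs/config/kbs-config.toml and kbs/config/kubernetes/base/kbs-config.toml) with no comment, while the commit message only describes the rename of the `type` field. The key's name suggests it relaxes verification of the attestation token's signing key; if so, any deployment that copies this file — the kubernetes base overlay in particular — accepts tokens without the trust anchor that the test configs in this same commit set via `trusted_certs_paths`. Please say in the commit message why the sample configs need it, and put a line above each occurrence such as `# Testing only: skips verification of the token signing key. Real deployments should set trusted_certs_paths instead.`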
@@ -2,7 +2,8 @@ insecure_http = true
 insecure_api = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 [grpc_config]
 as_addr = "http://127.0.0.1:50004"
diff --git a/kbs/config/kbs-config-intel-trust-authority.toml b/kbs/config/kbs-config-intel-trust-authority.toml
index 48d435b64..879217c00 100644
--- a/kbs/config/kbs-config-intel-trust-authority.toml
+++ b/kbs/config/kbs-config-intel-trust-authority.toml
@@ -2,7 +2,7 @@ insecure_http = true
 insecure_api = true
 [attestation_token_config]
-attestation_token_type = "Jwk"
+type = "ITA"
 trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
 [intel_trust_authority_config]
diff --git a/kbs/config/kbs-config.toml b/kbs/config/kbs-config.toml
index d04fd5340..5e8bb1a6b 100644
--- a/kbs/config/kbs-config.toml
+++ b/kbs/config/kbs-config.toml
@@ -2,7 +2,8 @@ insecure_http = true
 insecure_api = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 [repository_config]
 type = "LocalFs"
diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml
index c6544eece..9af98fe44 100644
--- a/kbs/config/kubernetes/base/kbs-config.toml
+++ b/kbs/config/kubernetes/base/kbs-config.toml
@@ -5,7 +5,8 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+insecure_key = true
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"
diff --git a/kbs/config/kubernetes/ita/kbs-config.toml b/kbs/config/kubernetes/ita/kbs-config.toml
index 0bba5e3f2..c6c28da7a 100644
--- a/kbs/config/kubernetes/ita/kbs-config.toml
+++ b/kbs/config/kubernetes/ita/kbs-config.toml
@@ -5,7 +5,7 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 [attestation_token_config]
-attestation_token_type = "Jwk"
+type = "ITA"
 trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
 [intel_trust_authority_config]
diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile
index 2831d6a5b..f6bd8294a 100644
--- a/kbs/docker/Dockerfile
+++ b/kbs/docker/Dockerfile
@@ -1,6 +1,5 @@
 FROM rust:slim as builder
 ARG ARCH=x86_64
-ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
 ENV DEBIAN_FRONTEND noninteractive
@@ -37,7 +36,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s
 WORKDIR /usr/src/kbs
 COPY . .
-RUN cd kbs && make AS_FEATURE=coco-as-builtin HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+RUN cd kbs && make AS_FEATURE=coco-as-builtin POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
 make install-kbs
 FROM ubuntu:22.04
diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile
index 2a96e9045..67f099e6a 100644
--- a/kbs/docker/coco-as-grpc/Dockerfile
+++ b/kbs/docker/coco-as-grpc/Dockerfile
@@ -1,6 +1,5 @@
 FROM rust:latest as builder
 ARG ARCH=x86_64
-ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
 WORKDIR /usr/src/kbs
@@ -9,7 +8,7 @@ COPY . .
 RUN apt-get update && apt install -y protobuf-compiler git
 # Build and Install KBS
-RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+RUN cd kbs && make AS_FEATURE=coco-as-grpc POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
 make install-kbs
 FROM ubuntu:22.04
diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile
index a2b4f650e..0638b9cf8 100644
--- a/kbs/docker/intel-trust-authority/Dockerfile
+++ b/kbs/docker/intel-trust-authority/Dockerfile
@@ -1,5 +1,4 @@
 FROM rust:latest as builder
-ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
 WORKDIR /usr/src/kbs
@@ -8,7 +7,7 @@ COPY . .
 RUN apt-get update && apt install -y git
 # Build and Install KBS
-RUN cd kbs && make AS_FEATURE=intel-trust-authority-as HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+RUN cd kbs && make AS_FEATURE=intel-trust-authority-as POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
 make install-kbs
 FROM ubuntu:22.04
diff --git a/kbs/docker/rhel-ubi/Dockerfile b/kbs/docker/rhel-ubi/Dockerfile
index 426c9a8d3..a49ee0aae 100644
--- a/kbs/docker/rhel-ubi/Dockerfile
+++ b/kbs/docker/rhel-ubi/Dockerfile
@@ -15,7 +15,7 @@ dnf -y install --nogpgcheck --repofrompath "sgx,file:///root/sgx_rpm_local_repo"
 # Build.
 WORKDIR /usr/src/kbs
 COPY . .
-ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa
+ARG KBS_FEATURES=coco-as-builtin,resource,opa
 RUN \
 cargo install --locked --root /usr/local/ --path kbs --bin kbs --no-default-features --features ${KBS_FEATURES} && \
 # Collect linked files necessary for the binary to run.
diff --git a/kbs/docs/config.md b/kbs/docs/config.md
index 6181e3d98..fbb71921e 100644
--- a/kbs/docs/config.md
+++ b/kbs/docs/config.md
@@ -207,7 +207,7 @@ insecure_http = true
 insecure_api = true
 [attestation_token_config]
-attestation_token_type = "Jwk"
+type = "ITA"
 trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
 [repository_config]
diff --git a/kbs/docs/self-signed-https.md b/kbs/docs/self-signed-https.md
index 8899f304e..5b735b0a1 100644
--- a/kbs/docs/self-signed-https.md
+++ b/kbs/docs/self-signed-https.md
@@ -72,7 +72,7 @@ auth_public_key = "/etc/public.pub"
 insecure_api = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 [repository_config]
 type = "LocalFs"
diff --git a/kbs/quickstart.md b/kbs/quickstart.md
index d793c750a..66dae5829 100644
--- a/kbs/quickstart.md
+++ b/kbs/quickstart.md
@@ -245,7 +245,7 @@ which used to verify the trustworthy of the certificate in Attestation Token:
 ```toml
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 trusted_certs_paths = ["/path/to/trusted_cacert.pem"]
 ```
diff --git a/kbs/test/config/kbs.toml b/kbs/test/config/kbs.toml
index 0f08b733f..e531399f2 100644
--- a/kbs/test/config/kbs.toml
+++ b/kbs/test/config/kbs.toml
@@ -5,7 +5,8 @@ private_key = "./work/https.key"
 certificate = "./work/https.crt"
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
+trusted_certs_paths = ["./work/token-cert.pem"]
 [repository_config]
 type = "LocalFs"
diff --git a/kbs/test/config/resource-kbs.toml b/kbs/test/config/resource-kbs.toml
index 5c14ab519..6301f4b2c 100644
--- a/kbs/test/config/resource-kbs.toml
+++ b/kbs/test/config/resource-kbs.toml
@@ -3,7 +3,7 @@ auth_public_key = "./work/kbs.pem"
 insecure_http = true
 [attestation_token_config]
-attestation_token_type = "CoCo"
+type = "CoCo"
 trusted_certs_paths = ["./work/ca-cert.pem"]
 [repository_config]