guest-components: Bump guest-components dependency #1865

2 changes: 1 addition & 1 deletion .github/workflows/azure-podvm-image-build.yml
Expand Up @@ -108,7 +108,7 @@ jobs:

- name: Build binaries
run: make binaries \
AA_KBC="cc_kbc_az_snp_vtpm,cc_kbc_az_tdx_vtpm" \
ATTESTER="az_snp_vtpm_attester,az_tdx_vtpm_attester" \
LIBC=gnu

- uses: azure/login@v1
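Review bot: The attester names on the added line use underscores (`az_snp_vtpm_attester,az_tdx_vtpm_attester`) while the same build documented in azure/build-image.md in this PR uses hyphens (`az-snp-vtpm-attester,az-tdx-vtpm-attester`); only one spelling can match the feature names the attestation-agent build expects, so one of the two is likely wrong and the two should be aligned. Because the value is handed through as `$(MAKE) ATTESTER=$(ATTESTER)` in podvm/Makefile.inc with no validation, a misspelt attester name would presumably surface only as a build failure or as an agent built without the intended attester, so it is worth checking against the guest-components attestation-agent Makefile before merging.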
2 changes: 1 addition & 1 deletion .github/workflows/podvm_binaries.yaml
Expand Up @@ -71,7 +71,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push
run: AA_KBC=cc_kbc make podvm-binaries
run: make podvm-binaries
env:
PUSH: true
REGISTRY: ${{ inputs.registry }}
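Review bot: With `AA_KBC=cc_kbc` dropped from the `make podvm-binaries` step, the pushed binaries are built with whatever `ATTESTER` defaults to in src/cloud-api-adaptor/Makefile, which this PR sets to `none`, so the attestation-agent in the published artefacts presumably carries no attester at all. If that is the intended shape of the generic release, a short comment on the step would make it explicit; if not, the step should select attesters the way the azure workflow in this PR does, e.g. `run: make podvm-binaries ATTESTER=<attester-list>` (placeholder).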
3 changes: 2 additions & 1 deletion src/cloud-api-adaptor/Makefile
Expand Up @@ -18,6 +18,7 @@ BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data
SOURCEDIRS := ./cmd ./pkg
PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS)))
SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print)
ATTESTER ?= none
# End-to-end tests overall run timeout.
TEST_E2E_TIMEOUT ?= 60m

Expand Down Expand Up @@ -193,7 +194,7 @@ podvm-binaries:
--build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \
--build-arg PODVM_DISTRO=$(PODVM_DISTRO) \
--build-arg ARCH=$(ARCH) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg ATTESTER=$(ATTESTER) \
$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
$(DOCKER_OPTS) .
rm -rf .git
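Review bot: `ATTESTER ?= none` is added without a comment although the neighbouring `TEST_E2E_TIMEOUT` is documented, and neither the accepted form (a comma-separated list of attester names, as the azure workflow in this PR passes) nor the meaning of `none` is obvious to a reader; the same undocumented default is added in docker/image/Makefile, podvm-mkosi/Makefile and podvm/Makefile.inc. A one-line comment such as `# Attesters to compile into the attestation-agent, comma-separated; "none" selects no attester (confirm against the guest-components Makefile).` placed above the assignment, and kept identical in the other three files, would cover it. Since the same default is declared in four places, a reader cannot tell which one wins for a given entry point, so the comment could also say which Makefile is expected to set it.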
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/azure/build-image.md
Expand Up @@ -110,7 +110,7 @@ export PKR_VAR_az_gallery_image_version="0.0.1"
export PKR_VAR_offer=0001-com-ubuntu-confidential-vm-jammy
export PKR_VAR_sku=22_04-lts-cvm

export AA_KBC="cc_kbc_az_snp_vtpm"
export ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester"
export LIBC=gnu
export CLOUD_PROVIDER=azure
PODVM_DISTRO=ubuntu make image
4 changes: 2 additions & 2 deletions src/cloud-api-adaptor/docker/image/Makefile
@@ -1,8 +1,8 @@
AA_KBC ?= offline_fs_kbc
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
BUILDER = ubuntu-binaries-builder-$(ARCH)
PODVM_IMG ?= quay.io/confidential-containers/podvm-docker-image
AGENT_POLICY = no
ATTESTER ?= none

.DEFAULT_GOAL := all
.PHONY: all
Expand Down Expand Up @@ -35,7 +35,7 @@ binaries:
cp -rf ../../../../.git ../../../.git
docker buildx build \
--build-arg BUILDER_IMG=$(BUILDER) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg ATTESTER=$(ATTESTER) \
$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
-o type=local,dest="./resources/binaries-tree" \
-f ../../podvm/Dockerfile.podvm_binaries ../../../
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/libvirt/kcli_cluster.sh
Expand Up @@ -64,7 +64,7 @@ create () {
fi
echo "Download $CLUSTER_IMAGE ${TARGET_ARCH} image"
# kcli support download image with archs: 'x86_64', 'aarch64', 'ppc64le', 's390x'
kcli download image $CLUSTER_IMAGE -a ${ARCH}
kcli download image $CLUSTER_IMAGE -P arch=${ARCH}

kcli create kube generic $parameters "$CLUSTER_NAME"

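Review bot: The new `kcli download image $CLUSTER_IMAGE -P arch=${ARCH}` leaves both expansions unquoted, so an empty or space-containing `CLUSTER_IMAGE` or `ARCH` would be word-split or silently dropped from the command; `kcli download image "$CLUSTER_IMAGE" -P arch="${ARCH}"` avoids that. This also looks like an unrelated kcli CLI fix riding along in a dependency-bump PR, so a sentence in the PR description, or a separate commit, would help anyone bisecting later. The `create` function starts outside the hunk.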
8 changes: 4 additions & 4 deletions src/cloud-api-adaptor/podvm-mkosi/Makefile
@@ -1,8 +1,8 @@
include ../Makefile.defaults

AA_KBC ?= cc_kbc
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
BUILDER = fedora-binaries-builder-$(ARCH)
ATTESTER ?= none
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
BUILDER = fedora-binaries-builder-$(ARCH)

REGISTRY ?= quay.io/confidential-containers
PODVM_DISTRO ?= fedora
Expand Down Expand Up @@ -43,7 +43,7 @@ binaries:
cp -rf ../../../.git ../../.git
docker buildx build \
--build-arg BUILDER_IMG=$(BUILDER) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg ATTESTER=$(ATTESTER) \
$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
-o type=local,dest="./resources/binaries-tree" \
-f ../podvm/Dockerfile.podvm_binaries.fedora ../../
6 changes: 4 additions & 2 deletions src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries
Expand Up @@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER
ARG PODVM_DISTRO=ubuntu
ARG GUEST_COMPONENTS_VERSION
ARG GUEST_COMPONENTS_REPO
ARG AA_KBC="cc_kbc"
# By default AA will be built with the `all-attesters` feature,
# which doesn't compile ootb on ubuntu.
ARG ATTESTER=none
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
Expand All @@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
ENV AA_KBC ${AA_KBC}
ENV ATTESTER ${ATTESTER}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

Expand Up @@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER
ARG PODVM_DISTRO=rhel
ARG GUEST_COMPONENTS_VERSION
ARG GUEST_COMPONENTS_REPO
ARG AA_KBC="cc_kbc"
# By default AA will be built with the `all-attesters` feature,
# which doesn't compile on fedora.
ARG ATTESTER=none
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
Expand All @@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
ENV AA_KBC ${AA_KBC}
ENV ATTESTER ${ATTESTER}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

6 changes: 4 additions & 2 deletions src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel
Expand Up @@ -9,15 +9,17 @@ ARG BUILDER_IMG
FROM ${BUILDER_IMG} AS podvm_builder

ARG PODVM_DISTRO=rhel
ARG AA_KBC="cc_kbc"
# By default AA will be built with the `all-attesters` feature,
# which doesn't compile ootb on RHEL.
ARG ATTESTER=none
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
#files/etc/kata-opa
ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego

ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV AA_KBC ${AA_KBC}
ENV ATTESTER ${ATTESTER}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

5 changes: 3 additions & 2 deletions src/cloud-api-adaptor/podvm/Makefile.inc
Expand Up @@ -23,12 +23,13 @@ ARCH := $(or $(ARCH),$(HOST_ARCH))
# Normalise x86_64 / amd64 for input ARCH
ARCH := $(subst amd64,x86_64,$(ARCH))
DEB_ARCH := $(subst x86_64,amd64,$(ARCH))
AA_KBC ?= cc_kbc
AA_KBC ?= offline_fs_kbc

Hi Magnus, just to check I understand - the attestation-agent doesn't build in the KBCs supported now, but uses attesters that communicate specifics with the matching verifier that runs on the KBS? What is the behaviour for aa_kbc_params=offline_fs_kbc::null? is the offline_fs_kbc always included as well as cc_kbc?


I'm not sure I understand this part well either. it's probably good that we upgrade. cc_kbc doesn't exist anymore as a specific flag. AA now exposes only this API:

#[async_trait]
pub trait AttestationAPIs {
    /// Get attestation Token
    async fn get_token(&mut self, token_type: &str) -> Result<Vec<u8>>;

    /// Get TEE hardware signed evidence that includes the runtime data.
    async fn get_evidence(&mut self, runtime_data: &[u8]) -> Result<Vec<u8>>;

    /// Extend runtime measurement register
    async fn extend_runtime_measurement(
        &mut self,
        events: Vec<Vec<u8>>,
        register_index: Option<u64>,
    ) -> Result<()>;

    /// Check the initdata binding
    async fn check_init_data(&mut self, init_data: &[u8]) -> Result<InitdataResult>;

While it used to be like this:

#[async_trait]
pub trait AttestationAPIs {
    /// Decrypt the encrypted information in `annotation`.
    ///
    /// The specific format of `annotation` is defined by different KBC and corresponding KBS.
    /// The decryption method may be to obtain the key from KBS for decryption, or
    /// directly send the `annotation` to KBS for decryption, which depends on the
    /// specific implementation of each KBC module.
    ///
    /// TODO: move this API to Confidential Data Hub
    async fn decrypt_image_layer_annotation(
        &mut self,
        kbc_name: &str,
        kbs_uri: &str,
        annotation: &str,
    ) -> Result<Vec<u8>>;

    /// Request KBS to obtain confidential resources, including confidential data or files.
    ///
    /// `resource_uri` is a KBS Resource URI pointing to a specific resource.
    ///
    /// TODO: remove this API
    async fn download_confidential_resource(
        &mut self,
        kbc_name: &str,
        resource_path: &str,
        kbs_uri: &str,
    ) -> Result<Vec<u8>>;

    /// Get attestation Token
    async fn get_token(&mut self, token_type: &str) -> Result<Vec<u8>>;

    /// Get TEE hardware signed evidence that includes the runtime data.
    async fn get_evidence(&mut self, runtime_data: &[u8]) -> Result<Vec<u8>>;

    /// Extend runtime measurement register
    async fn extend_runtime_measurement(
        &mut self,
        events: Vec<Vec<u8>>,
        register_index: Option<u64>,
    ) -> Result<()>;

    /// Check the initdata binding
    async fn check_init_data(&mut self, init_data: &[u8]) -> Result<()>;
}

/// Attestation agent to provide attestation service.
pub struct AttestationAgent {
    kbc_module_list: KbcModuleList,
    kbc_instance_map: HashMap<String, KbcInstance>,
    config: Option<Config>,
}


so, I assume, the kbc is picked in the CDH config now:

# KBC related configs.
[kbc]
# Required. The KBC name. It could be `cc_kbc`, `online_sev_kbc` or
# `offline_fs_kbc`. All the items under `[credentials]` will be
# retrieved using the kbc.
name = "cc_kbc"

# Required. The URL of KBS. If `name` is either `cc_kbc` or
# `online_sev_kbc`, this URL will be used to connect to the
# CoCoKBS (for cc_kbc) or Simple-KBS (for online_sev_kbc). If
# `name` is `offline_fs_kbc`, This URL will be ignored.
url = "http://example.io:8080"

that means for offline_fs_kbc to work, the CDH would in theory need to be populated. we currently do this via CAA + Cloud-Config, if the --aa-kbc-params is set. However, if it isn't set, there will be no CDH config file. However² CDH falls back to offline_fs_kbc if there's no config file afaik ...so it should work ootb 🍀


OK - I guess we don't have any upstream testing of offline_fs_kbc any more (and no downstream testing since we switched to main?), so we might have found a(nother) hole, but that's not a reason to not try and stay current.


not sure. things might also just miraculously keep working... let's see what the e2e tests will report.


In theory everything should continue working. The start-up code is really convoluted though. Hopefully we will clean it up when we finally switch to the init-data approach.


@mkulke does it really make sense to keep AA_KBC option to populate agent-config.toml anymore?
Or should we use AA_KBC to create a static CDH config during pod vm image building ?


@mkulke mkulke Jun 15, 2024


Yes indeed, that makes sense, we would always create a CDH config file, defaulting to offline_fs_kbc if —aa-kbc-params is not provided.

it would need more work though, since CDH depends on the AA sock atm, and AA also needs the templated kata agent-config.toml

So, I suggest we defer this to another PR, introducing an AA config file.

KBC_URI ?= null
LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl)
RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH))
RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC)

ATTESTER ?= none
CDH_RESOURCE_PROVIDER ?= kbs
SEALED_SECRET ?= yes

Expand Down Expand Up @@ -169,7 +170,7 @@ $(GUEST_COMPONENTS_SRC):
$(call git_clone_repo_ref,$(GUEST_COMPONENTS_REPO),$(GUEST_COMPONENTS_SRC),$(GUEST_COMPONENTS_VERSION))

$(ATTESTATION_AGENT): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC)
cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) KBC="$(AA_KBC)" ttrpc=true LIBC="$(LIBC)"
cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER=$(ATTESTER) ttrpc=true LIBC="$(LIBC)"
mkdir -p "$(@D)"
install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/attestation-agent" "$@"

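Review bot: The new attestation-agent invocation passes `ATTESTER=$(ATTESTER)` unquoted whereas `LIBC="$(LIBC)"` on the same line and the replaced `KBC="$(AA_KBC)"` were quoted; an empty value still yields `ATTESTER=`, but any whitespace in the value would split the argument, so `cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER="$(ATTESTER)" ttrpc=true LIBC="$(LIBC)"` keeps the line consistent. In the first hunk `ATTESTER ?= none` is added with no comment next to the commented `ARCH` normalisation, so a short note on the accepted values would help. `AA_KBC` is no longer referenced by the attestation-agent rule but keeps a default here, so a comment naming what still consumes it would tell readers it is not dead.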
4 changes: 2 additions & 2 deletions src/cloud-api-adaptor/test/e2e/README.md
Expand Up @@ -64,10 +64,10 @@ popd
popd
```

We need build and use the PodVM image with `AA_KBC=cc_kbc` enabled, for example:
We need build and use the PodVM image:
```
pushd ${cloud-api-adaptor}
AA_KBC=cc_kbc make podvm-builder podvm-binaries podvm-image
make podvm-builder podvm-binaries podvm-image
popd
```
Then extract the PodVM image and use it following [extracting-the-qcow2-image](../../podvm/README.md#extracting-the-qcow2-image)
5 changes: 5 additions & 0 deletions src/cloud-api-adaptor/test/e2e/common.go
Expand Up @@ -23,6 +23,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const CURL_IMAGE = "quay.io/curl/curl:latest"
const BUSYBOX_IMAGE = "quay.io/prometheus/busybox:latest"
const WAIT_DEPLOYMENT_AVAILABLE_TIMEOUT = time.Second * 180
const DEFAULT_AUTH_SECRET = "auth-json-secret-default"
Expand Down Expand Up @@ -140,6 +141,10 @@ func NewBusyboxPod(namespace string) *corev1.Pod {
return NewBusyboxPodWithName(namespace, "busybox")
}

func NewCurlPodWithName(namespace, podName string) *corev1.Pod {
return NewPod(namespace, podName, "curl", CURL_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}))
}

func NewBusyboxPodWithName(namespace, podName string) *corev1.Pod {
return NewPod(namespace, podName, "busybox", BUSYBOX_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}))
}
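Review bot: `NewCurlPodWithName` is exported without a doc comment; Go convention wants something like `// NewCurlPodWithName returns a Pod running CURL_IMAGE that sleeps for an hour so test commands can be exec'd into it.` above it. `CURL_IMAGE` points at the mutable `:latest` tag, matching `BUSYBOX_IMAGE` in the same file, but it means the e2e suite's behaviour can change without any change in this repo; pinning both to a digest or version tag would make runs reproducible. The `/bin/sh -c sleep 3600` command is now duplicated in two helpers and could be a single package-level value.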
7 changes: 4 additions & 3 deletions src/cloud-api-adaptor/test/e2e/common_suite.go
Expand Up @@ -595,13 +595,14 @@ func DoTestKbsKeyRelease(t *testing.T, e env.Environment, assert CloudAssert) {
func DoTestKbsKeyReleaseForFailure(t *testing.T, e env.Environment, assert CloudAssert) {

log.Info("Do test kbs key release failure case")
pod := NewBusyboxPodWithName(E2eNamespace, "busybox-wget-failure")
pod := NewCurlPodWithName(E2eNamespace, "curl-failure")
testCommands := []TestCommand{
{
Command: []string{"wget", "-q", "-O-", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},
Command: []string{"curl", "-s", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},
ContainerName: pod.Spec.Containers[0].Name,
TestCommandStdoutFn: func(stdout bytes.Buffer) bool {
if strings.Contains(stdout.String(), "request unautorized") {
body := stdout.String()
if strings.Contains(strings.ToLower(body), "error") {

I think it would be good to have a more specific error, but I think that depends on confidential-containers/guest-components#587, so this is okay for now.


I guess what we want to do is assert on an http status code (401 in this case once we have this). instead of relying on error strings

log.Infof("Pass failure case as: %s", stdout.String())
return true
} else {
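Review bot: `curl -s` suppresses curl's own error messages, so if the CDH endpoint is unreachable the body is empty and the test falls through to the else branch with nothing explaining why; `curl -sS` keeps the error on stderr (whether `TestCommand` captures stderr is not visible here). The log line a few lines down still calls `stdout.String()` although the new `body` variable holds the same string, so `log.Infof("Pass failure case as: %s", body)` avoids the repeat. `DoTestKbsKeyReleaseForFailure` continues outside the hunk.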
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/versions.yaml
Expand Up @@ -28,7 +28,7 @@ tools:
git:
guest-components:
url: https://github.com/confidential-containers/guest-components
reference: 277617af60c32661819c1132ffbf3db8dc6e1b9f
reference: 9bcc7c1addcbad1e249a6d870d9df68f2824254b
kata-containers:
url: https://github.com/kata-containers/kata-containers
reference: 59ff40f05484da2a462fa44f18fe95e7c8484546