From 3620a53e0592eadb1183b538a749012f13c9a3cf Mon Sep 17 00:00:00 2001
From: Uri Lublin
Date: Tue, 10 Dec 2024 03:26:16 +0200
Subject: [PATCH 1/3] packaging: add package.license to Cargo.toml files
Signed-off-by: Uri Lublin
---
 attestation-agent/attestation-agent/Cargo.toml | 1 +
 attestation-agent/attester/Cargo.toml | 1 +
 attestation-agent/coco_keyprovider/Cargo.toml | 1 +
 attestation-agent/deps/crypto/Cargo.toml | 1 +
 attestation-agent/deps/resource_uri/Cargo.toml | 1 +
 attestation-agent/deps/sev/Cargo.toml | 1 +
 attestation-agent/kbc/Cargo.toml | 1 +
 attestation-agent/kbs_protocol/Cargo.toml | 1 +
 confidential-data-hub/hub/Cargo.toml | 1 +
 image-rs/libs/test-utils/Cargo.toml | 1 +
 10 files changed, 10 insertions(+)
diff --git a/attestation-agent/attestation-agent/Cargo.toml b/attestation-agent/attestation-agent/Cargo.toml
index 076953ef4..795788383 100644
--- a/attestation-agent/attestation-agent/Cargo.toml
+++ b/attestation-agent/attestation-agent/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [[bin]]
 name = "grpc-aa"
diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml
index f371e3a06..9c1459e11 100644
--- a/attestation-agent/attester/Cargo.toml
+++ b/attestation-agent/attester/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dependencies]
 anyhow.workspace = true
diff --git a/attestation-agent/coco_keyprovider/Cargo.toml b/attestation-agent/coco_keyprovider/Cargo.toml
index 0dd9950d1..9018698ec 100644
--- a/attestation-agent/coco_keyprovider/Cargo.toml
+++ b/attestation-agent/coco_keyprovider/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dependencies]
 aes-gcm.workspace = true
diff --git a/attestation-agent/deps/crypto/Cargo.toml b/attestation-agent/deps/crypto/Cargo.toml
index 18c41431a..d7017ef1f 100644
--- a/attestation-agent/deps/crypto/Cargo.toml
+++ b/attestation-agent/deps/crypto/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dependencies]
 aes-gcm = { workspace = true, optional = true }
diff --git a/attestation-agent/deps/resource_uri/Cargo.toml b/attestation-agent/deps/resource_uri/Cargo.toml
index 77695afbb..c802b2a85 100644
--- a/attestation-agent/deps/resource_uri/Cargo.toml
+++ b/attestation-agent/deps/resource_uri/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dev-dependencies]
 rstest.workspace = true
diff --git a/attestation-agent/deps/sev/Cargo.toml b/attestation-agent/deps/sev/Cargo.toml
index 3ee4ef527..f6d947d97 100644
--- a/attestation-agent/deps/sev/Cargo.toml
+++ b/attestation-agent/deps/sev/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dependencies]
 anyhow.workspace = true
diff --git a/attestation-agent/kbc/Cargo.toml b/attestation-agent/kbc/Cargo.toml
index df7eebe28..3c2d82b56 100644
--- a/attestation-agent/kbc/Cargo.toml
+++ b/attestation-agent/kbc/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dependencies]
 anyhow.workspace = true
diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
index 667969a72..4bfa1ff42 100644
--- a/attestation-agent/kbs_protocol/Cargo.toml
+++ b/attestation-agent/kbs_protocol/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["The Attestation Agent Authors"]
 publish = false
 edition = "2021"
+license = "Apache-2.0"
 [dependencies]
 anyhow.workspace = true
diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
index 89edc7f62..a7eb030a8 100644
--- a/confidential-data-hub/hub/Cargo.toml
+++ b/confidential-data-hub/hub/Cargo.toml
@@ -3,6 +3,7 @@ name = "confidential-data-hub"
 version = "0.1.0"
 authors = ["The Confidential Container Authors"]
 edition = "2021"
+license = "Apache-2.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/image-rs/libs/test-utils/Cargo.toml b/image-rs/libs/test-utils/Cargo.toml
index f0d5d3a15..49b9c2427 100644
--- a/image-rs/libs/test-utils/Cargo.toml
+++ b/image-rs/libs/test-utils/Cargo.toml
@@ -2,6 +2,7 @@ name = "test-utils"
 version = "0.1.0"
 edition = "2021"
+license = "Apache-2.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
From 01d329a28d989339c6b3ec4f12dae68d94afb8d7 Mon Sep 17 00:00:00 2001
From: Uri Lublin
Date: Thu, 2 Jan 2025 16:02:40 +0200
Subject: [PATCH 2/3] trustee-attester: add a manual-page
Signed-off-by: Uri Lublin
---
 .../bin/trustee-attester/trustee-attester.1 | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1
diff --git a/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1 b/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1
new file mode 100644
index 000000000..91dea36d4
--- /dev/null
+++ b/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1
@@ -0,0 +1,52 @@
+.TH trustee-attester 1
+.LO 1
+
+.SH NAME
+trustee-attester \- attest and fetch secrets from Trustee
+
+.SH SYNOPSIS
+.B trustee-attester
+.RB OPTIONS
+.RB get-resource \-\-path
+
+.SH DESCRIPTION
+trustee-attester is a simple client to easily attest and fetch secrets
+(a.k.a confidential resources) from Trustee.
+
+.IR get-resource
+Do attestation and get a secret from Trustee.
+RESOURCE_PATH is a of format //
+
+It is assumed that the secret was uploaded to Trustee, with the
+exact same RESOURCE_PATH, before trustee-attester runs.
+
+For more information look at
+https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md
+
+.SH OPTIONS
+.RB \-\-url [\-\-cert-file ]
+
+.RB \-\-url
+Format of is ://:
+where is
+.B http
+or
+.B https
+
+.RB \-\-cert-file
+Optional. When is https, add a certificate to verify the Trustee server.
+
+.SH EXAMPLES
+trustee-attester --url http://10.0.0.4:50000 get-resource --path default/secrets/secret1
+
+trustee-attester --url https://10.0.0.4:50000 --cert-file /etc/trustee-attester/server_cert.pem
+get-resource --path myrepo/keys/mykey1
+
+.SH NOTES
+.B trustee-attester
+is a part of https://github.com/confidential-containers/guest-components.
+
+User must have privileges to request an attestation-report from the hardware.
+
+.B Trustee
+can be found here https://github.com/confidential-containers/trustee
From f567ca12c6e7290f125047d98df50cb653d13ae2 Mon Sep 17 00:00:00 2001
From: Uri Lublin
Date: Thu, 23 Jan 2025 11:52:05 +0200
Subject: [PATCH 3/3] trustee-attester: attest before get-resource
Without it rcar_client complains: Authenticating with KBS failed. Perform a new RCAR handshake No need to keep _token as the kbs_protocol client keeps it.
Signed-off-by: Uri Lublin
---
 attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs b/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
index 4629e159e..1c9f10e2a 100644
--- a/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
+++ b/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
@@ -80,6 +80,7 @@ async fn main() -> Result<()> {
 true => path,
 };
 let resource = ResourceUri::new("", &resource_path)?;
+ let (_token, _key) = client.get_token().await?; // attest first
 let resource_bytes = client.get_resource(resource).await?;
 println!("{}", STANDARD.encode(resource_bytes));
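Review bot: The tuple bindings `_token` and `_key` on the added line are never read, and the commit message says the kbs_protocol client retains the token itself, so the result should be dropped in place rather than held until `main` returns: `client.get_token().await?; // attest first: runs the RCAR handshake so get_resource below reuses the client's session token`. Underscore-prefixed bindings are still live bindings, so the current form also keeps whatever key material `_key` carries alive for the rest of `main` instead of releasing it immediately. A bare `?` here makes an attestation failure indistinguishable from a failed resource fetch for the operator; if the `Result` alias in this file is `anyhow::Result` (its import is outside the hunk), attaching `.context("attestation with Trustee/KBS failed")` before the `?` separates the two. `main` starts and ends outside the hunk.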