aa_kbc_params: parse from kernel cmdlind first #511
Conversation
Signed-off-by: Xynnn007 <[email protected]>
In CoCo, the aa_kbc_params is still passed from the kernel cmdline and will be read in Confidential Data Hub. If we do not provide a default configuration file for CDH, a default one will set the aa_kbc_params env to offline-fs-kbc. This would make the kernel cmdline not work. This fix checks if aa_kbc_params is given. If so, skip the logic of setting env to allow the original aa_kbc_params to work. Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
fix-aa-kbc-params
branch
from
172fe9f to
f1d3123
Compare
| "AA_KBC_PARAMS", | ||
| format!("{}::{}", self.kbc.name, self.kbc.url), | ||
| ); | ||
| if let Err(_) = attestation_agent::config::aa_kbc_params::get_value() { |
There was a problem hiding this comment.
Hi @Xynnn007 !
attestation_agent::config::aa_kbc_params::get_value() is a very simple function. I wonder if it wouldn't make sense to simply duplicate it to CDH to avoid creating this dependency CDH -> AA as the build of CDH can get overly complicated.
There was a problem hiding this comment.
Never mind. I just noticed cdh -> AA dependency is already established.
There was a problem hiding this comment.
indeed, but they communicate via API and a clear interface, so a direct dep like this is unfortunate. I think we want to establish what configuration options we want to provide and then build configuration accordingly. At the moment this is more or less spec' ed in the implementation (e.g. "if aa_kbc_params kernel param is unset and there is no CDH config file, set aa_kbc_params as environment parameter to configure the CDH KMS - but without KBS cert").
So, there are a few assumptions, and it would be a good idea to simplify, even if that means duplication, e.g. the introduction of a cdh_kbs_params kernel param if we want to support passport on platforms without dynamic initdata.
Removes one await that we don't need and simplifies one conditional. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
In CoCo, the aa_kbc_params is still passed from the kernel cmdline and will be read in Confidential Data Hub. If we do not provide a default configuration file for CDH, a default one will set the aa_kbc_params env to offline-fs-kbc. This would make the kernel cmdline not work.
As a workaround, this commit bring the kernel cmdline parsing first. The disadvantage is that we will not support to use any other aa_kbc_params if we already set the kernel cmdline. This disadvantage will be covered once initdata is implemented.
following up to kata-containers/kata-containers#8870 (comment)
cc @fitzthum @mkulke @wainersm