
initdata: add initdata hash in ibmse evidence #616

Merged: 2 commits merged into confidential-containers:main (from branch userdata) on Aug 13, 2024

Conversation

huoqifeng

@huoqifeng huoqifeng commented Jul 17, 2024

Add initdata hash in ibmse evidence; the initdata hash will be checked by AS policy service as a claim field.

Depends on:

Signed-off-by: Qi Feng Huo [email protected]

- add initdata hash in ibmse evidence,
- the initdata hash will be checked by AS policy service as a claim field.

Signed-off-by: Qi Feng Huo <[email protected]>
@huoqifeng

huoqifeng commented Aug 9, 2024

The flow is like this:

  • Generate initdata following https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/initdata.md
  • Add the initdata in PeerPod yaml in annotation io.katacontainers.config.runtime.cc_init_data
  • Deploy the PeerPod
  • The PeerPod instance generates aa.toml, cdh.toml, policy and initdata in the folder /run/peerpod and calculates initdata.digest at launch
  • The attester reads '/run/peerpod/initdata.digest', adds it to se.user_data and sends it to the verifier for ibmse
  • The verifier on the KBS side reads the se.user_data value set beforehand in the attestation policy and evaluates this field.
  • Attestation passes if se.user_data matches on both sides, and fails if it does not.

Example

  • initdata (aa and cdh certificates are optional, not set in this example)
algorithm = "sha384"
version = "0.1.0"

[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]
url = 'http://1xx.xx.xx.xx:8080'

[token_configs.kbs]
url = 'http://xx.xx.xx.xx:8080'
'''

"cdh.toml" = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []

[kbc]
name = 'cc_kbc'
url = 'http://xx.xx.xx.xx:8080'
'''

"policy.rego" = '''
package agent_policy

import future.keywords.in
import future.keywords.every

import input

# Default values, returned by OPA when rules cannot be evaluated to true.
default CopyFileRequest := false
default CreateContainerRequest := false
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default ExecProcessRequest := false
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default OnlineCPUMemRequest := true
default PullImageRequest := true
default ReadStreamRequest := false
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StatsContainerRequest := true
default TtyWinResizeRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default WriteStreamRequest := false
'''
  • Pod yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: busybox
  name: initdata-busybox
  annotations:
    io.katacontainers.config.runtime.cc_init_data: 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
spec:
  containers:
  - image: quay.io/prometheus/busybox
    name: initdata-busybox
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
  runtimeClassName: kata-remote
  • Digest in PeerPod
# cat /run/peerpod/initdata.digest 
9c8b2ee7963280a33fe415dac579d01dabc458f4d06ce4ae522ae06fa58ca65fbe9d2330d169f9ff794e6e0277173e28
flattened_claims: {
    "init_data": String(""),
    "report_data": String(""),
    "se.attestation_phkh": String("92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508"),
    "se.cuid": String("982c8076b725eeccdec4868e36e65f3c"),
    "se.image_phkh": String("92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508"),
    "se.tag": String("a423dcd5dd9aa0f2e5f68dd2b6de2cb6"),
    "se.user_data": String("9c8b2ee7963280a33fe415dac579d01dabc458f4d06ce4ae522ae06fa58ca65fbe9d2330d169f9ff794e6e0277173e28"),
    "se.version": Number(256),
}
  • Attestation passed because se.user_data equals the value set in attestation policy.

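A minimal model of the attester/verifier exchange described in the flow above, as an added example (not code from this PR or from the guest-components project): it computes the initdata digest and performs the se.user_data comparison that the attestation policy would do. It assumes the digest is the declared hash over the raw initdata TOML bytes; the URL and the non-digest claim values are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed initdata document in the shape used in the PR description;
# the URL is a placeholder, not a real endpoint.
INITDATA_TOML = b"""algorithm = "sha384"
version = "0.1.0"

[data]
"aa.toml" = '''
[token_configs]
[token_configs.kbs]
url = 'http://kbs.example:8080'
'''
"""

SUPPORTED_ALGORITHMS = ("sha256", "sha384", "sha512")


def initdata_digest(initdata: bytes) -> str:
    """Hash the initdata with the algorithm the document declares.

    Assumption (example only): the value written to
    /run/peerpod/initdata.digest is the declared hash over the raw TOML bytes.
    """
    match = re.search(rb'^algorithm\s*=\s*"([a-z0-9]+)"', initdata, re.M)
    algorithm = match.group(1).decode() if match else "sha384"
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported initdata algorithm: {algorithm}")
    return hashlib.new(algorithm, initdata).hexdigest()


def attester_claims(digest: str) -> dict:
    """Attester side: place the digest in se.user_data, as the PR does.
    The other values are constructed placeholders, not real measurements."""
    return {
        "init_data": "",
        "se.image_phkh": "<constructed-placeholder>",
        "se.user_data": digest,
        "se.version": 256,
    }


def evaluate_se_user_data(flattened_claims: dict, expected_digest: str) -> bool:
    """Verifier side: compare se.user_data with the digest pinned in policy.
    A missing, empty or non-string claim fails closed; compare in constant time."""
    claim = flattened_claims.get("se.user_data")
    if not isinstance(claim, str) or not claim:
        return False
    return hmac.compare_digest(claim.lower(), expected_digest.lower())
```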
@huoqifeng

@Xynnn007 @fitzthum @mkulke @jialez0 @ChengyuZhu6, may I ask for your review?


@liudalibj liudalibj left a comment


LGTM

@huoqifeng huoqifeng merged commit cea8df8 into confidential-containers:main Aug 13, 2024
5 checks passed
@huoqifeng huoqifeng deleted the userdata branch August 13, 2024 08:23