-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add trustee-client - a simple client for Trustee #755
Conversation
Gather evidence, attest and get secrets from Trustee Currently it simply uses AA's kbs_protocol client and attesters. If needed, it can be enhanced later. Signed-off-by: Uri Lublin <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. One comment.
Also, I am not sure the config file is really necessary. it seems a little cumbersome to have to specify the KBS URL in the config file rather than just putting it in the command line, but it's not a big deal.
Btw, it's interesting that we're in the guest-components repo. I think that's fine and maybe having some kind of client in both guest-components and trustee repos will help us decouple the tests a little bit.
@@ -17,6 +17,7 @@ members = [ | |||
"confidential-data-hub/storage", | |||
"image-rs", | |||
"ocicrypt-rs", | |||
"trustee-client", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this name might be too general. This tool only exercises a subset of the Trustee APIs. Btw see this proposal which might end up with a similar name.
Maybe this could be called cc-kbc-resource-getter
or trustee-resource-getter
or trustee-resource-client
or something else
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I'll take a look at that proposal and think of names.
Thanks @fitzthum |
Good job. While this PR functions similarly to a kbs-client. I agree with Tobin's comment that it would be better to move it to the trustee repo if the client is focused on expanding the kbs-client |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work. I noticed that the sub-crate aims to implement a binary for dep kbs_protocol
. Probably we could make it a binary of kbs_protocol
instead of a separate crate. Example for this
The server (trustee) and client (guest-components) codes are in two repos. If we want to have some test for compability of the two repo, it would always require us to pull the other's code/image/... in another repo |
@ChengyuZhu6 @Xynnn007 thanks for looking. The idea is to have a simple program in guest-components repository that can get resources from Trustee. I thought of adding it as a binary under kbs_protocol, but if more features are added later would it stay under kbs_protocol or move ? |
We can see the concrete situation then. Up to now, it seems that we can keep the feature aligning with |
Yeah seems fine to keep it in this repo and I think having a binary under kbs protocol makes sense. It should be relatively easy to move this there. We can move it again if the scope increases, but it seems like the goal of this really is to have an extremely narrow scope. |
Thanks. I'll send another PR under kbs_protocol and close this one. |
All names sound not bad to me, as now |
Gather evidence, attest and get secrets from Trustee
Currently it simply uses AA's kbs_protocol client and attesters. If needed, it can be enhanced later.