diff --git a/.github/workflows/as-docker-build.yml b/.github/workflows/as-docker-build.yml index 0bd1c3720..d987d5013 100644 --- a/.github/workflows/as-docker-build.yml +++ b/.github/workflows/as-docker-build.yml @@ -26,6 +26,10 @@ jobs: - name: Code checkout uses: actions/checkout@v4 + - name: Generate Dockerfiles + run: | + cd attestation-service && make dockerfile + - name: Build gRPC AS Container Image run: | DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/docker/as-grpc/Dockerfile diff --git a/.github/workflows/kbs-docker-e2e.yml b/.github/workflows/kbs-docker-e2e.yml index 3d75f6f9c..ceeab97e6 100644 --- a/.github/workflows/kbs-docker-e2e.yml +++ b/.github/workflows/kbs-docker-e2e.yml @@ -33,6 +33,10 @@ jobs: openssl genpkey -algorithm ed25519 > kbs/config/private.key openssl pkey -in kbs/config/private.key -pubout -out kbs/config/public.pub + - name: Generate Dockerfiles + run: | + cd attestation-service && make dockerfile + - name: Build KBS Cluster run: docker compose build diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 5b1ecbc43..dcee9c4dc 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml +++ b/.github/workflows/push-as-image-to-ghcr.yml 
@@ -19,22 +19,50 @@ jobs: - coco-as-grpc - coco-as-restful - rvps + verifier: + - all-verifier + - se-verifier include: - docker_file: attestation-service/docker/as-grpc/Dockerfile tag: coco-as-grpc name: gRPC CoCo-AS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: attestation-service/docker/as-grpc/Dockerfile + tag: coco-as-grpc + name: gRPC CoCo-AS (IBM SE) + verifier: se-verifier + instance: s390x - docker_file: attestation-service/docker/as-restful/Dockerfile tag: coco-as-restful name: RESTful CoCo-AS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: attestation-service/docker/as-restful/Dockerfile + tag: coco-as-restful + name: RESTful CoCo-AS (IBM SE) + verifier: se-verifier + instance: s390x - docker_file: rvps/docker/Dockerfile tag: rvps name: RVPS + verifier: all-verifier + instance: ubuntu-latest + - docker_file: rvps/docker/Dockerfile + tag: rvps + name: RVPS + verifier: se-verifier + instance: s390x runs-on: ${{ matrix.instance }} steps: - name: Checkout code uses: actions/checkout@v4 + - name: Generate Dockerfiles + run: | + cd attestation-service && make dockerfile VERIFIER=${{ matrix.verifier }} + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/attestation-service/.gitignore b/attestation-service/.gitignore index 8225730b1..02352aca3 100644 --- a/attestation-service/.gitignore +++ b/attestation-service/.gitignore @@ -7,3 +7,6 @@ tests/e2e/restful-request.json # Output files generated by unit test tests/tmp/ + +# Generated Dockerfile +docker/**/Dockerfile \ No newline at end of file diff --git a/attestation-service/Cargo.toml b/attestation-service/Cargo.toml index f7dfc6115..fce9a5a6c 100644 --- a/attestation-service/Cargo.toml +++ b/attestation-service/Cargo.toml 
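Review bot: Both RVPS `include` entries keep `name: RVPS` and `tag: rvps`, while the two CoCo-AS pairs distinguish the s390x build with an `(IBM SE)` suffix, so the two RVPS jobs are indistinguishable in the run view and, unless the push steps outside this hunk add an architecture suffix, the second push overwrites the first under the same tag. `name: RVPS (IBM SE)` on the `se-verifier` entry restores the pattern. The new `Generate Dockerfiles` step also runs for the `rvps` entries although `rvps/docker/Dockerfile` is not generated from a template; harmless, but `if: matrix.tag != 'rvps'` on that step would make the intent explicit.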
@@ -4,7 +4,7 @@ version = "0.1.0" edition = "2021" [features] -default = [ "restful-bin", "rvps-grpc", "rvps-builtin", "all-verifier" ] +default = ["restful-bin", "rvps-grpc", "rvps-builtin"] all-verifier = [ "verifier/all-verifier" ] tdx-verifier = [ "verifier/tdx-verifier" ] sgx-verifier = [ "verifier/sgx-verifier" ] @@ -64,13 +64,8 @@ thiserror = { workspace = true, optional = true } tokio.workspace = true tonic = { workspace = true, optional = true } uuid = { version = "1.1.2", features = ["v4"] } - -[target.'cfg(not(target_arch = "s390x"))'.dependencies] verifier = { path = "../deps/verifier", default-features = false } -[target.'cfg(target_arch = "s390x")'.dependencies] -verifier = { path = "../deps/verifier", default-features = false, features = ["se-verifier"] } - [build-dependencies] shadow-rs.workspace = true tonic-build.workspace = true diff --git a/attestation-service/Makefile b/attestation-service/Makefile index 67ca32953..e3d14b5cf 100644 --- a/attestation-service/Makefile +++ b/attestation-service/Makefile @@ -8,15 +8,14 @@ BIN_NAMES := grpc-as restful-as DEBUG ?= DESTDIR ?= $(PREFIX)/bin -FEATURES ?= +VERIFIER ?= all-verifier -ifdef FEATURES - OPTIONAL_FEATURES := ,$(FEATURES) - default-features := --no-default-features -else - OPTIONAL_FEATURES := - default-features := -endif +GRPC_AS_DOCKERFILE_TEMPLATE := docker/as-grpc/Dockerfile.template +GRPC_AS_DOCKERFILE := docker/as-grpc/Dockerfile +RESTFUL_AS_DOCKERFILE_TEMPLATE := docker/as-restful/Dockerfile.template +RESTFUL_AS_DOCKERFILE := docker/as-restful/Dockerfile + +DOCKERFILE_GENERATOR := docker/generate-dockerfile.sh ifdef DEBUG release := 
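Review bot: With `all-verifier` dropped from `default`, a plain `cargo build` or `cargo install` of this crate now compiles `restful-bin` with no verifier feature at all, and nothing in the manifest says that one must be chosen; the workflows, the Makefile and the KBS manifest in this commit each select a verifier explicitly, so an out-of-tree consumer is the one who will hit it. A comment above `[features]` would make the contract visible, e.g. `# No verifier is enabled by default: select one *-verifier feature (the Makefile and the generated Dockerfiles default to all-verifier).` What the service does at run time when no verifier is compiled in is outside this hunk.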
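Review bot: `VERIFIER ?= all-verifier` is the knob that replaces `FEATURES`, but the documentation hunks in `attestation-service/docs/grpc-as.md` and `attestation-service/docs/restful-as.md` in this same commit instruct `make ATTESTER=all-attester`, a variable nothing in this Makefile reads, so a user following them silently builds with the default. They should read `make VERIFIER=all-verifier`. A comment above the assignment listing the accepted values would also help, e.g. `# Verifier feature to compile in and to bake into the generated Dockerfiles (all-verifier, se-verifier, ...); must match a *-verifier feature in Cargo.toml`.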
@@ -29,15 +28,24 @@ endif build: grpc-as restful-as grpc-as: - cargo build --bin grpc-as $(release) $(default-features) --features grpc-bin$(OPTIONAL_FEATURES) + cargo build --bin grpc-as $(release) $(default-features) --features grpc-bin,$(VERIFIER) restful-as: - cargo build --bin restful-as $(release) $(default-features) --features restful-bin$(OPTIONAL_FEATURES) + cargo build --bin restful-as $(release) $(default-features) --features restful-bin,$(VERIFIER) install: for bin_name in $(BIN_NAMES); do \ install -D -m0755 $(TARGET_DIR)/$$bin_name $(DESTDIR); \ done +$(GRPC_AS_DOCKERFILE): $(GRPC_AS_DOCKERFILE_TEMPLATE) $(DOCKERFILE_GENERATOR) + @$(DOCKERFILE_GENERATOR) $(GRPC_AS_DOCKERFILE_TEMPLATE) $(GRPC_AS_DOCKERFILE) VERIFIER=$(VERIFIER) + +$(RESTFUL_AS_DOCKERFILE): $(RESTFUL_AS_DOCKERFILE_TEMPLATE) $(DOCKERFILE_GENERATOR) + @$(DOCKERFILE_GENERATOR) $(RESTFUL_AS_DOCKERFILE_TEMPLATE) $(RESTFUL_AS_DOCKERFILE) VERIFIER=$(VERIFIER) + +dockerfile: $(GRPC_AS_DOCKERFILE) $(RESTFUL_AS_DOCKERFILE) + clean: - cargo clean + cargo clean && \ + rm -rf $(GRPC_AS_DOCKERFILE) $(RESTFUL_AS_DOCKERFILE) diff --git a/attestation-service/docker/as-grpc/Dockerfile b/attestation-service/docker/as-grpc/Dockerfile deleted file mode 100644 index 4ad794068..000000000 --- a/attestation-service/docker/as-grpc/Dockerfile +++ /dev/null 
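Review bot: `VERIFIER=$(VERIFIER)` on the two generator recipe lines is placed after the command, so the shell passes it to the script as a third positional argument rather than an environment assignment, and `generate-dockerfile.sh` (which reads `${VERIFIER:-all-verifier}` from its environment) only sees the Makefile's value when `VERIFIER` was given on make's command line, which make exports by itself; it currently works only because both defaults happen to be `all-verifier`. The assignment belongs before the command: `VERIFIER=$(VERIFIER) $(DOCKERFILE_GENERATOR) $(GRPC_AS_DOCKERFILE_TEMPLATE) $@`. The same hunk still expands `$(default-features)` on both `cargo build` lines although the previous hunk deleted its only definition, so it is now always empty and should either be removed or, if the old `--no-default-features` behaviour was wanted, be defined again. The generated Dockerfiles also depend only on the template and the generator, so after one `make dockerfile` a later `make dockerfile VERIFIER=se-verifier` reports them up to date and leaves the all-verifier output in place; the rewrite below records the verifier in a stamp so that a change regenerates them, and drops the `@` so the failing command is visible when the generator errors. Whether `build`, `dockerfile` and `clean` are declared `.PHONY` is outside the hunk.
```make
# The stamp name embeds VERIFIER, so switching verifiers regenerates the
# Dockerfiles instead of leaving the previous verifier's output in place.
DOCKERFILE_STAMP := docker/.verifier-$(VERIFIER).stamp

$(DOCKERFILE_STAMP):
	rm -f docker/.verifier-*.stamp
	touch $@

$(GRPC_AS_DOCKERFILE): $(GRPC_AS_DOCKERFILE_TEMPLATE) $(DOCKERFILE_GENERATOR) $(DOCKERFILE_STAMP)
	VERIFIER=$(VERIFIER) $(DOCKERFILE_GENERATOR) $(GRPC_AS_DOCKERFILE_TEMPLATE) $@

$(RESTFUL_AS_DOCKERFILE): $(RESTFUL_AS_DOCKERFILE_TEMPLATE) $(DOCKERFILE_GENERATOR) $(DOCKERFILE_STAMP)
	VERIFIER=$(VERIFIER) $(DOCKERFILE_GENERATOR) $(RESTFUL_AS_DOCKERFILE_TEMPLATE) $@

# … unchanged: dockerfile aggregate target …

clean:
	cargo clean && \
	rm -rf $(GRPC_AS_DOCKERFILE) $(RESTFUL_AS_DOCKERFILE) docker/.verifier-*.stamp
```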
@@ -1,47 +0,0 @@ -# Copyright (c) 2023 by Alibaba. -# Licensed under the Apache License, Version 2.0, see LICENSE for details. -# SPDX-License-Identifier: Apache-2.0 - -FROM rust:latest AS builder -ARG ARCH=x86_64 - -WORKDIR /usr/src/attestation-service -COPY . . - -# Install TPM Build Dependencies -RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev - -# Install TDX Build Dependencies -RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ - echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ - apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi - -# Build and Install gRPC attestation-service -RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin --locked - - -FROM ubuntu:22.04 -ARG ARCH=x86_64 - -LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" - -# Install TDX Runtime Dependencies -RUN apt-get update && apt-get install curl gnupg openssl -y && \ - rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* - -RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ - echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ - apt-get update && \ - apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ - rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi - -# Copy TPM Runtime Dependencies -COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu - -COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as - -VOLUME /opt/confidential-containers/attestation-service - -CMD ["grpc-as", "--socket", 
"0.0.0.0:50004"]
-
-EXPOSE 50004
diff --git a/attestation-service/docker/as-grpc/Dockerfile.template b/attestation-service/docker/as-grpc/Dockerfile.template
new file mode 100644
index 000000000..ac29d3483
--- /dev/null
+++ b/attestation-service/docker/as-grpc/Dockerfile.template
@@ -0,0 +1,35 @@
+# Copyright (c) 2023 by Alibaba.
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+FROM rust:latest AS builder
+
+WORKDIR /usr/src/attestation-service
+COPY . .
+
+# Install Build Dependencies
+RUN apt-get update && apt-get install -y protobuf-compiler clang
+
+@INSTALL_TPM_DEPENDENCIES@
+
+@INSTALL_TDX_DEPENDENCIES@
+
+# Build and Install gRPC attestation-service
+RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,@VERIFIER@ --locked
+
+FROM ubuntu:22.04
+ARG ARCH=x86_64
+
+LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service"
+
+@INSTALL_TDX_DEPENDENCIES@
+
+@COPY_TPM_DEPENDENCIES@
+
+COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as
+
+VOLUME /opt/confidential-containers/attestation-service
+
+CMD ["grpc-as", "--socket", "0.0.0.0:50004"]
+
+EXPOSE 50004
diff --git a/attestation-service/docker/as-restful/Dockerfile b/attestation-service/docker/as-restful/Dockerfile
deleted file mode 100644
index 349621152..000000000
--- a/attestation-service/docker/as-restful/Dockerfile
+++ /dev/null
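Review bot: The runtime stage (`FROM ubuntu:22.04`) now takes its packages solely from `@INSTALL_TDX_DEPENDENCIES@`, which `generate-dockerfile.sh` replaces with the `g` flag, i.e. with the same builder-oriented block (`curl gnupg` plus `libsgx-dcap-quote-verify-dev`) in both stages, or with nothing for any other verifier; the deleted Dockerfile installed `curl gnupg openssl` unconditionally and `libsgx-dcap-default-qpl libsgx-dcap-quote-verify` there, so the non-TDX image now ships without `openssl` and the TDX image without the default QPL and with a `-dev` package in its place. Whether `grpc-as` needs those at run time I cannot tell from the hunk, but it should be confirmed before the old Dockerfile is dropped. A separate placeholder for the runtime stage, say `@INSTALL_TDX_RUNTIME_DEPENDENCIES@`, expanded by the generator to the previous runtime package list would keep the old image contents. `attestation-service/docker/as-restful/Dockerfile.template` has the same layout and the same point applies to it.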
@@ -1,48 +0,0 @@ -# Copyright (c) 2023 by Alibaba. -# Licensed under the Apache License, Version 2.0, see LICENSE for details. -# SPDX-License-Identifier: Apache-2.0 - -FROM rust:latest AS builder -ARG ARCH=x86_64 - -WORKDIR /usr/src/attestation-service -COPY . . - -# Install TPM Build Dependencies -RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev - -# Install TDX Build Dependencies -RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ - echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ - apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi - -# Build and Install RESTful attestation-service -RUN cargo install --path attestation-service --bin restful-as --features restful-bin --locked - -FROM ubuntu:22.04 -ARG ARCH=x86_64 - -LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" - -# Install TDX Runtime Dependencies -RUN apt-get update && apt-get install curl gnupg openssl -y && \ - rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* - -RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \ - echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ - apt-get update && \ - apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ - rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi - -# Copy TPM Runtime Dependencies -COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu - -COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as - -COPY ./attestation-service/config.json /etc/config.json - -VOLUME 
/opt/confidential-containers/attestation-service
-
-CMD ["restful-as", "--socket", "0.0.0.0:8080", "--config-file", "/etc/config.json"]
-
-EXPOSE 8080
diff --git a/attestation-service/docker/as-restful/Dockerfile.template b/attestation-service/docker/as-restful/Dockerfile.template
new file mode 100644
index 000000000..fed44d4fb
--- /dev/null
+++ b/attestation-service/docker/as-restful/Dockerfile.template
@@ -0,0 +1,39 @@
+# Copyright (c) 2023 by Alibaba.
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+FROM rust:latest AS builder
+
+WORKDIR /usr/src/attestation-service
+COPY . .
+
+# Install Build Dependencies
+RUN apt-get update && apt-get install -y protobuf-compiler clang
+
+@INSTALL_TPM_DEPENDENCIES@
+
+@INSTALL_TDX_DEPENDENCIES@
+
+# Build and Install RESTful attestation-service
+RUN cargo install --path attestation-service --bin restful-as --features restful-bin,@VERIFIER@ --locked
+
+FROM ubuntu:22.04
+ARG ARCH=x86_64
+
+LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service"
+
+@INSTALL_TDX_DEPENDENCIES@
+
+@COPY_TPM_DEPENDENCIES@
+
+# Copy TPM Runtime Dependencies
+
+COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as
+
+COPY ./attestation-service/config.json /etc/config.json
+
+VOLUME /opt/confidential-containers/attestation-service
+
+CMD ["restful-as", "--socket", "0.0.0.0:8080", "--config-file", "/etc/config.json"]
+
+EXPOSE 8080
diff --git a/attestation-service/docker/generate-dockerfile.sh b/attestation-service/docker/generate-dockerfile.sh
new file mode 100755
index 000000000..7bd0500d5
--- /dev/null
+++ b/attestation-service/docker/generate-dockerfile.sh
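Review bot: `# Copy TPM Runtime Dependencies` is left as a free-standing comment after `@COPY_TPM_DEPENDENCIES@`, so for a non-vTPM verifier the generated Dockerfile carries a heading with nothing under it, and for a vTPM verifier the heading sits below the `COPY` it describes. Either move it above the placeholder or drop it, as the gRPC template does. The runtime-stage package points raised on `attestation-service/docker/as-grpc/Dockerfile.template` apply here unchanged.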
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Copyright (c) 2024 by Alibaba.
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+# Usage:
+# VERIFIER= generate-dockerfile.sh
+
+set -euo pipefail
+
+VERIFIER=${VERIFIER:-all-verifier}
+
+template_file=$1
+target_file=$2
+
+cp "${template_file}" "${target_file}"
+
+# TDX stacks
+INSTALL_DCAP="
+RUN apt-get update \&\& apt-get install -y curl gnupg \&\& \
+curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - \&\& \
+echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list \&\& \
+apt-get update \&\& apt-get install -y libsgx-dcap-quote-verify-dev \&\& \
+rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* \
+"
+
+if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ]; then
+ sed -i "s#@INSTALL_TDX_DEPENDENCIES@#${INSTALL_DCAP//$'\n'/\\n}#g" "${target_file}"
+else
+ sed -i "s/@INSTALL_TDX_DEPENDENCIES@//g" "${target_file}"
+fi
+
+# vTPM TSS stacks
+INSTALL_TSS="RUN apt-get install libtss2-dev -y"
+
+COPY_TSS="COPY --from=builder /usr/lib/\${ARCH}-linux-gnu/libtss* /usr/lib/\${ARCH}-linux-gnu"
+
+if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "az-snp-vtpm-verifier" ] || [ "${VERIFIER}" = "az-tdx-vtpm-verifier" ]; then
+ sed -i "s#@INSTALL_TPM_DEPENDENCIES@#${INSTALL_TSS//$'\n'/\\n}#g" "${target_file}"
+ sed -i "s#@COPY_TPM_DEPENDENCIES@#${COPY_TSS//$'\n'/\\n}#g" "${target_file}"
+else
+ sed -i "s/@INSTALL_TPM_DEPENDENCIES@//g" "${target_file}"
+ sed -i "s/@COPY_TPM_DEPENDENCIES@//g" "${target_file}"
+fi
+
+sed -i "s/@VERIFIER@/${VERIFIER}/g" "${target_file}"
diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md
index 5fb024a3e..2b24ea5a2 100644
--- a/attestation-service/docs/grpc-as.md
+++ b/attestation-service/docs/grpc-as.md
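Review bot: `VERIFIER` is spliced unescaped into the final `sed -i "s/@VERIFIER@/${VERIFIER}/g"` and thereby into the `--features` list of the generated `cargo install` line without being checked against the names the script itself branches on, so a value containing `/`, `&` or `#` silently corrupts the Dockerfile and a misspelled feature is only reported by `cargo` inside the container build. A `case` whitelist at the top, as below, fails immediately and makes the unescaped interpolation safe because none of the accepted names contain sed metacharacters; the list has to track the `*-verifier` features in `attestation-service/Cargo.toml`, of which only some are visible in this commit. `$1` and `$2` are likewise used unchecked, so with `set -u` a missing argument dies with an unhelpful "unbound variable", and the usage comment `# VERIFIER= generate-dockerfile.sh` omits the two required paths. Separately, `INSTALL_DCAP` relies on `apt-key add -`, which is deprecated on the `ubuntu:22.04` runtime base this block is expanded into; since the block is new code, storing the key under `/etc/apt/keyrings` and referencing it with `signed-by=` in the sources entry would avoid that.
```bash
# Usage:
#   VERIFIER=<feature> generate-dockerfile.sh <template> <target>

set -euo pipefail

VERIFIER=${VERIFIER:-all-verifier}

# Accept only the verifier features this script knows how to provision;
# anything else would reach sed and cargo unchecked.
case "${VERIFIER}" in
    all-verifier|tdx-verifier|sgx-verifier|se-verifier|az-snp-vtpm-verifier|az-tdx-vtpm-verifier) ;;
    *) echo "generate-dockerfile.sh: unsupported VERIFIER '${VERIFIER}'" >&2; exit 1 ;;
esac

template_file=${1:?usage: VERIFIER=<feature> $0 <template> <target>}
target_file=${2:?usage: VERIFIER=<feature> $0 <template> <target>}

# … unchanged: cp, INSTALL_DCAP / INSTALL_TSS / COPY_TSS and the sed substitutions …
```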
@@ -77,7 +77,9 @@ Build and install binary git clone https://github.com/confidential-containers/trustee cd trustee/attestation-service WORKDIR=$(pwd) -make && make install +make ATTESTER=all-attester && make install + +# You can use different attester by changing the value of ATTESTER ``` - For help information, run: @@ -106,6 +108,7 @@ Build and run container image ```shell git clone https://github.com/confidential-containers/trustee cd trustee +cd attestation-service && make dockerfile && cd .. docker build -t coco-as:grpc -f attestation-service/docker/as-grpc/Dockerfile . ``` diff --git a/attestation-service/docs/restful-as.md b/attestation-service/docs/restful-as.md index 9af809707..c69f6e7d8 100644 --- a/attestation-service/docs/restful-as.md +++ b/attestation-service/docs/restful-as.md @@ -67,7 +67,9 @@ Build and install binary git clone https://github.com/confidential-containers/trustee cd trustee/attestation-service WORKDIR=$(pwd) -make && make install +make ATTESTER=all-attester && make install + +# You can use different attester by changing the value of ATTESTER ``` - For help information, run: @@ -96,6 +98,7 @@ Build and run container image ```shell git clone https://github.com/confidential-containers/trustee cd trustee +cd attestation-service && make dockerfile && cd .. docker build -t coco-as:restful -f attestation-service/docker/as-restful/Dockerfile . ``` diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index cd92b38b6..35ff66e39 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -39,7 +39,6 @@ actix-web-httpauth.workspace = true aes-gcm = "0.10.1" anyhow.workspace = true async-trait.workspace = true -attestation-service = { path = "../attestation-service", default-features = false, optional = true } base64.workspace = true cfg-if.workspace = true clap = { workspace = true, features = ["derive", "env"] } 
@@ -72,6 +71,16 @@ uuid = { version = "1.2.2", features = ["serde", "v4"] } openssl = "0.10.55" az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } +[target.'cfg(not(target_arch = "s390x"))'.dependencies] +attestation-service = { path = "../attestation-service", default-features = false, features = [ + "all-verifier", +], optional = true } + +[target.'cfg(target_arch = "s390x")'.dependencies] +attestation-service = { path = "../attestation-service", default-features = false, features = [ + "se-verifier", +], optional = true } + [dev-dependencies] tempfile.workspace = true rstest.workspace = true
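Review bot: The `s390x` / non-`s390x` split of the `attestation-service` dependency moves here from `attestation-service/Cargo.toml` without a comment saying why, and `default-features = false` with an explicit verifier list is now something every consumer of that crate has to repeat, since its own `default` no longer enables any verifier. A comment above the first `[target.…]` table would carry that context, e.g. `# attestation-service enables no verifier by default; the set is chosen per target architecture here (se-verifier on s390x, all-verifier elsewhere).` The two tables otherwise differ only in the feature name, which is what such a comment should point out.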