From f0e221aac7676f9a60855102c3edda960e3a5451 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Sat, 20 Jul 2024 14:32:45 +0800 Subject: [PATCH] kbs: update docs, dockerfiles and Makefile for aliyun backend Signed-off-by: Xynnn007 --- kbs/Makefile | 12 +++++++++--- kbs/README.md | 11 +++++++++-- kbs/docker/Dockerfile | 6 ++++-- kbs/docker/coco-as-grpc/Dockerfile | 6 ++++-- kbs/docker/intel-trust-authority/Dockerfile | 6 ++++-- kbs/docs/config.md | 15 ++++++++++++--- kbs/docs/resource_repository.md | 11 ++++++++++- 7 files changed, 52 insertions(+), 15 deletions(-) diff --git a/kbs/Makefile b/kbs/Makefile index c5b6190ce6..f1cef76e70 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -1,6 +1,7 @@ AS_TYPE ?= coco-as HTTPS_CRYPTO ?= rustls POLICY_ENGINE ?= +ALIYUN ?= false ARCH := $(shell uname -m) # Check if ARCH is supported, otehrwise return error @@ -10,6 +11,7 @@ endif CLI_FEATURES ?= ATTESTER ?= +FEATURES ?= COCO_AS_INTEGRATION_TYPE ?= builtin @@ -21,6 +23,10 @@ else AS_FEATURE = $(AS_TYPE) endif +ifeq ($(ALIYUN), true) + FEATURES += aliyun +endif + ifndef CLI_FEATURES ifdef ATTESTER CLI_FEATURES = "sample_only,$(ATTESTER)" 
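Review bot: In the new `ifeq ($(ALIYUN), true)` block, `FEATURES += aliyun` is an ordinary makefile assignment, so it is silently dropped whenever `FEATURES` is also passed on the command line (`make FEATURES=… ALIYUN=true`) — command-line variables take precedence over file assignments unless the append is written as `override FEATURES += aliyun`. The same block treats every value other than the literal `true` as "off", so a slip such as `ALIYUN=True` or `ALIYUN=1` yields a kbs without the aliyun backend and no diagnostic; checking the knob with `$(filter true false,$(ALIYUN))` and `$(error …)` makes that failure loud at parse time. The `FEATURES ?=` hunk above it introduces a variable with no explanation of what it carries; a one-line comment such as `# extra cargo features appended to every kbs build (populated by knobs like ALIYUN)` would help the next person who adds a backend.
```make
# ALIYUN selects the aliyun KMS resource backend; only the literal strings true/false are accepted.
ifeq ($(filter true false,$(ALIYUN)),)
  $(error ALIYUN must be 'true' or 'false' (got '$(ALIYUN)'))
endif
ifeq ($(ALIYUN),true)
  # override: the append must also apply when FEATURES is given on the command line
  override FEATURES += aliyun
endif
```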
@@ -33,16 +39,16 @@ build: background-check-kbs .PHONY: background-check-kbs background-check-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES) .PHONY: passport-issuer-kbs passport-issuer-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO) + cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES) mv ../target/release/kbs ../target/release/issuer-kbs .PHONY: passport-resource-kbs passport-resource-kbs: - cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE) + cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES) mv ../target/release/kbs ../target/release/resource-kbs .PHONY: cli diff --git a/kbs/README.md b/kbs/README.md index f683df3c5c..fd322f3ab3 100644 --- a/kbs/README.md +++ b/kbs/README.md @@ -90,7 +90,7 @@ The Makefile supports a number of other configuration parameters. For example, ```shell -make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] +make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?] ``` The parameters 
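Review bot: All three changed `cargo build` lines now end in `,$(FEATURES)`, and with the file defaults (`POLICY_ENGINE ?=` and `FEATURES ?=` both empty) the argument expands to `…,$(HTTPS_CRYPTO),,` — the build depends on cargo discarding empty entries in `--features`, and the feature list is now hand-assembled in three places that must be kept in step. Joining a whitespace-separated list through `$(strip)` and `$(subst)` keeps the flag well-formed no matter which knobs are set and gives one helper to extend when the next backend arrives. The `build:` rule this hunk is headed by starts outside the hunk.
```make
comma := ,
empty :=
space := $(empty) $(empty)
# Comma-join a whitespace-separated feature list; empty knobs drop out instead of leaving ",," behind.
join_features = $(subst $(space),$(comma),$(strip $(1)))

.PHONY: background-check-kbs
background-check-kbs:
	cargo build -p kbs --locked --release --no-default-features --features $(call join_features,$(AS_FEATURE) resource $(HTTPS_CRYPTO) $(POLICY_ENGINE) $(FEATURES))
# … unchanged: passport-issuer-kbs and passport-resource-kbs, each passing its own list through join_features …
```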
@@ -99,7 +99,7 @@ The parameters if it is not required. - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`. - `COCO_AS_INTEGRATION_TYPE`: The KBS can connect to the CoCo AS in multiple ways. `COCO_AS_INTEGRATION_TYPE` can be set either to `grpc` or `builtin`. With `grpc` the KBS will make a remote connection to the AS. If you are manually building and configuring the components, you'll need to set them up so that this connection can be established. Similar to passport mode, the remote AS can be useful if secret provisioning and attestation verification are not in the same scope. With `builtin` the KBA uses the AS as a crate. This is recommended if you want to avoid the complexity of a remote connection. - +- `ALIYUN`: The kbs support aliyun KMS as secret storage backend. `true` to enable building this feature. By default it is `false`. ## HTTPS Support The KBS can use HTTPS. This requires a crypto backend. @@ -108,6 +108,13 @@ The options are `rustls` and `openssl`. The default is `rustls`. If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md). +## Storage Backend + +The KBS can use different backend storage. `LocalFs` will always be builtin. +`ALIYUN` determines whether aliyun kms support will be built. The options +are `true` or `false` (by defult). Please refer to [the document](docs/config.md#repository-configuration) +for more details. + ## References ### Attestation Protocol diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index 8e8ebab14f..2831d6a5b8 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -1,6 +1,7 @@ FROM rust:slim as builder ARG ARCH=x86_64 ARG HTTPS_CRYPTO=rustls +ARG ALIYUN=false ENV DEBIAN_FRONTEND noninteractive 
@@ -36,7 +37,8 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s WORKDIR /usr/src/kbs COPY . . -RUN cargo install --locked --path kbs --bin kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO} +RUN cd kbs && make AS_FEATURE=coco-as-builtin HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ + make install-kbs FROM ubuntu:22.04 ARG ARCH=x86_64 @@ -60,4 +62,4 @@ RUN apt-get update && \ apt clean all && \ rm -rf /tmp/* -COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile index 77ca1f82fe..2a96e9045d 100644 --- a/kbs/docker/coco-as-grpc/Dockerfile +++ b/kbs/docker/coco-as-grpc/Dockerfile @@ -1,6 +1,7 @@ FROM rust:latest as builder ARG ARCH=x86_64 ARG HTTPS_CRYPTO=rustls +ARG ALIYUN=false WORKDIR /usr/src/kbs COPY . . @@ -8,10 +9,11 @@ COPY . . RUN apt-get update && apt install -y protobuf-compiler git # Build and Install KBS -RUN cargo install --path kbs --bin kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO} +RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ + make install-kbs FROM ubuntu:22.04 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/kbs" -COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile index 31679df855..a2b4f650e2 100644 --- a/kbs/docker/intel-trust-authority/Dockerfile +++ b/kbs/docker/intel-trust-authority/Dockerfile @@ -1,5 +1,6 @@ FROM rust:latest as builder ARG HTTPS_CRYPTO=rustls +ARG ALIYUN=false WORKDIR /usr/src/kbs COPY . . 
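Review bot: The new `RUN cd kbs && make AS_FEATURE=coco-as-builtin … && make install-kbs` line requires `make` in the `rust:slim` builder stage, and as far as I know the slim image does not ship it; unless a `RUN` earlier in this Dockerfile (outside the hunk) installs it, the build stops here, so adding `make` to the builder's package install (e.g. `RUN apt-get update && apt-get install -y --no-install-recommends make`) before this step is needed. The same invocation is repeated in the `kbs/docker/coco-as-grpc/Dockerfile` hunk below and in `kbs/docker/intel-trust-authority/Dockerfile`, though those build on `rust:latest`, which does include make. Neither the `install-kbs` target nor the `/usr/local/bin/kbs` path that the updated `COPY --from=builder` lines depend on is part of this diff, so that install location is an assumption here worth confirming against the Makefile. Passing `AS_FEATURE=…` directly also bypasses the Makefile's own derivation from `AS_TYPE`/`COCO_AS_INTEGRATION_TYPE` (the knobs the README documents); the override works as written, but `make AS_TYPE=coco-as COCO_AS_INTEGRATION_TYPE=builtin …` would keep the Dockerfiles on the documented interface.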
@@ -7,7 +8,8 @@ COPY . . RUN apt-get update && apt install -y git # Build and Install KBS -RUN cargo install --path kbs --bin kbs --no-default-features --features intel-trust-authority-as,${HTTPS_CRYPTO},resource,opa +RUN cd kbs && make AS_FEATURE=intel-trust-authority-as HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \ + make install-kbs FROM ubuntu:22.04 @@ -15,4 +17,4 @@ LABEL org.opencontainers.image.source="https://github.com/confidential-container RUN apt update && apt install -y ca-certificates -COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs +COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docs/config.md b/kbs/docs/config.md index fa2ccc79df..06bf260fed 100644 --- a/kbs/docs/config.md +++ b/kbs/docs/config.md @@ -56,9 +56,9 @@ type-specific properties. >This section is available only when the `resource` feature is enabled. -| Property | Type | Description | Required | Default | -|----------|--------|-------------------------------------------------------|----------|-----------| -| `type` | String | The resource repository type. Valid values: `LocalFs` | Yes | - | +| Property | Type | Description | Required | Default | +|----------|--------|-----------------------------------------------------------------|----------|-----------| +| `type` | String | The resource repository type. Valid values: `LocalFs`, `Aliyun` | Yes | `LocalFs` | **`LocalFs` Properties** 
@@ -66,6 +66,15 @@ type-specific properties. |------------|--------|---------------------------------|----------|-----------------------------------------------------| | `dir_path` | String | Path to a repository directory. | No | `/opt/confidential-containers/kbs/repository` | +**`Aliyun` Properties** + +| Property | Type | Description | Required | Example | +|-------------------|--------|-----------------------------------|----------|-----------------------------------------------------| +| `client_key` | String | The KMS instance's AAP client key | Yes | `{"KeyId": "KA..", "PrivateKeyData": "MIIJqwI..."}` | +| `kms_instance_id` | String | The KMS instance id | Yes | `kst-shh668f7...` | +| `password` | String | AAP client key password | Yes | `8f9989c18d27...` | +| `cert_pem` | String | CA cert for the KMS instance | Yes | `-----BEGIN CERTIFICATE----- ...` | + ### Native Attestation The following properties can be set under the `as_config` section. diff --git a/kbs/docs/resource_repository.md b/kbs/docs/resource_repository.md index 7caaab50cc..ba95b55e9c 100644 --- a/kbs/docs/resource_repository.md +++ b/kbs/docs/resource_repository.md 
@@ -19,4 +19,13 @@ defined below: | `file://<$(KBS_REPOSITORY_DIR)>///` | `https:///kbs/v0/resource///` | The KBS root file system resource path is specified in the KBS config file -as well, and the default value is `/opt/confidential-containers/kbs/repository`. \ No newline at end of file +as well, and the default value is `/opt/confidential-containers/kbs/repository`. + +### Aliyun KMS + +[Alibaba Cloud KMS](https://www.alibabacloud.com/en/product/kms?_p_lc=1)(a.k.a Aliyun KMS) +can also work as the KBS resource storage backend. +In this mode, resources will be stored with [generic secrets](https://www.alibabacloud.com/help/en/kms/user-guide/manage-and-use-generic-secrets?spm=a2c63.p38356.0.0.dc4d24f7s0ZuW7) in a [KMS instance](https://www.alibabacloud.com/help/en/kms/user-guide/kms-overview?spm=a2c63.p38356.0.0.4aacf9e6V7IQGW). +One KBS can be configured with a specified KMS instance in `repository_config` field of KBS launch config. For config, see the [document](./config.md#repository-configuration). +These materials can be found in KMS instance's [AAP](https://www.alibabacloud.com/help/en/kms/user-guide/manage-aaps?spm=a3c0i.23458820.2359477120.1.4fd96e9bmEFST4). +When being accessed, a resource URI of `kbs:///repo/type/tag` will be translated into the generic secret with name `tag`. Hinting that `repo/type` field will be ignored. \ No newline at end of file