diff --git a/Cargo.lock b/Cargo.lock index c9ec47efc..ca9cf35d2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -496,6 +496,28 @@ version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" +[[package]] +name = "attestation-agent" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +dependencies = [ + "anyhow", + "async-trait", + "attester", + "base64 0.21.7", + "config", + "const_format", + "log", + "serde", + "serde_json", + "sha2", + "strum", + "tempfile", + "thiserror", + "tokio", + "toml 0.8.15", +] + [[package]] name = "attestation-service" version = "0.1.0" @@ -514,7 +536,7 @@ dependencies = [ "lazy_static", "log", "openssl", - "prost", + "prost 0.12.6", "rand", "reference-value-provider-service", "regorus", @@ -531,8 +553,8 @@ dependencies = [ "thiserror", "time", "tokio", - "tonic", - "tonic-build", + "tonic 0.11.0", + "tonic-build 0.11.0", "uuid", "verifier", ] @@ -540,15 +562,16 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "anyhow", "async-trait", - "az-snp-vtpm", - "az-tdx-vtpm", + "az-snp-vtpm 0.6.0", + "az-tdx-vtpm 0.6.0", "base64 0.21.7", "codicon", "csv-rs", + "hex", "hyper 0.14.28", "hyper-tls 0.5.0", "kbs-types", 
@@ -652,13 +675,33 @@ dependencies = [ "zerocopy", ] +[[package]] +name = "az-cvm-vtpm" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1940b5a30bbaa585acd365e329c8c4c5c119345fef81830bd5f38f2360caa7d6" +dependencies = [ + "bincode", + "jsonwebkey", + "memoffset", + "openssl", + "serde", + "serde-big-array", + "serde_json", + "sev", + "sha2", + "thiserror", + "tss-esapi", + "zerocopy", +] + [[package]] name = "az-snp-vtpm" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d9da68a854978d9d32cc03ba6cd4a24b1f43fafad91eb7e15578cdf9a9cbdfe7" dependencies = [ - "az-cvm-vtpm", + "az-cvm-vtpm 0.5.3", "bincode", "clap 4.5.4", "openssl", @@ -668,14 +711,45 @@ dependencies = [ "ureq", ] +[[package]] +name = "az-snp-vtpm" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a276bcc39a8cf650ebc32941409f89c751cf8266c67f233872ac8c50ffa5405" +dependencies = [ + "az-cvm-vtpm 0.6.0", + "bincode", + "clap 4.5.4", + "serde", + "sev", + "thiserror", + "ureq", +] + [[package]] name = "az-tdx-vtpm" version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8575eeaefa72d9591355597f5acf9b4ddee8cc19d8b03d947173ae8fcf1e8c2e" dependencies = [ - "az-cvm-vtpm", - "base64-url", + "az-cvm-vtpm 0.5.3", + "base64-url 2.0.2", + "bincode", + "serde", + "serde_json", + "thiserror", + "ureq", + "zerocopy", +] + +[[package]] +name = "az-tdx-vtpm" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eb795802e685a153ea4906349c86f5760012478a72e349538dd47012409465de" +dependencies = [ + "az-cvm-vtpm 0.6.0", + "base64-url 3.0.0", "bincode", "serde", "serde_json", 
@@ -732,6 +806,15 @@ dependencies = [ "base64 0.21.7", ] +[[package]] +name = "base64-url" +version = "3.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38e2b6c78c06f7288d5e3c3d683bde35a79531127c83b087e5d0d77c974b4b28" +dependencies = [ + "base64 0.22.1", +] + [[package]] name = "base64ct" version = "1.6.0" @@ -783,7 +866,7 @@ dependencies = [ "lazycell", "log", "peeking_take_while", - "prettyplease", + "prettyplease 0.2.20", "proc-macro2", "quote", "regex", @@ -1129,7 +1212,7 @@ dependencies = [ "rust-ini", "serde", "serde_json", - "toml", + "toml 0.5.11", "yaml-rust", ] @@ -1285,7 +1368,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "aes-gcm", "anyhow", @@ -1503,6 +1586,15 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "des" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e" +dependencies = [ + "cipher", +] + [[package]] name = "digest" version = "0.10.7" @@ -2475,6 +2567,15 @@ version = "1.70.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800" +[[package]] +name = "itertools" +version = "0.10.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +dependencies = [ + "either", +] + [[package]] name = "itertools" version = "0.12.1" 
@@ -2532,7 +2633,7 @@ dependencies = [ "serde", "serde_json", "thiserror", - "yasna", + "yasna 0.4.0", "zeroize", ] @@ -2635,11 +2736,12 @@ dependencies = [ "jsonwebtoken", "jwt-simple 0.11.9", "kbs-types", + "kms", "lazy_static", "log", "mobc", "openssl", - "prost", + "prost 0.12.6", "rand", "regorus", "reqwest 0.12.4", @@ -2656,8 +2758,8 @@ dependencies = [ "thiserror", "time", "tokio", - "tonic", - "tonic-build", + "tonic 0.11.0", + "tonic-build 0.11.0", "uuid", ] @@ -2691,7 +2793,7 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "anyhow", "async-trait", @@ -2712,6 +2814,39 @@ dependencies = [ "zeroize", ] +[[package]] +name = "kms" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +dependencies = [ + "anyhow", + "async-trait", + "attestation-agent", + "base64 0.21.7", + "chrono", + "const_format", + "hex", + "lazy_static", + "log", + "p12", + "prost 0.11.9", + "rand", + "reqwest 0.12.4", + "resource_uri", + "ring 0.17.8", + "serde", + "serde_json", + "sha2", + "strum", + "thiserror", + "tokio", + "toml 0.8.15", + "tonic 0.9.2", + "tonic-build 0.9.2", + "url", + "yasna 0.5.2", +] + [[package]] name = "language-tags" version = "0.3.2" 
@@ -3237,6 +3372,23 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" +[[package]] +name = "p12" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4873306de53fe82e7e484df31e1e947d61514b6ea2ed6cd7b45d63006fd9224" +dependencies = [ + "cbc", + "cipher", + "des", + "getrandom", + "hmac", + "lazy_static", + "rc2", + "sha1", + "yasna 0.5.2", +] + [[package]] name = "p256" version = "0.13.2" @@ -3657,6 +3809,16 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +[[package]] +name = "prettyplease" +version = "0.1.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c8646e95016a7a6c4adea95bafa8a16baab64b583356217f2c85db4a39d9a86" +dependencies = [ + "proc-macro2", + "syn 1.0.109", +] + [[package]] name = "prettyplease" version = "0.2.20" @@ -3709,6 +3871,16 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "prost" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b82eaa1d779e9a4bc1c3217db8ffbeabaae1dca241bf70183242128d48681cd" +dependencies = [ + "bytes", + "prost-derive 0.11.9", +] + [[package]] name = "prost" version = "0.12.6" 
@@ -3716,7 +3888,29 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "deb1435c188b76130da55f17a466d252ff7b1418b2ad3e037d127b94e3411f29" dependencies = [ "bytes", - "prost-derive", + "prost-derive 0.12.6", +] + +[[package]] +name = "prost-build" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "119533552c9a7ffacc21e099c24a0ac8bb19c2a2a3f363de84cd9b844feab270" +dependencies = [ + "bytes", + "heck 0.4.1", + "itertools 0.10.5", + "lazy_static", + "log", + "multimap", + "petgraph", + "prettyplease 0.1.25", + "prost 0.11.9", + "prost-types 0.11.9", + "regex", + "syn 1.0.109", + "tempfile", + "which", ] [[package]] @@ -3727,19 +3921,32 @@ checksum = "22505a5c94da8e3b7c2996394d1c933236c4d743e81a410bcca4e6989fc066a4" dependencies = [ "bytes", "heck 0.5.0", - "itertools", + "itertools 0.12.1", "log", "multimap", "once_cell", "petgraph", - "prettyplease", - "prost", - "prost-types", + "prettyplease 0.2.20", + "prost 0.12.6", + "prost-types 0.12.6", "regex", "syn 2.0.60", "tempfile", ] +[[package]] +name = "prost-derive" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5d2d8d10f3c6ded6da8b05b5fb3b8a5082514344d56c9f871412d29b4e075b4" +dependencies = [ + "anyhow", + "itertools 0.10.5", + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "prost-derive" version = "0.12.6" 
@@ -3747,19 +3954,28 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" dependencies = [ "anyhow", - "itertools", + "itertools 0.12.1", "proc-macro2", "quote", "syn 2.0.60", ] +[[package]] +name = "prost-types" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "213622a1460818959ac1181aaeb2dc9c7f63df720db7d788b3e24eacd1983e13" +dependencies = [ + "prost 0.11.9", +] + [[package]] name = "prost-types" version = "0.12.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9091c90b0a32608e984ff2fa4091273cbdd755d54935c51d520887f4a1dbd5b0" dependencies = [ - "prost", + "prost 0.12.6", ] [[package]] @@ -3817,6 +4033,15 @@ dependencies = [ "getrandom", ] +[[package]] +name = "rc2" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "62c64daa8e9438b84aaae55010a93f396f8e60e3911590fcba770d04643fc1dd" +dependencies = [ + "cipher", +] + [[package]] name = "redox_syscall" version = "0.2.16" @@ -3861,7 +4086,7 @@ dependencies = [ "env_logger 0.10.2", "log", "path-clean", - "prost", + "prost 0.12.6", "rstest", "serde", "serde_json", @@ -3872,8 +4097,8 @@ dependencies = [ "strum", "tempfile", "tokio", - "tonic", - "tonic-build", + "tonic 0.11.0", + "tonic-build 0.11.0", "walkdir", ] @@ -3916,7 +4141,7 @@ dependencies = [ "chrono", "chrono-tz", "data-encoding", - "itertools", + "itertools 0.12.1", "lazy_static", "num", "rand", 
@@ -4028,7 +4253,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=df60725afe0ba452a25a740cf460c2855442c49a#df60725afe0ba452a25a740cf460c2855442c49a" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" dependencies = [ "anyhow", "serde", @@ -4560,6 +4785,15 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_spanned" +version = "0.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "79e674e01f999af37c49f70a6ede167a8a60b2503e56c5599532a65baa5969a0" +dependencies = [ + "serde", +] + [[package]] name = "serde_urlencoded" version = "0.7.1" @@ -5105,9 +5339,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.37.0" +version = "1.38.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1adbebffeca75fcfd058afa480fb6c0b81e165a0323f9c9d39c9697e37c46787" +checksum = "eb2caba9f80616f438e09748d5acda951967e1ea58508ef53d9c6402485a46df" dependencies = [ "backtrace", "bytes", @@ -5134,9 +5368,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.2.0" +version = "2.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" +checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a" dependencies = [ "proc-macro2", "quote", 
@@ -5231,6 +5465,68 @@ dependencies = [ "serde", ] +[[package]] +name = "toml" +version = "0.8.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac2caab0bf757388c6c0ae23b3293fdb463fee59434529014f85e3263b995c28" +dependencies = [ + "serde", + "serde_spanned", + "toml_datetime", + "toml_edit", +] + +[[package]] +name = "toml_datetime" +version = "0.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4badfd56924ae69bcc9039335b2e017639ce3f9b001c393c1b2d1ef846ce2cbf" +dependencies = [ + "serde", +] + +[[package]] +name = "toml_edit" +version = "0.22.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "278f3d518e152219c994ce877758516bca5e118eaed6996192a774fb9fbf0788" +dependencies = [ + "indexmap 2.2.6", + "serde", + "serde_spanned", + "toml_datetime", + "winnow", +] + +[[package]] +name = "tonic" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" +dependencies = [ + "async-trait", + "axum", + "base64 0.21.7", + "bytes", + "futures-core", + "futures-util", + "h2 0.3.26", + "http 0.2.12", + "http-body 0.4.6", + "hyper 0.14.28", + "hyper-timeout", + "percent-encoding", + "pin-project", + "prost 0.11.9", + "tokio", + "tokio-stream", + "tower", + "tower-layer", + "tower-service", + "tracing", +] + [[package]] name = "tonic" version = "0.11.0" @@ -5249,7 +5545,7 @@ dependencies = [ "hyper-timeout", "percent-encoding", "pin-project", - "prost", + "prost 0.12.6", "tokio", "tokio-stream", "tower", 
@@ -5258,15 +5554,28 @@ dependencies = [ "tracing", ] +[[package]] +name = "tonic-build" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6fdaae4c2c638bb70fe42803a26fbd6fc6ac8c72f5c59f67ecc2a2dcabf4b07" +dependencies = [ + "prettyplease 0.1.25", + "proc-macro2", + "prost-build 0.11.9", + "quote", + "syn 1.0.109", +] + [[package]] name = "tonic-build" version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "be4ef6dd70a610078cb4e338a0f79d06bc759ff1b22d2120c2ff02ae264ba9c2" dependencies = [ - "prettyplease", + "prettyplease 0.2.20", "proc-macro2", - "prost-build", + "prost-build 0.12.6", "quote", "syn 2.0.60", ] @@ -5594,8 +5903,8 @@ dependencies = [ "asn1-rs", "assert-json-diff", "async-trait", - "az-snp-vtpm", - "az-tdx-vtpm", + "az-snp-vtpm 0.5.3", + "az-tdx-vtpm 0.5.3", "base64 0.21.7", "bincode", "byteorder", @@ -5624,7 +5933,7 @@ dependencies = [ "strum", "thiserror", "tokio", - "tonic-build", + "tonic-build 0.11.0", "veraison-apiclient", "x509-parser", ] @@ -5970,6 +6279,15 @@ version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" +[[package]] +name = "winnow" +version = "0.6.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "59b5e5f6c299a3c7890b876a2a587f3115162487e704907d9b6cd29473052ba1" +dependencies = [ + "memchr", +] + [[package]] name = "winreg" version = "0.50.0" @@ -6026,6 +6344,12 @@ dependencies = [ "num-bigint", ] +[[package]] +name = "yasna" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" + [[package]] name = "zerocopy" version = "0.7.32" diff --git a/Cargo.toml b/Cargo.toml index 06feea925..3d7bd6bbc 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -29,7 +29,9 @@ config = "0.13.3"
 env_logger = "0.10.0"
 hex = "0.4.3"
 jwt-simple = "0.11"
+kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false }
 kbs-types = "0.6.0"
+kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false }
 jsonwebtoken = { version = "9", default-features = false }
 log = "0.4.17"
 prost = "0.12"
@@ -44,7 +46,7 @@ sha2 = "0.10"
 shadow-rs = "0.19.0"
 strum = { version = "0.25", features = ["derive"] }
 thiserror = "1.0"
-tokio = { version = "1.23.0", features = ["full"] }
+tokio = { version = "1", features = ["full"] }
 tempfile = "3.4.0"
 tonic = "0.11"
 tonic-build = "0.11"
\ No newline at end of file
diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
index 98f08db18..a983769c5 100644
--- a/kbs/Cargo.toml
+++ b/kbs/Cargo.toml
@@ -42,6 +42,9 @@ rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
 # Use openssl crypto stack for KBS
 openssl = ["actix-web/openssl", "dep:openssl"]
 
+# Use aliyun KMS as KBS backend
+aliyun = ["kms/aliyun"]
+
 [dependencies]
 actix-web.workspace = true
 actix-web-httpauth.workspace = true
@@ -57,6 +60,7 @@ env_logger.workspace = true
 jsonwebtoken = { workspace = true, default-features = false, optional = true }
 jwt-simple.workspace = true
 kbs-types.workspace = true
+kms = { workspace = true, default-features = false }
 lazy_static = "1.4.0"
 log.workspace = true
 mobc = { version = "0.8.3", optional = true }
diff --git a/kbs/Makefile b/kbs/Makefile
index c5b6190ce..f1cef76e7 100644
--- a/kbs/Makefile
+++ b/kbs/Makefile
@@ -1,6 +1,7 @@
 AS_TYPE ?= coco-as
 HTTPS_CRYPTO ?= rustls
 POLICY_ENGINE ?=
+ALIYUN ?= false
 ARCH := $(shell uname -m)
 
 # Check if ARCH is supported, otehrwise return error
@@ -10,6 +11,7 @@ endif
 
 CLI_FEATURES ?=
 ATTESTER ?=
+FEATURES ?=
 
 COCO_AS_INTEGRATION_TYPE ?= builtin
 
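Review bot: In kbs/Cargo.toml the new `kms = { workspace = true, default-features = false }` entry is unconditional while its only consumer, `mod aliyun_kms`, is behind `#[cfg(feature = "aliyun")]`, so every KBS build, including the default non-aliyun Docker images, now compiles the guest-components `kms` crate and whatever it pulls in (the lockfile lists `p12`, `des`, `rc2`, `tonic 0.9.2` and `prost 0.11.9` under it, though which of those are feature-gated is not visible here). Making the dependency optional keeps the dependency surface of existing builds unchanged; the file already uses the `dep:` syntax for `rustls`, so `kms = { workspace = true, default-features = false, optional = true }` together with `aliyun = ["dep:kms", "kms/aliyun"]` is enough. It also turns an accidental `use kms::...` outside the cfg-gated module into a compile error rather than a silently linked dependency.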
@@ -21,6 +23,10 @@ else
 AS_FEATURE = $(AS_TYPE)
 endif
 
+ifeq ($(ALIYUN), true)
+ FEATURES += aliyun
+endif
+
 ifndef CLI_FEATURES
 ifdef ATTESTER
 CLI_FEATURES = "sample_only,$(ATTESTER)"
@@ -33,16 +39,16 @@ build: background-check-kbs
 
 .PHONY: background-check-kbs
 background-check-kbs:
- cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE)
+ cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES)
 
 .PHONY: passport-issuer-kbs
 passport-issuer-kbs:
- cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO)
+ cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES)
 mv ../target/release/kbs ../target/release/issuer-kbs
 
 .PHONY: passport-resource-kbs
 passport-resource-kbs:
- cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE)
+ cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES)
 mv ../target/release/kbs ../target/release/resource-kbs
 
 .PHONY: cli
diff --git a/kbs/README.md b/kbs/README.md
index f683df3c5..fd322f3ab 100644
--- a/kbs/README.md
+++ b/kbs/README.md
@@ -90,7 +90,7 @@ The Makefile supports a number of other configuration parameters.
 For example,
 ```shell
-make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?]
+make background-check-kbs [HTTPS_CRYPTO=?] [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
 ```
 The parameters
@@ -99,7 +99,7 @@ The parameters
 if it is not required.
 - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`.
 - `COCO_AS_INTEGRATION_TYPE`: The KBS can connect to the CoCo AS in multiple ways. `COCO_AS_INTEGRATION_TYPE` can be set either to `grpc` or `builtin`. With `grpc` the KBS will make a remote connection to the AS. If you are manually building and configuring the components, you'll need to set them up so that this connection can be established. Similar to passport mode, the remote AS can be useful if secret provisioning and attestation verification are not in the same scope. With `builtin` the KBA uses the AS as a crate. This is recommended if you want to avoid the complexity of a remote connection.
-
+- `ALIYUN`: The kbs support aliyun KMS as secret storage backend. `true` to enable building this feature. By default it is `false`.
 ## HTTPS Support
 
 The KBS can use HTTPS. This requires a crypto backend.
@@ -108,6 +108,13 @@ The options are `rustls` and `openssl`.
 The default is `rustls`.
 If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md).
 
+## Storage Backend
+
+The KBS can use different backend storage. `LocalFs` will always be builtin.
+`ALIYUN` determines whether aliyun kms support will be built. The options
+are `true` or `false` (by defult). Please refer to [the document](docs/config.md#repository-configuration)
+for more details.
+
 ## References
 
 ### Attestation Protocol
diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile
index 8e8ebab14..2831d6a5b 100644
--- a/kbs/docker/Dockerfile
+++ b/kbs/docker/Dockerfile
@@ -1,6 +1,7 @@
 FROM rust:slim as builder
 ARG ARCH=x86_64
 ARG HTTPS_CRYPTO=rustls
+ARG ALIYUN=false
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -36,7 +37,8 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s
 WORKDIR /usr/src/kbs
 COPY . .
 
-RUN cargo install --locked --path kbs --bin kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO}
+RUN cd kbs && make AS_FEATURE=coco-as-builtin HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+ make install-kbs
 
 FROM ubuntu:22.04
 ARG ARCH=x86_64
@@ -60,4 +62,4 @@ RUN apt-get update && \
 apt clean all && \
 rm -rf /tmp/*
 
-COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs
+COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile
index 77ca1f82f..2a96e9045 100644
--- a/kbs/docker/coco-as-grpc/Dockerfile
+++ b/kbs/docker/coco-as-grpc/Dockerfile
@@ -1,6 +1,7 @@
 FROM rust:latest as builder
 ARG ARCH=x86_64
 ARG HTTPS_CRYPTO=rustls
+ARG ALIYUN=false
 
 WORKDIR /usr/src/kbs
 COPY . .
@@ -8,10 +9,11 @@ COPY . .
 RUN apt-get update && apt install -y protobuf-compiler git
 
 # Build and Install KBS
-RUN cargo install --path kbs --bin kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO}
+RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+ make install-kbs
 
 FROM ubuntu:22.04
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/kbs"
 
-COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs
+COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
diff --git a/kbs/docker/intel-trust-authority/Dockerfile b/kbs/docker/intel-trust-authority/Dockerfile
index 31679df85..a2b4f650e 100644
--- a/kbs/docker/intel-trust-authority/Dockerfile
+++ b/kbs/docker/intel-trust-authority/Dockerfile
@@ -1,5 +1,6 @@
 FROM rust:latest as builder
 ARG HTTPS_CRYPTO=rustls
+ARG ALIYUN=false
 
 WORKDIR /usr/src/kbs
 COPY . .
@@ -7,7 +8,8 @@ COPY . .
 RUN apt-get update && apt install -y git
 
 # Build and Install KBS
-RUN cargo install --path kbs --bin kbs --no-default-features --features intel-trust-authority-as,${HTTPS_CRYPTO},resource,opa
+RUN cd kbs && make AS_FEATURE=intel-trust-authority-as HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
+ make install-kbs
 
 FROM ubuntu:22.04
 
@@ -15,4 +17,4 @@ LABEL org.opencontainers.image.source="https://github.com/confidential-container
 
 RUN apt update && apt install -y ca-certificates
 
-COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs
+COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
diff --git a/kbs/docs/config.md b/kbs/docs/config.md
index fa2ccc79d..5c9de577a 100644
--- a/kbs/docs/config.md
+++ b/kbs/docs/config.md
@@ -54,11 +54,11 @@ This section is **optional**. When omitted, a default configuration is used.
 Repository configuration is **specific to a repository type**. See the following sections for
 type-specific properties.
 
->This section is available only when the `resource` feature is enabled.
+>This section is available only when the `resource` feature is enabled. Only one repository is available at a time.
 
-| Property | Type | Description | Required | Default |
-|----------|--------|-------------------------------------------------------|----------|-----------|
-| `type` | String | The resource repository type. Valid values: `LocalFs` | Yes | - |
+| Property | Type | Description | Required | Default |
+|----------|--------|-----------------------------------------------------------------|----------|-----------|
+| `type` | String | The resource repository type. Valid values: `LocalFs`, `Aliyun` | Yes | `LocalFs` |
 
 **`LocalFs` Properties**
 
@@ -66,6 +66,15 @@ type-specific properties.
 |------------|--------|---------------------------------|----------|-----------------------------------------------------|
 | `dir_path` | String | Path to a repository directory. | No | `/opt/confidential-containers/kbs/repository` |
 
+**`Aliyun` Properties**
+
+| Property | Type | Description | Required | Example |
+|-------------------|--------|-----------------------------------|----------|-----------------------------------------------------|
+| `client_key` | String | The KMS instance's AAP client key | Yes | `{"KeyId": "KA..", "PrivateKeyData": "MIIJqwI..."}` |
+| `kms_instance_id` | String | The KMS instance id | Yes | `kst-shh668f7...` |
+| `password` | String | AAP client key password | Yes | `8f9989c18d27...` |
+| `cert_pem` | String | CA cert for the KMS instance | Yes | `-----BEGIN CERTIFICATE----- ...` |
+
 ### Native Attestation
 
 The following properties can be set under the `as_config` section.
diff --git a/kbs/docs/resource_repository.md b/kbs/docs/resource_repository.md
index 7caaab50c..ba95b55e9 100644
--- a/kbs/docs/resource_repository.md
+++ b/kbs/docs/resource_repository.md
@@ -19,4 +19,13 @@ defined below:
 | `file://<$(KBS_REPOSITORY_DIR)>///` | `https:///kbs/v0/resource///` |
 
 The KBS root file system resource path is specified in the KBS config file
-as well, and the default value is `/opt/confidential-containers/kbs/repository`.
\ No newline at end of file
+as well, and the default value is `/opt/confidential-containers/kbs/repository`.
+
+### Aliyun KMS
+
+[Alibaba Cloud KMS](https://www.alibabacloud.com/en/product/kms?_p_lc=1)(a.k.a Aliyun KMS)
+can also work as the KBS resource storage backend.
+In this mode, resources will be stored with [generic secrets](https://www.alibabacloud.com/help/en/kms/user-guide/manage-and-use-generic-secrets?spm=a2c63.p38356.0.0.dc4d24f7s0ZuW7) in a [KMS instance](https://www.alibabacloud.com/help/en/kms/user-guide/kms-overview?spm=a2c63.p38356.0.0.4aacf9e6V7IQGW).
+One KBS can be configured with a specified KMS instance in `repository_config` field of KBS launch config. For config, see the [document](./config.md#repository-configuration).
+These materials can be found in KMS instance's [AAP](https://www.alibabacloud.com/help/en/kms/user-guide/manage-aaps?spm=a3c0i.23458820.2359477120.1.4fd96e9bmEFST4).
+When being accessed, a resource URI of `kbs:///repo/type/tag` will be translated into the generic secret with name `tag`. Hinting that `repo/type` field will be ignored.
\ No newline at end of file
diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs
index b4045ef5d..c0f17265b 100644
--- a/kbs/src/http/resource.rs
+++ b/kbs/src/http/resource.rs
@@ -118,7 +118,7 @@ pub(crate) async fn get_resource(
 .await
 .read_secret_resource(resource_description)
 .await
- .map_err(|e| Error::ReadSecretFailed(e.to_string()))?;
+ .map_err(|e| Error::ReadSecretFailed(format!("{e:?}")))?;
 
 let jwe = jwe(pubkey, resource_byte)?;
 
diff --git a/kbs/src/resource/aliyun_kms.rs b/kbs/src/resource/aliyun_kms.rs
new file mode 100644
index 000000000..0c380f67f
--- /dev/null
+++ b/kbs/src/resource/aliyun_kms.rs
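Review bot: The new `.map_err(|e| Error::ReadSecretFailed(format!("{e:?}")))?` in kbs/src/http/resource.rs copies anyhow's Debug rendering — the whole context chain plus a backtrace when one is captured — into the error variant; if `ReadSecretFailed` is rendered into the HTTP response (its Display/responder impl is not in this diff), backend internals such as KMS error bodies, hostnames or filesystem paths reach the attesting client. If the intent is to keep the chain that `e.to_string()` dropped, `format!("{e:#}")` gives the chain without the backtrace; the safer shape is to log the full chain server-side and keep the client-facing string generic. `get_resource` begins above the hunk.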
@@ -0,0 +1,59 @@
+// Copyright (c) 2024 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use super::{Repository, ResourceDesc};
+use anyhow::{Context, Result};
+use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter};
+use log::info;
+use serde::Deserialize;
+
+#[derive(Debug, Deserialize, Clone)]
+pub struct AliyunKmsBackendConfig {
+ client_key: String,
+ kms_instance_id: String,
+ password: String,
+ cert_pem: String,
+}
+
+pub struct AliyunKmsBackend {
+ client: AliyunKmsClient,
+}
+
+#[async_trait::async_trait]
+impl Repository for AliyunKmsBackend {
+ async fn read_secret_resource(&self, resource_desc: ResourceDesc) -> Result> {
+ info!(
+ "Use aliyun KMS backend. Ignore {}/{}",
+ resource_desc.repository_name, resource_desc.resource_type
+ );
+ let name = resource_desc.resource_tag;
+ let resource_bytes = self
+ .client
+ .get_secret(&name, &Annotations::default())
+ .await
+ .context("failed to get resource from aliyun KMS")?;
+ Ok(resource_bytes)
+ }
+
+ async fn write_secret_resource(
+ &mut self,
+ _resource_desc: ResourceDesc,
+ _data: &[u8],
+ ) -> Result<()> {
+ todo!("Does not support!")
+ }
+}
+
+impl AliyunKmsBackend {
+ pub fn new(repo_desc: &AliyunKmsBackendConfig) -> Result {
+ let client = AliyunKmsClient::new(
+ &repo_desc.client_key,
+ &repo_desc.kms_instance_id,
+ &repo_desc.password,
+ &repo_desc.cert_pem,
+ )
+ .context("create aliyun KMS backend")?;
+ Ok(Self { client })
+ }
+}
diff --git a/kbs/src/resource/mod.rs b/kbs/src/resource/mod.rs
index f548c5903..7f5ce4228 100644
--- a/kbs/src/resource/mod.rs
+++ b/kbs/src/resource/mod.rs
@@ -7,11 +7,13 @@ use serde::Deserialize;
 use std::fs;
 use std::path::Path;
 use std::sync::Arc;
-use strum::EnumString;
 use tokio::sync::RwLock;
 
 mod local_fs;
 
+#[cfg(feature = "aliyun")]
+mod aliyun_kms;
+
 /// Interface of a `Repository`.
 #[async_trait::async_trait]
 pub trait Repository {
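Review bot: `AliyunKmsBackendConfig` derives `Debug` although `client_key` (documented in config.md as carrying `PrivateKeyData`) and `password` are long-lived KMS credentials, so any `{:?}` of the loaded configuration — `RepositoryConfig` in kbs/src/resource/mod.rs derives `Debug` as well and now wraps this struct — writes them to the log; whether anything currently formats the config that way is not visible in this diff. A hand-written `Debug` that prints only `kms_instance_id` removes the footgun. Separately, `write_secret_resource` ends in `todo!("Does not support!")`, which panics inside the request path for an operation that is unsupported but reachable; `anyhow::bail!("aliyun KMS backend does not support writing resources")` reports it as an ordinary error instead. Finally, `read_secret_resource` keys the secret on `resource_tag` alone, so distinct `repo/type/tag` paths alias to one KMS secret — resource_repository.md says so, but a one-line comment at `let name = resource_desc.resource_tag;` such as `// repository/type are intentionally ignored: the KMS namespace is flat (see docs/resource_repository.md)` would keep that visible to the next reader.
```rust
#[derive(Deserialize, Clone)]
pub struct AliyunKmsBackendConfig {
    // … unchanged: client_key, kms_instance_id, password, cert_pem …
}

// Manual Debug so the AAP client key and password never end up in a log line.
impl std::fmt::Debug for AliyunKmsBackendConfig {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("AliyunKmsBackendConfig")
            .field("kms_instance_id", &self.kms_instance_id)
            .finish_non_exhaustive()
    }
}

// … unchanged: AliyunKmsBackend, read_secret_resource …

    async fn write_secret_resource(
        &mut self,
        _resource_desc: ResourceDesc,
        _data: &[u8],
    ) -> Result<()> {
        anyhow::bail!("aliyun KMS backend does not support writing resources")
    }
```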
@@ -46,10 +48,13 @@ impl ResourceDesc {
 }
 }
 
-#[derive(Clone, Debug, Deserialize, EnumString)]
+#[derive(Clone, Debug, Deserialize)]
 #[serde(tag = "type")]
 pub enum RepositoryConfig {
 LocalFs(local_fs::LocalFsRepoDesc),
+
+#[cfg(feature = "aliyun")]
+Aliyun(aliyun_kms::AliyunKmsBackendConfig),
 }
 
 impl RepositoryConfig {
@@ -73,6 +78,11 @@ impl RepositoryConfig {
 Ok(Arc::new(RwLock::new(local_fs::LocalFs::new(desc)?)) as Arc>)
 }
+#[cfg(feature = "aliyun")]
+Self::Aliyun(config) => {
+let client = aliyun_kms::AliyunKmsBackend::new(config)?;
+Ok(Arc::new(RwLock::new(client)) as Arc>)
+}
 }
 }
 }
diff --git a/tools/kbs-client/Cargo.toml b/tools/kbs-client/Cargo.toml
index 83085dc04..c960e62c1 100644
--- a/tools/kbs-client/Cargo.toml
+++ b/tools/kbs-client/Cargo.toml
@@ -18,7 +18,7 @@ base64.workspace = true
 clap = { version = "4.0.29", features = ["derive"] }
 env_logger.workspace = true
 jwt-simple.workspace = true
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="df60725afe0ba452a25a740cf460c2855442c49a", default-features = false }
+kbs_protocol = { workspace = true, default-features = false }
 log.workspace = true
 reqwest = { workspace = true, default-features = false, features = ["cookies", "json"] }
 serde = { workspace = true, features = ["derive"] }