confidential-containers · Xynnn007 · Nov 6, 2024 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024
@@ -16,7 +16,6 @@ jobs:
     - name: Build KBS Container Image
       run: |
         DOCKER_BUILDKIT=1 docker build -t kbs:coco-as . -f kbs/docker/Dockerfile; \
-        DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-openssl --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile; \
         DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-grpc . -f kbs/docker/coco-as-grpc/Dockerfile; \
         DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-rhel-ubi . -f kbs/docker/rhel-ubi/Dockerfile; \
         DOCKER_BUILDKIT=1 docker build -t kbs:coco-as-ita . -f kbs/docker/intel-trust-authority/Dockerfile
@@ -56,11 +56,11 @@ jobs:
       working-directory: kbs
       run: make
 
-    - name: KBS Build [Built-in CoCo AS, OpenSSL]
+    - name: KBS Build [Built-in CoCo AS]
       working-directory: kbs
       run: make
 
-    - name: KBS Build [gRPC CoCo AS, RustTLS]
+    - name: KBS Build [gRPC CoCo AS]
       working-directory: kbs
       run: make COCO_AS_INTEGRATE_TYPE=grpc
 

@@ -50,9 +50,9 @@ log.workspace = true
 openssl = "0.10.55"
 prost = { workspace = true, optional = true }
 rand = "0.8.5"
-rsa = { version = "0.9.2", features = ["sha2"] }
 reference-value-provider-service = { path = "../rvps", optional = true }
 regorus.workspace = true
+rsa = { version = "0.9.2", features = ["sha2"] }
 serde.workspace = true
 serde_json.workspace = true
 serde_variant = "0.1.2"

@@ -10,7 +10,7 @@ use thiserror::Error;
 const AS_WORK_DIR: &str = "AS_WORK_DIR";
 const DEFAULT_WORK_DIR: &str = "/opt/confidential-containers/attestation-service";
 
-#[derive(Clone, Debug, Deserialize)]
+#[derive(Clone, Debug, Deserialize, PartialEq)]
 pub struct Config {
     /// The location for Attestation Service to store data.
     pub work_dir: PathBuf,
@@ -19,6 +19,7 @@ pub struct Config {
     pub policy_engine: String,
 
     /// Configurations for RVPS.
+    #[serde(default)]
     pub rvps_config: RvpsConfig,
 
     /// The Attestation Result Token Broker type.
@@ -28,6 +29,7 @@ pub struct Config {
     pub attestation_token_broker: AttestationTokenBrokerType,
 
     /// The Attestation Result Token Broker Config
+    #[serde(default)]
     pub attestation_token_config: AttestationTokenConfig,
 }
 

@@ -6,9 +6,9 @@
 
 pub mod config;
 pub mod policy_engine;
-mod rvps;
-mod token;
-mod utils;
+pub mod rvps;
+pub mod token;
+pub mod utils;
 
 use crate::token::AttestationTokenBroker;
 

@@ -5,7 +5,9 @@
 
 use anyhow::Result;
 use log::{info, warn};
-use reference_value_provider_service::config::{Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE};
+pub use reference_value_provider_service::config::{
+    Config as RvpsCrateConfig, DEFAULT_STORAGE_TYPE,
+};
 use serde::Deserialize;
 use serde_json::{json, Value};
 use thiserror::Error;
@@ -38,7 +40,7 @@ fn default_store_config() -> Value {
     json!({})
 }
 
-#[derive(Deserialize, Clone, Debug)]
+#[derive(Deserialize, Clone, Debug, PartialEq)]
 pub struct RvpsConfig {
     /// Address of remote RVPS. If this field is given, a remote RVPS will be connected to.
     /// If this field is not given, a built-in RVPS will be used.

@@ -6,12 +6,12 @@
 use anyhow::*;
 use serde::Deserialize;
 use serde_json::Value;
-use simple::COCO_AS_ISSUER_NAME;
 use strum::{Display, EnumString};
 
 mod simple;
 
-const DEFAULT_TOKEN_TIMEOUT: i64 = 5;
+pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service";
+pub const DEFAULT_TOKEN_TIMEOUT: i64 = 5;
 
 pub trait AttestationTokenBroker {
     /// Issue an signed attestation token with custom claims.
@@ -23,7 +23,7 @@ pub trait AttestationTokenBroker {
     fn pubkey_jwks(&self) -> Result<String>;
 }
 
-#[derive(Deserialize, Debug, Clone, EnumString, Display)]
+#[derive(Deserialize, Debug, Clone, EnumString, Display, PartialEq)]
 pub enum AttestationTokenBrokerType {
     Simple,
 }
@@ -42,9 +42,10 @@ impl AttestationTokenBrokerType {
     }
 }
 
-#[derive(Deserialize, Debug, Clone)]
+#[derive(Deserialize, Debug, Clone, PartialEq)]
 pub struct AttestationTokenConfig {
     /// The Attestation Result Token duration time(in minute)
+    #[serde(default = "default_duration_min")]
     pub duration_min: i64,
 
     #[serde(default = "default_issuer_name")]
@@ -53,11 +54,15 @@ pub struct AttestationTokenConfig {
     pub signer: Option<TokenSignerConfig>,
 }
 
+fn default_duration_min() -> i64 {
+    DEFAULT_TOKEN_TIMEOUT
+}
+
 fn default_issuer_name() -> String {
     COCO_AS_ISSUER_NAME.to_string()
 }
 
-#[derive(Deserialize, Debug, Clone)]
+#[derive(Deserialize, Debug, Clone, PartialEq)]
 pub struct TokenSignerConfig {
     pub key_path: String,
     pub cert_url: Option<String>,

@@ -18,7 +18,6 @@ use serde_json::{json, Value};
 
 use crate::token::{AttestationTokenBroker, AttestationTokenConfig};
 
-pub const COCO_AS_ISSUER_NAME: &str = "CoCo-Attestation-Service";
 const RSA_KEY_BITS: u32 = 2048;
 const SIMPLE_TOKEN_ALG: &str = "RS384";
 

@@ -100,7 +100,7 @@ auth_public_key = "/kbs/kbs.pem"
 # https://cert-manager.io/docs/configuration/acme/
 insecure_http = true
 
-[attestation_token_config]
+[attestation_token]
 insecure_key = true
 
 [as_config]

@@ -7,23 +7,14 @@ documentation.workspace = true
 edition.workspace = true
 
 [features]
-default = ["coco-as-builtin", "resource", "opa"]
-
-# Feature that allows to access resources from KBS
-resource = ["rsa", "reqwest", "aes-gcm", "jsonwebtoken"]
+default = ["coco-as-builtin", "coco-as-grpc", "intel-trust-authority-as"]
 
 # Support a backend attestation service for KBS
 as = []
 
 # Use CoCo-AS as backend attestation service
 coco-as = ["as"]
 
-# Support resource policy for KBS
-policy = []
-
-# Use OPA/Rego as resource policy for KBS
-opa = ["policy"]
-
 # Use built-in CoCo-AS as backend attestation service
 coco-as-builtin = ["coco-as", "attestation-service/default"]
 
@@ -34,15 +25,15 @@ coco-as-builtin-no-verifier = ["coco-as", "attestation-service/rvps-builtin"]
 coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]
 
 # Use Intel TA as backend attestation service
-intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"]
+intel-trust-authority-as = ["as", "az-cvm-vtpm"]
 
 # Use aliyun KMS as KBS backend
 aliyun = ["kms/aliyun"]
 
 [dependencies]
 actix-web = { workspace = true, features = ["openssl"] }
 actix-web-httpauth.workspace = true
-aes-gcm = { version = "0.10.1", optional = true }
+aes-gcm = "0.10.1"
 anyhow.workspace = true
 async-trait.workspace = true
 attestation-service = { path = "../attestation-service", default-features = false, optional = true }
@@ -51,7 +42,7 @@ cfg-if.workspace = true
 clap = { workspace = true, features = ["derive", "env"] }
 config.workspace = true
 env_logger.workspace = true
-jsonwebtoken = { workspace = true, default-features = false, optional = true }
+jsonwebtoken = { workspace = true, default-features = false }
 jwt-simple.workspace = true
 kbs-types.workspace = true
 kms = { workspace = true, default-features = false }
@@ -60,9 +51,10 @@ log.workspace = true
 mobc = { version = "0.8.3", optional = true }
 prost = { workspace = true, optional = true }
 rand = "0.8.5"
+regex = "1.11.1"
 regorus.workspace = true
-reqwest = { workspace = true, features = ["json"], optional = true }
-rsa = { version = "0.9.2", optional = true, features = ["sha2"] }
+reqwest = { workspace = true, features = ["json"] }
+rsa = { version = "0.9.2", features = ["sha2"] }
 scc = "2"
 semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }

@@ -1,5 +1,4 @@
 AS_TYPE ?= coco-as
-POLICY_ENGINE ?=
 ALIYUN ?= false
 
 ARCH := $(shell uname -m)
@@ -17,9 +16,9 @@ COCO_AS_INTEGRATION_TYPE ?= builtin
 INSTALL_DESTDIR ?= /usr/local/bin
 
 ifeq ($(AS_TYPE), coco-as)
-  AS_FEATURE = $(AS_TYPE)-$(COCO_AS_INTEGRATION_TYPE)
-else
-  AS_FEATURE = $(AS_TYPE)
+  AS_FEATURE += $(AS_TYPE)-$(COCO_AS_INTEGRATION_TYPE),
+else ifneq ($(AS_TYPE), )
+  AS_FEATURE += $(AS_TYPE),
 endif
 
 ifeq ($(ALIYUN), true)
@@ -38,7 +37,7 @@ build: background-check-kbs
 
 .PHONY: background-check-kbs
 background-check-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(POLICY_ENGINE),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),$(AS_FEATURE)
 
 .PHONY: passport-issuer-kbs
 passport-issuer-kbs:
@@ -47,7 +46,7 @@ passport-issuer-kbs:
 
 .PHONY: passport-resource-kbs
 passport-resource-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features resource,$(POLICY_ENGINE),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),
 	mv ../target/release/kbs ../target/release/resource-kbs
 
 .PHONY: cli

@@ -90,18 +90,16 @@ The Makefile supports a number of other configuration parameters.
 
 For example,
 ```shell
-make background-check-kbs [POLICY_ENGINE=?] [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
+make background-check-kbs [AS_TYPES=?] [COCO_AS_INTEGRATION_TYPE=?] [ALIYUN=?]
 ```
 
 The parameters
-- `POLICY_ENGINE`: The KBS has a policy engine to facilitate access control. This should not be confused with the policy engine in the AS, which determines whether or not TEE evidence is valid. `POLICY_ENGINE` determines which type of policy engine the KBS will use. Today only `opa` is supported. The KBS can also be built without a policy engine
-if it is not required.
 - `AS_TYPES`: The KBS supports multiple backend attestation services. `AS_TYPES` selects which verifier to use. The options are `coco-as` and `intel-trust-authority-as`.
 - `COCO_AS_INTEGRATION_TYPE`:  The KBS can connect to the CoCo AS in multiple ways. `COCO_AS_INTEGRATION_TYPE` can be set either to `grpc` or `builtin`. With `grpc` the KBS will make a remote connection to the AS. If you are manually building and configuring the components, you'll need to set them up so that this connection can be established. Similar to passport mode, the remote AS can be useful if secret provisioning and attestation verification are not in the same scope. With `builtin` the KBA uses the AS as a crate. This is recommended if you want to avoid the complexity of a remote connection.
 - `ALIYUN`: The kbs support aliyun KMS as secret storage backend. `true` to enable building this feature. By default it is `false`.
 ## HTTPS Support
 
-The KBS can use HTTPS. This requires a crypto backend.
+The KBS can use HTTPS. This is facilitated by openssl crypto backend.
 
 If you want a self-signed cert for test cases, please refer to [the document](docs/self-signed-https.md).
 

@@ -1,9 +1,18 @@
+[http_server]
 sockets = ["0.0.0.0:8080"]
-auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
 insecure_http = true
 
-[attestation_token_config]
+[attestation_token]
 insecure_key = true
 
-[grpc_config]
+[attestation_service]
+type = "coco_as_grpc"
 as_addr = "http://as:50004"
+
+[admin]
+auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
+
+[[plugins]]
+name = "resource"
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"
@@ -1,9 +1,13 @@
+[http_server]
 insecure_http = true
-insecure_api = true
 
-[attestation_token_config]
+[attestation_token]
 insecure_key = true
 
-[grpc_config]
+[attestation_service]
+type = "coco_as_grpc"
 as_addr = "http://127.0.0.1:50004"
-pool_size = 200
+pool_size = 200
+
+[admin]
+insecure_api = true
@@ -1,10 +1,14 @@
+[http_server]
 insecure_http = true
+
+[admin]
 insecure_api = true
 
-[attestation_token_config]
-trusted_certs_paths = ["https://portal.trustauthority.intel.com"]
+[attestation_token]
+trusted_jwk_sets = ["https://portal.trustauthority.intel.com"]
 
-[intel_trust_authority_config]
+[attestation_service]
+type = "intel_ta"
 base_url = "https://api.trustauthority.intel.com"
 api_key = "tBfd5kKX2x9ahbodKV1..."
 certs_file = "https://portal.trustauthority.intel.com"