diff --git a/attestation-service/verifier/src/se/README.md b/attestation-service/verifier/src/se/README.md
index 971cdf575..cb33103e4 100644
--- a/attestation-service/verifier/src/se/README.md
+++ b/attestation-service/verifier/src/se/README.md
@@ -44,7 +44,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem
 ## Build KBS
 ```
-cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa
+cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa
 ```
 ## (Option 1) Launch KBS as a program
@@ -107,6 +107,7 @@ export SE_SKIP_CERTS_VERIFICATION=true
 ```
 DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs:latest --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile
 ```
+>Note: Please add `--debug` in statement like `cargo install` in file `kbs/docker/Dockerfile` if you're using a development host key document to skip HKD's signature verification.
 - Prepare a docker compose file, similar as:
 ```
diff --git a/attestation-service/verifier/src/se/ibmse.rs b/attestation-service/verifier/src/se/ibmse.rs
index c01d4ba3b..84d87429a 100644
--- a/attestation-service/verifier/src/se/ibmse.rs
+++ b/attestation-service/verifier/src/se/ibmse.rs
@@ -38,8 +38,6 @@ const DEFAULT_SE_MEASUREMENT_ENCR_KEY_PRIVATE: &str =
 const DEFAULT_SE_MEASUREMENT_ENCR_KEY_PUBLIC: &str =
 "/run/confidential-containers/ibmse/rsa/encrypt_key.pub";
-const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";
-
 macro_rules! env_or_default {
 ($env:literal, $default:ident) => {
 match env::var($env) {
@@ -255,11 +253,6 @@ impl SeVerifierImpl {
 DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT
 );
 let hkds = list_files_in_folder(&hkds_root)?;
- let skip_certs_env = env_or_default!(
- "SE_SKIP_CERTS_VERIFICATION",
- DEFAULT_SE_SKIP_CERTS_VERIFICATION
- );
- let skip_certs: bool = skip_certs_env.parse::().unwrap_or(false);
 for hkd in &hkds {
 let hk = std::fs::read(hkd).context("read host-key document")?;
 let certs = read_certs(&hk)?;
@@ -272,9 +265,21 @@ impl SeVerifierImpl {
 let c = certs
 .first()
 .ok_or(anyhow!("File does not contain a X509 certificate"))?;
- if skip_certs {
- warn!("SE_SKIP_CERTS_VERIFICATION set '{skip_certs}' never use it in production!")
- } else {
+ #[cfg(debug_assertions)]
+ {
+ const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";
+ let skip_certs_env = env_or_default!(
+ "SE_SKIP_CERTS_VERIFICATION",
+ DEFAULT_SE_SKIP_CERTS_VERIFICATION
+ );
+ let skip_certs: bool = skip_certs_env.parse::().unwrap_or(false);
+ if !skip_certs {
+ let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+ verifier.verify(c)?;
+ }
+ }
+ #[cfg(not(debug_assertions))]
+ {
 let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
 verifier.verify(c)?;
 }
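Review bot: In the added `#[cfg(debug_assertions)]` block, a true `SE_SKIP_CERTS_VERIFICATION` now bypasses `verifier.verify(c)` with no log line at all, because the `warn!` from the removed `if skip_certs` branch was dropped rather than moved. `debug_assertions` tracks the build profile, not the deployment, and the README in this same commit tells users to build with `--debug`, so the warning is the only runtime evidence that host-key-document certificates went unverified. The `CertVerifier::new(...)` / `verify` pair is also duplicated across the two cfg blocks and could drift apart; deciding `skip_certs` under cfg and keeping one `if`/`else` restores the warning and leaves a single verification path, as below. The enclosing function and the `for hkd in &hkds` loop begin and end outside this hunk.

```rust
// … unchanged: `let c = certs.first().ok_or(…)?;` lookup …
#[cfg(debug_assertions)]
let skip_certs = {
    const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";
    let skip_certs_env = env_or_default!(
        "SE_SKIP_CERTS_VERIFICATION",
        DEFAULT_SE_SKIP_CERTS_VERIFICATION
    );
    skip_certs_env.parse::<bool>().unwrap_or(false)
};
// Builds without debug assertions never honour the environment variable.
#[cfg(not(debug_assertions))]
let skip_certs = false;

if skip_certs {
    warn!("SE_SKIP_CERTS_VERIFICATION set '{skip_certs}' never use it in production!");
} else {
    let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
    verifier.verify(c)?;
}
```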