Skip to content

Commit

Permalink
Add trustee-attester - a simple tool to fetch secrets from Trustee
Browse files Browse the repository at this point in the history
The trustee-attester is a simple program that gather Confidential Computing
HW "evidence", send it to Trustee and upon successful attestation get
resources.

As first implementation it directly uses attestation-agent's kbs_protocol
and attesters.

Signed-off-by: Uri Lublin <[email protected]>
  • Loading branch information
uril committed Nov 14, 2024
1 parent 0fe01e4 commit 4693921
Show file tree
Hide file tree
Showing 3 changed files with 131 additions and 0 deletions.
8 changes: 8 additions & 0 deletions attestation-agent/kbs_protocol/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,9 @@ anyhow.workspace = true
async-trait.workspace = true
attester = { path = "../attester", default-features = false }
base64.workspace = true
clap = { workspace = true, features = ["derive"], optional = true }
crypto = { path = "../deps/crypto", default-features = false }
env_logger = { workspace = true, optional = true }
jwt-simple.workspace = true
kbs-types.workspace = true
log.workspace = true
Expand All @@ -36,6 +38,10 @@ tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
[build-dependencies]
ttrpc-codegen = { workspace = true, optional = true }

[[bin]]
name = "trustee-attester"
required-features = ["bin"]

[features]
default = ["background_check", "passport", "rust-crypto", "all-attesters"]

Expand All @@ -56,3 +62,5 @@ se-attester = ["attester/se-attester"]

rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]

bin = ["tokio/rt", "tokio/macros", "clap", "env_logger"]
33 changes: 33 additions & 0 deletions attestation-agent/kbs_protocol/src/bin/trustee-attester/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Trustee attester #

A tool to attest and fetch secrets from Trustee

Trustee attester is a part of [confidential-containers](https://github.com/confidential-containers)
[guest-components](https://github.com/confidential-containers/guest-components)
project but can be used for confidential VMs as well.

Trustee attester is using attestation-agent's kbs_protocol client and
attesters to gather hardware-based confidential-computing evidence
and send it over to Trustee.

A resource with exact same path must be uploaded to Trustee before trustee-attester runs.


## Build: ##

```bash
cargo build -p kbs_protocol --bin trustee-attester --no-default-features
--features "background_check,passport,<openssl|rust-crypto>,bin,<attesters-list>"
```

## Run: ##

```bash
$ trustee-attester --url <Trustee-URL> [--cert-file <path>] get-resource --path <resource-path>
```

## Example: ##

```bash
$ trustee-attester --url http://localhost:50000 get-resource --path default/keys/dummy
```
90 changes: 90 additions & 0 deletions attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
// Copyright (c) 2023 by Alibaba.
// Copyright (c) 2024 Red Hat, Inc
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0

//! Attest and fetch confidential resources from Trustee
use anyhow::Result;
use base64::engine::general_purpose::STANDARD;
use base64::Engine;
use clap::{Parser, Subcommand};
use log::debug;
use std::fs;
use std::path::PathBuf;

use kbs_protocol::evidence_provider::NativeEvidenceProvider;
use kbs_protocol::KbsClientBuilder;
use kbs_protocol::KbsClientCapabilities;
use kbs_protocol::ResourceUri;

#[derive(Parser)]
struct Cli {
/// Trustee URL of format <protocol>://<host>:<port>
#[clap(long, value_parser)]
url: String,

/// Trustee https certificate file path (PEM format)
#[clap(long, value_parser)]
cert_file: Option<PathBuf>,

#[clap(subcommand)]
command: Commands,
}

#[derive(Subcommand)]
enum Commands {
/// Get confidential resource
#[clap(arg_required_else_help = true)]
GetResource {
/// KBS Resource path of format <repository>/<type>/<tag>
/// Document: https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md
#[clap(long, value_parser)]
path: String,
},
}

#[tokio::main(flavor = "current_thread")]
async fn main() -> Result<()> {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));

let cli = Cli::parse();

let url = cli.url;
let cert_file = cli.cert_file;

debug!("url {}", url);
debug!("cert_file {:?}", cert_file);

// Native evidence provider
let evidence_provider = Box::new(NativeEvidenceProvider::new()?);

// a kbs_protocol client with evidence_provider
let mut client_builder = KbsClientBuilder::with_evidence_provider(evidence_provider, &url);

// if a certificate is given, use it
if let Some(cf) = cert_file {
debug!("Reading certificate from cert_file {}", cf.display());
let cert = fs::read_to_string(cf)?;
client_builder = client_builder.add_kbs_cert(&cert)
}

// Build the client. This client is used throughout the program
let mut client = client_builder.build()?;

match cli.command {
Commands::GetResource { path } => {
// resource_path should start with '/' but not with '//'
let resource_path = match path.starts_with('/') {
false => format!("/{}", path),
true => path,
};
let resource = ResourceUri::new("", &resource_path)?;
let resource_bytes = client.get_resource(resource).await?;

println!("{}", STANDARD.encode(resource_bytes));
}
};

Ok(())
}

0 comments on commit 4693921

Please sign in to comment.