github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-01 00:46:38 +00:00
Code Issues Projects Releases Wiki Activity

agent: initialize trusted storage device

Browse Source 
Initialize the trusted stroage when the device is defined
as "/dev/trusted_store" with shell script as first step.

Fixes: #4882

Signed-off-by: Wang, Arron <arron.wang@intel.com>
This commit is contained in:
Wang, Arron
2022-08-07 16:37:58 +08:00
committed by Samuel Ortiz
parent 813e36e615
commit 4831193bde
3 changed files with 108 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/agent/src/rpc.rs
View File

@@ -89,6 +89,8 @@ pub const CONTAINER_BASE: &str = "/run/kata-containers";
const MODPROBE_PATH: &str = "/sbin/modprobe"; const MODPROBE_PATH: &str = "/sbin/modprobe";
const ANNO_K8S_IMAGE_NAME: &str = "io.kubernetes.cri.image-name"; const ANNO_K8S_IMAGE_NAME: &str = "io.kubernetes.cri.image-name";
const CONFIG_JSON: &str = "config.json"; const CONFIG_JSON: &str = "config.json";
const INIT_TRUSTED_STORAGE: &str = "/usr/bin/kata-init-trusted-storage";
const TRUSTED_STORAGE_DEVICE: &str = "/dev/trusted_store";
const IPTABLES_SAVE: &str = "/sbin/iptables-save"; const IPTABLES_SAVE: &str = "/sbin/iptables-save";
const IPTABLES_RESTORE: &str = "/sbin/iptables-restore"; const IPTABLES_RESTORE: &str = "/sbin/iptables-restore";
@@ -217,6 +219,30 @@ impl AgentService {
// cannot predict everything from the caller. // cannot predict everything from the caller.
add_devices(&req.devices.to_vec(), &mut oci, &self.sandbox).await?; add_devices(&req.devices.to_vec(), &mut oci, &self.sandbox).await?;
let linux = oci
.linux
.as_mut()
.ok_or_else(|| anyhow!("Spec didn't contain linux field"))?;
for specdev in &mut linux.devices {
let dev_major_minor = format!("{}:{}", specdev.major, specdev.minor);
if specdev.path == TRUSTED_STORAGE_DEVICE {
let data_integrity = AGENT_CONFIG.read().await.data_integrity;
info!(
sl!(),
"trusted_store device major:min {}, enable data integrity {}",
dev_major_minor,
data_integrity.to_string()
);
Command::new(INIT_TRUSTED_STORAGE)
.args(&[&dev_major_minor, &data_integrity.to_string()])
.output()
.expect("Failed to initialize confidential storage");
}
}
// Both rootfs and volumes (invoked with --volume for instance) will // Both rootfs and volumes (invoked with --volume for instance) will
// be processed the same way. The idea is to always mount any provided // be processed the same way. The idea is to always mount any provided
// storage to the specified MountPoint, so that it will match what's // storage to the specified MountPoint, so that it will match what's

79
tools/osbuilder/rootfs-builder/init_trusted_storage.sh Executable file
View File

@@ -0,0 +1,79 @@
#!/bin/bash
#
# Copyright (c) 2022 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
[ -n "${DEBUG:-}" ] && set -o xtrace
handle_error() {
local exit_code="${?}"
local line_number="${1:-}"
echo "error:"
echo "Failed at $line_number: ${BASH_COMMAND}"
exit "${exit_code}"
}
trap 'handle_error $LINENO' ERR
die()
{
local msg="$*"
echo >&2 "ERROR: $msg"
exit 1
}
setup()
{
local cmds=()
cmds+=("cryptsetup" "mkfs.ext4" "mount")
local cmd
for cmd in "${cmds[@]}"
do
command -v "$cmd" &>/dev/null || die "need command: '$cmd'"
done
}
setup
device_num=${1:-}
if [ -z "$device_num" ]; then
die "invalid arguments, at least one param for device num"
fi
data_integrity="true"
if [ -n "${2-}" ]; then
data_integrity="$2"
fi
device_name=$(sed -e 's/DEVNAME=//g;t;d' /sys/dev/block/${device_num}/uevent)
device_path="/dev/$device_name"
if [[ -n "$device_name" && -b "$device_path" ]]; then
storage_key_path="/run/cc_storage.key"
dd if=/dev/urandom of="$storage_key_path" bs=1 count=4096
if [ "$data_integrity" == "false" ]; then
echo "YES" | cryptsetup luksFormat --type luks2 "$device_path" --sector-size 4096 \
--cipher aes-xts-plain64 "$storage_key_path"
else
echo "YES" | cryptsetup luksFormat --type luks2 "$device_path" --sector-size 4096 \
--cipher aes-xts-plain64 --integrity hmac-sha256 "$storage_key_path"
fi
cryptsetup luksOpen -d "$storage_key_path" "$device_path" ephemeral_image_encrypted_disk
rm "$storage_key_path"
mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk
[ ! -d "/run/image" ] && mkdir /run/image
mount /dev/mapper/ephemeral_image_encrypted_disk /run/image
else
die "Invalid device: '$device_path'"
fi

3
tools/osbuilder/rootfs-builder/rootfs.sh
View File

@@ -704,6 +704,9 @@ EOF
skopeo copy "${pause_repo}":"${pause_version}" oci:pause:"${pause_version}" skopeo copy "${pause_repo}":"${pause_version}" oci:pause:"${pause_version}"
umoci unpack --image pause:"${pause_version}" "${ROOTFS_DIR}/pause_bundle" umoci unpack --image pause:"${pause_version}" "${ROOTFS_DIR}/pause_bundle"
info "Install init_trusted_storage script for CC"
install -o root -g root -m 0500 "${script_dir}/init_trusted_storage.sh" "${ROOTFS_DIR}/usr/bin/kata-init-trusted-storage"
fi fi
info "Creating summary file" info "Creating summary file"