github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-13 13:46:46 +00:00
Code Issues Projects Releases Wiki Activity

agent: deliver initdata toml to attestation agent

Browse Source 
Now AA supports to receive initdata toml plaintext and deliver it in the
attestation. This patch creates a file under
'/run/confidential-containers/initdata'
to store the initdata toml and give it to AA process.

When we have a separate component to handle initdata, we will move the
logic to that component.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This commit is contained in:
Xynnn007 2025-07-15 16:32:31 +08:00
parent 19001af1e2
commit 4da31bf2f9
2 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/agent/src/initdata.rs
View File

@ -27,6 +27,9 @@ const AA_CONFIG_KEY: &str = "aa.toml";
const CDH_CONFIG_KEY: &str = "cdh.toml"; const CDH_CONFIG_KEY: &str = "cdh.toml";
const POLICY_KEY: &str = "policy.rego"; const POLICY_KEY: &str = "policy.rego";
/// The path of initdata toml
pub const INITDATA_TOML_PATH: &str = concatcp!(INITDATA_PATH, "/initdata.toml");
/// The path of AA's config file /// The path of AA's config file
pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml"); pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
@ -95,7 +98,7 @@ pub async fn read_initdata(device_path: &str) -> Result<Vec<u8>> {
} }
pub struct InitdataReturnValue { pub struct InitdataReturnValue {
pub digest: Vec<u8>, pub _digest: Vec<u8>,
pub _policy: Option<String>, pub _policy: Option<String>,
} }
@ -122,7 +125,11 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
info!(logger, "Initdata version: {}", initdata.version()); info!(logger, "Initdata version: {}", initdata.version());
initdata.validate()?; initdata.validate()?;
let digest = match initdata.algorithm() { tokio::fs::write(INITDATA_TOML_PATH, &initdata_content)
.await
.context("write initdata toml failed")?;
let _digest = match initdata.algorithm() {
"sha256" => Sha256::digest(&initdata_content).to_vec(), "sha256" => Sha256::digest(&initdata_content).to_vec(),
"sha384" => Sha384::digest(&initdata_content).to_vec(), "sha384" => Sha384::digest(&initdata_content).to_vec(),
"sha512" => Sha512::digest(&initdata_content).to_vec(), "sha512" => Sha512::digest(&initdata_content).to_vec(),
@ -143,10 +150,10 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
info!(logger, "write CDH config from initdata"); info!(logger, "write CDH config from initdata");
} }
debug!(logger, "Initdata digest: {}", STANDARD.encode(&digest)); debug!(logger, "Initdata digest: {}", STANDARD.encode(&_digest));
let res = InitdataReturnValue { let res = InitdataReturnValue {
digest, _digest,
_policy: initdata.get_coco_data(POLICY_KEY).cloned(), _policy: initdata.get_coco_data(POLICY_KEY).cloned(),
}; };

10
src/agent/src/main.rs
View File

@ -19,7 +19,6 @@ extern crate scopeguard;
extern crate slog; extern crate slog;
use anyhow::{anyhow, bail, Context, Result}; use anyhow::{anyhow, bail, Context, Result};
use base64::Engine;
use cfg_if::cfg_if; use cfg_if::cfg_if;
use clap::Parser; use clap::Parser;
use const_format::concatcp; use const_format::concatcp;
@ -485,12 +484,9 @@ async fn launch_guest_component_procs(
debug!(logger, "spawning attestation-agent process {}", AA_PATH); debug!(logger, "spawning attestation-agent process {}", AA_PATH);
let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI]; let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI];
let initdata_parameter; if initdata_return_value.is_some() {
if let Some(initdata_return_value) = initdata_return_value { aa_args.push("--initdata-toml");
initdata_parameter = aa_args.push(initdata::INITDATA_TOML_PATH);
base64::engine::general_purpose::STANDARD.encode(&initdata_return_value.digest);
aa_args.push("--initdata");
aa_args.push(&initdata_parameter);
} }
launch_process( launch_process(