From 46a6c52ef47df22b77bf94cfd722669add1219ac Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Tue, 11 Oct 2022 12:00:43 +0100
Subject: [PATCH 1/3] agent: Add enable_signature_verification config
- Add a new agent config parameter enable_signature_verification which defaults to true for security reasons
- Add unit tests to check parsing and defaults
Fixes: #4888
Signed-off-by: stevenhorsman
---
 src/agent/src/config.rs | 44 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs
index 860cfcae7c..ac580384f1 100644
--- a/src/agent/src/config.rs
+++ b/src/agent/src/config.rs
@@ -31,6 +31,7 @@ const AA_KBC_PARAMS: &str = "agent.aa_kbc_params";
 const HTTPS_PROXY: &str = "agent.https_proxy";
 const NO_PROXY: &str = "agent.no_proxy";
 const ENABLE_DATA_INTEGRITY: &str = "agent.data_integrity";
+const ENABLE_SIGNATURE_VERIFICATION: &str = "agent.enable_signature_verification";
 
 const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
 const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
@@ -93,6 +94,7 @@ pub struct AgentConfig {
     pub https_proxy: String,
     pub no_proxy: String,
     pub data_integrity: bool,
+    pub enable_signature_verification: bool,
 }
 
 #[derive(Debug, Deserialize)]
@@ -113,6 +115,7 @@ pub struct AgentConfigBuilder {
     pub https_proxy: Option,
     pub no_proxy: Option,
     pub data_integrity: Option,
+    pub enable_signature_verification: Option,
 }
 
 macro_rules! config_override {
@@ -179,6 +182,7 @@ impl Default for AgentConfig {
             https_proxy: String::from(""),
             no_proxy: String::from(""),
             data_integrity: false,
+            enable_signature_verification: true,
         }
     }
 }
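Review bot: The new `pub enable_signature_verification: bool` field on `AgentConfig` has no doc comment, and since it decides whether the agent verifies container image signatures at all, its meaning and default belong at the declaration rather than only in the `Default` impl further down. I would add `/// Whether container image signatures must be verified; defaults to true and can be switched off via the agent.enable_signature_verification kernel parameter or the agent config file.` above the field, matching the `ENABLE_SIGNATURE_VERIFICATION` constant and the `Default` value introduced in this patch. The `AgentConfig` struct header itself is outside the hunk.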
@@ -212,6 +216,11 @@ impl FromStr for AgentConfig {
         config_override!(agent_config_builder, agent_config, https_proxy);
         config_override!(agent_config_builder, agent_config, no_proxy);
         config_override!(agent_config_builder, agent_config, data_integrity);
+        config_override!(
+            agent_config_builder,
+            agent_config,
+            enable_signature_verification
+        );
 
         // Populate the allowed endpoints hash set, if we got any from the config file.
         if let Some(endpoints) = agent_config_builder.endpoints {
@@ -334,6 +343,13 @@ impl AgentConfig {
                 config.data_integrity,
                 get_bool_value
             );
+            parse_cmdline_param!(
+                param,
+                ENABLE_SIGNATURE_VERIFICATION,
+                config.enable_signature_verification,
+                get_bool_value
+            );
         }
 
         if let Ok(addr) = env::var(SERVER_ADDR_ENV_VAR) {
@@ -537,6 +553,7 @@ mod tests {
         assert_eq!(config.log_level, DEFAULT_LOG_LEVEL);
         assert_eq!(config.hotplug_timeout, DEFAULT_HOTPLUG_TIMEOUT);
         assert_eq!(config.container_policy_path, "");
+        assert!(config.enable_signature_verification);
     }
 
     #[test]
@@ -560,6 +577,7 @@ mod tests {
         https_proxy: &'a str,
         no_proxy: &'a str,
         data_integrity: bool,
+        enable_signature_verification: bool,
     }
 
     impl Default for TestData<'_> {
@@ -580,6 +598,7 @@ mod tests {
                 https_proxy: "",
                 no_proxy: "",
                 data_integrity: false,
+                enable_signature_verification: true,
             }
         }
     }
@@ -1009,6 +1028,26 @@ mod tests {
                 data_integrity: false,
                 ..Default::default()
             },
+            TestData {
+                contents: "agent.enable_signature_verification=false",
+                enable_signature_verification: false,
+                ..Default::default()
+            },
+            TestData {
+                contents: "agent.enable_signature_verification=0",
+                enable_signature_verification: false,
+                ..Default::default()
+            },
+            TestData {
+                contents: "agent.enable_signature_verification=1",
+                enable_signature_verification: true,
+                ..Default::default()
+            },
+            TestData {
+                contents: "agent.enable_signature_verification=foo",
+                enable_signature_verification: false,
+                ..Default::default()
+            },
         ];
 
         let dir = tempdir().expect("failed to create tmpdir");
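Review bot: The last `TestData` entry in this hunk pins `agent.enable_signature_verification=foo` to `false`, so a malformed value for a flag that this same patch defaults to `true` for security reasons fails open: a typo on the kernel command line silently turns image signature verification off. `get_bool_value` and `parse_cmdline_param!` are outside the diff, so I cannot tell whether the parser returns `Ok(false)` for non-boolean input or an error that the macro turns into `false`, but for a fail-closed flag an unparseable value should either keep the default or be rejected. I would expect that case to read `enable_signature_verification: true,` and the boolean parsing on this path to be adjusted to match, while `=0` and `=false` keep disabling it explicitly.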
@@ -1065,6 +1104,11 @@ mod tests {
         assert_eq!(d.https_proxy, config.https_proxy, "{}", msg);
         assert_eq!(d.no_proxy, config.no_proxy, "{}", msg);
         assert_eq!(d.data_integrity, config.data_integrity, "{}", msg);
+        assert_eq!(
+            d.enable_signature_verification, config.enable_signature_verification,
+            "{}",
+            msg
+        );
 
         for v in vars_to_unset {
             env::remove_var(v);
From 9aa4afee6304420c02d9f879235c7325388a2227 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Tue, 11 Oct 2022 14:33:52 +0100
Subject: [PATCH 2/3] runtime: Disable signature verification in config
Add agent.enable_signature_verification=false to the kernel_params default config to get backwards compatibility in config. Note the the agent config will default this setting to true for security reasons if it's unset
Fixes: #4888
Signed-off-by: stevenhorsman
---
 src/runtime/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index f557eb7782..87949626b6 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -126,9 +126,9 @@ AGENTCONFIGFILEPATH := /etc/agent-config.toml
 AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
 
 ROOTMEASURECONFIG ?= ""
-TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG)
-SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG)
-KERNELPARAMS += $(ROOTMEASURECONFIG)
+TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
+SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
+KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
 
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml
From 360e01c0f4c030a72ed368ff5011d4b72df7ec9c Mon Sep 17 00:00:00 2001
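Review bot: The three changed lines append `agent.enable_signature_verification=false` to `KERNELPARAMS`, `TDXKERNELPARAMS` and `SEVKERNELPARAMS` alike, so the runtime's shipped defaults — including the confidential-guest ones — disable image signature verification, and the "defaults to true for security reasons" in the commit message only applies when the parameter is absent. The kernel command line is supplied by the host, so a guest can only rely on this flag if the command line is covered by the launch measurement; `ROOTMEASURECONFIG` suggests something is measured but the diff does not show what, and the commit message should state how an operator re-enables verification. A build-time variable, `SIGVERIFYKERNELPARAM ?= agent.enable_signature_verification=false`, referenced as `$(SIGVERIFYKERNELPARAM)` in the three assignments, would let deployments override the default without patching the Makefile.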
From: stevenhorsman
Date: Tue, 11 Oct 2022 14:39:15 +0100
Subject: [PATCH 3/3] agent: Set image_client security_validate
Replace hard-coded aa_kbc_param check to set the image_client's security_validate, with reading the setting from the agent config
Fixes: #4888
Signed-off-by: stevenhorsman
---
 src/agent/src/image_rpc.rs | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/agent/src/image_rpc.rs b/src/agent/src/image_rpc.rs
index 1176735351..1e5e22510a 100644
--- a/src/agent/src/image_rpc.rs
+++ b/src/agent/src/image_rpc.rs
@@ -35,7 +35,6 @@ const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
 const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
 const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle";
 const CONFIG_JSON: &str = "config.json";
-const OFFLINE_FS_KBC_RESOURCE_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
 
 // Convenience macro to obtain the scope logger
 macro_rules! sl {
@@ -268,13 +267,15 @@ impl ImageService {
             Self::pull_image_from_registry(image, &cid, source_creds, policy_path, aa_kbc_params)?;
             Self::unpack_image(&cid)?;
         } else {
-            // TODO #4888 - Create a better way to enable signature verification. This is temporary for the PoC
-            if aa_kbc_params.eq("offline_fs_kbc::null")
-                && Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()
-            {
-                info!(sl!(), "Enabling security_validate on image_client");
-                self.image_client.lock().await.config.security_validate = true;
-            }
+            // Read enable signature verification from the agent config and set it in the image_client
+            let enable_signature_verification =
+                &AGENT_CONFIG.read().await.enable_signature_verification;
+            info!(
+                sl!(),
+                "enable_signature_verification set to: {}", enable_signature_verification
+            );
+            self.image_client.lock().await.config.security_validate =
+                *enable_signature_verification;
 
             let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
             fs::create_dir_all(&bundle_path)?;
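Review bot: `let enable_signature_verification = &AGENT_CONFIG.read().await.enable_signature_verification;` borrows the bool through the config read guard, and temporary lifetime extension on a `let` borrow means that guard appears to stay alive until the end of the enclosing `else` block — across the `self.image_client.lock().await` two statements later and whatever follows, since the block ends outside the hunk. The field is a `bool`, so copying it out releases the config lock at the end of the statement: `let enable_signature_verification = AGENT_CONFIG.read().await.enable_signature_verification;` and then `self.image_client.lock().await.config.security_validate = enable_signature_verification;` with the `*` dropped. Separately, the disabled state is the security-relevant one and would be easier to pick out of logs if it were emitted at warn rather than info level.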