Merge pull request #5552 from stevenhorsman/sig-ver-param

Sig ver param

src/agent/src/config.rs

@@ -31,6 +31,7 @@ const AA_KBC_PARAMS: &str = "agent.aa_kbc_params";
 const HTTPS_PROXY: &str = "agent.https_proxy";
 const NO_PROXY: &str = "agent.no_proxy";
 const ENABLE_DATA_INTEGRITY: &str = "agent.data_integrity";
+const ENABLE_SIGNATURE_VERIFICATION: &str = "agent.enable_signature_verification";
 
 const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
 const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
@@ -93,6 +94,7 @@ pub struct AgentConfig {
     pub https_proxy: String,
     pub no_proxy: String,
     pub data_integrity: bool,
+    pub enable_signature_verification: bool,
 }
 
 #[derive(Debug, Deserialize)]
@@ -113,6 +115,7 @@ pub struct AgentConfigBuilder {
     pub https_proxy: Option<String>,
     pub no_proxy: Option<String>,
     pub data_integrity: Option<bool>,
+    pub enable_signature_verification: Option<bool>,
 }
 
 macro_rules! config_override {
@@ -179,6 +182,7 @@ impl Default for AgentConfig {
             https_proxy: String::from(""),
             no_proxy: String::from(""),
             data_integrity: false,
+            enable_signature_verification: true,
         }
     }
 }
@@ -212,6 +216,11 @@ impl FromStr for AgentConfig {
         config_override!(agent_config_builder, agent_config, https_proxy);
         config_override!(agent_config_builder, agent_config, no_proxy);
         config_override!(agent_config_builder, agent_config, data_integrity);
+        config_override!(
+            agent_config_builder,
+            agent_config,
+            enable_signature_verification
+        );
 
         // Populate the allowed endpoints hash set, if we got any from the config file.
         if let Some(endpoints) = agent_config_builder.endpoints {
@@ -334,6 +343,13 @@ impl AgentConfig {
                 config.data_integrity,
                 get_bool_value
             );
+
+            parse_cmdline_param!(
+                param,
+                ENABLE_SIGNATURE_VERIFICATION,
+                config.enable_signature_verification,
+                get_bool_value
+            );
         }
 
         if let Ok(addr) = env::var(SERVER_ADDR_ENV_VAR) {
@@ -537,6 +553,7 @@ mod tests {
         assert_eq!(config.log_level, DEFAULT_LOG_LEVEL);
         assert_eq!(config.hotplug_timeout, DEFAULT_HOTPLUG_TIMEOUT);
         assert_eq!(config.container_policy_path, "");
+        assert!(config.enable_signature_verification);
     }
 
     #[test]
@@ -560,6 +577,7 @@ mod tests {
             https_proxy: &'a str,
             no_proxy: &'a str,
             data_integrity: bool,
+            enable_signature_verification: bool,
         }
 
         impl Default for TestData<'_> {
@@ -580,6 +598,7 @@ mod tests {
                     https_proxy: "",
                     no_proxy: "",
                     data_integrity: false,
+                    enable_signature_verification: true,
                 }
             }
         }
@@ -1009,6 +1028,26 @@ mod tests {
                 data_integrity: false,
                 ..Default::default()
             },
+            TestData {
+                contents: "agent.enable_signature_verification=false",
+                enable_signature_verification: false,
+                ..Default::default()
+            },
+            TestData {
+                contents: "agent.enable_signature_verification=0",
+                enable_signature_verification: false,
+                ..Default::default()
+            },
+            TestData {
+                contents: "agent.enable_signature_verification=1",
+                enable_signature_verification: true,
+                ..Default::default()
+            },
+            TestData {
+                contents: "agent.enable_signature_verification=foo",
+                enable_signature_verification: false,
+                ..Default::default()
+            },
         ];
 
         let dir = tempdir().expect("failed to create tmpdir");
@@ -1065,6 +1104,11 @@ mod tests {
             assert_eq!(d.https_proxy, config.https_proxy, "{}", msg);
             assert_eq!(d.no_proxy, config.no_proxy, "{}", msg);
             assert_eq!(d.data_integrity, config.data_integrity, "{}", msg);
+            assert_eq!(
+                d.enable_signature_verification, config.enable_signature_verification,
+                "{}",
+                msg
+            );
 
             for v in vars_to_unset {
                 env::remove_var(v);

src/agent/src/image_rpc.rs

@@ -35,7 +35,6 @@ const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
 const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
 const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle";
 const CONFIG_JSON: &str = "config.json";
-const OFFLINE_FS_KBC_RESOURCE_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
 
 // Convenience macro to obtain the scope logger
 macro_rules! sl {
@@ -268,13 +267,15 @@ impl ImageService {
             Self::pull_image_from_registry(image, &cid, source_creds, policy_path, aa_kbc_params)?;
             Self::unpack_image(&cid)?;
         } else {
-            // TODO #4888 - Create a better way to enable signature verification. This is temporary for the PoC
+            // Read enable signature verification from the agent config and set it in the image_client
-            if aa_kbc_params.eq("offline_fs_kbc::null")
+            let enable_signature_verification =
-                && Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()
+                &AGENT_CONFIG.read().await.enable_signature_verification;
-            {
+            info!(
-                info!(sl!(), "Enabling security_validate on image_client");
+                sl!(),
-                self.image_client.lock().await.config.security_validate = true;
+                "enable_signature_verification set to: {}", enable_signature_verification
-            }
+            );
+            self.image_client.lock().await.config.security_validate =
+                *enable_signature_verification;
 
             let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
             fs::create_dir_all(&bundle_path)?;

src/runtime/Makefile

@@ -126,9 +126,9 @@ AGENTCONFIGFILEPATH := /etc/agent-config.toml
 AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
 
 ROOTMEASURECONFIG ?= ""
-TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG)
+TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
-SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG)
+SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
-KERNELPARAMS += $(ROOTMEASURECONFIG)
+KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
 
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml