github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-30 05:20:41 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #5552 from stevenhorsman/sig-ver-param

Browse Source 
Sig ver param
This commit is contained in:
Fabiano Fidêncio 2022-11-03 11:22:31 +01:00 committed by GitHub
commit 95fbe46891
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 56 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
src/agent/src/config.rs
View File

@ -31,6 +31,7 @@ const AA_KBC_PARAMS: &str = "agent.aa_kbc_params";
const HTTPS_PROXY: &str = "agent.https_proxy";
const NO_PROXY: &str = "agent.no_proxy";
const ENABLE_DATA_INTEGRITY: &str = "agent.data_integrity";
const ENABLE_SIGNATURE_VERIFICATION: &str = "agent.enable_signature_verification";
const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
@ -93,6 +94,7 @@ pub struct AgentConfig {
pub https_proxy: String,
pub no_proxy: String,
pub data_integrity: bool,
pub enable_signature_verification: bool,
}
#[derive(Debug, Deserialize)]
@ -113,6 +115,7 @@ pub struct AgentConfigBuilder {
pub https_proxy: Option<String>,
pub no_proxy: Option<String>,
pub data_integrity: Option<bool>,
pub enable_signature_verification: Option<bool>,
}
macro_rules! config_override {
@ -179,6 +182,7 @@ impl Default for AgentConfig {
https_proxy: String::from(""),
no_proxy: String::from(""),
data_integrity: false,
enable_signature_verification: true,
}
}
}
@ -212,6 +216,11 @@ impl FromStr for AgentConfig {
config_override!(agent_config_builder, agent_config, https_proxy);
config_override!(agent_config_builder, agent_config, no_proxy);
config_override!(agent_config_builder, agent_config, data_integrity);
config_override!(
agent_config_builder,
agent_config,
enable_signature_verification
);
// Populate the allowed endpoints hash set, if we got any from the config file.
if let Some(endpoints) = agent_config_builder.endpoints {
@ -334,6 +343,13 @@ impl AgentConfig {
config.data_integrity,
get_bool_value
);
parse_cmdline_param!(
param,
ENABLE_SIGNATURE_VERIFICATION,
config.enable_signature_verification,
get_bool_value
);
}
if let Ok(addr) = env::var(SERVER_ADDR_ENV_VAR) {
@ -537,6 +553,7 @@ mod tests {
assert_eq!(config.log_level, DEFAULT_LOG_LEVEL);
assert_eq!(config.hotplug_timeout, DEFAULT_HOTPLUG_TIMEOUT);
assert_eq!(config.container_policy_path, "");
assert!(config.enable_signature_verification);
}
#[test]
@ -560,6 +577,7 @@ mod tests {
https_proxy: &'a str,
no_proxy: &'a str,
data_integrity: bool,
enable_signature_verification: bool,
}
impl Default for TestData<'_> {
@ -580,6 +598,7 @@ mod tests {
https_proxy: "",
no_proxy: "",
data_integrity: false,
enable_signature_verification: true,
}
}
}
@ -1009,6 +1028,26 @@ mod tests {
data_integrity: false,
..Default::default()
},
TestData {
contents: "agent.enable_signature_verification=false",
enable_signature_verification: false,
..Default::default()
},
TestData {
contents: "agent.enable_signature_verification=0",
enable_signature_verification: false,
..Default::default()
},
TestData {
contents: "agent.enable_signature_verification=1",
enable_signature_verification: true,
..Default::default()
},
TestData {
contents: "agent.enable_signature_verification=foo",
enable_signature_verification: false,
..Default::default()
},
];
let dir = tempdir().expect("failed to create tmpdir");
@ -1065,6 +1104,11 @@ mod tests {
assert_eq!(d.https_proxy, config.https_proxy, "{}", msg);
assert_eq!(d.no_proxy, config.no_proxy, "{}", msg);
assert_eq!(d.data_integrity, config.data_integrity, "{}", msg);
assert_eq!(
d.enable_signature_verification, config.enable_signature_verification,
"{}",
msg
);
for v in vars_to_unset {
env::remove_var(v);

17
src/agent/src/image_rpc.rs
View File

@ -35,7 +35,6 @@ const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle";
const CONFIG_JSON: &str = "config.json";
const OFFLINE_FS_KBC_RESOURCE_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
// Convenience macro to obtain the scope logger
macro_rules! sl {
@ -268,13 +267,15 @@ impl ImageService {
Self::pull_image_from_registry(image, &cid, source_creds, policy_path, aa_kbc_params)?;
Self::unpack_image(&cid)?;
} else {
// TODO #4888 - Create a better way to enable signature verification. This is temporary for the PoC
if aa_kbc_params.eq("offline_fs_kbc::null")
&& Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()
{
info!(sl!(), "Enabling security_validate on image_client");
self.image_client.lock().await.config.security_validate = true;
}
// Read enable signature verification from the agent config and set it in the image_client
let enable_signature_verification =
&AGENT_CONFIG.read().await.enable_signature_verification;
info!(
sl!(),
"enable_signature_verification set to: {}", enable_signature_verification
);
self.image_client.lock().await.config.security_validate =
*enable_signature_verification;
let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
fs::create_dir_all(&bundle_path)?;

6
src/runtime/Makefile
View File

@ -126,9 +126,9 @@ AGENTCONFIGFILEPATH := /etc/agent-config.toml
AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
ROOTMEASURECONFIG ?= ""
TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG)
SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG)
KERNELPARAMS += $(ROOTMEASURECONFIG)
TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false
# Name of default configuration file the runtime will use.
CONFIG_FILE = configuration.toml