agent:cdh: Introduces secure_mount API in cdh

Introduces `secure_mount` API in the cdh. It includes: - Adding the `SecureMountServiceClient`. - Implementing the `secure_mount` function to handle secure mounting requests. - Updating the confidential_data_hub.proto file to define SecureMountRequest and SecureMountResponse messages and adding the SecureMountService service. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2025-09-17 23:07:55 +00:00 · 2024-07-22 09:32:32 +08:00
parent 1528d543b2
commit a9b436f788
4 changed files with 54 additions and 9 deletions
--- a/src/agent/src/cdh.rs
+++ b/src/agent/src/cdh.rs
@@ -11,7 +11,7 @@ use anyhow::Result;
 use derivative::Derivative;
 use protocols::{
    confidential_data_hub, confidential_data_hub_ttrpc_async,
-    confidential_data_hub_ttrpc_async::SealedSecretServiceClient,
+    confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient},
 };

 use crate::CDH_SOCKET_URI;
@@ -25,15 +25,20 @@ const SEALED_SECRET_PREFIX: &str = "sealed.";
 pub struct CDHClient {
    #[derivative(Debug = "ignore")]
    sealed_secret_client: SealedSecretServiceClient,
+    #[derivative(Debug = "ignore")]
+    secure_mount_client: SecureMountServiceClient,
 }

 impl CDHClient {
    pub fn new() -> Result<Self> {
        let client = ttrpc::asynchronous::Client::connect(CDH_SOCKET_URI)?;
        let sealed_secret_client =
-            confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client);
+            confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client.clone());
+        let secure_mount_client =
+            confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client);
        Ok(CDHClient {
            sealed_secret_client,
+            secure_mount_client,
        })
    }

@@ -60,6 +65,26 @@ impl CDHClient {

        Ok((*env.to_owned()).to_string())
    }
+
+    pub async fn secure_mount(
+        &self,
+        volume_type: &str,
+        options: &std::collections::HashMap<String, String>,
+        flags: Vec<String>,
+        mount_point: &str,
+    ) -> Result<()> {
+        let req = confidential_data_hub::SecureMountRequest {
+            volume_type: volume_type.to_string(),
+            options: options.clone(),
+            flags,
+            mount_point: mount_point.to_string(),
+            ..Default::default()
+        };
+        self.secure_mount_client
+            .secure_mount(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &req)
+            .await?;
+        Ok(())
+    }
 }

 #[cfg(test)]
--- a/src/agent/src/image.rs
+++ b/src/agent/src/image.rs
@@ -21,7 +21,7 @@ use tokio::sync::Mutex;
 use crate::rpc::CONTAINER_BASE;
 use crate::AGENT_CONFIG;

-const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/";
+pub const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/";
 const CONFIG_JSON: &str = "config.json";
 const KATA_PAUSE_BUNDLE: &str = "/pause_bundle";

--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -59,6 +59,7 @@ use crate::device::{
    add_devices, get_virtio_blk_pci_device_name, update_env_pci, wait_for_net_interface,
 };
 use crate::features::get_build_features;
+use crate::image::KATA_IMAGE_WORK_DIR;
 use crate::linux_abi::*;
 use crate::metrics::get_metrics;
 use crate::mount::baremount;
@@ -106,9 +107,7 @@ use kata_types::k8s;

 pub const CONTAINER_BASE: &str = "/run/kata-containers";
 const MODPROBE_PATH: &str = "/sbin/modprobe";
-const INIT_TRUSTED_STORAGE: &str = "/usr/bin/kata-init-trusted-storage";
 const TRUSTED_IMAGE_STORAGE_DEVICE: &str = "/dev/trusted_store";
-
 /// the iptables seriers binaries could appear either in /sbin
 /// or /usr/sbin, we need to check both of them
 const USR_IPTABLES_SAVE: &str = "/usr/sbin/iptables-save";
@@ -262,10 +261,16 @@ impl AgentService {
                        secure_storage_integrity
                    );

-                    Command::new(INIT_TRUSTED_STORAGE)
-                        .args([dev_major_minor.as_str(), &secure_storage_integrity])
-                        .output()
-                        .expect("Failed to initialize trusted storage");
+                    if let Some(cdh) = self.cdh_client.as_ref() {
+                        let options = std::collections::HashMap::from([
+                            ("deviceId".to_string(), dev_major_minor),
+                            ("encryptType".to_string(), "LUKS".to_string()),
+                            ("dataIntegrity".to_string(), secure_storage_integrity),
+                        ]);
+                        cdh.secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR)
+                            .await?;
+                        break;
+                    }
                }
            }
        }
--- a/src/libs/protocols/protos/confidential_data_hub.proto
+++ b/src/libs/protocols/protos/confidential_data_hub.proto
@@ -17,6 +17,21 @@ message UnsealSecretOutput {
    bytes plaintext = 1;
 }

+message SecureMountRequest {
+    string volume_type = 1;
+    map<string, string> options = 2;
+    repeated string flags = 3;
+    string mount_point = 4;
+}
+
+message SecureMountResponse {
+    string mount_path = 1;
+}
+
 service SealedSecretService {
    rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
 }
+
+service SecureMountService {
+    rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
+}