From fcea177d966a4d0fa7131355d2b761c96423cb87 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 3 Mar 2023 13:09:27 +0800 Subject: [PATCH 1/5] agent: add support for ttrpc This commit brings ttrpc of image-rs. It will use the lightweight underlying ttrpc to interact between kata-agent and attestation-agent. Also, this PR brings a patch for `oci-distribution`, because two dependencies of `image-rs` depends on different versions of `oci-distribution`, which will cause that `image-rs` can not be built. We need a specified version of `oci-distribution` to unify. Fixes #6219 Signed-off-by: Xynnn007 --- src/agent/Cargo.lock | 444 ++++++++++++------------------------- src/agent/Cargo.toml | 7 +- src/agent/src/image_rpc.rs | 14 +- 3 files changed, 150 insertions(+), 315 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 097b022b74..e09dd0eec1 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -239,27 +239,6 @@ dependencies = [ "syn", ] -[[package]] -name = "async-stream" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dad5c83079eae9969be7fadefe640a1c566901f05ff91ab221de4b6f68d9507e" -dependencies = [ - "async-stream-impl", - "futures-core", -] - -[[package]] -name = "async-stream-impl" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "10f203db73a71dfa2fb6dd22763990fa26f3d2625a6da2da900d23b87d26be27" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - [[package]] name = "async-task" version = "4.3.0" @@ -268,9 +247,9 @@ checksum = "7a40729d2133846d9ed0ea60a8b9541bccddab49cd30f0715a1da672fe9a2524" [[package]] name = "async-trait" -version = "0.1.60" +version = "0.1.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "677d1d8ab452a3936018a687b20e6f7cf5363d713b732b8884001317b0e48aa3" +checksum = "b84f9ebcc6c1f5b8cb160f6990096a5c127f423fcb6e1ccc46c370cbdfb75dfc" dependencies = [ "proc-macro2", "quote", 
@@ -309,52 +288,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" -[[package]] -name = "axum" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08b108ad2665fa3f6e6a517c3d80ec3e77d224c47d605167aefaa5d7ef97fa48" -dependencies = [ - "async-trait", - "axum-core", - "bitflags", - "bytes 1.3.0", - "futures-util", - "http", - "http-body", - "hyper", - "itoa", - "matchit", - "memchr", - "mime", - "percent-encoding", - "pin-project-lite", - "rustversion", - "serde", - "sync_wrapper", - "tower", - "tower-http", - "tower-layer", - "tower-service", -] - -[[package]] -name = "axum-core" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79b8558f5a0581152dc94dcd289132a1d377494bdeafcd41869b3258e3e2ad92" -dependencies = [ - "async-trait", - "bytes 1.3.0", - "futures-util", - "http", - "http-body", - "mime", - "rustversion", - "tower-layer", - "tower-service", -] - [[package]] name = "base64" version = "0.13.1" @@ -1767,12 +1700,6 @@ dependencies = [ "pin-project-lite", ] -[[package]] -name = "http-range-header" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bfe8eed0a9285ef776bb792479ea3834e8b94e13d615c2f66d03dd50a435a29" - [[package]] name = "httparse" version = "1.8.0" @@ -1809,18 +1736,6 @@ dependencies = [ "want", ] -[[package]] -name = "hyper-timeout" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" -dependencies = [ - "hyper", - "pin-project-lite", - "tokio", - "tokio-io-timeout", -] - [[package]] name = "hyper-tls" version = "0.5.0" 
@@ -1887,23 +1802,25 @@ dependencies = [ [[package]] name = "image-rs" version = "0.1.0" -source = "git+https://github.com/confidential-containers/image-rs?rev=v0.4.0#948db858579be538724266a650e840e75e7e824d" +source = "git+https://github.com/confidential-containers/image-rs?rev=cc626a97a8225475d3a4c3c7490f6b212ca32466#cc626a97a8225475d3a4c3c7490f6b212ca32466" dependencies = [ "anyhow", "async-compression", "async-trait", "base64", + "cfg-if 1.0.0", "flate2", "flume", "futures-util", "hex", + "lazy_static", "libc", "log", "nix 0.26.2", "oci-distribution", "oci-spec", "ocicrypt-rs", - "prost 0.11.5", + "protobuf 3.2.0", "sequoia-openpgp", "serde", "serde_json", @@ -1914,8 +1831,8 @@ dependencies = [ "strum_macros", "tar", "tokio", - "tonic", - "tonic-build", + "ttrpc 0.7.1", + "ttrpc-codegen 0.4.1", "url", "walkdir", "zstd", @@ -2099,7 +2016,7 @@ dependencies = [ "opentelemetry", "procfs 0.12.0", "prometheus", - "protobuf", + "protobuf 2.28.0", "protocols", "regex", "rtnetlink", @@ -2121,7 +2038,7 @@ dependencies = [ "tracing", "tracing-opentelemetry", "tracing-subscriber", - "ttrpc", + "ttrpc 0.6.1", "url", "vsock-exporter", "which", @@ -2307,12 +2224,6 @@ dependencies = [ "regex-automata", ] -[[package]] -name = "matchit" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b87248edafb776e59e6ee64a79086f65890d3510f2c656c000bf2a7e8a0aea40" - [[package]] name = "md-5" version = "0.9.1" @@ -2707,9 +2618,9 @@ dependencies = [ [[package]] name = "oci-distribution" version = "0.9.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ac5b780ce1bd6c3c2ff72a3013f4b2d56d53ae03b20d424e99d2f6556125138" +source = "git+https://github.com/krustlet/oci-distribution.git?rev=f44124c#f44124c3c0875821d0b84a6632bf70b6d6eaf9ef" dependencies = [ + "chrono", "futures", "futures-util", "http", 
@@ -2745,10 +2656,11 @@ dependencies = [ [[package]] name = "ocicrypt-rs" version = "0.1.0" -source = "git+https://github.com/confidential-containers/ocicrypt-rs?rev=453c699#453c699a50326c2f55c7a357e90b9da1535d7c26" +source = "git+https://github.com/confidential-containers/ocicrypt-rs.git?rev=1053963#105396323715ea6787b2241c93ed87a3307dec2a" dependencies = [ "aes 0.8.2", "anyhow", + "async-trait", "base64", "base64-serde", "ctr 0.9.2", @@ -2757,12 +2669,12 @@ dependencies = [ "lazy_static", "openssl", "pin-project-lite", - "prost 0.11.5", + "protobuf 3.2.0", "serde", "serde_json", "sha2 0.10.6", "tokio", - "tonic", + "ttrpc 0.7.1", ] [[package]] @@ -3287,16 +3199,6 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c" -[[package]] -name = "prettyplease" -version = "0.1.22" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c8992a85d8e93a28bdf76137db888d3874e3b230dee5ed8bebac4c9f7617773" -dependencies = [ - "proc-macro2", - "syn", -] - [[package]] name = "proc-macro-crate" version = "1.2.1" @@ -3382,7 +3284,7 @@ dependencies = [ "memchr", "parking_lot 0.12.1", "procfs 0.14.2", - "protobuf", + "protobuf 2.28.0", "thiserror", ] @@ -3393,17 +3295,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "de5e2533f59d08fcf364fd374ebda0692a70bd6d7e66ef97f306f45c6c5d8020" dependencies = [ "bytes 1.3.0", - "prost-derive 0.8.0", -] - -[[package]] -name = "prost" -version = "0.11.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c01db6702aa05baa3f57dec92b8eeeeb4cb19e894e73996b32a4093289e54592" -dependencies = [ - "bytes 1.3.0", - "prost-derive 0.11.5", + "prost-derive", ] [[package]] 
@@ -3418,30 +3310,8 @@ dependencies = [ "log", "multimap", "petgraph 0.5.1", - "prost 0.8.0", - "prost-types 0.8.0", - "tempfile", - "which", -] - -[[package]] -name = "prost-build" -version = "0.11.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb5320c680de74ba083512704acb90fe00f28f79207286a848e730c45dd73ed6" -dependencies = [ - "bytes 1.3.0", - "heck 0.4.0", - "itertools", - "lazy_static", - "log", - "multimap", - "petgraph 0.6.2", - "prettyplease", - "prost 0.11.5", - "prost-types 0.11.5", - "regex", - "syn", + "prost", + "prost-types", "tempfile", "which", ] @@ -3459,19 +3329,6 @@ dependencies = [ "syn", ] -[[package]] -name = "prost-derive" -version = "0.11.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8842bad1a5419bca14eac663ba798f6bc19c413c2fdceb5f3ba3b0932d96720" -dependencies = [ - "anyhow", - "itertools", - "proc-macro2", - "quote", - "syn", -] - [[package]] name = "prost-types" version = "0.8.0" @@ -3479,17 +3336,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "603bbd6394701d13f3f25aada59c7de9d35a6a5887cfc156181234a44002771b" dependencies = [ "bytes 1.3.0", - "prost 0.8.0", -] - -[[package]] -name = "prost-types" -version = "0.11.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "017f79637768cde62820bc2d4fe0e45daaa027755c323ad077767c6c5f173091" -dependencies = [ - "bytes 1.3.0", - "prost 0.11.5", + "prost", ] [[package]] 
@@ -3502,13 +3349,39 @@ dependencies = [ "serde_derive", ] +[[package]] +name = "protobuf" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b55bad9126f378a853655831eb7363b7b01b81d19f8cb1218861086ca4a1a61e" +dependencies = [ + "once_cell", + "protobuf-support", + "thiserror", +] + [[package]] name = "protobuf-codegen" version = "2.28.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "033460afb75cf755fcfc16dfaed20b86468082a2ea24e05ac35ab4a099a017d6" dependencies = [ - "protobuf", + "protobuf 2.28.0", +] + +[[package]] +name = "protobuf-codegen" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0dd418ac3c91caa4032d37cb80ff0d44e2ebe637b2fb243b6234bf89cdac4901" +dependencies = [ + "anyhow", + "once_cell", + "protobuf 3.2.0", + "protobuf-parse", + "regex", + "tempfile", + "thiserror", ] [[package]] @@ -3517,8 +3390,8 @@ version = "2.28.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95a29399fc94bcd3eeaa951c715f7bea69409b2445356b00519740bcd6ddd865" dependencies = [ - "protobuf", - "protobuf-codegen", + "protobuf 2.28.0", + "protobuf-codegen 2.28.0", ] [[package]] 
@@ -3527,8 +3400,33 @@ version = "2.28.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b0a3cf0a7de7570cb67bfb9a9a585b5841b49790a1be0ef104340a2110b91135" dependencies = [ - "protobuf", - "protobuf-codegen", + "protobuf 2.28.0", + "protobuf-codegen 2.28.0", +] + +[[package]] +name = "protobuf-parse" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d39b14605eaa1f6a340aec7f320b34064feb26c93aec35d6a9a2272a8ddfa49" +dependencies = [ + "anyhow", + "indexmap", + "log", + "protobuf 3.2.0", + "protobuf-support", + "tempfile", + "thiserror", + "which", +] + +[[package]] +name = "protobuf-support" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a5d4d7b8601c814cfb36bcebb79f0e61e45e1e93640cf778837833bbed05c372" +dependencies = [ + "thiserror", ] [[package]] @@ -3537,9 +3435,9 @@ version = "0.1.0" dependencies = [ "async-trait", "oci", - "protobuf", - "ttrpc", - "ttrpc-codegen", + "protobuf 2.28.0", + "ttrpc 0.6.1", + "ttrpc-codegen 0.2.2", ] [[package]] @@ -3856,7 +3754,7 @@ dependencies = [ "nix 0.24.3", "oci", "path-absolutize 1.2.1", - "protobuf", + "protobuf 2.28.0", "protocols", "regex", "rlimit", @@ -4498,12 +4396,6 @@ dependencies = [ "unicode-ident", ] -[[package]] -name = "sync_wrapper" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "20518fe4a4c9acf048008599e464deb21beeae3d3578418951a189c235a7a9a8" - [[package]] name = "synstructure" version = "0.12.6" @@ -4697,16 +4589,6 @@ dependencies = [ "windows-sys 0.42.0", ] -[[package]] -name = "tokio-io-timeout" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30b74022ada614a1b4834de765f9bb43877f910cc8ce4be40e89042c9223a8bf" -dependencies = [ - "pin-project-lite", - "tokio", -] - [[package]] name = "tokio-macros" version = "1.8.2" 
@@ -4790,51 +4672,6 @@ dependencies = [ "serde", ] -[[package]] -name = "tonic" -version = "0.8.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f219fad3b929bef19b1f86fbc0358d35daed8f2cac972037ac0dc10bbb8d5fb" -dependencies = [ - "async-stream", - "async-trait", - "axum", - "base64", - "bytes 1.3.0", - "futures-core", - "futures-util", - "h2", - "http", - "http-body", - "hyper", - "hyper-timeout", - "percent-encoding", - "pin-project", - "prost 0.11.5", - "prost-derive 0.11.5", - "tokio", - "tokio-stream", - "tokio-util 0.7.4", - "tower", - "tower-layer", - "tower-service", - "tracing", - "tracing-futures", -] - -[[package]] -name = "tonic-build" -version = "0.8.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bf5e9b9c0f7e0a7c027dcfaba7b2c60816c7049171f679d99ee2ff65d0de8c4" -dependencies = [ - "prettyplease", - "proc-macro2", - "prost-build 0.11.5", - "quote", - "syn", -] - [[package]] name = "tough" version = "0.12.5" 
@@ -4862,51 +4699,6 @@ dependencies = [ "walkdir", ] -[[package]] -name = "tower" -version = "0.4.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8fa9be0de6cf49e536ce1851f987bd21a43b771b09473c3549a6c853db37c1c" -dependencies = [ - "futures-core", - "futures-util", - "indexmap", - "pin-project", - "pin-project-lite", - "rand 0.8.5", - "slab", - "tokio", - "tokio-util 0.7.4", - "tower-layer", - "tower-service", - "tracing", -] - -[[package]] -name = "tower-http" -version = "0.3.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f873044bf02dd1e8239e9c1293ea39dad76dc594ec16185d0a1bf31d8dc8d858" -dependencies = [ - "bitflags", - "bytes 1.3.0", - "futures-core", - "futures-util", - "http", - "http-body", - "http-range-header", - "pin-project-lite", - "tower", - "tower-layer", - "tower-service", -] - -[[package]] -name = "tower-layer" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c20c8dbed6283a09604c3e69b4b7eeb54e298b8a600d4d5ecb5ad39de609f1d0" - [[package]] name = "tower-service" version = "0.3.2" @@ -4947,16 +4739,6 @@ dependencies = [ "valuable", ] -[[package]] -name = "tracing-futures" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97d095ae15e245a057c8e8451bab9b3ee1e1f68e9ba2b4fbc18d0ac5237835f2" -dependencies = [ - "pin-project", - "tracing", -] - [[package]] name = "tracing-log" version = "0.1.3" 
@@ -5031,23 +4813,54 @@ dependencies = [ "libc", "log", "nix 0.23.2", - "protobuf", + "protobuf 2.28.0", "protobuf-codegen-pure", "thiserror", "tokio", "tokio-vsock", ] +[[package]] +name = "ttrpc" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a35f22a2964bea14afee161665bb260b83cb48e665e0260ca06ec0e775c8b06c" +dependencies = [ + "async-trait", + "byteorder", + "futures", + "libc", + "log", + "nix 0.23.2", + "protobuf 3.2.0", + "protobuf-codegen 3.2.0", + "thiserror", + "tokio", + "tokio-vsock", +] + [[package]] name = "ttrpc-codegen" version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "df80affc2cf8c589172b05ba2b8e8a88722ebf4e28b86604615497a8b6fb78c0" dependencies = [ - "protobuf", - "protobuf-codegen", + "protobuf 2.28.0", + "protobuf-codegen 2.28.0", "protobuf-codegen-pure3", - "ttrpc-compiler", + "ttrpc-compiler 0.4.2", +] + +[[package]] +name = "ttrpc-codegen" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3eea6e6c3db96d8d6c5513de779b9ef1a0ae8371fd2adfe5f03eef1cc6b8320" +dependencies = [ + "protobuf 2.28.0", + "protobuf-codegen 3.2.0", + "protobuf-support", + "ttrpc-compiler 0.6.1", ] [[package]] 
@@ -5057,11 +4870,26 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8db19ce6af25713061dd805d6733b6f0c45904bd63526ce5d2568c858b7edc71"
 dependencies = [
 "derive-new",
- "prost 0.8.0",
- "prost-build 0.8.0",
- "prost-types 0.8.0",
- "protobuf",
- "protobuf-codegen",
+ "prost",
+ "prost-build",
+ "prost-types",
+ "protobuf 2.28.0",
+ "protobuf-codegen 2.28.0",
+ "tempfile",
+]
+
+[[package]]
+name = "ttrpc-compiler"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec3cb5dbf1f0865a34fe3f722290fe776cacb16f50428610b779467b76ddf647"
+dependencies = [
+ "derive-new",
+ "prost",
+ "prost-build",
+ "prost-types",
+ "protobuf 2.28.0",
+ "protobuf-codegen 2.28.0",
 "tempfile",
 ]
 
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
index 0ecd2fb382..a07d397f39 100644
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -72,10 +72,13 @@ openssl = { version = "0.10.38", features = ["vendored"] }
 
 # Image pull/decrypt
 [target.'cfg(target_arch = "s390x")'.dependencies]
-image-rs = { git = "https://github.com/confidential-containers/image-rs", rev = "v0.4.0", default-features = false, features = ["kata-cc-s390x"] }
+image-rs = { git = "https://github.com/confidential-containers/image-rs", rev = "cc626a97a8225475d3a4c3c7490f6b212ca32466", default-features = false, features = ["kata-cc-s390x"] }
 
 [target.'cfg(not(target_arch = "s390x"))'.dependencies]
-image-rs = { git = "https://github.com/confidential-containers/image-rs", rev = "v0.4.0", default-features = true, features = ["kata-cc", "signature-simple"] }
+image-rs = { git = "https://github.com/confidential-containers/image-rs", rev = "cc626a97a8225475d3a4c3c7490f6b212ca32466", default-features = false, features = ["kata-cc"] }
+
+[patch.crates-io]
+oci-distribution = { git = "https://github.com/krustlet/oci-distribution.git", rev = "f44124c" }
 
 [dev-dependencies]
 tempfile = "3.1.0"
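Review bot: The non-s390x `image-rs` line does more than bump the rev: it flips `default-features = true` to `false` and drops the `signature-simple` feature, and the commit message does not mention either. If that feature gates image signature verification in image-rs, the rebuilt agent silently loses it, so either keep `features = ["kata-cc", "signature-simple"]` or state in the message why it is no longer needed (presumably `kata-cc` at rev cc626a97 covers it — worth confirming against image-rs's own Cargo.toml). The `[patch.crates-io]` entry pins `oci-distribution` with the abbreviated rev `f44124c`; Cargo.lock records the full `f44124c3c0875821d0b84a6632bf70b6d6eaf9ef`, and the manifest should carry that full id plus a comment explaining the patch, e.g. `# Two image-rs dependencies pull different oci-distribution versions; pin one rev until upstream converges.`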
diff --git a/src/agent/src/image_rpc.rs b/src/agent/src/image_rpc.rs
index ec88aea88c..3ae36cae2f 100644
--- a/src/agent/src/image_rpc.rs
+++ b/src/agent/src/image_rpc.rs
@@ -26,8 +26,12 @@ use image_rs::image::ImageClient;
 use std::io::Write;
 
 const AA_PATH: &str = "/usr/local/bin/attestation-agent";
-const AA_KEYPROVIDER_PORT: &str = "127.0.0.1:50000";
-const AA_GETRESOURCE_PORT: &str = "127.0.0.1:50001";
+
+const AA_KEYPROVIDER_URI: &str =
+ "unix:///run/confidential-containers/attestation-agent/keyprovider.sock";
+const AA_GETRESOURCE_URI: &str =
+ "unix:///run/confidential-containers/attestation-agent/getresource.sock";
+
 const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
 // kata rootfs is readonly, use tmpfs before CC storage is implemented.
 const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
@@ -95,7 +99,7 @@ impl ImageService {
 let ocicrypt_config = serde_json::json!({
 "key-providers": {
 "attestation-agent":{
- "grpc":AA_KEYPROVIDER_PORT
+ "ttrpc":AA_KEYPROVIDER_URI
 }
 }
 });
@@ -106,9 +110,9 @@ impl ImageService {
 // The Attestation Agent will run for the duration of the guest.
 Command::new(AA_PATH)
 .arg("--keyprovider_sock")
- .arg(AA_KEYPROVIDER_PORT)
+ .arg(AA_KEYPROVIDER_URI)
 .arg("--getresource_sock")
- .arg(AA_GETRESOURCE_PORT)
+ .arg(AA_GETRESOURCE_URI)
 .spawn()?;
 Ok(())
 }
From 30981f81b5f4a2eaf007de8e899a0e0036286ddf Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Wed, 29 Mar 2023 20:21:52 +0800
Subject: [PATCH 2/5] dep: use newest version of attestation-agent
Newest AA supports ttrpc, and it will be built when generating guest image.
Signed-off-by: Xynnn007
---
 versions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/versions.yaml b/versions.yaml
index ab0112d271..1ae1dde267 100644
--- a/versions.yaml
+++ b/versions.yaml
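Review bot: Replacing the loopback TCP endpoints with `AA_KEYPROVIDER_URI`/`AA_GETRESOURCE_URI` unix sockets under `/run/confidential-containers/attestation-agent/` makes the owner and mode of those socket files the only access control on the key-provider channel, and nothing in this hunk (or the spawn hunk further down) creates that directory or constrains its permissions — presumably the spawned attestation-agent does, but that assumption is undocumented. Suggest a comment above the two constants: `// The attestation-agent creates these sockets itself; access is governed by the directory/socket mode it sets, so keep these paths in sync with the AA's defaults.` The `"ttrpc"` key in the ocicrypt config and the `--keyprovider_sock`/`--getresource_sock` arguments are consistent with the new constants; both of those hunks sit inside functions that begin outside the hunk.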
@@ -191,7 +191,7 @@ externals:
 attestation-agent:
 description: "Provide attested key unwrapping for image decryption"
 url: "https://github.com/confidential-containers/attestation-agent"
- version: "v0.4.0"
+ version: "d7ace56f2f2c861669ab07b50598a3d3c22709af"
 
 cni-plugins:
 description: "CNI network plugins"
From 93f23dcd2a4e5e65b246f167cc3941aba04efe26 Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Thu, 30 Mar 2023 09:12:07 +0800
Subject: [PATCH 3/5] osbuilder: add ttrpc as default for attestation-agent
`ttrpc=true` parameter tells the Makefile of attestation-agent to build the attestation-agent with ttrpc support
Signed-off-by: Xynnn007
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index c246f40322..f7e992e930 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -675,7 +675,7 @@ EOF
 git fetch --depth=1 origin "${attestation_agent_version}"
 git checkout FETCH_HEAD
 [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
- make KBC=${AA_KBC} && make install DESTDIR="${ROOTFS_DIR}/usr/local/bin/"
+ make KBC=${AA_KBC} ttrpc=true && make install DESTDIR="${ROOTFS_DIR}/usr/local/bin/"
 popd
 fi
 
From 1da81308c771d178d9232d8b9f815e4d25dbbcc4 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 31 Mar 2023 10:39:03 +0200
Subject: [PATCH 4/5] dep: Add depends-on entry for tests PR
Depends-on:github.com/kata-containers/tests#5579
Signed-off-by: Jeremi Piotrowski
From 38037dbe1f82aee7bbefc50dbf714cdcc17fa19e Mon Sep 17 00:00:00 2001
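Review bot: On the rewritten `make` line `${AA_KBC}` is interpolated unquoted, so an empty or whitespace-containing value changes the argument list instead of being passed through as one `KBC=` assignment; `make KBC="${AA_KBC}" ttrpc=true && make install DESTDIR="${ROOTFS_DIR}/usr/local/bin/"` keeps it a single argument and matches the quoting already used for `DESTDIR` on the same line. The enclosing `if` block starts outside the hunk.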
From: Xynnn007
Date: Thu, 23 Mar 2023 21:16:08 +0800
Subject: [PATCH 5/5] osbuilder: Support attestation-agent[cc_kbc] TDX dependencies
attestation-agent depends on tdx-attest-rs when cc_kbc is enabled, which depends on libtdx-attest.so. Include the dev package in build container, and the runtime package in the built rootfs. The build of tdx-attest-sys (which is a dep of tdx-attest-rs) uses bindgen, which requires libclang so install that in the build container as well. We specify the tdx stack DCAP v1.15
Fixes: #6519
Signed-off-by: Xynnn007
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 2 +-
 tools/osbuilder/rootfs-builder/ubuntu/config.sh | 17 +++++++++++++++++
 .../rootfs-builder/ubuntu/rootfs_lib.sh | 15 +++++++++++++++
 .../local-build/kata-deploy-binaries.sh | 2 +-
 .../packaging/static-build/cache_components.sh | 2 +-
 5 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index f7e992e930..eceb4f0316 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -674,7 +674,7 @@ EOF
 pushd attestation-agent
 git fetch --depth=1 origin "${attestation_agent_version}"
 git checkout FETCH_HEAD
- [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
+ ( [ "${AA_KBC}" == "eaa_kbc" ] || [ "${AA_KBC}" == "cc_kbc_tdx" ] ) && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
 make KBC=${AA_KBC} ttrpc=true && make install DESTDIR="${ROOTFS_DIR}/usr/local/bin/"
 popd
 fi
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
index e66bb137be..5356dfdca0 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
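Review bot: The new `( [ … ] || [ … ] )` group forks a subshell just to evaluate two string tests, and the `&&`-chained assignment gets harder to read each time a KBC is added to the list; a `case` runs in the current shell and extends cleanly: `case "${AA_KBC}" in eaa_kbc|cc_kbc_tdx) [ "${ARCH}" == "x86_64" ] && LIBC="gnu" ;; esac`. Whatever form is kept, the line needs a short comment on why these KBCs force a glibc build — the commit message explains the libtdx-attest.so link for cc_kbc_tdx, but the eaa_kbc reason is not recorded anywhere in this hunk. The enclosing `if` block starts outside the hunk.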
@@ -37,6 +37,23 @@ RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubu
 fi
 fi
 
+if [ "${AA_KBC}" == "cc_kbc_tdx" ] && [ "${ARCH}" == "x86_64" ]; then
+ source /etc/os-release
+
+ if [ "${OS_VERSION}" == "focal" ] || [ "${OS_VERSION}" == "20.04" ]; then
+ PACKAGES+=" apt gnupg"
+ AA_KBC_EXTRAS="
+ RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/intel-sgx.list; \
+ curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add -; \
+ apt-get update; \
+ apt-get install -y libtdx-attest=1.15\* libtdx-attest-dev=1.15\* clang
+ "
+ else
+ echo "libtdx-attest-dev is only provided for Ubuntu 20.04; not for ${OS_VERSION}"
+ exit 1
+ fi
+fi
+
 if [ "$(uname -m)" != "$ARCH" ]; then
 case "$ARCH" in
 ppc64le) cc_arch=powerpc64le;;
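Review bot: The Intel SGX apt source line interpolates `${OS_VERSION}` as the suite name, but the guard just above accepts both `focal` and `20.04`, and the rootfs_lib.sh hunk in this same commit hard-codes `focal` for the same repository, so with `OS_VERSION=20.04` the generated `RUN` presumably names a suite that does not exist and fails at `apt-get update`; write `… sgx_repo/ubuntu focal main` literally (or map the version to its codename before use). The signing key is fetched with `curl -L` and piped straight into `apt-key add -`, which trusts it for every configured repository and does not fail on an HTTP error page; prefer `curl -fsSL … | gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg` with `deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] …` in the source entry, and compare the key's fingerprint against one pinned in this file (`<INTEL_SGX_KEY_FINGERPRINT>` is a placeholder) before installing it. The same `apt-key add -` pattern is repeated against the rootfs in the rootfs_lib.sh hunk below and deserves the same treatment. `gnupg` is already appended to `PACKAGES` on the line above, assuming that package install happens before this `RUN` is executed.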
@@ -58,6 +58,21 @@ EOF
 fi
 fi
 
+ if [ "${AA_KBC}" == "cc_kbc_tdx" ] && [ "${ARCH}" == "x86_64" ]; then
+ source /etc/os-release
+ if [ "${VERSION_ID}" == "20.04" ]; then
+ curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | chroot "${rootfs_dir}" apt-key add -
+
+ echo 'deb [arch=amd64] http://security.ubuntu.com/ubuntu focal-security main universe' | tee ${rootfs_dir}/etc/apt/sources.list.d/universe.list
+ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee ${rootfs_dir}/etc/apt/sources.list.d/intel-sgx.list
+ chroot "${rootfs_dir}" apt-get update && chroot "${rootfs_dir}" apt-get install -y libtdx-attest=1.15\* libtdx-attest-dev=1.15\*
+ echo 'port=4050' | chroot "${rootfs_dir}" tee /etc/tdx-attest.conf
+ else
+ echo "libtdx-attest is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}"
+ exit 1
+ fi
+ fi
+
 # Reduce image size and memory footprint by removing unnecessary files and directories.
 rm -rf $rootfs_dir/usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zsh}
 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 18ac9aed93..92a0152450 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -301,7 +301,7 @@ install_cc_se_image() {
 }
 
 install_cc_tdx_image() {
- AA_KBC="eaa_kbc"
+ AA_KBC="cc_kbc_tdx"
 image_type="image"
 image_suffix="tdx"
 root_hash_suffix="tdx"
diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh
index ef223b1c2a..5d7f292556 100755
--- a/tools/packaging/static-build/cache_components.sh
+++ b/tools/packaging/static-build/cache_components.sh
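Review bot: The rootfs install line pulls `libtdx-attest-dev=1.15\*` into the guest image, although the commit message says only the runtime package belongs in the rootfs and the dev package in the build container (which config.sh already handles); unless headers are needed at runtime, drop it: `chroot "${rootfs_dir}" apt-get update && chroot "${rootfs_dir}" apt-get install -y libtdx-attest=1.15\*`. `source /etc/os-release` reads the build environment's release file rather than `${rootfs_dir}/etc/os-release`, so `VERSION_ID` describes the builder, not the rootfs being populated — if the two are guaranteed identical, say so in a comment, otherwise source the rootfs copy. The `port=4050` written to `/etc/tdx-attest.conf` is a magic value and needs a one-line comment saying what listens on it and where the number comes from. The `universe.list` and `intel-sgx.list` entries also remain in the shipped rootfs, which should be a deliberate choice rather than a leftover; the enclosing function starts outside the hunk.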
@@ -110,7 +110,7 @@ cache_rootfs_artifacts() {
 if [ -n "${TEE}" ]; then
 if [ "${TEE}" == "tdx" ]; then
 rootfs_tarball_name="kata-static-cc-tdx-rootfs-image.tar.xz"
- aa_kbc="eaa_kbc"
+ aa_kbc="cc_kbc_tdx"
 image_type="image"
 root_hash_vanilla=""
 root_hash_tdx="${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt"