diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
index fd0799f36d..7afdf286a4 100644
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -398,11 +398,12 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 [[package]]
 name = "attester"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "anyhow",
  "async-trait",
  "base64 0.21.7",
+ "hex",
  "kbs-types",
  "log",
  "serde",
@@ -1156,7 +1157,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
 [[package]]
 name = "crypto"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "aes-gcm",
  "anyhow",
@@ -2462,7 +2463,7 @@ dependencies = [
 [[package]]
 name = "image-rs"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "anyhow",
  "async-compression",
@@ -2888,7 +2889,7 @@ dependencies = [
 [[package]]
 name = "kbc"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -2917,7 +2918,7 @@ dependencies = [
 [[package]]
 name = "kbs_protocol"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -3671,7 +3672,7 @@ dependencies = [
 [[package]]
 name = "ocicrypt-rs"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "aes",
  "anyhow",
@@ -4676,7 +4677,7 @@ dependencies = [
 [[package]]
 name = "resource_uri"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=2c5ac6b01aafcb0be3875f5743c77d654a548146#2c5ac6b01aafcb0be3875f5743c77d654a548146"
+source = "git+https://github.com/confidential-containers/guest-components?rev=51e967045296570abb4ad8bef215e92323306ed4#51e967045296570abb4ad8bef215e92323306ed4"
 dependencies = [
  "anyhow",
  "serde",
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
index efdf652cd2..b545449b89 100644
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -77,7 +77,7 @@ strum = "0.26.2"
 strum_macros = "0.26.2"
 
 # Image pull/decrypt
-image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "2c5ac6b01aafcb0be3875f5743c77d654a548146", default-features = false, optional = true }
+image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "51e967045296570abb4ad8bef215e92323306ed4", default-features = false, optional = true }
 
 # Agent Policy
 regorus = { version = "0.1.4", default-features = false, features = [
diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index f731671eca..999eae0454 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -106,6 +106,8 @@ use kata_types::k8s;
 
 pub const CONTAINER_BASE: &str = "/run/kata-containers";
 const MODPROBE_PATH: &str = "/sbin/modprobe";
+const INIT_TRUSTED_STORAGE: &str = "/usr/bin/kata-init-trusted-storage";
+const TRUSTED_IMAGE_STORAGE_DEVICE: &str = "/dev/trusted_store";
 
 /// the iptables seriers binaries could appear either in /sbin
 /// or /usr/sbin, we need to check both of them
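Review bot: The two new constants `INIT_TRUSTED_STORAGE` and `TRUSTED_IMAGE_STORAGE_DEVICE` are added without a comment saying what the helper binary does or why the device is matched by this fixed path, while the neighbouring constants in this file carry `///` doc comments. Suggest `/// Helper run as `<major>:<minor> <integrity>` to set up the trusted image storage device before it is mounted.` above `INIT_TRUSTED_STORAGE`, and `/// Device path in the OCI spec that identifies the trusted image storage block device.` above `TRUSTED_IMAGE_STORAGE_DEVICE`. The argument shape is what the later hunk in this file passes; confirm it against the helper's own usage text before committing to the wording.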
@@ -243,6 +245,31 @@ impl AgentService { } } + let linux = oci + .linux() + .as_ref() + .ok_or_else(|| anyhow!("Spec didn't contain linux field"))?; + if let Some(devices) = linux.devices() { + for specdev in devices.iter() { + if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) { + let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor()); + let secure_storage_integrity = + AGENT_CONFIG.secure_storage_integrity.to_string(); + info!( + sl(), + "trusted_store device major:min {}, enable data integrity {}", + dev_major_minor, + secure_storage_integrity + ); + + Command::new(INIT_TRUSTED_STORAGE) + .args([dev_major_minor.as_str(), &secure_storage_integrity]) + .output() + .expect("Failed to initialize trusted storage"); + } + } + } + // Both rootfs and volumes (invoked with --volume for instance) will // be processed the same way. The idea is to always mount any provided // storage to the specified MountPoint, so that it will match what's
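Review bot: `.output().expect("Failed to initialize trusted storage")` panics the whole agent if the helper cannot be spawned, and a non-zero exit from `kata-init-trusted-storage` is silently ignored because `output.status` is never checked, so a failed setup falls through to the mount handling below with the device left uninitialized. The enclosing function already returns a `Result` here (the `?` on `ok_or_else`), so propagate the spawn error with context and fail the request when the helper exits unsuccessfully, including its stderr in the message. The major:minor forwarded to the helper is taken from the OCI spec supplied by the host; whether that is acceptable in the confidential-containers threat model depends on policy checks applied before this point, which are outside the hunk. The enclosing function starts before and continues after this hunk.
```rust
// … unchanged: linux field lookup, device loop, integrity flag, info! log …
                    let output = Command::new(INIT_TRUSTED_STORAGE)
                        .args([dev_major_minor.as_str(), &secure_storage_integrity])
                        .output()
                        .map_err(|e| anyhow!("failed to run {}: {}", INIT_TRUSTED_STORAGE, e))?;
                    if !output.status.success() {
                        return Err(anyhow!(
                            "{} failed for device {} ({}): {}",
                            INIT_TRUSTED_STORAGE,
                            dev_major_minor,
                            output.status,
                            String::from_utf8_lossy(&output.stderr)
                        ));
                    }
```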