diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index 27cba075cf..6516442f94 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -224,76 +224,7 @@ impl AgentService { // cannot predict everything from the caller. add_devices(&sl(), &req.devices, &mut oci, &self.sandbox).await?; - let process = oci - .process_mut() - .as_mut() - .ok_or_else(|| anyhow!("Spec didn't contain process field"))?; - if cdh::is_cdh_client_initialized().await { - if let Some(envs) = process.env_mut().as_mut() { - for env in envs.iter_mut() { - match cdh::unseal_env(env).await { - Ok(unsealed_env) => *env = unsealed_env.to_string(), - Err(e) => { - warn!(sl(), "Failed to unseal secret: {}", e) - } - } - } - } - } - - let mounts = oci - .mounts_mut() - .as_mut() - .ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?; - if cdh::is_cdh_client_initialized().await { - for m in mounts.iter_mut() { - if m.destination().starts_with("/sealed") { - info!( - sl(), - "sealed mount destination: {:?} source: {:?}", - m.destination(), - m.source() - ); - if let Some(source_str) = m.source().as_ref().and_then(|p| p.to_str()) { - cdh::unseal_file(source_str).await?; - } else { - warn!(sl(), "Failed to unseal: Mount source is None or invalid"); - } - } - } - } - - let linux = oci - .linux() - .as_ref() - .ok_or_else(|| anyhow!("Spec didn't contain linux field"))?; - - if cdh::is_cdh_client_initialized().await { - if let Some(devices) = linux.devices() { - for specdev in devices.iter() { - if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) { - let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor()); - let secure_storage_integrity = - AGENT_CONFIG.secure_storage_integrity.to_string(); - info!( - sl(), - "trusted_store device major:min {}, enable data integrity {}", - dev_major_minor, - secure_storage_integrity - ); - - let options = std::collections::HashMap::from([ - ("deviceId".to_string(), dev_major_minor), - ("encryptType".to_string(), "LUKS".to_string()), - ("dataIntegrity".to_string(), secure_storage_integrity), - ]); - cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR) - .await?; - break; - } - } - } - } + cdh_handler(&mut oci).await?; // Both rootfs and volumes (invoked with --volume for instance) will // be processed the same way. The idea is to always mount any provided @@ -2115,6 +2046,76 @@ fn load_kernel_module(module: &protocols::agent::KernelModule) -> Result<()> { } } +async fn cdh_handler(oci: &mut Spec) -> Result<()> { + if !cdh::is_cdh_client_initialized().await { + return Ok(()); + } + let process = oci + .process_mut() + .as_mut() + .ok_or_else(|| anyhow!("Spec didn't contain process field"))?; + if let Some(envs) = process.env_mut().as_mut() { + for env in envs.iter_mut() { + match cdh::unseal_env(env).await { + Ok(unsealed_env) => *env = unsealed_env.to_string(), + Err(e) => { + warn!(sl(), "Failed to unseal secret: {}", e) + } + } + } + } + + let mounts = oci + .mounts_mut() + .as_mut() + .ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?; + + for m in mounts.iter_mut() { + if m.destination().starts_with("/sealed") { + info!( + sl(), + "sealed mount destination: {:?} source: {:?}", + m.destination(), + m.source() + ); + if let Some(source_str) = m.source().as_ref().and_then(|p| p.to_str()) { + cdh::unseal_file(source_str).await?; + } else { + warn!(sl(), "Failed to unseal: Mount source is None or invalid"); + } + } + } + + let linux = oci + .linux() + .as_ref() + .ok_or_else(|| anyhow!("Spec didn't contain linux field"))?; + + if let Some(devices) = linux.devices() { + for specdev in devices.iter() { + if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) { + let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor()); + let secure_storage_integrity = AGENT_CONFIG.secure_storage_integrity.to_string(); + info!( + sl(), + "trusted_store device major:min {}, enable data integrity {}", + dev_major_minor, + secure_storage_integrity + ); + + let options = std::collections::HashMap::from([ + ("deviceId".to_string(), dev_major_minor), + ("encryptType".to_string(), "LUKS".to_string()), + ("dataIntegrity".to_string(), secure_storage_integrity), + ]); + cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?; + break; + } + } + } + Ok(()) +} + #[cfg(test)] #[allow(dead_code)] mod tests {