From c5d94d00961c2ae4ad0e2f568832ca1637a1df15 Mon Sep 17 00:00:00 2001
From: Qi Feng Huo
Date: Fri, 21 Jun 2024 13:02:40 +0800
Subject: [PATCH] ibmse: use optional root_ca when launch kbs
- Make root_ca optional
- Check certs offline by default
- Corrected the doc
Signed-off-by: Qi Feng Huo
---
 attestation-service/verifier/src/se/README.md | 16 ++++++++--------
 attestation-service/verifier/src/se/ibmse.rs | 12 +++++++++---
 2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/attestation-service/verifier/src/se/README.md b/attestation-service/verifier/src/se/README.md
index cb33103e42..a72adef8c0 100644
--- a/attestation-service/verifier/src/se/README.md
+++ b/attestation-service/verifier/src/se/README.md
@@ -42,26 +42,26 @@ openssl genpkey -algorithm ed25519 > kbs.key
 openssl pkey -in kbs.key -pubout -out kbs.pem
 ```
-## Build KBS
+## (Option 1) Launch KBS as a program
+
+- Build KBS
 ```
 cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa
 ```
-## (Option 1) Launch KBS as a program
-
 - Prepare the material retrieved above, similar as:
 ```
 /run/confidential-containers/ibmse# .
-├── DigiCertCA.crt
 ├── certs
-│   └── ibm-z-host-key-signing-gen2.crt
+│ ├── ibm-z-host-key-signing-gen2.crt
+| └── DigiCertCA.crt
 ├── crls
-│   └── ibm-z-host-key-gen2.crl
+│ └── ibm-z-host-key-gen2.crl
 ├── hdr
-│   └── hdr.bin
+│ └── hdr.bin
 ├── hkds
-│   └── HKD-3931-0275D38.crt
+│ └── HKD-3931-0275D38.crt
 └── rsa
 ├── encrypt_key.pem
 └── encrypt_key.pub
diff --git a/attestation-service/verifier/src/se/ibmse.rs b/attestation-service/verifier/src/se/ibmse.rs
index 84d87429a4..35d6121c25 100644
--- a/attestation-service/verifier/src/se/ibmse.rs
+++ b/attestation-service/verifier/src/se/ibmse.rs
@@ -25,7 +25,7 @@ const DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT: &str = "/run/confidential-containers/i
 const DEFAULT_SE_CERTIFICATES_ROOT: &str = "/run/confidential-containers/ibmse/certs";
-const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/DigiCertCA.crt";
+const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/root_ca.crt";
 const DEFAULT_SE_CERTIFICATE_REVOCATION_LISTS_ROOT: &str = "/run/confidential-containers/ibmse/crls";
@@ -239,6 +239,12 @@ impl SeVerifierImpl {
 let root_ca_path = env_or_default!("SE_CERTIFICATE_ROOT_CA", DEFAULT_SE_CERTIFICATE_ROOT_CA);
+ let ca_option: Option;
+ if std::path::Path::new(&root_ca_path).exists() {
+ ca_option = Some(String::from(root_ca_path));
+ } else {
+ ca_option = None::;
+ }
 let mut attestation_flags = AttestationFlags::default();
 attestation_flags.set_image_phkh();
 attestation_flags.set_attest_phkh();
@@ -274,13 +280,13 @@ impl SeVerifierImpl {
 );
 let skip_certs: bool = skip_certs_env.parse::().unwrap_or(false);
 if !skip_certs {
- let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+ let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), true)?;
 verifier.verify(c)?;
 }
 }
 #[cfg(not(debug_assertions))]
 {
- let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+ let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), true)?;
 verifier.verify(c)?;
 }
 arcb.add_hostkey(c.public_key()?);
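Review bot: A root CA path that is missing or unreadable now silently becomes `None` in the `@@ -239,6 +239,12 @@` hunk, so a mistyped `SE_CERTIFICATE_ROOT_CA` raises no error and the host-key-document chain is checked against whatever anchors `CertVerifier::new` falls back to without a root CA (presumably the system trust store; that code is not visible here). The first hunk makes this likely on upgrade, since the default moves from `DigiCertCA.crt` to `root_ca.crt` and existing deployments will not have that file. I would keep the file optional only when the variable is unset and fail closed otherwise, e.g. `if std::env::var_os("SE_CERTIFICATE_ROOT_CA").is_some() && !std::path::Path::new(&root_ca_path).is_file() { /* return an error naming the path */ }`, and log which trust anchor is in effect. `Path::exists()` also reports false on permission errors, so an unreadable pinned CA looks the same as an absent one. The enclosing function starts and ends outside the hunk.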
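Review bot: Both `CertVerifier::new(..., ca_option.clone(), true)` calls in the `@@ -274,13 +280,13 @@` hunk hard-code the last argument, which per the commit message selects offline checking, so revocation now rests entirely on the CRL files the operator placed in the `crls` directory (`DEFAULT_SE_CERTIFICATE_REVOCATION_LISTS_ROOT`). If that directory is empty or stale, a revoked host key document would presumably still pass, and nothing in the visible code detects or reports it. I would make the mode configurable next to the existing skip flag and state the duty at the call site, e.g. `// offline = true: no CRL download; revocation relies on the local CRL files being current`. The debug and release calls are identical and could be built once before the `cfg` blocks so the two paths cannot drift. The enclosing function body continues outside the hunk.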