Add test for non-trivial KBS policy #703
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fitzthum
force-pushed
the
reference-tests
branch
4 times, most recently
from
33eafad to
64637aa
Compare
In order to set reference values from the integration tests, we need access to the rvps-tool as a crate, rather than a binary. This will also be useful if we want to add rvps functionality to the kbs-client or to the proposed trustee-ctl. To keep things simple, I just added the client as a new module in the existing crate rather than creating a new package like we do for kbs-client. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Our default policy expects the sample evidence to include a launch digest. We could remove this from the policy, but I'd like to keep it because it helps illustrate how the policy works. Ideally we would add this field to the evidence in the attester, but it doesn't seem worth it to make the extra changes for the sample evidence. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
We had already separated the RVPS server implementation from the RVPS server binary, but we put this server implementation in the bin directory. This is no good for using the server without the binary, which is exactly what we need to do for the integration tests. So, let's move the server implementation into the crate itself. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
It seems a bit more idiomatic to call this RvpsServer Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
This won't be an issue for people running the AS in a container, but if you run the AS as a process, it's very easy to be confused when the policy doesn't update. Add a warning in case there is already a policy there. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
The LocalJson storage backend expects there to be json file (with an array in it) at a given location. In case it isn't there, let's write our own file with an empty array in it. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Let's test a more complex policy where we need to set reference values. This means introducing the RVPS to the testing framework along with the RVPS tool. To handle this more complex test, let's make the test setup more robust. Right now we only have one test that uses the remote RVPS. When we introduce more tests that use the remote RVPS we'll need to double-check the robustness of the current framework. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
fitzthum
force-pushed
the
reference-tests
branch
from
64637aa to
14ee77a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce a test to see if a more complex policy, specifically, this one:
It's still a relatively simple policy, but testing it took a lot of changes. For this policy to pass, the RVPS has to be working. I added support to the testing framework to start the RVPS and add RVs to it. I added a bunch of other stuff to the framework to hopefully make it more robust.
There were no major bugs in Trustee itself, but I made a few minor tweaks that should make things easier to use. I also had to make a couple changes to the RVPS so that the client and the server both could be used as crates.