features: support native signature client

Signed-off-by: haokun.xing <haokun.xin@intel.com>

Cargo.toml

@@ -16,7 +16,7 @@ libc = "0.2"
 nix = "0.23.0"
 oci-distribution = { git = "https://github.com/krustlet/oci-distribution", rev = "1ba0d94a900a97aa1bcac032a67ea23766bcfdef" }
 oci-spec = { git = "https://github.com/containers/oci-spec-rs" }
-ocicrypt-rs = { git = "https://github.com/confidential-containers/ocicrypt-rs", rev = "e28e1d922aad72f3faeff480fc26af9c7643124c" }
+ocicrypt-rs = { git = "https://github.com/confidential-containers/ocicrypt-rs", rev = "a216b741375c6ec8d851eebe1e68af9517bb364c" }
 serde = { version = ">=1.0.27", features = ["serde_derive", "rc"] }
 serde_json = ">=1.0.9"
 sha2 = ">=0.10"

signature/Cargo.toml

@@ -19,7 +19,9 @@ tokio = { version = "1.0", features = [ "rt", "macros", "rt-multi-thread" ] }
 tonic = "0.5"
 prost = "0.8"
 strum_macros = "0.24.2"
+ocicrypt-rs = { git = "https://github.com/confidential-containers/ocicrypt-rs", rev = "a216b741375c6ec8d851eebe1e68af9517bb364c" }
+attestation_agent = { git = "https://github.com/confidential-containers/attestation-agent", rev = "3b4716dd3d8bbf0d5f8cec7bc0d528421f00fd06" }
 
 [build-dependencies]
 tonic-build = "0.5"
-shadow-rs = "0.5.25"
+shadow-rs = "0.16.1"

signature/src/agent.rs

@@ -6,8 +6,12 @@
 use std::{collections::HashMap, path::Path};
 
 use anyhow::*;
+use attestation_agent::AttestationAPIs;
+use attestation_agent::AttestationAgent;
 use oci_distribution::Reference;
+use ocicrypt_rs::config::{OcicryptConfig, OCICRYPT_ENVVARNAME};
 use serde::{Deserialize, Serialize};
+use std::result::Result::Ok;
 use tokio::fs;
 use tonic::transport::Channel;
 
@@ -35,13 +39,49 @@ pub const POLICY_FILE_PATH: &str = "/run/image-security/security_policy.json";
 /// Attestation Agent's GetResource gRPC address.
 /// It's given <https://github.com/confidential-containers/attestation-agent#run>
 pub const AA_GETRESOURCE_ADDR: &str = "http://127.0.0.1:50001";
+/// The native attestation agent's name.
+/// It's given <https://github.com/confidential-containers/attestation-agent>
+pub const NATIVE_AA_NAME: &str = "attestation-agent";
 
-/// Signature submodule agent for image signature veriication.
+/// Signature submodule agent for image signature verification.
 pub struct Agent {
- /// Get Resource Service client.
- client: GetResourceServiceClient<Channel>,
+ /// Get Resource Client
+ client: SigClient,
  kbc_name: String,
- kbc_uri: String,
+ kbs_uri: String,
+}
+
+// Types of the signature client
+enum SigClient {
+ /// Get Resource Service gRPC client
+ ServiceGPRC(GetResourceServiceClient<Channel>),
+ /// Get Rserouce native AA client
+ NativeAA(AttestationAgent),
+}
+
+impl SigClient {
+ // get_resource retrieves verification resource
+ async fn get_resource(
+ &mut self,
+ kbc_name: String,
+ kbs_uri: String,
+ resource_description: String,
+ ) -> Result<Vec<u8>> {
+ match self {
+ Self::ServiceGPRC(client) => {
+ let req = tonic::Request::new(GetResourceRequest {
+ kbc_name,
+ kbs_uri,
+ resource_description,
+ });
+ Ok(client.get_resource(req).await?.into_inner().resource)
+ }
+ Self::NativeAA(aa) => {
+ aa.download_confidential_resource(kbc_name, kbs_uri, resource_description)
+ .await
+ }
+ }
+ }
 }
 
 /// The resource description that will be passed to AA when get resource.
@@ -70,15 +110,19 @@ impl Agent {
  if kbc_name.is_empty() {
  return Err(anyhow!("aa_kbc_params: missing KBC name"));
  }
-
  if kbs_uri.is_empty() {
  return Err(anyhow!("aa_kbc_params: missing KBS URI"));
  }
-
  Ok(Self {
- client: GetResourceServiceClient::connect(AA_GETRESOURCE_ADDR).await?,
+ client: if is_native_aa() {
+ SigClient::NativeAA(AttestationAgent::new())
+ } else {
+ SigClient::ServiceGPRC(
+ GetResourceServiceClient::connect(AA_GETRESOURCE_ADDR).await?,
+ )
+ },
+ kbs_uri: kbs_uri.into(),
  kbc_name: kbc_name.into(),
- kbc_uri: kbs_uri.into(),
  })
  } else {
  Err(anyhow!("aa_kbc_params: KBC/KBS pair not found"))
@@ -91,14 +135,15 @@ impl Agent {
  /// Then save the gathered data into `path`
  async fn get_resource(&mut self, resource_name: &str, path: &str) -> Result<()> {
  let resource_description = serde_json::to_string(&ResourceDescription::new(resource_name))?;
- let req = tonic::Request::new(GetResourceRequest {
- kbc_name: self.kbc_name.clone(),
- kbs_uri: self.kbc_uri.clone(),
- resource_description,
- });
- let res = self.client.get_resource(req).await?;
-
- fs::write(path, res.into_inner().resource).await?;
+ let res = self
+ .client
+ .get_resource(
+ self.kbc_name.clone(),
+ self.kbs_uri.clone(),
+ resource_description,
+ )
+ .await?;
+ fs::write(path, res).await?;
  Ok(())
  }
 
@@ -144,3 +189,17 @@ impl Agent {
  .map_err(|e| anyhow!("Validate image failed: {:?}", e))
  }
 }
+
+fn is_native_aa() -> bool {
+ let ocicrypt_config = match OcicryptConfig::from_env(OCICRYPT_ENVVARNAME) {
+ Ok(oc) => oc,
+ Err(_) => return false,
+ };
+ let key_providers = ocicrypt_config.key_providers;
+ for (provider_name, attrs) in key_providers.iter() {
+ if provider_name == NATIVE_AA_NAME && attrs.native.is_some() {
+ return true;
+ }
+ }
+ false
+}

src/config.rs

@@ -12,7 +12,7 @@ use crate::snapshots::SnapshotType;
 use crate::CC_IMAGE_WORK_DIR;
 
 const DEFAULT_WORK_DIR: &str = "/var/lib/image-rs/";
-
+const ENABLE_SECURITY_VALIDATE: &str = "ENABLE_SECURITY_VALIDATE";
 /// `image-rs` configuration information.
 #[derive(Clone, Debug, Deserialize)]
 pub struct ImageConfig {
@@ -32,11 +32,19 @@ impl Default for ImageConfig {
  let work_dir = PathBuf::from(
  std::env::var(CC_IMAGE_WORK_DIR).unwrap_or_else(|_| DEFAULT_WORK_DIR.to_string()),
  );
-
+ let enable_security_validate = std::env::var(ENABLE_SECURITY_VALIDATE).map_or_else(
+ |_| false,
+ |v| {
+ if v == "true" {
+ return true;
+ }
+ false
+ },
+ );
  ImageConfig {
  work_dir,
  default_snapshot: SnapshotType::Overlay,
- security_validate: false,
+ security_validate: enable_security_validate,
  }
  }
 }