Support file rather than env based scheme to acquire policy, uvm info and certs.

.gitignore

@@ -1,2 +1,5 @@
+**.o
 /azmount
 /remotefs
+/tools/get-snp-report/bin
+/bin

docker/skr/Dockerfile.debug

@@ -0,0 +1,22 @@
+FROM ubuntu:18.04
+RUN apt update
+RUN apt install --fix-missing -y net-tools wget curl bc jq bash vim ssh
+
+# clearly this is extremely insecure but is only for debugging
+# do not copy this.
+RUN useradd --uid 1000 --gid 0 --non-unique -ms /bin/bash auserwithalongname
+RUN echo "auserwithalongname:shortpassword" | chpasswd
+RUN mkdir /run/sshd
+
+# set the start command which will be used by default by ACI
+# note that this script exposes attestation on an external port
+# NEVER DO THIS IN PRODUCTION as it exposes the attestations
+# which can be used to trick an attestation agent or relying party
+
+COPY ./bin/skr ./bin/get-snp-report ./bin/verbose-report /bin/
+COPY skr.sh skr-debug.sh tests/*_client.sh /
+RUN mkdir -p /tests/skr; mv *_client.sh /tests/skr
+RUN chmod +x /*.sh /tests/skr/*.sh; date > /made-date
+
+# set the start command
+CMD [ "sleep", "1000000" ]

docker/skr/build-debug.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -e
+
+# This script builds the binaries and sets up the docker image
+
+mkdir -p bin
+pushd bin
+CGO_ENABLED=0 GOOS=linux go build github.com/Microsoft/confidential-sidecar-containers/cmd/skr
+popd
+
+pushd ../../tools/get-snp-report
+make 
+popd
+
+cp ../../tools/get-snp-report/bin/get-snp-report ./bin
+cp ../../tools/get-snp-report/bin/get-fake-snp-report ./bin
+cp ../../tools/get-snp-report/bin/verbose-report ./bin
+
+docker build --tag skr -f Dockerfile.debug .
+
+# cleanup
+rm -rf bin

docker/skr/skr-debug.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# Important note: This script is meant to run from inside the container
+
+echo starting sshd
+/usr/sbin/sshd &
+
+CmdlineArgs="-logfile ./log.txt"
+
+if [ -z "${SkrSideCarArgs}" ]; then
+ SkrSideCarArgs=$1
+fi
+
+echo SkrSideCarArgs = $SkrSideCarArgs
+
+if [ -n "${SkrSideCarArgs}" ]; then
+ CmdlineArgs="${CmdlineArgs} -base64 ${SkrSideCarArgs}"
+fi
+
+if [ -z "${Port}" ]; then
+ Port=$2
+fi
+
+echo Port = $Port
+
+if [ -n "${Port}" ]; then
+ CmdlineArgs="${CmdlineArgs} -port ${Port}"
+fi
+
+echo CmdlineArgs = $CmdlineArgs
+
+if /bin/skr $CmdlineArgs; then
+ echo "1" > result
+else
+ echo "0" > result
+fi

docker/skr/tests/attest_client.sh

@@ -5,20 +5,20 @@
 
 # Important note: This script is meant to run from inside the container
 
-if [[ -z "${AttestClientRuntimeData}" ]]; then
+if [ -z "${AttestClientRuntimeData}" ]; then
  AttestClientRuntimeData=$1 
 fi
 
 echo AttestClientRuntimeData = $AttestClientRuntimeData
 
-if [[ -z "${AttestClientMAAEndpoint}" ]]; then
+if [ -z "${AttestClientMAAEndpoint}" ]; then
  AttestClientMAAEndpoint=$2
 fi
 
 echo AttestClientMAAEndpoint = $AttestClientMAAEndpoint
 
 while true; do
- if [[ -z "${AttestClientMAAEndpoint}" ]]; then
+ if [ -z "${AttestClientMAAEndpoint}" ]; then
  curl -X POST -H 'Content-Type: application/json' -d "{\"runtime_data\": \"$AttestClientRuntimeData\"}" http://localhost:8080/attest/raw > /raw.out; 
  else
  curl -X POST -H 'Content-Type: application/json' -d "{\"maa_endpoint\": \"$AttestClientMAAEndpoint\", \"runtime_data\": \"$AttestClientRuntimeData\"}" http://localhost:8080/attest/maa > /maatoken.out; 

docker/skr/tests/skr_client.sh

@@ -5,19 +5,19 @@
 
 # Important note: This script is meant to run from inside the container
 
-if [[ -z "${SkrClientMAAEndpoint}" ]]; then
+if [ -z "${SkrClientMAAEndpoint}" ]; then
  SkrClientMAAEndpoint=$1
 fi
 
 echo SkrClientMAAEndpoint = $SkrClientMAAEndpoint
 
-if [[ -z "${SkrClientAKVEndpoint}" ]]; then
+if [ -z "${SkrClientAKVEndpoint}" ]; then
  SkrClientAKVEndpoint=$2
 fi
 
 echo SkrClientAKVEndpoint = $SkrClientAKVEndpoint
 
-if [[ -z "${SkrClientKID}" ]]; then
+if [ -z "${SkrClientKID}" ]; then
  SkrClientKID=$3
 fi
 

pkg/common/info.go

@@ -9,6 +9,7 @@ import (
 
  "io/ioutil"
  "os"
+ "path/filepath"
 
  "github.com/pkg/errors"
  "github.com/sirupsen/logrus"
@@ -65,7 +66,26 @@ func THIMtoPEM(encodedHostCertsFromTHIM string) (string, error) {
  return certsString, nil
 }
 
+// Late in Public Preview, we made a change to pass the UVM information
+// via files instead of environment variables.
+// This code detects which method is being used and calls the appropriate
+// function to get the UVM information.
+
+// The environment variable scheme will go away by "General Availability"
+// but we handle both to decouple this code and the hcsshim/gcs code.
+
+// Matching PR https://github.com/microsoft/hcsshim/pull/1708
+
 func GetUvmInfomation() (UvmInformation, error) {
+ securityContextDir := os.Getenv("UVM_SECURITY_CONTEXT_DIR")
+ if securityContextDir != "" {
+ return GetUvmInfomationFromFiles()
+ } else {
+ return GetUvmInfomationFromEnv()
+ }
+}
+
+func GetUvmInfomationFromEnv() (UvmInformation, error) {
  var encodedUvmInformation UvmInformation
  encodedHostCertsFromTHIM := os.Getenv("UVM_HOST_AMD_CERTIFICATE")
 
@@ -90,3 +110,64 @@ func GetUvmInfomation() (UvmInformation, error) {
 
  return encodedUvmInformation, nil
 }
+
+// From hcsshim pkg/securitypolicy/securitypolicy.go
+
+const (
+ SecurityContextDirTemplate = "security-context-*"
+ PolicyFilename = "security-policy-base64"
+ HostAMDCertFilename = "host-amd-cert-base64"
+ ReferenceInfoFilename = "reference-info-base64"
+)
+
+func readSecurityContextFile(dir string, filename string) (string, error) {
+ targetFilename := filepath.Join(dir, filename)
+ blob, err := os.ReadFile(targetFilename)
+ if err != nil {
+ return "", err
+ }
+ return string(blob), nil
+}
+
+func GetUvmInfomationFromFiles() (UvmInformation, error) {
+ var encodedUvmInformation UvmInformation
+
+ securityContextDir := os.Getenv("UVM_SECURITY_CONTEXT_DIR")
+ if securityContextDir == "" {
+ return encodedUvmInformation, errors.New("UVM_SECURITY_CONTEXT_DIR not set")
+ }
+
+ encodedHostCertsFromTHIM, err := readSecurityContextFile(securityContextDir, HostAMDCertFilename)
+ if err != nil {
+ return encodedUvmInformation, errors.Wrapf(err, "reading host amd cert failed")
+ }
+
+ if GenerateTestData {
+ ioutil.WriteFile("uvm_host_amd_certificate.base64", []byte(encodedHostCertsFromTHIM), 0644)
+ }
+
+ if encodedHostCertsFromTHIM != "" {
+ certChain, err := THIMtoPEM(encodedHostCertsFromTHIM)
+ if err != nil {
+ return encodedUvmInformation, err
+ }
+ encodedUvmInformation.CertChain = certChain
+ }
+
+ encodedUvmInformation.EncodedSecurityPolicy, err = readSecurityContextFile(securityContextDir, PolicyFilename)
+ if err != nil {
+ return encodedUvmInformation, errors.Wrapf(err, "reading security policy failed")
+ }
+
+ encodedUvmInformation.EncodedUvmReferenceInfo, err = readSecurityContextFile(securityContextDir, ReferenceInfoFilename)
+ if err != nil {
+ return encodedUvmInformation, errors.Wrapf(err, "reading uvm reference info failed")
+ }
+
+ if GenerateTestData {
+ ioutil.WriteFile("uvm_security_policy.base64", []byte(encodedUvmInformation.EncodedSecurityPolicy), 0644)
+ ioutil.WriteFile("uvm_reference_info.base64", []byte(encodedUvmInformation.EncodedUvmReferenceInfo), 0644)
+ }
+
+ return encodedUvmInformation, nil
+}

tools/get-snp-report/Makefile

@@ -18,7 +18,7 @@ bin/get-snp-report: get-snp-report.o get-snp-report5.o get-snp-report6.o helpers
  @mkdir -p bin
  $(CC) $(LDFLAGS) -o $@ $^
 
-bin/verbose-report: verbose-report.o
+bin/verbose-report: verbose-report.o get-snp-report5.o get-snp-report6.o helpers.o
  @mkdir -p bin
  $(CC) $(LDFLAGS) -o $@ $^