From 028f982213e62d854a5c4a2c8faab490e05c6580 Mon Sep 17 00:00:00 2001 From: aditijannu Date: Fri, 29 Nov 2024 14:56:53 +0100 Subject: [PATCH 1/2] API changes --- ENV_VARS.md | 2 - api-model/src/converter.rs | 36 +++++ api-model/src/enclave.rs | 41 ++++- tools/container-converter/Cargo.lock | 2 + tools/container-converter/Cargo.toml | 2 + .../src/image_builder/enclave.rs | 22 ++- .../src/image_builder/mod.rs | 4 +- tools/container-converter/src/lib.rs | 153 +++++++++++++----- vsock-proxy/enclave/src/app_configuration.rs | 22 ++- vsock-proxy/enclave/src/dsm_key_config.rs | 99 +++++++----- vsock-proxy/enclave/src/enclave.rs | 51 ++++-- vsock-proxy/enclave/src/file_system.rs | 42 ++--- vsock-proxy/parent/src/parent.rs | 5 +- vsock-proxy/shared/src/models.rs | 36 ----- 14 files changed, 341 insertions(+), 176 deletions(-) diff --git a/ENV_VARS.md b/ENV_VARS.md index 6d47934..deee9ca 100644 --- a/ENV_VARS.md +++ b/ENV_VARS.md @@ -9,8 +9,6 @@ Format used to describe the variables - key name -- description -- example (opti The following list of variables are used while running the converted salmiac image. ##### Filesystem related variables -- FS_DSM_ENDPOINT - Override the default value of DSM_ENDPOINT used for filesystem persistence. - The default value is "https://amer.smartkey.io/" - FS_API_KEY - API key used for authenticating with DSM if the salmiac app is not converted with app certs enabled. diff --git a/api-model/src/converter.rs b/api-model/src/converter.rs index de5bc53..7e9d1c4 100644 --- a/api-model/src/converter.rs +++ b/api-model/src/converter.rs @@ -174,6 +174,12 @@ pub struct ConverterOptions { /// filesystem persistance #[cfg_attr(feature = "serde", serde(default = "default_to_false"))] pub enable_overlay_filesystem_persistence: Option, + + #[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))] + pub ccm_configuration: Option, + + #[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))] + pub dsm_configuration: Option } #[cfg(feature = "serde")] @@ -274,3 +280,33 @@ impl CertificateConfig { } } } + +/// Describes the information required to access CCM +#[derive(Clone, Eq, PartialEq, Debug)] +#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))] +pub struct CcmConfiguration { + pub ccm_url: String, +} + +impl Default for CcmConfiguration { + fn default() -> Self { + CcmConfiguration { + ccm_url: "ccm.fortanix.com:443".to_string(), + } + } +} + +/// Describes the information required to access DSM +#[derive(Clone, Eq, PartialEq, Debug)] +#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))] +pub struct DsmConfiguration { + pub dsm_url: String, +} + +impl Default for DsmConfiguration { + fn default() -> Self { + DsmConfiguration { + dsm_url: "https://apps.amer.smartkey.io/".to_string(), + } + } +} \ No newline at end of file diff --git a/api-model/src/enclave.rs b/api-model/src/enclave.rs index ac81ef2..e552f9f 100644 --- a/api-model/src/enclave.rs +++ b/api-model/src/enclave.rs @@ -7,7 +7,7 @@ #[cfg(feature = "serde")] use serde::{Deserialize, Serialize}; -use crate::converter::CertificateConfig; +use crate::converter::{CertificateConfig, DsmConfiguration}; use std::ops::Deref; @@ -26,6 +26,10 @@ pub struct EnclaveManifest { pub env_vars: Vec, pub enable_overlay_filesystem_persistence: bool, + + pub ccm_backend_url: CcmBackendUrl, + + pub dsm_configuration: DsmConfiguration, } #[derive(Debug)] @@ -116,4 +120,39 @@ impl From<&str> for User { User(value.to_string()) } } +} + +#[derive(Debug, Clone, Eq, PartialEq)] +#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))] +pub struct CcmBackendUrl { + pub host: String, + + pub port: u16, +} + +impl CcmBackendUrl { + pub fn new(url: &str) -> Result { + let split: Vec<_> = url.split(":").collect(); + + if split.len() != 2 { + return Err("ccm_url should be in format :".to_string()); + } + + match split[1].parse::() { + Err(err) => Err(format!("ccm_url port should be a number. {:?}", err)), + Ok(port) => Ok(CcmBackendUrl { + host: split[0].to_string(), + port, + }), + } + } +} + +impl Default for CcmBackendUrl { + fn default() -> Self { + CcmBackendUrl { + host: "ccm.fortanix.com".to_string(), + port: 443, + } + } } \ No newline at end of file diff --git a/tools/container-converter/Cargo.lock b/tools/container-converter/Cargo.lock index 4516d47..1947cef 100644 --- a/tools/container-converter/Cargo.lock +++ b/tools/container-converter/Cargo.lock @@ -328,6 +328,7 @@ dependencies = [ "exitcode", "futures", "http", + "lazy_static", "log", "nix", "rand", @@ -339,6 +340,7 @@ dependencies = [ "tempfile", "tokio", "toml", + "url", ] [[package]] diff --git a/tools/container-converter/Cargo.toml b/tools/container-converter/Cargo.toml index 6347f8d..9a9d9bb 100644 --- a/tools/container-converter/Cargo.toml +++ b/tools/container-converter/Cargo.toml @@ -29,6 +29,8 @@ tar = { git = "https://github.com/alexcrichton/tar-rs" } tempfile = "3.2.0" tokio = { version = "1.0.1", features = ["macros", "rt"] } toml = "0.5.8" +url = "2.2.2" +lazy_static = "1.4.0" [dev-dependencies] chrono = "0.4.22" diff --git a/tools/container-converter/src/image_builder/enclave.rs b/tools/container-converter/src/image_builder/enclave.rs index 110b289..44e009b 100644 --- a/tools/container-converter/src/image_builder/enclave.rs +++ b/tools/container-converter/src/image_builder/enclave.rs @@ -4,8 +4,8 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -use api_model::enclave::{EnclaveManifest, FileSystemConfig, UserConfig}; -use api_model::converter::{ConverterOptions, CertificateConfig}; +use api_model::enclave::{EnclaveManifest, FileSystemConfig, UserConfig, CcmBackendUrl}; +use api_model::converter::{ConverterOptions, CertificateConfig, DsmConfiguration}; use docker_image_reference::Reference as DockerReference; use log::{info, debug, warn}; use nix::unistd::chown; @@ -86,7 +86,7 @@ pub(crate) fn get_image_env(input_image: &ImageWithDetails<'_>, converter_option } result } - +#[derive(Debug, Eq, PartialEq)] pub(crate) struct EnclaveSettings { user_name: String, @@ -94,7 +94,11 @@ pub(crate) struct EnclaveSettings { is_debug: bool, - enable_overlay_filesystem_persistence: bool + enable_overlay_filesystem_persistence: bool, + + ccm_backend_url: CcmBackendUrl, + + dsm_configuration: DsmConfiguration } impl EnclaveSettings { @@ -103,7 +107,9 @@ impl EnclaveSettings { user_name: input_image.details.config.user.clone(), env_vars: vec![rust_log_env_var("enclave")], is_debug: converter_options.debug.unwrap_or(false), - enable_overlay_filesystem_persistence: converter_options.enable_overlay_filesystem_persistence.unwrap_or(false) + enable_overlay_filesystem_persistence: converter_options.enable_overlay_filesystem_persistence.unwrap_or(false), + ccm_backend_url: CcmBackendUrl::new(converter_options.ccm_configuration.clone().unwrap_or_default().ccm_url.as_str()).unwrap_or_default(), + dsm_configuration: converter_options.dsm_configuration.clone().unwrap_or_default() } } } @@ -152,6 +158,8 @@ impl<'a> EnclaveImageBuilder<'a> { ) -> Result { let is_debug = enclave_settings.is_debug; let enable_overlay_filesystem_persistence = enclave_settings.enable_overlay_filesystem_persistence; + let ccm_backend_url = enclave_settings.ccm_backend_url.clone(); + let dsm_configuration = enclave_settings.dsm_configuration.clone(); let build_context = BuildContext::new(&self.dir.path()).map_err(|message| ConverterError { message, @@ -172,7 +180,9 @@ impl<'a> EnclaveImageBuilder<'a> { file_system_config, is_debug, env_vars, - enable_overlay_filesystem_persistence + enable_overlay_filesystem_persistence, + ccm_backend_url, + dsm_configuration, }; self.create_manifest_file(enclave_manifest, &build_context)?; diff --git a/tools/container-converter/src/image_builder/mod.rs b/tools/container-converter/src/image_builder/mod.rs index c6e82f5..c87bfbe 100644 --- a/tools/container-converter/src/image_builder/mod.rs +++ b/tools/container-converter/src/image_builder/mod.rs @@ -184,7 +184,9 @@ mod tests { push_converted_image: None, env_vars: vec![], java_mode: None, - enable_overlay_filesystem_persistence: None + enable_overlay_filesystem_persistence: None, + ccm_configuration: None, + dsm_configuration: None, }; let mut test = |input_image_env_vars: Option>, diff --git a/tools/container-converter/src/lib.rs b/tools/container-converter/src/lib.rs index f00c2c4..c2472da 100644 --- a/tools/container-converter/src/lib.rs +++ b/tools/container-converter/src/lib.rs @@ -3,9 +3,8 @@ * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - use api_model::HexString; -use api_model::enclave::{UserConfig, UserProgramConfig}; +use api_model::enclave::{CcmBackendUrl, UserConfig, UserProgramConfig}; use api_model::converter::{AuthConfig, ConvertedImageInfo, ConverterOptions, HashAlgorithm, NitroEnclavesConfig, NitroEnclavesConversionRequest, NitroEnclavesConversionResponse, NitroEnclavesMeasurements, NitroEnclavesVersion}; use async_process::{Command, Stdio}; use docker_image_reference::Reference as DockerReference; @@ -57,7 +56,9 @@ pub enum ConverterErrorKind { ImageFileSystemExport, ContainerCreation, BlockFileFull, - BadCertConfig + BadCertConfig, + BadCcmConfiguration, + BadDsmConfiguration } impl fmt::Display for ConverterError { @@ -131,6 +132,25 @@ fn validate_request(request: &NitroEnclavesConversionRequest) -> Result<()> { kind: ConverterErrorKind::BadCertConfig, }); } + + if let Some(c) = &request.request.converter_options.ccm_configuration { + if CcmBackendUrl::new(c.ccm_url.as_str()).is_err() { + return Err(ConverterError { + message: "CcmConfiguration:ccm_url should be in : format".to_string(), + kind: ConverterErrorKind::BadCcmConfiguration, + }); + } + } + + if let Some(d) = &request.request.converter_options.dsm_configuration { + if url::Url::parse(&d.dsm_url).is_err() { + return Err(ConverterError { + message: "DsmConfiguration:dsm_url is not a valid url".to_string(), + kind: ConverterErrorKind::BadDsmConfiguration, + }); + } + } + Ok(()) } @@ -453,11 +473,47 @@ pub(crate) async fn run_subprocess + Debug, A: AsRef + De #[cfg(test)] mod tests { use std::env; - use api_model::converter::{CaCertificateConfig, CertificateConfig, CertIssuer, ConversionRequest, ConversionRequestImageInfo, ConverterOptions, KeyType, NitroEnclavesConversionRequest, NitroEnclavesConversionRequestOptions}; + use api_model::converter::{CertificateConfig, CertIssuer, ConversionRequest, ConversionRequestImageInfo, ConverterOptions, KeyType, NitroEnclavesConversionRequest, NitroEnclavesConversionRequestOptions, CcmConfiguration, CaCertificateConfig, DsmConfiguration}; use serde_json::Value; + use lazy_static::lazy_static; use crate::{preserve_images_list, ImageKind, validate_request, ConverterErrorKind}; + lazy_static! { + static ref SAMPLE_REQUEST: NitroEnclavesConversionRequest = NitroEnclavesConversionRequest { + request: ConversionRequest { + input_image: ConversionRequestImageInfo { name: "input-image".to_string(), auth_config: None }, + output_image: ConversionRequestImageInfo { name: "output-image".to_string(), auth_config: None }, + converter_options: ConverterOptions { + allow_cmdline_args: None, + allow_docker_pull_failure: None, + app: None, + ca_certificates: vec![], + certificates: vec![CertificateConfig { + issuer: CertIssuer::ManagerCa, + subject: None, + alt_names: vec![], + key_type: KeyType::Rsa, + key_param: Some(Value::from(2048)), + key_path: None, + cert_path: None, + chain_path: None, + }], + debug: None, + entry_point: vec![], + entry_point_args: vec![], + push_converted_image: None, + env_vars: vec![], + java_mode: None, + enable_overlay_filesystem_persistence: None, + ccm_configuration: None, + dsm_configuration: None, + }, + }, + nitro_enclaves_options: NitroEnclavesConversionRequestOptions { cpu_count: None, mem_size: None }, + }; + } + #[test] fn preserve_image_list_correct_pass() -> () { env::remove_var("PRESERVE_IMAGES"); @@ -511,6 +567,8 @@ mod tests { env_vars: vec![], java_mode: None, enable_overlay_filesystem_persistence: None, + ccm_configuration: None, + dsm_configuration: None, }, }, nitro_enclaves_options: NitroEnclavesConversionRequestOptions { cpu_count: None, mem_size: None } }; let res = validate_request(&request); @@ -548,6 +606,8 @@ mod tests { env_vars: vec![], java_mode: None, enable_overlay_filesystem_persistence: None, + ccm_configuration: None, + dsm_configuration: None, }, }, nitro_enclaves_options: NitroEnclavesConversionRequestOptions { cpu_count: None, mem_size: None } }; let res = validate_request(&request); @@ -581,6 +641,8 @@ mod tests { env_vars: vec![], java_mode: None, enable_overlay_filesystem_persistence: None, + ccm_configuration: None, + dsm_configuration: None, }, }, nitro_enclaves_options: NitroEnclavesConversionRequestOptions { cpu_count: None, mem_size: None } }; let res = validate_request(&request); @@ -618,6 +680,8 @@ mod tests { env_vars: vec![], java_mode: None, enable_overlay_filesystem_persistence: None, + ccm_configuration: None, + dsm_configuration: None, }, }, nitro_enclaves_options: NitroEnclavesConversionRequestOptions { cpu_count: None, mem_size: None } }; let res = validate_request(&request); @@ -627,45 +691,62 @@ mod tests { assert!(converter_error.message.contains("Chain path is not supported on this platform yet")); assert!(converter_error.kind == ConverterErrorKind::BadCertConfig); } + #[test] fn validate_converter_request_unsupported_ca_certificates() -> () { - let request = NitroEnclavesConversionRequest { request: ConversionRequest { - input_image: ConversionRequestImageInfo { name: "input-image".to_string(), auth_config: None }, - output_image: ConversionRequestImageInfo { name: "output-image".to_string(), auth_config: None }, - converter_options: ConverterOptions { - allow_cmdline_args: None, - allow_docker_pull_failure: None, - app: None, - ca_certificates: vec![ CaCertificateConfig { - ca_path: None, - ca_cert: None, - system: None, - } ], - certificates: vec![ CertificateConfig{ - issuer: CertIssuer::ManagerCa, - subject: None, - alt_names: vec![], - key_type: KeyType::Rsa, - key_param: Some(Value::from(2048)), - key_path: None, - cert_path: None, - chain_path: None, - }], - debug: None, - entry_point: vec![], - entry_point_args: vec![], - push_converted_image: None, - env_vars: vec![], - java_mode: None, - enable_overlay_filesystem_persistence: None, - }, - }, nitro_enclaves_options: NitroEnclavesConversionRequestOptions { cpu_count: None, mem_size: None } }; + let mut request = SAMPLE_REQUEST.clone(); + request.request.converter_options.ca_certificates = vec![CaCertificateConfig { + ca_path: None, + ca_cert: None, + system: None, + }]; let res = validate_request(&request); assert!(res.is_err()); let converter_error = res.expect_err(""); assert!(converter_error.message.contains("CA certificates are not supported on this platform yet")); - assert!(converter_error.kind == ConverterErrorKind::BadCertConfig); + assert_eq!(converter_error.kind, ConverterErrorKind::BadCertConfig); + } + + #[test] + fn validate_converter_request_ccm_configuration() -> () { + let mut request = SAMPLE_REQUEST.clone(); + + // Test 1 - Default config i.e. No ccm config set + assert!(validate_request(&request).is_ok()); + + // Test 2 - Invalid CCM configuration set + request.request.converter_options.ccm_configuration = Some(CcmConfiguration { ccm_url: "InvalidUrl".to_string() }); + let res = validate_request(&request); + assert!(res.is_err()); + + let converter_error = res.expect_err(""); + assert_eq!(converter_error.message, "CcmConfiguration:ccm_url should be in : format"); + assert_eq!(converter_error.kind, ConverterErrorKind::BadCcmConfiguration); + + // Test 3 - Valid CCM configuration set + request.request.converter_options.ccm_configuration = Some(CcmConfiguration { ccm_url: "ccm.sample.fortanix.com:267".to_string() }); + assert!(validate_request(&request).is_ok()); } + #[test] + fn validate_converter_request_dsm_configuration() -> () { + let mut request = SAMPLE_REQUEST.clone(); + + // Test 1 - Default config i.e. No dsm config set + assert!(validate_request(&request).is_ok()); + + // Test 2 - Invalid DSM configuration set + request.request.converter_options.dsm_configuration = Some(DsmConfiguration { dsm_url: "InvalidUrl".to_string() }); + let res = validate_request(&request); + assert!(res.is_err()); + + let converter_error = res.expect_err(""); + assert_eq!(converter_error.message, "DsmConfiguration:dsm_url is not a valid url"); + assert_eq!(converter_error.kind, ConverterErrorKind::BadDsmConfiguration); + + // Test 3 - Valid DSM configuration set + request.request.converter_options.dsm_configuration = Some(DsmConfiguration { dsm_url: "https://someregion.smartkey.io".to_string() }); + assert!(validate_request(&request).is_ok()); + } } diff --git a/vsock-proxy/enclave/src/app_configuration.rs b/vsock-proxy/enclave/src/app_configuration.rs index 68873f7..625bbdf 100644 --- a/vsock-proxy/enclave/src/app_configuration.rs +++ b/vsock-proxy/enclave/src/app_configuration.rs @@ -8,7 +8,7 @@ use std::collections::BTreeMap; use std::fs; use std::path::{Component, Path, PathBuf}; use std::sync::Arc; - +use api_model::enclave::CcmBackendUrl; use em_app::utils::models::{ ApplicationConfigContents, ApplicationConfigExtra, ApplicationConfigSdkmsCredentials, RuntimeAppConfig, }; @@ -17,7 +17,6 @@ use mbedtls::alloc::List as MbedtlsList; use mbedtls::pk::Pk; use mbedtls::x509::Certificate; use sdkms::api_model::Blob; -use shared::models::CCMBackendUrl; use crate::certificate::CertificateResult; use crate::enclave::write_to_file; @@ -46,7 +45,7 @@ const LOCATION_FILE: &str = "location.txt"; pub(crate) fn setup_application_configuration( em_app_credentials: &EmAppCredentials, - ccm_backend_url: &CCMBackendUrl, + ccm_backend_url: &CcmBackendUrl, api: T, fs_root: &Path, app_config_id: Blob @@ -58,7 +57,7 @@ where let app_config = api .runtime_config_api() - .get_runtime_configuration(&ccm_backend_url, em_app_credentials)?; + .get_runtime_configuration(ccm_backend_url, em_app_credentials)?; let _app_config_id_check = check_application_config_id(&app_config.config, app_config_id); @@ -321,7 +320,7 @@ pub(crate) struct EmAppRuntimeConfiguration {} impl RuntimeConfiguration for EmAppRuntimeConfiguration { fn get_runtime_configuration( &self, - ccm_backend_url: &CCMBackendUrl, + ccm_backend_url: &CcmBackendUrl, credentials: &EmAppCredentials, ) -> Result { em_app::utils::get_runtime_configuration( @@ -338,7 +337,7 @@ impl RuntimeConfiguration for EmAppRuntimeConfiguration { pub(crate) trait RuntimeConfiguration { fn get_runtime_configuration( &self, - ccm_backend_url: &CCMBackendUrl, + ccm_backend_url: &CcmBackendUrl, credentials: &EmAppCredentials, ) -> Result; } @@ -463,9 +462,8 @@ mod tests { ApplicationConfigDatasetCredentials, ApplicationConfigExtra, ApplicationConfigSdkmsCredentials, RuntimeAppConfig, }; use sdkms::api_model::Blob; - use shared::models::CCMBackendUrl; - use crate::app_configuration::{normalize_path_and_make_relative, setup_app_configs, setup_datasets, ApplicationFiles, DataSetFiles, EmAppCredentials, RuntimeConfiguration, SdkmsDataset, ApplicationConfiguration, check_application_config_id}; + use crate::app_configuration::{normalize_path_and_make_relative, setup_app_configs, setup_datasets, CcmBackendUrl, ApplicationFiles, DataSetFiles, EmAppCredentials, RuntimeConfiguration, SdkmsDataset, ApplicationConfiguration, check_application_config_id}; use em_app::compute_app_config_hash; const TEST_FOLDER: &'static str = "/tmp/salm-unit-test"; @@ -633,7 +631,7 @@ mod tests { impl RuntimeConfiguration for MockDataSet { fn get_runtime_configuration( &self, - _ccm_backend_url: &CCMBackendUrl, + _ccm_backend_url: &CcmBackendUrl, _credentials: &EmAppCredentials, ) -> Result { Ok(serde_json::from_str(self.json_data).expect("Failed serializing test json")) @@ -673,7 +671,7 @@ mod tests { } fn run_setup_runtime_configuration(json_data: &'static str) -> RuntimeAppConfig { - let backend_url = CCMBackendUrl { + let backend_url = CcmBackendUrl { host: String::new(), port: 0, }; @@ -854,7 +852,7 @@ mod tests { let api = MockDataSet { json_data: VALID_APP_CONF, }; - let backend_url = CCMBackendUrl::default(); + let backend_url = CcmBackendUrl::default(); let runtime_config = api.runtime_config_api().get_runtime_configuration(&backend_url, &credentials).expect("Get test data fail"); let app_config_id = { @@ -875,7 +873,7 @@ mod tests { let api = MockDataSet { json_data: VALID_APP_CONF, }; - let backend_url = CCMBackendUrl::default(); + let backend_url = CcmBackendUrl::default(); let runtime_config = api.runtime_config_api().get_runtime_configuration(&backend_url, &credentials).expect("Get test data fail"); let app_config_id = Blob::from("This_is_not_a_valid_hash"); diff --git a/vsock-proxy/enclave/src/dsm_key_config.rs b/vsock-proxy/enclave/src/dsm_key_config.rs index 450859c..d80b913 100644 --- a/vsock-proxy/enclave/src/dsm_key_config.rs +++ b/vsock-proxy/enclave/src/dsm_key_config.rs @@ -25,13 +25,10 @@ use sdkms::SdkmsClient; use url; use crate::certificate::CertificateResult; -use crate::file_system::find_env_or_err; const GCM_TAG_LEN_BITS: usize = 128; const SOBJECT_LIST_LIMIT: usize = 10; -pub const DEFAULT_DSM_ENDPOINT: &str = "https://amer.smartkey.io/"; const OVERLAY_FS_SECURITY_OBJECT_PREFIX: &str = "fortanix-overlayfs-security-object-build-"; -pub const DEFAULT_DSM_APP_ENDPOINT: &str = "https://apps.amer.smartkey.io/"; const TLS_MIN_VERSION: Version = Version::Tls1_2; struct ClientWithKey { @@ -39,20 +36,27 @@ struct ClientWithKey { dsm_client: SdkmsClient, } -fn dsm_create_client(env_vars: &[(String, String)], auth_cert: Option<&mut CertificateResult>) -> Result { - info!("Looking for env variables needed to create DSM client."); - let api_key = find_env_or_err("FS_API_KEY", env_vars).unwrap_or("".to_string()); +/// Information needed to connect to DSM as a client +pub struct ClientConnectionInfo<'a> { + pub fs_api_key: Option, + pub auth_cert: Option<&'a mut CertificateResult>, + pub dsm_url: String, +} + +fn dsm_create_client(conn_info: ClientConnectionInfo) -> Result { + info!("Looking for API key needed to create DSM client."); + let api_key = conn_info.fs_api_key.unwrap_or_default(); if api_key.is_empty() { info!("Using app cert for auth with DSM"); - let endpoint = find_env_or_err("FS_DSM_ENDPOINT", env_vars).unwrap_or(DEFAULT_DSM_APP_ENDPOINT.to_string()); + let endpoint = conn_info.dsm_url; let endoint_url = url::Url::parse(&*endpoint).map_err(|e| format!("Unable to parse endpoint : {:?}", e))?; let host = endoint_url .host_str() .ok_or_else(|| format!("Unable to get host from endpoint"))?; let hyper_client = dsm_create_hyper_client_with_cert( host.to_string(), - auth_cert.ok_or_else(|| format!("Unable to get auth cert for connection to DSM"))?, + conn_info.auth_cert.ok_or_else(|| format!("Unable to get auth cert for connection to DSM"))?, )?; Ok(SdkmsClient::builder() @@ -64,7 +68,7 @@ fn dsm_create_client(env_vars: &[(String, String)], auth_cert: Option<&mut Certi .map_err(|_| format!("Unable to auth with app cert"))?) } else { info!("Using API key for auth with DSM"); - let endpoint = find_env_or_err("FS_DSM_ENDPOINT", env_vars).unwrap_or(DEFAULT_DSM_ENDPOINT.to_string()); + let endpoint = conn_info.dsm_url; // Note - mapping an empty error here, mapping an error type results in a hang // Needs to be investigated. Ok(SdkmsClient::builder() @@ -207,11 +211,8 @@ fn dsm_decrypt_blob(dec_req: &DecryptRequest, client: &SdkmsClient) -> Result, - env_vars: &[(String, String)], -) -> Result { - let client = dsm_create_client(env_vars, cert_list)?; +fn dsm_get_overlayfs_key(conn_info: ClientConnectionInfo) -> Result { + let client = dsm_create_client(conn_info)?; let overlay_fs_key = dsm_get_key_by_prefix(&client, OVERLAY_FS_SECURITY_OBJECT_PREFIX)?; Ok(ClientWithKey { overlayfs_key: overlay_fs_key, @@ -220,23 +221,21 @@ fn dsm_get_overlayfs_key( } pub(crate) fn dsm_enc_with_overlayfs_key( - cert_list: Option<&mut CertificateResult>, - env_vars: &[(String, String)], + conn_info: ClientConnectionInfo, plaintext: Blob, ) -> Result { - let client_key_pair = dsm_get_overlayfs_key(cert_list, env_vars)?; + let client_key_pair = dsm_get_overlayfs_key(conn_info)?; let enc_req = dsm_generate_enc_req(&client_key_pair.overlayfs_key, plaintext)?; dsm_encrypt_blob(&enc_req, &client_key_pair.dsm_client) } pub(crate) fn dsm_dec_with_overlayfs_key( - cert_list: Option<&mut CertificateResult>, - env_vars: &[(String, String)], + conn_info: ClientConnectionInfo, ciphertext: Blob, iv: Blob, tag: Blob, ) -> Result { - let client_key_pair = dsm_get_overlayfs_key(cert_list, env_vars)?; + let client_key_pair = dsm_get_overlayfs_key(conn_info)?; let dec_req = dsm_generate_dec_req(&client_key_pair.overlayfs_key, ciphertext, iv, tag)?; dsm_decrypt_blob(&dec_req, &client_key_pair.dsm_client) } @@ -254,32 +253,27 @@ mod tests { use sdkms::api_model::Blob; use crate::certificate::CertificateResult; - use crate::dsm_key_config::{ - dsm_create_client, dsm_dec_with_overlayfs_key, dsm_enc_with_overlayfs_key, dsm_get_overlayfs_key, - OVERLAY_FS_SECURITY_OBJECT_PREFIX, - }; + use crate::dsm_key_config::{dsm_create_client, dsm_dec_with_overlayfs_key, dsm_enc_with_overlayfs_key, dsm_get_overlayfs_key, ClientConnectionInfo, OVERLAY_FS_SECURITY_OBJECT_PREFIX}; const PLAINTEXT: &str = "hello world. This is a test string."; const DSM_ENDPOINT: &str = "https://amer.smartkey.io/"; + const DSM_APP_ENDPOINT: &str = "https://apps.amer.smartkey.io/"; lazy_static! { static ref DSM_API_KEY: String = env::var("FORTANIX_API_KEY").expect("The environment variable FORTANIX_API_KEY must be set for this unit test"); static ref DSM_TEST_API_KEY: String = env::var("OVERLAYFS_UNIT_TEST_API_KEY") .expect("The environment variable OVERLAYFS_UNIT_TEST_API_KEY must be set for this unit test"); - static ref DSM_ENV_VARS: Vec<(String, String)> = vec![ - ("FS_DSM_ENDPOINT".to_string(), DSM_ENDPOINT.to_string()), - ("FS_API_KEY".to_string(), DSM_API_KEY.to_string()), - ]; - static ref DSM_ERR_ENV_VARS: Vec<(String, String)> = vec![ - ("FS_DSM_ENDPOINT".to_string(), DSM_ENDPOINT.to_string()), - ("FS_API_KEY".to_string(), DSM_TEST_API_KEY.to_string()), - ]; } #[test] fn test_connection_to_dsm() { - let dsm_client = dsm_create_client(&DSM_ENV_VARS, None); + let conn_info = ClientConnectionInfo { + fs_api_key: Some(DSM_API_KEY.to_string()), + auth_cert: None, + dsm_url: DSM_ENDPOINT.to_string(), + }; + let dsm_client = dsm_create_client(conn_info); let version = dsm_client .expect("Client creation failed") .version() @@ -313,13 +307,22 @@ mod tests { key, }; - // Note - Do not pass DSM_ENV_VARS here otherwise the API key will be used for auth to DSM + // Note - Do not pass api key here otherwise the API key will be used for auth to DSM // rather than use the appcert - let enc_resp = dsm_enc_with_overlayfs_key(Some(&mut cert_res), &vec![], Blob::from(PLAINTEXT)).unwrap(); + let conn_info_enc = ClientConnectionInfo { + fs_api_key: None, + auth_cert: Some(&mut cert_res), + dsm_url: DSM_APP_ENDPOINT.to_string(), + }; + let enc_resp = dsm_enc_with_overlayfs_key(conn_info_enc, Blob::from(PLAINTEXT)).unwrap(); + let conn_info_dec = ClientConnectionInfo { + fs_api_key: None, + auth_cert: Some(&mut cert_res), + dsm_url: DSM_APP_ENDPOINT.to_string(), + }; let dec_resp = dsm_dec_with_overlayfs_key( - Some(&mut cert_res), - &vec![], + conn_info_dec, enc_resp.cipher, enc_resp.iv.unwrap(), enc_resp.tag.unwrap(), @@ -330,11 +333,20 @@ mod tests { #[test] fn test_enc_dec_blob() { - let enc_resp = dsm_enc_with_overlayfs_key(None, &DSM_ENV_VARS, Blob::from(PLAINTEXT)).unwrap(); + let conn_info_enc = ClientConnectionInfo { + fs_api_key: Some(DSM_API_KEY.to_string()), + auth_cert: None, + dsm_url: DSM_ENDPOINT.to_string(), + }; + let enc_resp = dsm_enc_with_overlayfs_key(conn_info_enc, Blob::from(PLAINTEXT)).unwrap(); + let conn_info_dec = ClientConnectionInfo { + fs_api_key: Some(DSM_API_KEY.to_string()), + auth_cert: None, + dsm_url: DSM_ENDPOINT.to_string(), + }; let dec_resp = dsm_dec_with_overlayfs_key( - None, - &DSM_ENV_VARS, + conn_info_dec, enc_resp.cipher, enc_resp.iv.unwrap(), enc_resp.tag.unwrap(), @@ -345,7 +357,12 @@ mod tests { #[test] fn test_multiple_overlayfs_keys() { - match dsm_get_overlayfs_key(None, &DSM_ERR_ENV_VARS) { + let conn_info = ClientConnectionInfo { + fs_api_key: Some(DSM_TEST_API_KEY.to_string()), + auth_cert: None, + dsm_url: DSM_ENDPOINT.to_string(), + }; + match dsm_get_overlayfs_key(conn_info) { Ok(_) => { assert!(false); } diff --git a/vsock-proxy/enclave/src/enclave.rs b/vsock-proxy/enclave/src/enclave.rs index 8b5eeaf..46a77e4 100644 --- a/vsock-proxy/enclave/src/enclave.rs +++ b/vsock-proxy/enclave/src/enclave.rs @@ -9,9 +9,8 @@ use std::fs; use std::path::Path; use std::process::Stdio; use std::string::ToString; - -use api_model::converter::CertificateConfig; -use api_model::enclave::EnclaveManifest; +use api_model::converter::{CertificateConfig}; +use api_model::enclave::{CcmBackendUrl, EnclaveManifest}; use async_process::{Child, Command}; use async_trait::async_trait; use futures::io::{BufReader, Lines}; @@ -41,6 +40,7 @@ use tun::{AsyncDevice, Device}; use crate::app_configuration::{setup_application_configuration, EmAppApplicationConfiguration, EmAppCredentials}; use crate::certificate::{create_signer_key, default_certificate, request_certificate, write_certificate, CSRApi, CertificateResult, CertificateWithPath, EmAppCSRApi, DEFAULT_CERT_DIR, DEFAULT_CERT_RSA_KEY_SIZE}; +use crate::dsm_key_config::ClientConnectionInfo; use crate::file_system::{ close_dm_crypt_device, close_dm_verity_volume, copy_dns_file_to_mount, copy_startup_binary_to_mount, create_fortanix_directories, create_overlay_dirs, fetch_fs_mount_options, get_available_encrypted_space, @@ -107,7 +107,7 @@ pub(crate) async fn run(vsock_port: u32, settings_path: &Path) -> Result addr)?; let exit_status = start_and_await_user_program_return(setup_result, hostname, log_conn_addrs).await?; @@ -174,7 +174,12 @@ async fn startup( debug!("Running user program with the args - {:?}", existing_arguments); } - let app_config = extract_enum_value!(parent_port.read_lv().await?, SetupMessages::ApplicationConfig(e) => e)?; + let mut app_config = extract_enum_value!(parent_port.read_lv().await?, SetupMessages::ApplicationConfig(e) => e)?; + + // Always enable server verification for appconfigs in non-debug enclaves + if !enclave_manifest.is_debug { + app_config.skip_server_verify = false; + } let networking_setup_result = setup_tap_devices(parent_port).await?; @@ -207,6 +212,7 @@ fn convert_to_tuples(env_strs: &Vec) -> Result, St fn setup_app_configuration( app_config: &ApplicationConfiguration, certificate_info: Option, + ccm_backend_url: &CcmBackendUrl, ) -> Result<(), String> { if let (Some(certificate_info), Some(id)) = (certificate_info, &app_config.id) { let api = EmAppApplicationConfiguration::new(); @@ -216,7 +222,7 @@ fn setup_app_configuration( setup_application_configuration( &credentials, - &app_config.ccm_backend_url, + ccm_backend_url, api, Path::new(ENCLAVE_FS_OVERLAY_ROOT), Blob::from(id.as_str()), @@ -259,8 +265,9 @@ struct FileSystemSetupApiImpl {} impl<'a> FileSystemSetupApi<'a> for FileSystemSetupApiImpl { async fn setup(&self, nbd_config: NBDConfiguration, arg: FileSystemSetupConfig<'a>) -> Result { let enclave_manifest = arg.enclave_manifest; - let env_vars = arg.env_vars; - let cert_list = arg.cert_list; + let auth_cert = arg.cert_list; + let dsm_url = (&arg.enclave_manifest.dsm_configuration.dsm_url).to_string(); + let fs_api_key = get_fs_api_key(arg.env_vars, arg.enclave_manifest.is_debug); for export in &nbd_config.exports { run_nbd_client(nbd_config.address, export.port, &export.name).await?; @@ -283,7 +290,13 @@ impl<'a> FileSystemSetupApi<'a> for FileSystemSetupApiImpl { mount_read_only_file_system().await?; info!("Finished read only file system mount."); - mount_read_write_file_system(env_vars, cert_list, enclave_manifest.enable_overlay_filesystem_persistence).await?; + let conn_info = ClientConnectionInfo { + fs_api_key, + auth_cert, + dsm_url + }; + + mount_read_write_file_system(enclave_manifest.enable_overlay_filesystem_persistence, conn_info).await?; info!("Finished read/write file system mount."); mount_overlay_fs().await?; @@ -700,7 +713,7 @@ pub(crate) fn write_to_file + ?Sized>(path: &Path, data: &C, enti mod tests { use std::net::{IpAddr, Ipv4Addr}; - use api_model::enclave::{EnclaveManifest, FileSystemConfig, User, UserConfig, UserProgramConfig, WorkingDir}; + use api_model::{converter::{DsmConfiguration}, enclave::{CcmBackendUrl, EnclaveManifest, FileSystemConfig, User, UserConfig, UserProgramConfig, WorkingDir}}; use async_trait::async_trait; use shared::models::NBDConfiguration; use shared::socket::InMemorySocket; @@ -740,6 +753,13 @@ mod tests { is_debug: false, env_vars: vec![], enable_overlay_filesystem_persistence: false, + ccm_backend_url: CcmBackendUrl { + host: "".to_string(), + port: 0, + }, + dsm_configuration: DsmConfiguration { + dsm_url: "".to_string() + }, }, env_vars: &[], cert_list: None, @@ -764,3 +784,14 @@ mod tests { }); } } + +/// If it is a debug enclave, search for and return the FS_API_KEY. For a regular, +/// (non-debug) enclave, do not allow usage of an api key +fn get_fs_api_key(env_vars: &[(String, String)], is_debug: bool) -> Option { + if is_debug { + return env_vars + .iter() + .find_map(|e| if e.0 == "FS_API_KEY" { Some(e.1.clone()) } else { None }); + } + None +} diff --git a/vsock-proxy/enclave/src/file_system.rs b/vsock-proxy/enclave/src/file_system.rs index a9afe69..2aade97 100644 --- a/vsock-proxy/enclave/src/file_system.rs +++ b/vsock-proxy/enclave/src/file_system.rs @@ -18,8 +18,8 @@ use serde::{Deserialize, Serialize}; use serde_json; use shared::{run_subprocess, run_subprocess_with_output_setup, CommandOutputConfig}; -use crate::certificate::{CertificateResult, DEFAULT_CERT_DIR}; -use crate::dsm_key_config::{dsm_dec_with_overlayfs_key, dsm_enc_with_overlayfs_key, DEFAULT_DSM_ENDPOINT}; +use crate::certificate::{DEFAULT_CERT_DIR}; +use crate::dsm_key_config::{dsm_dec_with_overlayfs_key, dsm_enc_with_overlayfs_key, ClientConnectionInfo}; const ENCLAVE_FS_LOWER: &str = "/mnt/lower"; const ENCLAVE_FS_RW_ROOT: &str = "/mnt/overlayfs"; @@ -82,7 +82,7 @@ pub(crate) async fn mount_file_system_nodes(nodes: &[FileSystemNode], mount_opti FileSystemNode::TreeNode(node_path) => { let formatted_mount_point_str = format!("{}{node_path}", ENCLAVE_FS_OVERLAY_ROOT, node_path = node_path); let mut mount_args = vec!["--rbind", node_path, &formatted_mount_point_str]; - if node_path.clone() == "/tmp" && mount_options.is_tmp_exec { + if *node_path == "/tmp" && mount_options.is_tmp_exec { mount_args.push("-o"); mount_args.push("exec"); // Make the tmp directory of the enclave base image executable first @@ -178,10 +178,7 @@ async fn update_luks_token(device_path: &str, token_path: &str, op: TokenOp) -> /// Opens the output token file. Parses it into a luks2 token object. /// After parsing the token to obtain parameters needed to access DSM, /// fetch the overlay fs key used to wrap the RW volume passkey. -async fn get_key_from_out_token( - env_vars: &[(String, String)], - cert_list: Option<&mut CertificateResult>, -) -> Result<(), String> { +async fn get_key_from_out_token(conn_info: ClientConnectionInfo<'_>) -> Result<(), String> { // Open and parse the dmcrypt volume token file let mut token_file = fs::File::open(TOKEN_OUT_FILE).map_err(|err| format!("Unable to open token out file : {:?}", err))?; let mut token_contents = [0; MAX_TOKEN_SIZE]; @@ -200,8 +197,7 @@ async fn get_key_from_out_token( // Fetch the decrypted volume passkey let dec_resp = dsm_dec_with_overlayfs_key( - cert_list, - env_vars, + conn_info, token_json_obj.enc_key, token_json_obj.iv, token_json_obj.tag, @@ -226,8 +222,7 @@ async fn get_key_from_out_token( /// of this function creates a ext4 filesystem on it after opening /// the device async fn get_key_file( - env_vars: &[(String, String)], - cert_list: Option<&mut CertificateResult>, + conn_info: ClientConnectionInfo<'_>, conv_use_dsm_key: bool, ) -> Result { let device_path = NBD_RW_DEVICE; @@ -239,7 +234,7 @@ async fn get_key_file( match update_luks_token(device_path, TOKEN_OUT_FILE, TokenOp::Export).await { Ok(_) => { info!("Fetching key file by using token object."); - get_key_from_out_token(env_vars, cert_list).await?; + get_key_from_out_token(conn_info).await?; } Err(_) => { error!("Can't re-run apps which are converted without filesystem persistence enabled. Filesystem persistence is set to {}", conv_use_dsm_key); @@ -259,9 +254,10 @@ async fn get_key_file( // Use DSM for overlayfs persistance blockfile encryption. if conv_use_dsm_key { + let dsm_url = conn_info.dsm_url.clone(); info!("Accessing DSM to store passkey in luks2 token"); - let enc_resp = dsm_enc_with_overlayfs_key(cert_list, env_vars, passkey)?; - create_luks2_token_input(TOKEN_IN_FILE, env_vars, enc_resp)?; + let enc_resp = dsm_enc_with_overlayfs_key(conn_info, passkey)?; + create_luks2_token_input(TOKEN_IN_FILE, dsm_url, enc_resp)?; info!("Adding token object to the RW device"); update_luks_token(device_path, TOKEN_IN_FILE, TokenOp::Import).await?; @@ -274,7 +270,7 @@ async fn get_key_file( /// Generate the luks2 token object and write the same to /// the json file which will be used to add a luks2 header /// to the RW blockfile -fn create_luks2_token_input(token_path: &str, env_vars: &[(String, String)], enc_resp: EncryptResponse) -> Result<(), String> { +fn create_luks2_token_input(token_path: &str, dsm_url: String, enc_resp: EncryptResponse) -> Result<(), String> { info!("Creating Luks2 token object"); let iv = enc_resp .iv @@ -287,7 +283,7 @@ fn create_luks2_token_input(token_path: &str, env_vars: &[(String, String)], enc let token_object = LuksToken { token_type: "Fortanix-sealing-key".to_string(), key_slots: vec!["0".to_string()], - endpoint: find_env_or_err("FS_DSM_ENDPOINT", env_vars).unwrap_or(DEFAULT_DSM_ENDPOINT.to_string()), + endpoint: dsm_url, isvsvn: None, tag, enc_key: enc_resp.cipher, @@ -307,15 +303,14 @@ fn create_luks2_token_input(token_path: &str, env_vars: &[(String, String)], enc } pub(crate) async fn mount_read_write_file_system( - env_vars: &[(String, String)], - cert_list: Option<&mut CertificateResult>, enable_overlayfs_persistence: bool, + conn_info: ClientConnectionInfo<'_> ) -> Result<(), String> { // Create dir to get rid of the warning that is printed to the console by cryptsetup fs::create_dir_all(DM_CRYPT_FOLDER) .map_err(|err| format!("Failed to create folder {} for cryptsetup path. {:?}", DM_CRYPT_FOLDER, err))?; - let create_ext4 = get_key_file(env_vars, cert_list, enable_overlayfs_persistence).await?; + let create_ext4 = get_key_file(conn_info, enable_overlayfs_persistence).await?; let crypt_setup_args: [&str; 7] = [ "open", @@ -531,11 +526,4 @@ async fn generate_volume_passkey() -> Result { // Return key material as a blob Ok(Blob::from(key_blob)) -} - -pub(crate) fn find_env_or_err(key: &str, env_vars: &[(String, String)]) -> Result { - env_vars - .iter() - .find_map(|e| if e.0 == key { Some(e.1.clone()) } else { None }) - .ok_or(format!("{:?} is missing!", key)) -} +} \ No newline at end of file diff --git a/vsock-proxy/parent/src/parent.rs b/vsock-proxy/parent/src/parent.rs index 62d5622..76860c9 100644 --- a/vsock-proxy/parent/src/parent.rs +++ b/vsock-proxy/parent/src/parent.rs @@ -17,7 +17,7 @@ use ipnetwork::IpNetwork; use log::{debug, info, warn}; use parent_lib::{communicate_certificates, setup_file_system, CertificateApi, NBDExportConfig, NBD_EXPORTS}; use shared::models::{ - ApplicationConfiguration, CCMBackendUrl, FileWithPath, GlobalNetworkSettings, SetupMessages, UserProgramExitStatus, + ApplicationConfiguration, FileWithPath, GlobalNetworkSettings, SetupMessages, UserProgramExitStatus, }; use shared::socket::{AsyncReadLvStream, AsyncWriteLvStream}; use shared::tap::{start_tap_loops, PRIVATE_TAP_MTU, PRIVATE_TAP_NAME}; @@ -596,8 +596,6 @@ impl CertificateApi for EmAppCertificateApi { } async fn send_application_configuration(vsock: &mut AsyncVsockStream) -> Result<(), String> { - let ccm_backend_url = env_var_or_none("CCM_BACKEND").map_or(Ok(CCMBackendUrl::default()), |e| CCMBackendUrl::new(&e))?; - let id = get_app_config_id(); let skip_server_verify = env_var_or_none("SKIP_SERVER_VERIFY") @@ -606,7 +604,6 @@ async fn send_application_configuration(vsock: &mut AsyncVsockStream) -> Result< let application_configuration = ApplicationConfiguration { id, - ccm_backend_url, skip_server_verify, }; diff --git a/vsock-proxy/shared/src/models.rs b/vsock-proxy/shared/src/models.rs index 5a639af..abd74f5 100644 --- a/vsock-proxy/shared/src/models.rs +++ b/vsock-proxy/shared/src/models.rs @@ -49,45 +49,9 @@ pub struct NBDExport { pub struct ApplicationConfiguration { pub id: Option, - pub ccm_backend_url: CCMBackendUrl, - pub skip_server_verify: bool, } -#[derive(Serialize, Deserialize, Debug)] -pub struct CCMBackendUrl { - pub host: String, - - pub port: u16, -} - -impl CCMBackendUrl { - pub fn new(url: &str) -> Result { - let split: Vec<_> = url.split(":").collect(); - - if split.len() != 2 { - return Err("CCM_BACKEND should be in format :".to_string()); - } - - match split[1].parse::() { - Err(err) => Err(format!("CCM_BACKEND port should be a number. {:?}", err)), - Ok(port) => Ok(CCMBackendUrl { - host: split[0].to_string(), - port, - }), - } - } -} - -impl Default for CCMBackendUrl { - fn default() -> Self { - CCMBackendUrl { - host: "ccm.fortanix.com".to_string(), - port: 443, - } - } -} - #[derive(Serialize, Deserialize, Debug)] pub struct NetworkDeviceSettings { pub vsock_port_number: u32, From 4b5ed717aae577a5b276dc6950db5203dd8728c1 Mon Sep 17 00:00:00 2001 From: aditijannu Date: Fri, 29 Nov 2024 17:28:51 +0100 Subject: [PATCH 2/2] review changes --- api-model/src/converter.rs | 2 +- api-model/src/enclave.rs | 2 +- tools/container-converter/src/image_builder/enclave.rs | 2 +- vsock-proxy/enclave/src/dsm_key_config.rs | 8 ++++---- vsock-proxy/enclave/src/file_system.rs | 8 ++++---- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/api-model/src/converter.rs b/api-model/src/converter.rs index 7e9d1c4..236fa55 100644 --- a/api-model/src/converter.rs +++ b/api-model/src/converter.rs @@ -309,4 +309,4 @@ impl Default for DsmConfiguration { dsm_url: "https://apps.amer.smartkey.io/".to_string(), } } -} \ No newline at end of file +} diff --git a/api-model/src/enclave.rs b/api-model/src/enclave.rs index e552f9f..38bf16f 100644 --- a/api-model/src/enclave.rs +++ b/api-model/src/enclave.rs @@ -155,4 +155,4 @@ impl Default for CcmBackendUrl { port: 443, } } -} \ No newline at end of file +} diff --git a/tools/container-converter/src/image_builder/enclave.rs b/tools/container-converter/src/image_builder/enclave.rs index 44e009b..acfef6d 100644 --- a/tools/container-converter/src/image_builder/enclave.rs +++ b/tools/container-converter/src/image_builder/enclave.rs @@ -109,7 +109,7 @@ impl EnclaveSettings { is_debug: converter_options.debug.unwrap_or(false), enable_overlay_filesystem_persistence: converter_options.enable_overlay_filesystem_persistence.unwrap_or(false), ccm_backend_url: CcmBackendUrl::new(converter_options.ccm_configuration.clone().unwrap_or_default().ccm_url.as_str()).unwrap_or_default(), - dsm_configuration: converter_options.dsm_configuration.clone().unwrap_or_default() + dsm_configuration: converter_options.dsm_configuration.clone().unwrap_or_default(), } } } diff --git a/vsock-proxy/enclave/src/dsm_key_config.rs b/vsock-proxy/enclave/src/dsm_key_config.rs index d80b913..0f52e06 100644 --- a/vsock-proxy/enclave/src/dsm_key_config.rs +++ b/vsock-proxy/enclave/src/dsm_key_config.rs @@ -37,10 +37,10 @@ struct ClientWithKey { } /// Information needed to connect to DSM as a client -pub struct ClientConnectionInfo<'a> { - pub fs_api_key: Option, - pub auth_cert: Option<&'a mut CertificateResult>, - pub dsm_url: String, +pub(crate) struct ClientConnectionInfo<'a> { + pub(crate) fs_api_key: Option, + pub(crate) auth_cert: Option<&'a mut CertificateResult>, + pub(crate) dsm_url: String, } fn dsm_create_client(conn_info: ClientConnectionInfo) -> Result { diff --git a/vsock-proxy/enclave/src/file_system.rs b/vsock-proxy/enclave/src/file_system.rs index 2aade97..d2a14c4 100644 --- a/vsock-proxy/enclave/src/file_system.rs +++ b/vsock-proxy/enclave/src/file_system.rs @@ -257,7 +257,7 @@ async fn get_key_file( let dsm_url = conn_info.dsm_url.clone(); info!("Accessing DSM to store passkey in luks2 token"); let enc_resp = dsm_enc_with_overlayfs_key(conn_info, passkey)?; - create_luks2_token_input(TOKEN_IN_FILE, dsm_url, enc_resp)?; + create_luks2_token_input(TOKEN_IN_FILE, &dsm_url, enc_resp)?; info!("Adding token object to the RW device"); update_luks_token(device_path, TOKEN_IN_FILE, TokenOp::Import).await?; @@ -270,7 +270,7 @@ async fn get_key_file( /// Generate the luks2 token object and write the same to /// the json file which will be used to add a luks2 header /// to the RW blockfile -fn create_luks2_token_input(token_path: &str, dsm_url: String, enc_resp: EncryptResponse) -> Result<(), String> { +fn create_luks2_token_input(token_path: &str, dsm_url: &String, enc_resp: EncryptResponse) -> Result<(), String> { info!("Creating Luks2 token object"); let iv = enc_resp .iv @@ -283,7 +283,7 @@ fn create_luks2_token_input(token_path: &str, dsm_url: String, enc_resp: Encrypt let token_object = LuksToken { token_type: "Fortanix-sealing-key".to_string(), key_slots: vec!["0".to_string()], - endpoint: dsm_url, + endpoint: dsm_url.into(), isvsvn: None, tag, enc_key: enc_resp.cipher, @@ -526,4 +526,4 @@ async fn generate_volume_passkey() -> Result { // Return key material as a blob Ok(Blob::from(key_blob)) -} \ No newline at end of file +}