EAR Support #516
EAR Support #516
Conversation
fitzthum
force-pushed
the
ear
branch
16 times, most recently
from
a6068df to
fe6af93
Compare
|
This is ready for review. I tried to make this as simple as possible, but there are a lot of interlocking pieces. Please read the commit messages. They will hopefully explain what is happening and highlight a couple of significant changes (like not flattening the tcb claims anymore, not supporting multiple policies, etc) We still have some issues to resolve in the underlying crate before we can merge.
|
fitzthum
force-pushed
the
ear
branch
3 times, most recently
from
007f110 to
e3fa251
Compare
There was a problem hiding this comment.
Thanks Tobin. Nice work about code, tests and documents. I am excited to see that the design that leaves the trusted anchor calculation to users.
I have not dived into the code too deeply, but only for a quick catch for the architecture design.
This PR abondons former AS token format. Maybe we could leave the token plugins still. Probably the difficulty is where should OPA lie. My suggestion is to make OPA a common lib for both legacy AS token and EAR.
In this way, the token type could be configured in the launch toml of AS. Such as
[token]
type = "ear"
# other configs for earor
[token]
type = "simple"
# other configs for simpleThis can be implemented by
#[serde(tag = "type")]
pub enum AttestationTokenConfig {
Ear(EarConfig),
Simple(SimpleConfig),
}
pub type AttestationTokenBroker = Arc<dyn AttestationTokenBrokerTrait + Send + Sync>;
impl TryFrom<AttestationTokenConfig> for AttestationTokenBroker {
type Error = Error;
fn try_from(value: AttestationTokenConfig) -> Result<Self> {
match value {
AttestationTokenConfig::Ear(config) => {
let ear_broker = Arc::new(EarBroker::new(config)?);
Ok(ear_broker as _)
}
AttestationTokenConfig::Simple(config) => {
let simple_broker = Arc::new(SimpleBroker::new(config)?);
Ok(simple_broker as _)
}
}
}
}This would give enough flexibility to downstream users to define their different token format, although they might not be standard as EAR. But for CoCo, we can support EAR by default.
I concur that the format for generating tokens should be modular. We can default to supporting EAR, but simultaneously, retain the previous simple AS token mode as a plugin option. This approach will provide ample room for customization to the users of this project. |
|
@Xynnn007 @jialez0 You are both right that this PR makes our token provisioning less generic. In fact, it's no longer generic at all. There are some reasons for this. First, with EAR tokens the policy is fundamentally tied to the token. Our CoCo token supports just about any policy claims, but with EAR we need to generate an Appraisal. This means that 1) the policy is specific to the type of token we use. 2) A bunch of the code surrounding the policy is specific to the type of token we are using. The first thing isn't a huge problem. It's not a great user experience to require totally different policies for different tokens, but at least that is configurable at runtime. The second thing is a bit more of a problem. There is code in both the policy engine and One option would be to move most of the logic into the token generation code. The policy engine would always process all the claims and return the full results. The results would be provided as-is to the token broker. The token broker would also get the TCB claims and any other pieces of the token. I don't really like broadening the scope of the token broker like this. If we want to keep the token broker abstraction the same, we would probably have to add a bunch of conditional logic to the policy engine and It's possible to keep both tokens, but there would be costs. Keep in mind that we would need to create more tests, more examples, extend the docs, etc. Besides the costs, I actually think there are advantages to supporting fewer things. So far we have tried to make Trustee as generic as possible. In general I think this is good, but currently I think we are in danger of giving users too many ways to configure things without showing them any particular way that actually works end-to-end. I think part of the reason why we have some gaps with policies, the RVPS, etc is that we haven't been prescriptive enough. I think EAR tokens are a good fit because they are supposed to be generic, but they are more opinionated. Anyway, this change wasn't an accident, but I understand that it is kind of scary. I am open to trying to support both, but my question for you is what is the value of keeping the CoCo token? |
|
Another way we could potentially compromise is by keeping the CoCo token but populating the policy results with an EAR-like Appraisal. I'm not sure if this really makes sense tho. |
|
Hi @fitzthum
Actually we are trying to define some own token format in downstream pre-productions benefits from the original plugin design. Let's go back to your worries. The core issues are 1. token generation code and 2. user interface. For 1,
{
"work_dir": "/opt/confidential-containers/attestation-service",
"policy_engine": "opa",
"rvps_config": {
"remote_addr":"http://rvps:50003"
},
"attestation_token_broker": "Simple",
"attestation_token_config": {
"duration_min": 5
}
}After some change, it would be {
"work_dir": "/opt/confidential-containers/attestation-service",
"policy_engine": "opa",
"rvps_config": {
"remote_addr":"http://rvps:50003"
},
"attestation_token_broker": {
"type": "XXX",
...// Other options
}
"attestation_token_config": {
"duration_min": 5
}
}The default one we could set as EAR, together with all other e2e examples. Although we provide "too" many ways to run trustee, I believe most users will directly use the default configuration of our e2e test (probably EAR or Simple token), which needs to be ensured to run normally by us. Some advanced users might want do extension, then the value of extensibility values. |
Ok. This is a valid consideration. Ideally we could converge on one token, but I'm not sure what your requirements are and they might not be public. Keep in mind that the EAR token is in some ways very similar to our CoCo token. For instance, they are both JWT. The EAR token stores a public key in a similar way but with a different path. Consumers can somewhat ignore parsing the AR4SI Trust Claims by just looking at the status field of the Appraisal.
I think we should try to keep the policy engine modular. My opinion of rego/opa is declining and I would love to provide another option (as long as we don't invent it ourselves). Btw, this PR also switches from evaluating multiple policies with the AS, to only taking one policy id. If we keep support for the CoCo token, can it just take one policy or does it need to do multiple? |
One policy is ok for now. |
fitzthum
force-pushed
the
ear
branch
8 times, most recently
from
c412af8 to
927e9cc
Compare
| extensions, | ||
| }; | ||
|
|
||
| let signed_ear = ear.sign_jwt_pem(Algorithm::ES256, &self.private_key_bytes)?; |
There was a problem hiding this comment.
Ok. Could you help to mark a TODO comment or an issue to record this?
|
Found a small issue. Fixing. We should be good to go v soon |
This commit allows the AS to issue EAR tokens with the help of the rust-ear crate. EAR tokens require particular claims. This creates a binding between the AS policy and the EAR token. Specifically, the policy engine must return an EAR appraisal. The policy engine is still generic. Multiple policy engines could be implemented as long as they create an appraisal. Since policy evaluation is now closely tied to the type of token we are going to generate, make the policy engine more generic and move the logic around calling the policy engine out of lib.rs and into the token broker. There are a few other changes, including that the policy engine no longer takes multiple policies. For now, we only evaluate the first policy in the policy list, but future commits will change this convention so that we only ever think about one policy for the attestation service (until we introduce support for validating multiple devices at once). EAR Tokens also do not use flattened claims. The TCB claims are currently flattened so that we can use the key names as the input to the RVPS. This commit breaks this functionality, but a future commit will change the way the RVPS works to accomodate. There isn't a direct pairing between claim names and reference values, so there is no reason to keep flattening all the claims, especially because the flattening code has some corner cases that it does not support. This commit also adds the init_data_claims and runtime_data_claims to the tcb claims as long as the corresponding claims about the hashes are already there. This will allow the init_data to travel with the token, which will be convenient except if the init_data is too big. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]> Signed-off-by: Xynnn007 <[email protected]>
EAR tokens are JWTs. We already have a JWT verifier, so let's use this to validate our EAR tokens. We'll need a few small adjustments. First, add the path to the public key in the EAR token (it's in the endorsed claims). Second, expand the token verifier to support EC JWKs because rust-ear does not seem to support RSA. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
The sample attester is enabled by default. Remove setting the environment variable that used to enable it. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
We now require a keypair to sign/validate the attestation token. Add this keypair to the e2e test. Interestingly, we were using a keypair for validating the old CoCo token in this test, but only for the passport mode. Even in background check mode, this keypair is required or the token won't be validated at all. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Previously we expected the caller of the RVPS to provide a name for the reference value that they wanted. In the AS we were flattening the TCB claims to get this name. Ultimately, the names of the TCB claims do not map directly onto the names of the required reference values. This changes the interface to have the RVPS determine which reference values to send. At the moment, it simply sends all of them. This allows the reference values that are used to mostly be set within the policy itself, which is probably a good idea. In the future, the RVPS should be improved to include a context abtraction that allows groups of reference values to be provided to the AS. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
THe skeleton for a policy that can be used to validate the TCB claims of all platforms in the context of confidential containers. Only sample and snp are supported currently, but this should give a good idea of how to extend the policy to other platforms. There are a few tweaks we can make later, such as supporting `>` or `<` comparisons. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Update the attestestion service policy docs to describe the requirements for policies that will generate EAR tokens. Also update various example and default policies. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
EAR tokens do not support an expiration claim by default, but fortunately we can use the Extension framework to add an `exp` field that will match what we would expect in a JWT. Add this extension and check it when we validate the token. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Now that the as policy engine is more generic, re-enable and update the test. This test is slightly tied to EAR. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Since we validate Ear tokens using our JWT verifier, there are not many changes required in our test configs. Since we have a JWT, we don't have to add a new keypair for EAR tokens. This means that we're keeping the same parameters as the simple tokens. By default, the provenance of the JWT is not verified. In a future PR, we should think about creating a more secure default configuration but that is orthogonal to the EAR work. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
|
Ok, we're back. I think this is good to go. I will merge tomorrowish if there is no more feedback. One thing to note is that now that we are using the JWK verifier for Ear tokens, we can set Don't worry the Makefile test does check that the full cert chain verification works with Ear. |
|
Time to merge. I will keep a close eye on the CI and make sure I didn't leave any configs behind. Tomorrow I will post some issues with next steps for improving the policy and making tests that actually check the TCB. |
Due to EAR PR (confidential-containers#516), now the policy engine related configurations are moved to attestation_token_broker part. Thus the original `attestation_service.policy_engine` does not work anymore. Also update the configuration file document to align with the latest configuration items. Signed-off-by: Xynnn007 <[email protected]>
Due to EAR PR (confidential-containers#516), now the policy engine related configurations are moved to attestation_token_broker part. Thus the original `attestation_service.policy_engine` does not work anymore. Also update the configuration file document to align with the latest configuration items. Signed-off-by: Xynnn007 <[email protected]>
Due to EAR PR (#516), now the policy engine related configurations are moved to attestation_token_broker part. Thus the original `attestation_service.policy_engine` does not work anymore. Also update the configuration file document to align with the latest configuration items. Signed-off-by: Xynnn007 <[email protected]>
This is the very beginning of this PR. I still need to fix some issues with the underlying crate, add support for verifying tokens in the KBS, and fixup all the tests, examples, and default values.
See commit messages for more info.
Fixes: #353
Progress so far: