CDH: kbs kms plugin should get aa_kbc_params from cdh config file if it's provided #593

huoqifeng · 2024-06-20T14:28:50Z

Flow like below causes the aa_kbc_params still comes from kata-agent configure file (/etc/agent-config.toml) even a cdh configure file provided via like -c cdh.toml

guest-components/confidential-data-hub/kms/src/plugins/kbs/mod.rs

Line 36 in 2f1380f

let params = aa_kbc_params::get_params()?;

https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attestation-agent/src/config/aa_kbc_params.rs#L73
https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attestation-agent/src/config/aa_kbc_params.rs#L65
https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attestation-agent/src/config/aa_kbc_params.rs#L89

fn from_config_file() -> Result<String, ParamError> {
    debug!("get aa_kbc_params from file");

    // check env for KATA_AGENT_CONFIG_PATH, fall back to default path
    let path: &String = KATA_AGENT_CONFIG_PATH.get_or_init(|| {
        env::var("KATA_AGENT_CONFIG_PATH").unwrap_or_else(|_| "/etc/agent-config.toml".into())
    });

    debug!("reading agent config from {}", path);
    let agent_config_str = std::fs::read_to_string(path)?;

    let agent_config: AgentConfig = toml::from_str(&agent_config_str)?;

    Ok(agent_config.aa_kbc_params)
}

We need figure out an algorithm that cdh.toml will always take top priority as parameters when it's provided.

The text was updated successfully, but these errors were encountered:

huoqifeng · 2024-06-20T14:30:55Z

@mkulke @stevenhorsman @liudalibj @bpradipt FYI.

Xynnn007 · 2024-06-21T02:34:58Z

Oh. This is messy. We need to fix this thoroughly in this thread. Current logic on CDH side

flowchart TD;
    A[Start] --> B{Is the configuration para is given?};
    B -- Yes --> C[Read the configuration];
    B -- No --> D[Use default configuration using offline_fs_kbc];
    D --> E
    C --> E{Try to read aa_kbc_params from env, kata's config, cmdline?}
    E -- Yes --> G[Finish]
    E -- No --> F[Set aa_kbc_param using CDH's config]
    F --> G

The expected priority should be

flowchart TD;
    A[Start] --> B{Is the configuration para is given?};
    B -- Yes --> C[Read the configuration];
    B -- No --> D[Try to build a configuration];
    D --> E{Try to read aa_kbc_params from env, kata's config, cmdline successfully?}
    E -- Yes --> F[Use aa_kbc_params]
    E -- No --> G[Use offline_fs_kbc]
    F --> H[Generate other parts with default value]
    G --> H[Generate other parts with default value]
    H --> I[Finish]
    C --> I

huoqifeng · 2024-06-21T02:54:17Z

@Xynnn007 yes, the expected logic is what I want. Seems there are 2 separate path today:

Logs looks like as following when startup cdh:

[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] get aa_kbc_params from file
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] reading agent config from /etc/agent-config.toml
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] get aa_kbc_params from file
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] reading agent config from /etc/agent-config.toml

Xynnn007 · 2024-06-21T03:08:02Z

@Xynnn007 yes, the expected logic is what I want. Seems there are 2 separate path today:

https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/hub/src/bin/config/mod.rs#L129

https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/kms/src/plugins/kbs/mod.rs#L36

Logs looks like as following when startup cdh:
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] get aa_kbc_params from file
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] reading agent config from /etc/agent-config.toml
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] get aa_kbc_params from file
[2024-06-20T09:08:13Z DEBUG attestation_agent::config::aa_kbc_params] reading agent config from /etc/agent-config.toml

This is a little messy but reasonable. In CDH config it will set ENV, thus then kms/kbs plugin could get it from env.

CDH should firstly read config specified with commandline, and then env. aa_kbc_param should be firstly read directly from CDH's config file. If there is no config file, try to read from env and then kernel cmdline. If still no values found, use a default one with offline_fs_kbc. Close confidential-containers#593 Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

huoqifeng mentioned this issue Jun 20, 2024

attestation-agent-config: generate attestation-agent config when createVM instance confidential-containers/cloud-api-adaptor#1868

Merged

mkulke mentioned this issue Jun 21, 2024

v0.9 TODOs confidential-containers/cloud-api-adaptor#1863

Closed

5 tasks

Xynnn007 mentioned this issue Jun 24, 2024

CDH: fix aa_kbc_params and config reading #596

Merged

Xynnn007 closed this as completed in #596 Jun 24, 2024

Xynnn007 closed this as completed in 7afa473 Jun 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CDH: kbs kms plugin should get aa_kbc_params from cdh config file if it's provided #593

CDH: kbs kms plugin should get aa_kbc_params from cdh config file if it's provided #593

huoqifeng commented Jun 20, 2024

huoqifeng commented Jun 20, 2024

Xynnn007 commented Jun 21, 2024 •

edited

Loading

huoqifeng commented Jun 21, 2024

Xynnn007 commented Jun 21, 2024

CDH: kbs kms plugin should get aa_kbc_params from cdh config file if it's provided #593

CDH: kbs kms plugin should get aa_kbc_params from cdh config file if it's provided #593

Comments

huoqifeng commented Jun 20, 2024

huoqifeng commented Jun 20, 2024

Xynnn007 commented Jun 21, 2024 • edited Loading

huoqifeng commented Jun 21, 2024

Xynnn007 commented Jun 21, 2024

Xynnn007 commented Jun 21, 2024 •

edited

Loading