Support file rather than env based scheme to acquire policy, uvm info…

… and certs. (#23)

Support file rather than env based scheme to acquire policy, uvm info and certs.

To match microsoft/hcsshim#1708

This PR supports both methods to decouple testing/deployment. There will be a subsequent PR to remove support for the environment variable scheme.

---------

Signed-off-by: Ken Gordon <[email protected]>

.gitignore

@@ -1,2 +1,5 @@
+**.o
 /azmount
 /remotefs
+/tools/get-snp-report/bin
+/bin

docker/skr/Dockerfile.debug

@@ -0,0 +1,22 @@
+FROM ubuntu:18.04
+RUN apt update
+RUN apt install --fix-missing -y net-tools wget curl bc jq bash vim ssh
+
+# clearly this is extremely insecure but is only for debugging
+# do not copy this.
+RUN useradd --uid 1000 --gid 0 --non-unique -ms /bin/bash auserwithalongname
+RUN echo "auserwithalongname:shortpassword" | chpasswd
+RUN mkdir /run/sshd
+
+# set the start command which will be used by default by ACI
+# note that this script exposes attestation on an external port
+# NEVER DO THIS IN PRODUCTION as it exposes the attestations
+# which can be used to trick an attestation agent or relying party
+
+COPY ./bin/skr ./bin/get-snp-report ./bin/verbose-report /bin/
+COPY skr.sh skr-debug.sh tests/*_client.sh /
+RUN mkdir -p /tests/skr; mv *_client.sh /tests/skr
+RUN chmod +x /*.sh /tests/skr/*.sh; date > /made-date
+
+# set the start command
+CMD [ "sleep", "1000000" ]

docker/skr/build-debug.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -e
+
+# This script builds the binaries and sets up the docker image
+
+mkdir -p bin
+pushd bin
+CGO_ENABLED=0 GOOS=linux go build github.com/Microsoft/confidential-sidecar-containers/cmd/skr
+popd
+
+pushd ../../tools/get-snp-report
+make 
+popd
+
+cp ../../tools/get-snp-report/bin/get-snp-report ./bin
+cp ../../tools/get-snp-report/bin/get-fake-snp-report ./bin
+cp ../../tools/get-snp-report/bin/verbose-report ./bin
+
+docker build --tag skr -f Dockerfile.debug .
+
+# cleanup
+rm -rf bin

docker/skr/skr-debug.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# Important note: This script is meant to run from inside the container
+
+echo starting sshd
+/usr/sbin/sshd &
+
+CmdlineArgs="-logfile ./log.txt"
+
+if [ -z "${SkrSideCarArgs}" ]; then
+  SkrSideCarArgs=$1
+fi
+
+echo SkrSideCarArgs = $SkrSideCarArgs
+
+if [ -n "${SkrSideCarArgs}" ]; then
+  CmdlineArgs="${CmdlineArgs} -base64 ${SkrSideCarArgs}"
+fi
+
+if [ -z "${Port}" ]; then
+  Port=$2
+fi
+
+echo Port = $Port
+
+if [ -n "${Port}" ]; then
+  CmdlineArgs="${CmdlineArgs} -port ${Port}"
+fi
+
+echo CmdlineArgs = $CmdlineArgs
+
+if /bin/skr $CmdlineArgs; then
+  echo "1" > result
+else
+  echo "0" > result
+fi

docker/skr/tests/attest_client.sh

@@ -5,20 +5,20 @@
 
 # Important note: This script is meant to run from inside the container
 
-if [[ -z "${AttestClientRuntimeData}" ]]; then
+if [ -z "${AttestClientRuntimeData}" ]; then
   AttestClientRuntimeData=$1  
 fi
 
 echo AttestClientRuntimeData = $AttestClientRuntimeData
 
-if [[ -z "${AttestClientMAAEndpoint}" ]]; then
+if [ -z "${AttestClientMAAEndpoint}" ]; then
   AttestClientMAAEndpoint=$2
 fi
 
 echo AttestClientMAAEndpoint = $AttestClientMAAEndpoint
 
 while true; do
-  if [[ -z "${AttestClientMAAEndpoint}" ]]; then
+  if [ -z "${AttestClientMAAEndpoint}" ]; then
     curl -X POST -H 'Content-Type: application/json' -d "{\"runtime_data\": \"$AttestClientRuntimeData\"}" http://localhost:8080/attest/raw > /raw.out;  
   else
     curl -X POST -H 'Content-Type: application/json' -d "{\"maa_endpoint\": \"$AttestClientMAAEndpoint\", \"runtime_data\": \"$AttestClientRuntimeData\"}" http://localhost:8080/attest/maa > /maatoken.out; 

docker/skr/tests/skr_client.sh

@@ -5,19 +5,19 @@
 
 # Important note: This script is meant to run from inside the container
 
-if [[ -z "${SkrClientMAAEndpoint}" ]]; then
+if [ -z "${SkrClientMAAEndpoint}" ]; then
   SkrClientMAAEndpoint=$1
 fi
 
 echo SkrClientMAAEndpoint = $SkrClientMAAEndpoint
 
-if [[ -z "${SkrClientAKVEndpoint}" ]]; then
+if [ -z "${SkrClientAKVEndpoint}" ]; then
   SkrClientAKVEndpoint=$2
 fi
 
 echo SkrClientAKVEndpoint = $SkrClientAKVEndpoint
 
-if [[ -z "${SkrClientKID}" ]]; then
+if [ -z "${SkrClientKID}" ]; then
   SkrClientKID=$3
 fi
 

pkg/common/info.go

@@ -9,6 +9,7 @@ import (
 
 	"io/ioutil"
 	"os"
+	"path/filepath"
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -65,7 +66,26 @@ func THIMtoPEM(encodedHostCertsFromTHIM string) (string, error) {
 	return certsString, nil
 }
 
+// Late in Public Preview, we made a change to pass the UVM information
+// via files instead of environment variables.
+// This code detects which method is being used and calls the appropriate
+// function to get the UVM information.
+
+// The environment variable scheme will go away by "General Availability"
+// but we handle both to decouple this code and the hcsshim/gcs code.
+
+// Matching PR https://github.com/microsoft/hcsshim/pull/1708
+
 func GetUvmInfomation() (UvmInformation, error) {
+	securityContextDir := os.Getenv("UVM_SECURITY_CONTEXT_DIR")
+	if securityContextDir != "" {
+		return GetUvmInfomationFromFiles()
+	} else {
+		return GetUvmInfomationFromEnv()
+	}
+}
+
+func GetUvmInfomationFromEnv() (UvmInformation, error) {
 	var encodedUvmInformation UvmInformation
 	encodedHostCertsFromTHIM := os.Getenv("UVM_HOST_AMD_CERTIFICATE")
 
@@ -90,3 +110,64 @@ func GetUvmInfomation() (UvmInformation, error) {
 
 	return encodedUvmInformation, nil
 }
+
+// From hcsshim pkg/securitypolicy/securitypolicy.go
+
+const (
+	SecurityContextDirTemplate = "security-context-*"
+	PolicyFilename             = "security-policy-base64"
+	HostAMDCertFilename        = "host-amd-cert-base64"
+	ReferenceInfoFilename      = "reference-info-base64"
+)
+
+func readSecurityContextFile(dir string, filename string) (string, error) {
+	targetFilename := filepath.Join(dir, filename)
+	blob, err := os.ReadFile(targetFilename)
+	if err != nil {
+		return "", err
+	}
+	return string(blob), nil
+}
+
+func GetUvmInfomationFromFiles() (UvmInformation, error) {
+	var encodedUvmInformation UvmInformation
+
+	securityContextDir := os.Getenv("UVM_SECURITY_CONTEXT_DIR")
+	if securityContextDir == "" {
+		return encodedUvmInformation, errors.New("UVM_SECURITY_CONTEXT_DIR not set")
+	}
+
+	encodedHostCertsFromTHIM, err := readSecurityContextFile(securityContextDir, HostAMDCertFilename)
+	if err != nil {
+		return encodedUvmInformation, errors.Wrapf(err, "reading host amd cert failed")
+	}
+
+	if GenerateTestData {
+		ioutil.WriteFile("uvm_host_amd_certificate.base64", []byte(encodedHostCertsFromTHIM), 0644)
+	}
+
+	if encodedHostCertsFromTHIM != "" {
+		certChain, err := THIMtoPEM(encodedHostCertsFromTHIM)
+		if err != nil {
+			return encodedUvmInformation, err
+		}
+		encodedUvmInformation.CertChain = certChain
+	}
+
+	encodedUvmInformation.EncodedSecurityPolicy, err = readSecurityContextFile(securityContextDir, PolicyFilename)
+	if err != nil {
+		return encodedUvmInformation, errors.Wrapf(err, "reading security policy failed")
+	}
+
+	encodedUvmInformation.EncodedUvmReferenceInfo, err = readSecurityContextFile(securityContextDir, ReferenceInfoFilename)
+	if err != nil {
+		return encodedUvmInformation, errors.Wrapf(err, "reading uvm reference info failed")
+	}
+
+	if GenerateTestData {
+		ioutil.WriteFile("uvm_security_policy.base64", []byte(encodedUvmInformation.EncodedSecurityPolicy), 0644)
+		ioutil.WriteFile("uvm_reference_info.base64", []byte(encodedUvmInformation.EncodedUvmReferenceInfo), 0644)
+	}
+
+	return encodedUvmInformation, nil
+}

tools/get-snp-report/Makefile

@@ -18,7 +18,7 @@ bin/get-snp-report: get-snp-report.o get-snp-report5.o get-snp-report6.o helpers
 	@mkdir -p bin
 	$(CC) $(LDFLAGS) -o $@ $^
 
-bin/verbose-report: verbose-report.o
+bin/verbose-report: verbose-report.o get-snp-report5.o get-snp-report6.o helpers.o
 	@mkdir -p bin
 	$(CC) $(LDFLAGS) -o $@ $^