diff --git a/.github/workflows/cdh_basic.yml b/.github/workflows/cdh_basic.yml index 0f6a266ee..010aa65f8 100644 --- a/.github/workflows/cdh_basic.yml +++ b/.github/workflows/cdh_basic.yml @@ -69,13 +69,13 @@ jobs: - name: Run cargo test run: | - sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p confidential-data-hub + sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub - name: Run cargo fmt check run: | - sudo -E PATH=$PATH -s cargo fmt -p confidential-data-hub -- --check + sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check - name: Run rust lint check run: | # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now - sudo -E PATH=$PATH -s cargo clippy -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq + sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq diff --git a/Cargo.lock b/Cargo.lock index 3689a3c9c..8580f6b43 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1146,45 +1146,31 @@ dependencies = [ "async-trait", "attestation-agent", "base64 0.22.1", - "bincode", "cfg-if", - "chrono", "clap 4.2.7", "config", - "const_format", "crypto", - "ehsm_client", "env_logger 0.11.6", - "hex", "image-rs", - "kbs_protocol", + "kms", "log", "nix 0.29.0", - "p12", "prost 0.13.5", "protobuf 3.7.1", "rand 0.9.0", - "reqwest 0.12.12", "resource_uri", - "ring", "rstest", "serde", "serde_json", "serial_test", - "sev 0.1.0", - "sha2 0.10.8", "strum", "tempfile", "thiserror 2.0.12", "tokio", - "toml 0.8.20", "tonic", "tonic-build", "ttrpc", "ttrpc-codegen", - "url", - "uuid", - "yasna 0.5.2", "zeroize", ] 
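Review bot: The clippy step on the last changed line still runs without a `--features` list, so with `-p kms` added it lints kms only under that crate's default features (`aliyun`, `kbs` in the new Cargo.toml) and the `sev` code path that the test step enables via `--features kbs,aliyun,sev,bin` is never linted. Passing the same set to clippy, `sudo -E PATH=$PATH -s cargo clippy --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq`, keeps the lint gate on the same code the tests build. None of the three steps exercises the `ehsm` feature of either crate, which may be intentional but is worth stating in the workflow.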
@@ -2576,9 +2562,9 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.4.0" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc" +checksum = "fbd780fe5cc30f81464441920d82ac8740e2e46b29a6fad543ddd075229ce37e" [[package]] name = "hex" @@ -3149,11 +3135,11 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" [[package]] name = "is-terminal" -version = "0.4.15" +version = "0.4.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e19b23d53f35ce9f56aebc7d1bb4e6ac1e9c0db7ac85c8d1760c04379edced37" +checksum = "e04d7f318608d35d4b61ddd75cbdaee86b023ebe2bd5a66ee0915f0bf93095a9" dependencies = [ - "hermit-abi 0.4.0", + "hermit-abi 0.5.0", "libc", "windows-sys 0.59.0", ] @@ -3464,6 +3450,45 @@ dependencies = [ "zeroize", ] +[[package]] +name = "kms" +version = "0.1.0" +dependencies = [ + "anyhow", + "async-trait", + "attestation-agent", + "base64 0.22.1", + "bincode", + "chrono", + "const_format", + "crypto", + "ehsm_client", + "hex", + "kbs_protocol", + "log", + "p12", + "prost 0.13.5", + "rand 0.9.0", + "reqwest 0.12.12", + "resource_uri", + "ring", + "rstest", + "serde", + "serde_json", + "sev 0.1.0", + "sha2 0.10.8", + "strum", + "thiserror 2.0.12", + "tokio", + "toml 0.8.20", + "tonic", + "tonic-build", + "url", + "uuid", + "yasna 0.5.2", + "zeroize", +] + [[package]] name = "lalrpop" version = "0.20.2" @@ -3646,6 +3671,12 @@ version = "0.4.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab" +[[package]] +name = "linux-raw-sys" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6db9c683daf087dc577b7506e9695b3d556a9f3849903fa28186283afd6809e9" + [[package]] name = "litemap" version = "0.7.4" 
@@ -5089,7 +5120,7 @@ checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.3", - "zerocopy 0.8.22", + "zerocopy 0.8.23", ] [[package]] @@ -5340,9 +5371,9 @@ dependencies = [ [[package]] name = "ring" -version = "0.17.12" +version = "0.17.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed9b823fa29b721a59671b41d6b06e66b29e0628e207e8b1c3ceeda701ec928d" +checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee" dependencies = [ "cc", "cfg-if", @@ -5485,7 +5516,20 @@ dependencies = [ "bitflags 2.9.0", "errno 0.3.10", "libc", - "linux-raw-sys", + "linux-raw-sys 0.4.15", + "windows-sys 0.59.0", +] + +[[package]] +name = "rustix" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dade4812df5c384711475be5fcd8c162555352945401aed22a35bffeab61f657" +dependencies = [ + "bitflags 2.9.0", + "errno 0.3.10", + "libc", + "linux-raw-sys 0.9.2", "windows-sys 0.59.0", ] @@ -6416,15 +6460,15 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.17.1" +version = "3.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e5a0acb1f3f55f65cc4a866c361b2fb2a0ff6366785ae6fbb5f85df07ba230" +checksum = "2c317e0a526ee6120d8dabad239c8dadca62b24b6f168914bbbc8e2fb1f0e567" dependencies = [ "cfg-if", "fastrand", "getrandom 0.3.1", "once_cell", - "rustix", + "rustix 1.0.1", "windows-sys 0.59.0", ] @@ -7402,7 +7446,7 @@ dependencies = [ "either", "home", "once_cell", - "rustix", + "rustix 0.38.44", ] [[package]] 
@@ -7762,13 +7806,12 @@ dependencies = [ [[package]] name = "xattr" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e105d177a3871454f754b33bb0ee637ecaaac997446375fd3e5d43a2ed00c909" +checksum = "0d65cbf2f12c15564212d48f4e3dfb87923d25d611f2aed18f4cb23f0413d89e" dependencies = [ "libc", - "linux-raw-sys", - "rustix", + "rustix 1.0.1", ] [[package]] @@ -7839,11 +7882,11 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.22" +version = "0.8.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09612fda0b63f7cb9e0af7e5916fe5a1f8cdcb066829f10f36883207628a4872" +checksum = "fd97444d05a4328b90e75e503a34bad781f14e28a823ad3557f0750df1ebcbc6" dependencies = [ - "zerocopy-derive 0.8.22", + "zerocopy-derive 0.8.23", ] [[package]] @@ -7859,9 +7902,9 @@ dependencies = [ [[package]] name = "zerocopy-derive" -version = "0.8.22" +version = "0.8.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79f81d38d7a2ed52d8f034e62c568e111df9bf8aba2f7cf19ddc5bf7bd89d520" +checksum = "6352c01d0edd5db859a63e2605f4ea3183ddbd15e2c4a9e7d32184df75e4f154" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index a9e34d48f..c00144948 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,6 +11,7 @@ members = [ "attestation-agent/deps/sev", "attestation-agent/coco_keyprovider", "confidential-data-hub/hub", + "confidential-data-hub/kms", "image-rs", "ocicrypt-rs", ] diff --git a/confidential-data-hub/docs/kms-providers/alibaba.md b/confidential-data-hub/docs/kms-providers/alibaba.md index 94da5f5f4..6cc1e7dda 100644 --- a/confidential-data-hub/docs/kms-providers/alibaba.md +++ b/confidential-data-hub/docs/kms-providers/alibaba.md 
@@ -56,17 +56,17 @@ Else if `client_type` is set to 'sts_token', provider_settings shall be as follo ### Credential files To connect to a KMS instance with `client_type` set to 'client_key', a client key is needed. A client key is actually -[an json with encrypted inside](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json) +[an json with encrypted inside](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json) private key. The name of the client key is always derived from the client key id. Suppose the client key ID is `xxx`, then the client key file has name `clientKey_xxx.json`. The key to encrypt -the private key is derived from a password that is also saved in [a file](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json). +the private key is derived from a password that is also saved in [a file](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json). Suppose the client key ID is `xxx`, then the password file has name `password_xxx.json`. -Besides, [a cert of the KMS server](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem) +Besides, [a cert of the KMS server](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem) is also needed. Suppose the kms instance id is `xxx`, then the cert of the KMS server has name `PrivateKmsCA_xxx.pem`. For more details please see the [developer document for aliyun](https://www.alibabacloud.com/help/en/key-management-service/latest/api-overview). -To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json) file is needed. 
+To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json) file is needed. In the json file, `ecs_ram_role_name` and `region_id` is set in order to get access to Dedicated KMS. Among them,`ecs_ram_role_name` refer to RAM role for ECS instances in a VPC network, where CDH runs. Can be set on Aliyun Console. And `region_id` refers to region id of Dedicated KMS, to which more details can be refered [here](https://www.alibabacloud.com/help/en/kms/product-overview/supported-regions). diff --git a/confidential-data-hub/docs/kms-providers/ehsm-kms.md b/confidential-data-hub/docs/kms-providers/ehsm-kms.md index 20d0dd7cd..1671fb15f 100644 --- a/confidential-data-hub/docs/kms-providers/ehsm-kms.md +++ b/confidential-data-hub/docs/kms-providers/ehsm-kms.md @@ -28,7 +28,7 @@ The `annotations` should be set empty. ### Credential files To connect to a KMS instance, a credential file is needed. A credential file is actually -[an json file with app_id and api_key](../../hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json). +[an json file with app_id and api_key](../../kms/src/plugins/ehsm/example_credential/credential.4eb1____.json). The name of the credential file is always derived from the app id. Suppose the App ID is `xxx`, then the credential file has name `credential.xxx.json`. diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml index 1de493156..d8dce2c34 100644 --- a/confidential-data-hub/hub/Cargo.toml +++ b/confidential-data-hub/hub/Cargo.toml 
@@ -35,38 +35,22 @@ required-features = ["cli"]
 [dependencies]
 anyhow = { workspace = true, optional = true }
 async-trait.workspace = true
-attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }
+attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false, optional = true }
 base64.workspace = true
-bincode = { workspace = true, optional = true }
 cfg-if.workspace = true
-chrono = { workspace = true, optional = true }
-clap = { workspace = true, features = ["derive"], optional = true }
-config.workspace = true
-const_format.workspace = true
+clap = { workspace = true, features = [ "derive" ], optional = true }
+config = { workspace = true, optional = true }
 crypto.path = "../../attestation-agent/deps/crypto"
-ehsm_client = { git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
 env_logger = { workspace = true, optional = true }
-hex = { workspace = true, optional = true }
-image-rs = { path = "../../image-rs", default-features = false, features = [
-    "kata-cc-rustls-tls",
-] }
-kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = [
-    "passport",
-    "aa_ttrpc",
-    "openssl",
-], optional = true }
+image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
+kms = { path = "../kms", default-features = false }
 log.workspace = true
-p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 rand.workspace = true
-reqwest = { workspace = true, optional = true }
 resource_uri.path = "../../attestation-agent/deps/resource_uri"
-ring = "0.17"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
-sev = { path = "../../attestation-agent/deps/sev", optional = true }
-sha2 = { workspace = true, optional = true }
 strum = { workspace = true, features = 
["derive"] } tempfile = { workspace = true, optional = true } thiserror.workspace = true @@ -78,17 +62,13 @@ tokio = { workspace = true, features = [ "rt-multi-thread", "sync", ] } -toml.workspace = true tonic = { workspace = true, optional = true } ttrpc = { workspace = true, features = ["async"], optional = true } -url = { workspace = true, optional = true } -uuid = { workspace = true, features = ["serde", "v4"], optional = true } -yasna = { version = "0.5.2", optional = true } zeroize.workspace = true [build-dependencies] anyhow.workspace = true -tonic-build.workspace = true +tonic-build = { workspace = true, optional = true } ttrpc-codegen = { workspace = true, optional = true } [dev-dependencies] @@ -104,34 +84,21 @@ tokio = { workspace = true, features = ["rt", "macros"] } default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"] # support aliyun stacks (KMS, ..) -aliyun = [ - "anyhow", - "chrono", - "hex", - "p12", - "prost", - "reqwest/rustls-tls", - "sha2", - "serde", - "tempfile", - "tonic", - "url", - "yasna", -] +aliyun = ["tempfile"] # support coco-KBS to provide confidential resources -kbs = ["kbs_protocol"] +kbs = ["kms/kbs"] # support sev to provide confidential resources -sev = ["bincode", "dep:sev", "prost", "tonic", "uuid"] +sev = ["kms/sev"] # support eHSM stacks (KMS, ...) -ehsm = ["ehsm_client"] +ehsm = [] # Binary RPC type -bin = ["anyhow", "clap", "env_logger", "serde"] +bin = [ "anyhow", "attestation-agent", "clap", "config", "env_logger", "serde" ] ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"] -grpc = ["prost", "tonic", "tokio/signal"] +grpc = ["prost", "tonic", "tonic-build", "tokio/signal"] # for secret_cli cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"] diff --git a/confidential-data-hub/hub/build.rs b/confidential-data-hub/hub/build.rs index b91f2373b..a87a5612a 100644 --- a/confidential-data-hub/hub/build.rs +++ b/confidential-data-hub/hub/build.rs 
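Review bot: `aliyun = ["tempfile"]` and `ehsm = []` in the features hunk no longer enable anything in the kms crate, while `kbs = ["kms/kbs"]` and `sev = ["kms/sev"]` do, and the hub now pulls kms with `default-features = false`. Because `src/bin/secret_cli.rs` imports `kms::plugins::aliyun::AliyunKmsClient` and `kms::plugins::ehsm::EhsmKmsClient` under `#[cfg(feature = "aliyun")]` / `#[cfg(feature = "ehsm")]`, a build of the hub on its own with those features (its default set includes `aliyun`) would compile against plugins kms was never asked to build; the CI job hides this because its `--features kbs,aliyun,sev,bin` is also applied to `-p kms`. Forwarding like the other two features, `aliyun = ["kms/aliyun", "tempfile"]` and `ehsm = ["kms/ehsm"]`, restores the pre-split behaviour in which the hub feature pulled in the provider's dependencies. This assumes kms gates each plugin module behind its own feature, which its optional per-plugin dependencies suggest; worth confirming against `kms/src/plugins/mod.rs`.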
@@ -4,22 +4,6 @@ // fn main() { - #[cfg(feature = "aliyun")] - tonic_build::compile_protos( - "./src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto", - ) - .expect("Generate aliyun protocol code failed."); - - #[cfg(feature = "sev")] - tonic_build::configure() - .build_server(true) - .out_dir("./src/kms/plugins/kbs/sev") - .compile_protos( - &["./src/kms/plugins/kbs/sev/protos/getsecret.proto"], - &["./src/kms/plugins/kbs/sev/protos"], - ) - .expect("Generate sev protocol code failed."); - #[cfg(feature = "grpc")] { tonic_build::configure() diff --git a/confidential-data-hub/hub/src/auth/kbs.rs b/confidential-data-hub/hub/src/auth/kbs.rs index 4eee1d711..32d2c0410 100644 --- a/confidential-data-hub/hub/src/auth/kbs.rs +++ b/confidential-data-hub/hub/src/auth/kbs.rs @@ -8,10 +8,10 @@ use std::path::PathBuf; +use kms::{plugins::kbs::KbcClient, Annotations, Getter}; use log::debug; use tokio::fs; -use crate::kms::{plugins::kbs::KbcClient, Annotations, Getter}; use crate::{hub::Hub, Error, Result}; /// This directory is used to store all the kbs resources get by CDH's init diff --git a/confidential-data-hub/hub/src/bin/secret_cli.rs b/confidential-data-hub/hub/src/bin/secret_cli.rs index a2814d420..0605d5e6b 100644 --- a/confidential-data-hub/hub/src/bin/secret_cli.rs +++ b/confidential-data-hub/hub/src/bin/secret_cli.rs 
@@ -7,17 +7,16 @@ use std::{env, path::Path}; use base64::{engine::general_purpose::STANDARD, Engine}; use clap::{command, Args, Parser, Subcommand}; -#[cfg(feature = "aliyun")] -use confidential_data_hub::kms::plugins::aliyun::AliyunKmsClient; -#[cfg(feature = "ehsm")] -use confidential_data_hub::kms::plugins::ehsm::EhsmKmsClient; -use confidential_data_hub::kms::{Encrypter, ProviderSettings}; use confidential_data_hub::secret::{ layout::{envelope::EnvelopeSecret, vault::VaultSecret}, Secret, SecretContent, VERSION, }; - use crypto::WrapType; +#[cfg(feature = "aliyun")] +use kms::plugins::aliyun::AliyunKmsClient; +#[cfg(feature = "ehsm")] +use kms::plugins::ehsm::EhsmKmsClient; +use kms::{Encrypter, ProviderSettings}; use rand::Rng; #[cfg(feature = "ehsm")] use serde_json::Value; diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs index f8b0f8f68..8b31eaff2 100644 --- a/confidential-data-hub/hub/src/error.rs +++ b/confidential-data-hub/hub/src/error.rs @@ -3,7 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 // -use crate::{image, kms, secret, storage}; +use crate::{image, secret, storage}; use thiserror::Error; pub type Result = std::result::Result; diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs index 871874140..a850703e7 100644 --- a/confidential-data-hub/hub/src/hub.rs +++ b/confidential-data-hub/hub/src/hub.rs @@ -7,11 +7,10 @@ use std::{collections::HashMap, path::Path}; use async_trait::async_trait; use image_rs::{builder::ClientBuilder, config::ImageConfig, image::ImageClient}; +use kms::{Annotations, ProviderSettings}; use log::{debug, info}; use tokio::sync::{Mutex, OnceCell}; -use crate::kms; -use crate::kms::{Annotations, ProviderSettings}; use crate::storage::volume_type::Storage; use crate::{image, secret, CdhConfig, DataHub, Error, Result}; 
diff --git a/confidential-data-hub/hub/src/image/annotation_packet/v1.rs b/confidential-data-hub/hub/src/image/annotation_packet/v1.rs index 8670c26d5..4af2f30cd 100644 --- a/confidential-data-hub/hub/src/image/annotation_packet/v1.rs +++ b/confidential-data-hub/hub/src/image/annotation_packet/v1.rs @@ -7,7 +7,6 @@ use resource_uri::ResourceUri; use serde::{Deserialize, Serialize}; use crate::image::{Error, Result}; -use crate::kms; /// `AnnotationPacket` is what a encrypted image layer's /// `org.opencontainers.image.enc.keys.provider.attestation-agent` diff --git a/confidential-data-hub/hub/src/image/annotation_packet/v2.rs b/confidential-data-hub/hub/src/image/annotation_packet/v2.rs index 12b66aad5..f745c0f15 100644 --- a/confidential-data-hub/hub/src/image/annotation_packet/v2.rs +++ b/confidential-data-hub/hub/src/image/annotation_packet/v2.rs @@ -8,12 +8,11 @@ use anyhow::anyhow; use base64::{engine::general_purpose::STANDARD, Engine}; +use kms::{plugins::VaultProvider, Annotations, ProviderSettings}; use serde::{Deserialize, Serialize}; use serde_json::Map; use crate::image::{Error, Result}; -use crate::kms; -use crate::kms::{plugins::VaultProvider, Annotations, ProviderSettings}; pub const DEFAULT_VERSION: &str = "0.1.0"; diff --git a/confidential-data-hub/hub/src/image/error.rs b/confidential-data-hub/hub/src/image/error.rs index af6e3e8b2..557be45f9 100644 --- a/confidential-data-hub/hub/src/image/error.rs +++ b/confidential-data-hub/hub/src/image/error.rs @@ -5,8 +5,6 @@ use thiserror::Error; -use crate::kms; - pub type Result = std::result::Result; #[derive(Error, Debug)] diff --git a/confidential-data-hub/hub/src/lib.rs b/confidential-data-hub/hub/src/lib.rs index 62e829856..0118fb138 100644 --- a/confidential-data-hub/hub/src/lib.rs +++ b/confidential-data-hub/hub/src/lib.rs @@ -17,6 +17,5 @@ pub mod config; pub use config::*; pub mod image; -pub mod kms; pub mod secret; pub mod storage; 
diff --git a/confidential-data-hub/hub/src/secret/layout/envelope.rs b/confidential-data-hub/hub/src/secret/layout/envelope.rs index 0996aae58..945fb4a17 100644 --- a/confidential-data-hub/hub/src/secret/layout/envelope.rs +++ b/confidential-data-hub/hub/src/secret/layout/envelope.rs @@ -3,16 +3,15 @@ // SPDX-License-Identifier: Apache-2.0 // +pub use kms::Annotations; + use base64::{engine::general_purpose::STANDARD, Engine}; use crypto::WrapType; +use kms::ProviderSettings; use serde::{Deserialize, Serialize}; use thiserror::Error; use zeroize::Zeroizing; -use crate::kms; -pub use crate::kms::Annotations; -use crate::kms::ProviderSettings; - pub type Result = std::result::Result; #[derive(Error, Debug)] diff --git a/confidential-data-hub/hub/src/secret/layout/vault.rs b/confidential-data-hub/hub/src/secret/layout/vault.rs index 40e10fb60..24bc60adc 100644 --- a/confidential-data-hub/hub/src/secret/layout/vault.rs +++ b/confidential-data-hub/hub/src/secret/layout/vault.rs @@ -6,8 +6,8 @@ use serde::{Deserialize, Serialize}; use thiserror::Error; -use crate::kms; -pub use crate::kms::{Annotations, ProviderSettings}; +pub use kms::Annotations; +pub use kms::ProviderSettings; pub type Result = std::result::Result; diff --git a/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs index f2203f793..27e76fd44 100644 --- a/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs +++ b/confidential-data-hub/hub/src/storage/volume_type/blockdevice/mod.rs 
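Review bot: In envelope.rs the new `pub use kms::Annotations;` sits alone above the import block, separated by a blank line from `use kms::ProviderSettings;` in the sorted group below; keeping the re-export next to it, `use kms::ProviderSettings;` followed by `pub use kms::Annotations;`, presents the kms dependency as one group. The vault.rs hunk in this commit splits the former single statement into `pub use kms::Annotations;` and `pub use kms::ProviderSettings;`, where the original `pub use kms::{Annotations, ProviderSettings};` shape is shorter and matches the rest of the file. The same ordering point applies to `storage/volume_type/blockdevice/mod.rs`, where `use crate::secret;` now lands between `use super::SecureMount;` and the external-crate imports.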
@@ -6,17 +6,15 @@ pub mod error; pub mod luks; use super::SecureMount; +use crate::secret; use async_trait::async_trait; use error::{BlockDeviceError, Result}; +use kms::{Annotations, ProviderSettings}; use log::{debug, error}; use serde::{Deserialize, Serialize}; use std::collections::HashMap; use strum::{Display, EnumString}; -use crate::kms; -use crate::kms::{Annotations, ProviderSettings}; -use crate::secret; - #[derive(EnumString, Serialize, Deserialize, Display, Debug, PartialEq, Eq)] pub enum BlockDeviceEncryptType { #[strum(serialize = "luks")] diff --git a/confidential-data-hub/kms/Cargo.toml b/confidential-data-hub/kms/Cargo.toml new file mode 100644 index 000000000..d5e42f119 --- /dev/null +++ b/confidential-data-hub/kms/Cargo.toml 
@@ -0,0 +1,59 @@
+[package]
+name = "kms"
+version = "0.1.0"
+authors = ["The Confidential Container Authors"]
+publish = false
+edition = "2021"
+
+[dependencies]
+anyhow.workspace = true
+async-trait.workspace = true
+attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }
+base64.workspace = true
+bincode = { workspace = true, optional = true }
+chrono = { workspace = true, optional = true }
+const_format.workspace = true
+crypto = { path = "../../attestation-agent/deps/crypto", optional = true }
+ehsm_client = {git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
+hex = { workspace = true, optional = true }
+kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = [
+    "passport",
+    "aa_ttrpc",
+    "openssl",
+], optional = true }
+log.workspace = true
+p12 = { version = "0.6.3", optional = true }
+prost = { workspace = true, optional = true }
+rand = { workspace = true, optional = true }
+reqwest = { workspace = true, optional = true }
+resource_uri = { path = "../../attestation-agent/deps/resource_uri" }
+ring = "0.17"
+sha2 = { workspace = true, optional = true }
+serde.workspace = true
+serde_json.workspace = true
+sev = { path = "../../attestation-agent/deps/sev", optional = true }
+strum.workspace = true
+thiserror.workspace = true
+tokio = { workspace = true, features = ["fs"] }
+toml.workspace = true
+tonic = { workspace = true, optional = true }
+url = { workspace = true, optional = true }
+uuid = { workspace = true, features = ["serde", "v4"], optional = true }
+yasna = { version = "0.5.2", optional = true }
+zeroize = { workspace = true, optional = true }
+
+[dev-dependencies]
+rstest.workspace = true
+tokio = { workspace = true, features = ["rt", "macros" ] }
+
+[build-dependencies]
+anyhow.workspace = true
+tonic-build.workspace = true
+
+[features]
+default = ["aliyun", "kbs"]
+
+aliyun = ["chrono", "hex", "p12", "prost", "rand", "reqwest/rustls-tls", "sha2", "tonic", "url", "yasna"]
+kbs = ["kbs_protocol"]
+ehsm = ["ehsm_client"]
+sev = ["bincode", "crypto", "dep:sev", "prost", "tonic", "uuid", "zeroize"]
diff --git a/confidential-data-hub/kms/build.rs b/confidential-data-hub/kms/build.rs
new file mode 100644
index 000000000..2ad98883c
--- /dev/null
+++ b/confidential-data-hub/kms/build.rs
@@ -0,0 +1,20 @@
+#![allow(missing_docs)]
+
+// extern crate tonic_build;
+
+use anyhow::*;
+
+fn main() -> Result<()> {
+    #[cfg(feature = "aliyun")]
+    tonic_build::compile_protos(
+        "./src/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto",
+    )?;
+
+    #[cfg(feature = "sev")]
+    tonic_build::configure()
+        .build_server(true)
+        .out_dir("./src/plugins/kbs/sev")
+        .compile_protos(&["./src/plugins/kbs/sev/protos/getsecret.proto"], &[""])?;
+
+    Ok(())
+}
diff --git a/confidential-data-hub/hub/src/kms/api.rs b/confidential-data-hub/kms/src/api.rs
similarity index 99%
rename from confidential-data-hub/hub/src/kms/api.rs
rename to confidential-data-hub/kms/src/api.rs
index 4a807f460..fec9f08cc 100644
--- a/confidential-data-hub/hub/src/kms/api.rs
+++ b/confidential-data-hub/kms/src/api.rs
@@ -29,7 +29,7 @@
 //! - `Decrypter` and `Getter` are used in-guest, while `Encrypter` and `Setter`
 //! are used userside. They do not need to be implemented by a same object.
 
-use crate::kms::Result;
+use crate::Result;
 use async_trait::async_trait;
 use serde_json::{Map, Value};
 
diff --git a/confidential-data-hub/hub/src/kms/error.rs b/confidential-data-hub/kms/src/error.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/error.rs
rename to confidential-data-hub/kms/src/error.rs
diff --git a/confidential-data-hub/hub/src/kms/mod.rs b/confidential-data-hub/kms/src/lib.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/mod.rs
rename to confidential-data-hub/kms/src/lib.rs
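Review bot: `tonic-build.workspace = true` under `[build-dependencies]` is unconditional although the crate's build.rs only calls it under `#[cfg(feature = "aliyun")]` and `#[cfg(feature = "sev")]`, so a `kbs`- or `ehsm`-only build still compiles the protobuf code generator; the hub's Cargo.toml in this same change makes `tonic-build` optional behind `grpc`. The same shape works here: `tonic-build = { workspace = true, optional = true }` with `"tonic-build"` appended to the `aliyun` and `sev` feature lists. `ring = "0.17"`, `p12 = "0.6.3"` and `yasna = "0.5.2"` are the only dependencies pinned outside the workspace table, so a short comment on why, or a move into `[workspace.dependencies]`, would keep version policy in one place.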
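Review bot: The sev branch passes `&[""]` as the proto include list, whereas the hub's build.rs that this replaces passed the proto's own directory; an empty include path resolves relative to the build-script working directory (the crate root), so any `import` inside `getsecret.proto` would be searched from there rather than beside the file, and I would expect the generator to reject a proto that lies outside every include directory. Keeping the previous shape, `.compile_protos(&["./src/plugins/kbs/sev/protos/getsecret.proto"], &["./src/plugins/kbs/sev/protos"])?;`, avoids relying on that. The commented-out `// extern crate tonic_build;` should be dropped rather than carried into the new crate, and `use anyhow::*;` can be narrowed to `use anyhow::Result;`, the only name the script uses. With no `cargo:rerun-if-changed` directive the script re-runs on every change to any file in the package; emitting one per `.proto` input would limit that to the files it actually reads.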
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/annotations.rs b/confidential-data-hub/kms/src/plugins/aliyun/annotations.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/annotations.rs
rename to confidential-data-hub/kms/src/plugins/aliyun/annotations.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/config.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/config.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/config.rs
rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/config.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/credential.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/credential.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/credential.rs
rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/credential.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem
rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json
rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json
rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs
similarity index 99%
rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs
rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs
index aead70dab..c86db6e7f 100644
--- a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/mod.rs
+++ b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/mod.rs
@@ -19,8 +19,8 @@ use tokio::fs;
 mod config;
 mod credential;
 
-use crate::kms::{Annotations, Decrypter, Encrypter, ProviderSettings};
-use crate::kms::{Error, Result};
+use crate::{Annotations, Decrypter, Encrypter, ProviderSettings};
+use crate::{Error, Result};
 
 use super::super::annotations::*;
 use super::ALIYUN_IN_GUEST_DEFAULT_KEY_PATH;
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto b/confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto similarity index 100% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto rename to confidential-data-hub/kms/src/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json b/confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json similarity index 100% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json rename to confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs similarity index 98% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs rename to confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs index 322602d7a..376ffb6b0 100644 --- a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/mod.rs +++ b/confidential-data-hub/kms/src/plugins/aliyun/client/ecs_ram_role_client/mod.rs @@ -11,7 +11,8 @@ use serde::Deserialize; use serde_json::Value; use tokio::fs; -use crate::kms::{Annotations, Error, ProviderSettings, Result}; +use crate::{Annotations, ProviderSettings}; +use crate::{Error, Result}; use super::sts_token_client::credential::StsCredential; use super::{sts_token_client::StsTokenClient, ALIYUN_IN_GUEST_DEFAULT_KEY_PATH}; 
diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs similarity index 98% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs rename to confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs index 0d6887abc..419f456f1 100644 --- a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/mod.rs +++ b/confidential-data-hub/kms/src/plugins/aliyun/client/mod.rs @@ -12,9 +12,9 @@ mod client_key_client; mod ecs_ram_role_client; mod sts_token_client; -use crate::kms::plugins::_IN_GUEST_DEFAULT_KEY_PATH; -use crate::kms::{Annotations, Decrypter, Encrypter, Getter, ProviderSettings}; -use crate::kms::{Error, Result}; +use crate::plugins::_IN_GUEST_DEFAULT_KEY_PATH; +use crate::{Annotations, Decrypter, Encrypter, Getter, ProviderSettings}; +use crate::{Error, Result}; use client_key_client::ClientKeyClient; use ecs_ram_role_client::EcsRamRoleClient; @@ -206,7 +206,7 @@ mod tests { use rstest::rstest; use serde_json::{json, Map, Value}; - use crate::kms::{ + use crate::{ plugins::aliyun::client::AliyunKmsClient, Annotations, Decrypter, Encrypter, Getter, }; diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/credential.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/credential.rs similarity index 100% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/credential.rs rename to confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/credential.rs diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs b/confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs similarity index 99% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs rename to confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs index 98e18f09b..eff86d307 100644 
--- a/confidential-data-hub/hub/src/kms/plugins/aliyun/client/sts_token_client/mod.rs +++ b/confidential-data-hub/kms/src/plugins/aliyun/client/sts_token_client/mod.rs @@ -20,7 +20,7 @@ use serde::Deserialize; use serde_json::Value; use tokio::fs; -use crate::kms::{ +use crate::{ error::{Error, Result}, plugins::aliyun::annotations::AliSecretAnnotations, Annotations, ProviderSettings, diff --git a/confidential-data-hub/hub/src/kms/plugins/aliyun/mod.rs b/confidential-data-hub/kms/src/plugins/aliyun/mod.rs similarity index 100% rename from confidential-data-hub/hub/src/kms/plugins/aliyun/mod.rs rename to confidential-data-hub/kms/src/plugins/aliyun/mod.rs diff --git a/confidential-data-hub/hub/src/kms/plugins/ehsm/README.md b/confidential-data-hub/kms/src/plugins/ehsm/README.md similarity index 100% rename from confidential-data-hub/hub/src/kms/plugins/ehsm/README.md rename to confidential-data-hub/kms/src/plugins/ehsm/README.md diff --git a/confidential-data-hub/hub/src/kms/plugins/ehsm/annotations.rs b/confidential-data-hub/kms/src/plugins/ehsm/annotations.rs similarity index 100% rename from confidential-data-hub/hub/src/kms/plugins/ehsm/annotations.rs rename to confidential-data-hub/kms/src/plugins/ehsm/annotations.rs diff --git a/confidential-data-hub/hub/src/kms/plugins/ehsm/client.rs b/confidential-data-hub/kms/src/plugins/ehsm/client.rs similarity index 97% rename from confidential-data-hub/hub/src/kms/plugins/ehsm/client.rs rename to confidential-data-hub/kms/src/plugins/ehsm/client.rs index ce1d42743..4aa632840 100644 --- a/confidential-data-hub/hub/src/kms/plugins/ehsm/client.rs +++ b/confidential-data-hub/kms/src/plugins/ehsm/client.rs 
@@ -15,10 +15,9 @@ use log::info;
 use serde_json::Value;
 use tokio::fs;

-use crate::kms::{
-plugins::_IN_GUEST_DEFAULT_KEY_PATH, Annotations, Decrypter, Encrypter, Error,
-ProviderSettings, Result,
-};
+use crate::plugins::_IN_GUEST_DEFAULT_KEY_PATH;
+use crate::{Annotations, Decrypter, Encrypter, ProviderSettings};
+use crate::{Error, Result};

 use super::annotations::EhsmProviderSettings;
 use super::credential::Credential;
@@ -158,7 +157,7 @@ mod tests {
 use rstest::rstest;
 use serde_json::json;

-use crate::kms::{plugins::ehsm::client::EhsmKmsClient, Decrypter, Encrypter};
+use crate::{plugins::ehsm::client::EhsmKmsClient, Decrypter, Encrypter};

 #[ignore]
 #[tokio::test]
diff --git a/confidential-data-hub/hub/src/kms/plugins/ehsm/credential.rs b/confidential-data-hub/kms/src/plugins/ehsm/credential.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/ehsm/credential.rs
rename to confidential-data-hub/kms/src/plugins/ehsm/credential.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json b/confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json
rename to confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json
diff --git a/confidential-data-hub/hub/src/kms/plugins/ehsm/mod.rs b/confidential-data-hub/kms/src/plugins/ehsm/mod.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/ehsm/mod.rs
rename to confidential-data-hub/kms/src/plugins/ehsm/mod.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs b/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
similarity index 98%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs
rename to confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
index 2e8e77052..222edd03f 100644
--- a/confidential-data-hub/hub/src/kms/plugins/kbs/cc_kbc.rs
+++ b/confidential-data-hub/kms/src/plugins/kbs/cc_kbc.rs
@@ -13,7 +13,7 @@ use kbs_protocol::{
 };
 use log::{info, warn};

-use super::{Error, Result};
+use crate::{Error, Result};

 use super::Kbc;
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/mod.rs
similarity index 98%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs
rename to confidential-data-hub/kms/src/plugins/kbs/mod.rs
index 91c593d41..6d95f0b36 100644
--- a/confidential-data-hub/hub/src/kms/plugins/kbs/mod.rs
+++ b/confidential-data-hub/kms/src/plugins/kbs/mod.rs
@@ -20,7 +20,7 @@ use attestation_agent::config::aa_kbc_params::AaKbcParams;
 pub use resource_uri::ResourceUri;
 use tokio::sync::Mutex;

-use crate::kms::{Annotations, Error, Getter, Result};
+use crate::{Annotations, Error, Getter, Result};

 enum RealClient {
 #[cfg(feature = "kbs")]
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs b/confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs
similarity index 96%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs
rename to confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs
index e0d5316dc..6e7907908 100644
--- a/confidential-data-hub/hub/src/kms/plugins/kbs/offline_fs.rs
+++ b/confidential-data-hub/kms/src/plugins/kbs/offline_fs.rs
@@ -12,8 +12,9 @@ use log::warn;
 use resource_uri::ResourceUri;
 use tokio::fs;

+use crate::{Error, Result};
+
 use super::Kbc;
-use super::{Error, Result};

 const KEYS_PATH: &str = "/etc/aa-offline_fs_kbc-keys.json";
 const RESOURCES_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
@@ -81,7 +82,7 @@ mod tests {
 use resource_uri::ResourceUri;
 use rstest::rstest;

-use crate::kms::plugins::kbs::{offline_fs::OfflineFsKbc, Kbc};
+use crate::plugins::kbs::{offline_fs::OfflineFsKbc, Kbc};

 #[rstest]
 #[tokio::test]
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/sev/client.rs b/confidential-data-hub/kms/src/plugins/kbs/sev/client.rs
similarity index 99%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/sev/client.rs
rename to confidential-data-hub/kms/src/plugins/kbs/sev/client.rs
index 5b4e6fb8d..579a170b0 100644
--- a/confidential-data-hub/hub/src/kms/plugins/kbs/sev/client.rs
+++ b/confidential-data-hub/kms/src/plugins/kbs/sev/client.rs
@@ -17,7 +17,7 @@ use tonic::transport::Uri;
 use uuid::Uuid;
 use zeroize::Zeroizing;

-use crate::kms::{plugins::kbs::Kbc, Error, Result};
+use crate::{plugins::kbs::Kbc, Error, Result};

 use super::keybroker::{
 key_broker_service_client::KeyBrokerServiceClient, OnlineSecretRequest, RequestDetails,
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/sev/keybroker.rs b/confidential-data-hub/kms/src/plugins/kbs/sev/keybroker.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/sev/keybroker.rs
rename to confidential-data-hub/kms/src/plugins/kbs/sev/keybroker.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/sev/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/sev/mod.rs
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/sev/mod.rs
rename to confidential-data-hub/kms/src/plugins/kbs/sev/mod.rs
diff --git a/confidential-data-hub/hub/src/kms/plugins/kbs/sev/protos/getsecret.proto b/confidential-data-hub/kms/src/plugins/kbs/sev/protos/getsecret.proto
similarity index 100%
rename from confidential-data-hub/hub/src/kms/plugins/kbs/sev/protos/getsecret.proto
rename to confidential-data-hub/kms/src/plugins/kbs/sev/protos/getsecret.proto
diff --git a/confidential-data-hub/hub/src/kms/plugins/mod.rs b/confidential-data-hub/kms/src/plugins/mod.rs
similarity index 97%
rename from confidential-data-hub/hub/src/kms/plugins/mod.rs
rename to confidential-data-hub/kms/src/plugins/mod.rs
index 5f65badfb..280f59070 100644
--- a/confidential-data-hub/hub/src/kms/plugins/mod.rs
+++ b/confidential-data-hub/kms/src/plugins/mod.rs
@@ -7,7 +7,7 @@ use std::str::FromStr;
 use strum::{AsRefStr, EnumString};

-use super::{Decrypter, Error, Getter, ProviderSettings, Result};
+use crate::{Decrypter, Error, Getter, ProviderSettings, Result};

 const _IN_GUEST_DEFAULT_KEY_PATH: &str = "/run/confidential-containers/cdh/kms-credential";