Use attested-tls-proxy rather than cvm-reverse-proxy on Buildernet

mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf → mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf

@@ -8,8 +8,10 @@ After=tpm2.target
 ExecStartPre=+/usr/bin/chmod 440 /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStartPre=+/usr/bin/chown root:tss /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
-  --listen-addr=localhost:7937 \
-  --target-addr=${BUILDERNET_BUILDERHUB_URL} \
+ExecStart=/usr/bin/attested-tls-proxy client \
+  --listen-addr 127.0.0.1:7937 \
   --client-attestation-type azure-tdx \
-  --server-attestation-type none
+  --allowed-remote-attestation-type none \
+  --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+  --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+  ${BUILDERNET_BUILDERHUB_URL}

mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf

@@ -0,0 +1,9 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy server \
+  --listen-addr 0.0.0.0:7936 \
+  --server-attestation-type azure-tdx \
+  --allowed-remote-attestation-type none \
+  --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+  --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+  127.0.0.1:14727

mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf

@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy client \
+  --listen-addr 127.0.0.1:7937 \
+  --client-attestation-type dcap-tdx
+  --allowed-remote-attestation-type none \
+  --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+  --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+  ${BUILDERNET_BUILDERHUB_URL} \
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report

mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf

@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy-server \
+  --listen-addr 0.0.0.0:7936 \
+  --server-attestation-type dcap-tdx \
+  --allowed-remote-attestation-type none \
+  --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+  --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+  127.0.0.1:14727
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report

mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+EXPECTED_SHA256="815d6734ac2f78ea7e9e12b02efa8f9b0b3b283e07f898ebf90ede6910eb1843"
+curl -sSfL https://github.com/flashbots/attested-tls-proxy/releases/download/vtest00/attested-tls-proxy_1.vtest00_amd64.deb -o $PACKAGEDIR/attested-tls-proxy.deb
+echo "${EXPECTED_SHA256}" $PACKAGEDIR/attested-tls-proxy.deb | sha256sum --check

mkosi.images/buildernet/mkosi.conf

@@ -12,6 +12,7 @@ Packages=cryptsetup
          curl
          haproxy
          jq
+         libtss2-dev
          openssh-server
          prometheus-node-exporter
          rclone

mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh

@@ -10,3 +10,8 @@ ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/operator-api/c
 chmod 660 /var/lib/persistent/haproxy/certs/*.pem
 chown haproxy:haproxy /var/lib/persistent/haproxy/certs/*.pem
 systemctl reload haproxy.service
+
+# Copy the certificate and private key for use by attested-tls-proxy
+install -D -m 600 --owner=attested-tls-proxy --group=attested-tls-proxy \
+  "$PRIV_KEY" /var/lib/persistent/attested-tls-proxy/key.pem
+ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/attested-tls-proxy/cert.pem

mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service → mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service

@@ -1,6 +1,6 @@
 [Unit]
 DefaultDependencies=no
-Description=CVM Reverse Proxy client
+Description=Attested TLS Proxy client
 Wants=network-online.target
 After=network.target network-online.target
 
@@ -9,10 +9,11 @@ Type=exec
 DynamicUser=yes
 SupplementaryGroups=tss
 Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
-  --listen-addr=localhost:7937 \
-  --target-addr=${BUILDERNET_BUILDERHUB_URL} \
-  --server-attestation-type none
+ExecStart=/usr/bin/attested-tls-proxy client \
+  --listen-addr 127.0.0.1:7937 \
+  --allowed-remote-attestation-type none \
+  --client-attestation-type auto \
+  ${BUILDERNET_BUILDERHUB_URL}
 Restart=on-failure
 
 [Install]

mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Attested TLS Proxy server
+Wants=network-online.target
+After=network.target network-online.target acme-le.service
+
+[Service]
+Type=exec
+DynamicUser=yes
+SupplementaryGroups=tss
+ExecStart=/usr/bin/attested-tls-proxy server \
+  --listen-addr 0.0.0.0:7936 \
+  --allowed-remote-attestation-type none \
+  --server-attestation-type auto \
+  --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+  --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+  127.0.0.1:14727
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service

@@ -1,8 +1,8 @@
 [Unit]
 DefaultDependencies=no
 Description=Pull and render configs from BuilderHub
-Wants=network-online.target cvm-reverse-proxy-client.service
-After=network.target network-online.target cvm-reverse-proxy-client.service
+Wants=network-online.target attested-tls-proxy-client.service
+After=network.target network-online.target attested-tls-proxy-client.service
 
 [Service]
 Type=oneshot

mkosi.images/buildernet/mkosi.postinst

@@ -16,7 +16,7 @@ for var in "${!BUILDERNET_@}"; do
       replace_underscore_template "$BUILDROOT/etc/systemd/system/persistent-setup.service" "${!var}"
       ;;
     BUILDERNET_BUILDERHUB_URL)
-      replace_underscore_template "$BUILDROOT/etc/systemd/system/cvm-reverse-proxy-client.service" "${!var}"
+      replace_underscore_template "$BUILDROOT/etc/systemd/system/attested-tls-proxy-client.service" "${!var}"
       ;;
     BUILDERNET_SSH_PUBLIC_KEY)
       replace_underscore_template "$BUILDROOT/home/bnet/.ssh/authorized_keys" "${!var}"