config: config tweaks for EAR
Since we validate Ear tokens using our JWT verifier, there are not many
changes required in our test configs.

Since we have a JWT, we don't have to add a new keypair for EAR tokens.
This means that we're keeping the same parameters as the simple tokens.
By default, the provenance of the JWT is not verified.

In a future PR, we should think about creating a more secure default
configuration but that is orthogonal to the EAR work.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
fitzthum committed Nov 27, 2024
1 parent ad5d9d4 commit ace170a
Showing 6 changed files with 18 additions and 22 deletions.
18 changes: 9 additions & 9 deletions attestation-service/docs/config.md
@@ -18,16 +18,16 @@ section:
| `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` |
| `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` |
| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - |
| `attestation_token_broker` | String | Type of the attestation result token broker. Valid values: `Simple` | False | `Simple` |
| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | False | - |
| `attestation_token_broker` | [AttestationTokeBroker][1] | Attestation result token configuration. | False | - |

[1]: #attestationtokenconfig
[2]: #rvps-configuration

#### AttestationTokenConfig
#### AttestationTokenBroker

| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `type` | String | Type of token to issue (Ear or Simple) | No | `Ear` |
| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` |
| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`|
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None |
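Review bot: the new `attestation_token_broker` row's type column reads `[AttestationTokeBroker][1]` (missing the `n` in `Token`), and the reference it uses, `[1]: #attestationtokenconfig`, still targets the old heading even though the heading in this same hunk is renamed to `#### AttestationTokenBroker`, so the link no longer resolves; rename the reference target to `#attestationtokenbroker` (the `signer` row's `[TokenSignerConfig][1]` shares that reference, so it should point wherever the signer table actually lives). While here, the context row `Issure name of the attestation result token.` could be corrected to `Issuer name`.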
@@ -97,8 +97,8 @@ Running with a built-in RVPS:
"file_path": "/var/lib/attestation-service/reference-values"
}
},
"attestation_token_broker": "Simple",
"attestation_token_config": {
"attestation_token_broker": {
"type": "Ear",
"duration_min": 5
}
}
@@ -114,8 +114,8 @@ Running with a remote RVPS:
"type": "GrpcRemote",
"address": "127.0.0.1:50003"
},
"attestation_token_broker": "Simple",
"attestation_token_config": {
"attestation_token_broker": {
"type": "Ear",
"duration_min": 5
}
}
@@ -131,8 +131,8 @@ Configurations for token signer
"type": "GrpcRemote",
"address": "127.0.0.1:50003"
},
"attestation_token_broker": "Simple",
"attestation_token_config": {
"attestation_token_broker": {
"type": "Ear",
"duration_min": 5,
"issuer_name": "some-body",
"signer": {
1 change: 1 addition & 0 deletions attestation-service/src/config.rs
@@ -63,6 +63,7 @@ impl TryFrom<&Path> for Config {
/// "remote_addr": ""
/// },
/// "attestation_token_broker": {
/// "type": "Ear",
/// "duration_min": 5
/// }
/// }
8 changes: 2 additions & 6 deletions kbs/config/as-config.json
@@ -7,10 +7,6 @@
},
"attestation_token_broker": {
"type": "Ear",
"duration_min": 5,
"signer": {
"key_path":"/opt/confidential-containers/attestation-service/keys/private_key.pem"

}
"duration_min": 5
}
}
}
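Review bot: this hunk drops the `signer` block with its `key_path` from the default KBS-side AS config, so the token broker no longer has an explicitly configured signing key in the shipped configuration. The commit message acknowledges that a more secure default is deferred, but the `signer` property is documented in the `AttestationTokenBroker` table in this same commit; since JSON carries no comments, consider adding a line to the KBS docs next to this config stating that `signer` should be set for any deployment where relying parties must verify token provenance, so the weaker default is an explicit choice rather than an accident of copying the sample file.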
5 changes: 2 additions & 3 deletions kbs/config/kubernetes/base/as-config.json
@@ -1,8 +1,7 @@
{
"work_dir": "/opt/confidential-containers/attestation-service",
"policy_engine": "opa",
"attestation_token_broker": "Simple",
"attestation_token_config": {
"attestation_token_broker": {
"type": "Ear",
"duration_min": 5
}
}
6 changes: 3 additions & 3 deletions kbs/docs/config.md
@@ -86,17 +86,17 @@ When `type` is set to `coco_as_builtin`, the following properties can be set.
| `work_dir` | String | The location for Attestation Service to store data. | First try from env `AS_WORK_DIR`. If no this env, then use `/opt/confidential-containers/attestation-service` |
| `policy_engine` | String | Policy engine type. Valid values: `opa` | `opa` |
| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] |
| `attestation_token_broker` | String | Type of the attestation result token broker. | `Simple` |
| `attestation_token_config` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] |
| `attestation_token_broker` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] |

[1]: #attestationtokenconfig
[2]: #rvps-configuration


##### AttestationTokenConfig
##### AttestationTokenBroker

| Property | Type | Description | Default |
|----------------|-------------------------|------------------------------------------------------|----------|
| `type` | String | Type of token to generate (Ear or simple) | Ear |
| `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 |
| `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` |
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None |
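Review bot: same stale-link problem as the attestation-service docs: the heading is renamed to `##### AttestationTokenBroker` but the new row still says `[AttestationTokenConfig][1]` and the reference `[1]: #attestationtokenconfig` is unchanged, so the name in the table no longer matches the heading and the anchor no longer resolves; rename the row's type to `[AttestationTokenBroker][1]` and the reference to `#attestationtokenbroker`. The new `type` row also writes the values as `Ear or simple` while the attestation-service table in this commit writes `Ear or Simple`; the two should agree on the casing the config parser actually accepts. `Issure name` in the context row is a pre-existing typo for `Issuer name`.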
2 changes: 1 addition & 1 deletion kbs/quickstart.md
@@ -247,7 +247,7 @@ Adding the following content to the config file of Resource KBS to specify trust
or JWK set which are used to verify the trustworthy of the Attestation Token:

```toml
[attestation_token_config]
[attestation_token_broker]
# Path of root certificate used to verify the trustworthy of `x5c` extension in the JWT
trusted_certs_paths = ["/path/to/trusted_cacert.pem"]

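Review bot: this renames the section in the Resource KBS config file (the context says this snippet goes into the KBS config to verify the Attestation Token's trustworthiness), yet every other file in this commit changes the Attestation Service's `attestation_token_broker` key, and nothing here touches the KBS token verifier's config parsing. Please confirm that the KBS side actually reads `trusted_certs_paths` from a `[attestation_token_broker]` table; if the verifier still expects `[attestation_token_config]`, this change points quickstart users at a section the KBS ignores, and the `trusted_certs_paths` setting would silently not apply.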

0 comments on commit ace170a