-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kbs key release rework #2055
base: main
Are you sure you want to change the base?
Kbs key release rework #2055
Conversation
c2e9679
to
4ff368e
Compare
Hi @stevenhorsman ! Could you do me a favor? I need the following change to be able to install kbs on my environment (Fedora); according to
|
Sure - we use |
I also attempted to reduce the brittleness of kbs-related tests and ended up with
this test will only acquire a kbs token that could be used to retrieve secrets, but it actually doesn't retrieve any, so we don't have to bother about secret provisioning, but it'll still cover einitdata, cc_kbc configuration and remote attestation. |
Cool - I knew I'd seen a PR from you updating this code recently, but couldn't find it. It feels like that test is mostly a subset of the testing of |
well. it does require KBS to be deployed, since this is the remote party of the remote attestation. what it doesn't need is actual secrets to be copied around and asserted. |
But the KBS doesn't need to be deployed by our test code for this test, just the KBS endpoint supplied as an envvar? |
it does need to be deployed, otherwise it wouldn't be able to test remote attestation. what the test doesn't bother with is secrets. kbs is actually 2 services (logically, since you can run them in a single instance). a token-kbs and a resource-kbs, the token-kbs does the remote attestation, hands out a token, and using this token you can go to resource-kbs to get the secret. that's why the cdh config has seemingly redundant kbs url entries. in a real deployment you might want token-kbs and resource-kbs to be different systems. |
8372526
to
bc6e1da
Compare
d2fa94b
to
c2816d2
Compare
c2816d2
to
86b481d
Compare
86b481d
to
5fcd43e
Compare
- In `NewKeyBrokerService` we create a default secret in `reponame/workload_key/key.bin` as the KBS needs at least one secret to start - In `SetSampleSecretKey` we are then resetting a resource in the same path, which causes an error ``` Set secret failed: write local fs ``` I guess as the kbs process owns that directory. - Update the code to set a new secret for each test and use a different path to prevent this clash Signed-off-by: stevenhorsman <[email protected]>
…cKey Now the `DoTestKbsKeyRelease` test can have customised secret and resource path, we can re-use it for the trustee test Signed-off-by: stevenhorsman <[email protected]>
7f57dae
to
cbd5923
Compare
We have had an issue where the secret key setting wasn't working and throwing errors and we just ignored it. To help with debugging we should be responding to errors rather than just ignoring them. Signed-off-by: stevenhorsman <[email protected]>
- Trace out the test command being run for debug - Remove unnecessary double if check Signed-off-by: stevenhorsman <[email protected]>
cbd5923
to
8992278
Compare
The KbsKeyRelease tests have had errors setting the secret key, which are revealed when trace is on:
I believe this is base the
reponame/workload_key
directory is created by the KBS at start-up, so it owns the resource. It also leads to error is the KBS log:which isn't helpful when debugging.
This PR changes the secret to be in a different directory and also does some refactoring so that a more dynamic secret can be set to avoid use finding errors late and reduce duplication.