Revert "cdh: move kms crate to cdh module"

We use the KMS crate outside of the guest-components. Specifically, we
use some of this functionality in Trustee as part of resource backends
that use KMSes.

We could potentially adjust Trustee to import the CDH and use the KMSes
from there, but Trustee doesn't need anything else from the CDH.

It probably does make sense to have the KMS logic in its own crate,
hence revert the change that brough it into the CDH.

This reverts commit 3ab8129.

Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>

Author: fitzthum

.github/workflows/cdh_basic.yml

@@ -73,13 +73,13 @@ jobs:
 
       - name: Run cargo test
         run: |
-          sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p confidential-data-hub
+          sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub
 
       - name: Run cargo fmt check
         run: |
-          sudo -E PATH=$PATH -s cargo fmt -p confidential-data-hub -- --check
+          sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -- --check
 
       - name: Run rust lint check
         run: |
           # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now
-          sudo -E PATH=$PATH -s cargo clippy -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq 
+          sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -- -D warnings -A clippy::derive-partial-eq-without-eq 

Cargo.lock

@@ -11,6 +11,7 @@ members = [
     "attestation-agent/deps/sev",
     "attestation-agent/coco_keyprovider",
     "confidential-data-hub/hub",
+    "confidential-data-hub/kms",
     "image-rs",
     "ocicrypt-rs",
 ]

Cargo.toml

@@ -56,17 +56,17 @@ Else if `client_type` is set to 'sts_token', provider_settings shall be as follo
 ### Credential files
 
 To connect to a KMS instance with `client_type` set to 'client_key', a client key is needed. A client key is actually
-[an json with encrypted inside](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json)
+[an json with encrypted inside](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/clientKey_KAAP.f4c8____.json)
 private key. The name of the client key is always derived from the client key id. Suppose the
 client key ID is `xxx`, then the client key file has name `clientKey_xxx.json`. The key to encrypt
-the private key is derived from a password that is also saved in [a file](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json).
+the private key is derived from a password that is also saved in [a file](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/password_KAAP.f4c8____.json).
 Suppose the client key ID is `xxx`, then the password file has name `password_xxx.json`.
-Besides, [a cert of the KMS server](../../hub/src/kms/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem)
+Besides, [a cert of the KMS server](../../kms/src/plugins/aliyun/client/client_key_client/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem)
 is also needed. Suppose the kms instance id is `xxx`, then the cert of the KMS server has name `PrivateKmsCA_xxx.pem`.
 
 For more details please see the [developer document for aliyun](https://www.alibabacloud.com/help/en/key-management-service/latest/api-overview).
 
-To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../hub/src/kms/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json) file is needed.
+To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../kms/src/plugins/aliyun/client/ecs_ram_role_client/example_credential/ecsRamRole.json) file is needed.
 In the json file, `ecs_ram_role_name` and `region_id` is set in order to get access to Dedicated KMS.
 Among them，`ecs_ram_role_name` refer to RAM role for ECS instances in a VPC network, where CDH runs. Can be set on Aliyun Console.
 And `region_id` refers to region id of Dedicated KMS, to which more details can be refered [here](https://www.alibabacloud.com/help/en/kms/product-overview/supported-regions).

confidential-data-hub/docs/kms-providers/alibaba.md

@@ -28,7 +28,7 @@ The `annotations` should be set empty.
 ### Credential files
 
 To connect to a KMS instance, a credential file is needed. A credential file is actually
-[an json file with app_id and api_key](../../hub/src/kms/plugins/ehsm/example_credential/credential.4eb1____.json). 
+[an json file with app_id and api_key](../../kms/src/plugins/ehsm/example_credential/credential.4eb1____.json). 
 The name of the credential file is always derived from the app id. Suppose the
 App ID is `xxx`, then the credential file has name `credential.xxx.json`.
 

confidential-data-hub/docs/kms-providers/ehsm-kms.md

@@ -35,38 +35,22 @@ required-features = ["cli"]
 [dependencies]
 anyhow = { workspace = true, optional = true }
 async-trait.workspace = true
-attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false }
+attestation-agent = { path = "../../attestation-agent/attestation-agent", default-features = false, optional = true }
 base64.workspace = true
-bincode = { workspace = true, optional = true }
 cfg-if.workspace = true
-chrono = { workspace = true, optional = true }
-clap = { workspace = true, features = ["derive"], optional = true }
-config.workspace = true
-const_format.workspace = true
+clap = { workspace = true, features = [ "derive" ], optional = true }
+config = { workspace = true, optional = true }
 crypto.path = "../../attestation-agent/deps/crypto"
-ehsm_client = { git = "https://github.com/intel/ehsm", rev = "3454cac66b968a593c3edc43410c0b52416bbd3e", optional = true }
 env_logger = { workspace = true, optional = true }
-hex = { workspace = true, optional = true }
-image-rs = { path = "../../image-rs", default-features = false, features = [
-    "kata-cc-rustls-tls",
-] }
-kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = [
-    "passport",
-    "aa_ttrpc",
-    "openssl",
-], optional = true }
+image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
+kms = { path = "../kms", default-features = false }
 log.workspace = true
-p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 rand.workspace = true
-reqwest = { workspace = true, optional = true }
 resource_uri.path = "../../attestation-agent/deps/resource_uri"
-ring = "0.17"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
-sev = { path = "../../attestation-agent/deps/sev", optional = true }
-sha2 = { workspace = true, optional = true }
 strum = { workspace = true, features = ["derive"] }
 tempfile = { workspace = true, optional = true }
 thiserror.workspace = true
@@ -78,17 +62,13 @@ tokio = { workspace = true, features = [
     "rt-multi-thread",
     "sync",
 ] }
-toml.workspace = true
 tonic = { workspace = true, optional = true }
 ttrpc = { workspace = true, features = ["async"], optional = true }
-url = { workspace = true, optional = true }
-uuid = { workspace = true, features = ["serde", "v4"], optional = true }
-yasna = { version = "0.5.2", optional = true }
 zeroize.workspace = true
 
 [build-dependencies]
 anyhow.workspace = true
-tonic-build.workspace = true
+tonic-build = { workspace = true, optional = true }
 ttrpc-codegen = { workspace = true, optional = true }
 
 [dev-dependencies]
@@ -104,34 +84,21 @@ tokio = { workspace = true, features = ["rt", "macros"] }
 default = ["aliyun", "kbs", "bin", "ttrpc", "grpc", "cli"]
 
 # support aliyun stacks (KMS, ..)
-aliyun = [
-    "anyhow",
-    "chrono",
-    "hex",
-    "p12",
-    "prost",
-    "reqwest/rustls-tls",
-    "sha2",
-    "serde",
-    "tempfile",
-    "tonic",
-    "url",
-    "yasna",
-]
+aliyun = ["tempfile"]
 
 # support coco-KBS to provide confidential resources
-kbs = ["kbs_protocol"]
+kbs = ["kms/kbs"]
 
 # support sev to provide confidential resources
-sev = ["bincode", "dep:sev", "prost", "tonic", "uuid"]
+sev = ["kms/sev"]
 
 # support eHSM stacks (KMS, ...)
-ehsm = ["ehsm_client"]
+ehsm = []
 
 # Binary RPC type
-bin = ["anyhow", "clap", "env_logger", "serde"]
+bin = [ "anyhow", "attestation-agent", "clap", "config", "env_logger", "serde" ]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
-grpc = ["prost", "tonic", "tokio/signal"]
+grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
 
 # for secret_cli
 cli = ["clap/derive", "tokio/rt-multi-thread", "tokio/sync", "tokio/macros"]

confidential-data-hub/hub/Cargo.toml

@@ -4,22 +4,6 @@
 //
 
 fn main() {
-    #[cfg(feature = "aliyun")]
-    tonic_build::compile_protos(
-        "./src/kms/plugins/aliyun/client/client_key_client/protobuf/dkms_api.proto",
-    )
-    .expect("Generate aliyun protocol code failed.");
-
-    #[cfg(feature = "sev")]
-    tonic_build::configure()
-        .build_server(true)
-        .out_dir("./src/kms/plugins/kbs/sev")
-        .compile_protos(
-            &["./src/kms/plugins/kbs/sev/protos/getsecret.proto"],
-            &["./src/kms/plugins/kbs/sev/protos"],
-        )
-        .expect("Generate sev protocol code failed.");
-
     #[cfg(feature = "grpc")]
     {
         tonic_build::configure()

confidential-data-hub/hub/build.rs

@@ -8,10 +8,10 @@
 
 use std::path::PathBuf;
 
+use kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use log::debug;
 use tokio::fs;
 
-use crate::kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use crate::{hub::Hub, Error, Result};
 
 /// This directory is used to store all the kbs resources get by CDH's init

confidential-data-hub/hub/src/auth/kbs.rs

@@ -7,17 +7,16 @@ use std::{env, path::Path};
 
 use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{command, Args, Parser, Subcommand};
-#[cfg(feature = "aliyun")]
-use confidential_data_hub::kms::plugins::aliyun::AliyunKmsClient;
-#[cfg(feature = "ehsm")]
-use confidential_data_hub::kms::plugins::ehsm::EhsmKmsClient;
-use confidential_data_hub::kms::{Encrypter, ProviderSettings};
 use confidential_data_hub::secret::{
     layout::{envelope::EnvelopeSecret, vault::VaultSecret},
     Secret, SecretContent, VERSION,
 };
-
 use crypto::WrapType;
+#[cfg(feature = "aliyun")]
+use kms::plugins::aliyun::AliyunKmsClient;
+#[cfg(feature = "ehsm")]
+use kms::plugins::ehsm::EhsmKmsClient;
+use kms::{Encrypter, ProviderSettings};
 use rand::Rng;
 #[cfg(feature = "ehsm")]
 use serde_json::Value;

confidential-data-hub/hub/src/bin/secret_cli.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-use crate::{image, kms, secret, storage};
+use crate::{image, secret, storage};
 use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, Error>;