From cb0274212c72754cee086c423984d20ad54fc4b0 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Fri, 31 Mar 2023 15:32:50 +0200 Subject: [PATCH] podvm: Start Attestation Agent as Systemd Unit fixes #773 - Add Attestation Agent process in podns namespace - Move netns mgmt into its own unit - Add docs for secure key release at runtime Signed-off-by: Magnus Kulke --- docs/runtime-key-release.md | 21 +++++++++++++++++++ podvm/Makefile.inc | 5 ++--- .../systemd/system/attestation-agent.service | 13 ++++++++++++ .../etc/systemd/system/kata-agent.service | 6 ++---- .../attestation-agent.service | 1 + podvm/files/etc/systemd/system/netns@.service | 6 ++++++ 6 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 docs/runtime-key-release.md create mode 100644 podvm/files/etc/systemd/system/attestation-agent.service create mode 120000 podvm/files/etc/systemd/system/multi-user.target.wants/attestation-agent.service create mode 100644 podvm/files/etc/systemd/system/netns@.service diff --git a/docs/runtime-key-release.md b/docs/runtime-key-release.md new file mode 100644 index 000000000..49ee93ace --- /dev/null +++ b/docs/runtime-key-release.md 
@@ -0,0 +1,21 @@ +# Secure Key Release at Runtime + +To request a key at runtime a Pod can invoke a local Key Broker Client (KBC) implemented in [Attestation Agent](https://github.com/confidential-containers/attestation-agent) (AA). An instance of AA is available as gRPC endpoint in the Pod's network namespace on port `50001`. Depending on the KBC implementation this might trigger a remote attestation exchange with an external [Key Broker Service](https://github.com/confidential-containers/kbs) (KBS). + + +## Example + +The following code is supposed to run in a Peer Pod. It downloads a grpcurl binary, the respective proto files for the gRPC service, and triggers a request to retrieve a key. The example below is using an external KBS via the `cc_kbc` KBC implementation. + +```bash +wget https://github.com/fullstorydev/grpcurl/releases/download/v1.8.7/grpcurl_1.8.7_linux_x86_64.tar.gz -O grpcurl.tar.gz +tar -xvf grpcurl.tar.gz +wget https://raw.githubusercontent.com/confidential-containers/attestation-agent/main/protos/getresource.proto -O aa.proto +./grpcurl -proto aa.proto -plaintext -d @ localhost:50001 getresource.GetResourceService.GetResource <
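Review bot: the example in docs/runtime-key-release.md fetches `getresource.proto` from the `main` branch of attestation-agent and the grpcurl tarball from GitHub releases with no integrity check, so the proto can drift from the AA build actually shipped in the podvm and the downloaded binary is unverified; pin the proto URL to the AA tag the podvm is built against and add a sha256 comparison after the `wget` of `grpcurl.tar.gz`. The doc should also make the trust boundary explicit that "available as gRPC endpoint in the Pod's network namespace on port `50001`" together with `-plaintext` implies: any process in any container of the Pod can call `GetResource`, and the local transport is unauthenticated, so key release is scoped to the Pod as a whole rather than to one container; a sentence to that effect after the first paragraph would help readers deciding what to co-locate with a workload. Minor wording: "is supposed to run in a Peer Pod" reads better as "is intended to run in a Peer Pod".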