Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the interaction between AA and CDH #868

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Update the interaction between AA and CDH #868

wants to merge 3 commits into from
+138 −27

Conversation

Xynnn007
Copy link
Member

@Xynnn007 Xynnn007 commented Jan 6, 2025
edited
Loading

Let CDH get evidence rather than token from AA when doing get_resource based on RCAR.

@Xynnn007
Cargo.toml: format the toml file
c018b51 
Signed-off-by: Xynnn007 <[email protected]>
@Xynnn007
AA/kbs_protocol: rename feature name aa_token to aa_ttrpc
3f168cc 
This feature enables dependencies to leverage ttrpc capabilities to
connect to AA via ttrpc, thus `aa_ttrpc` is a better name for future
extension.

Signed-off-by: Xynnn007 <[email protected]>
@Xynnn007
AA/kbs_protocol: add AAEvidenceProvider
198e196 
AAEvidenceProvider gets evidence via ttrpc from AA. This patch also does
some refactoring upon the code structure of ttrpc to avoid duplication
of ttrpc files.

Signed-off-by: Xynnn007 <[email protected]>
@Xynnn007 Xynnn007 requested a review from a team as a code owner January 6, 2025 07:55
@Xynnn007 Xynnn007 marked this pull request as draft January 6, 2025 07:57
@Xynnn007 Xynnn007 marked this pull request as ready for review January 7, 2025 01:43
mkulke
mkulke reviewed Jan 7, 2025
View reviewed changes
Copy link
Contributor

@mkulke mkulke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After this commit, only CDH will access the KBS.

This change will require the KBS that does RCAR and stores resource be
the same in CoCo, s.t. background check model. which is up to now
nearly all the deployments we have met.

This will not break the passport model because kbs_protocol crate still
provides a way for developers to integrate either passport model or
background check model in their own code.

Will coco deployments that provide individual resource-kbs and token-kbs's still work after this change?

If not, what would a user have to do to enable such a deployment?

@fitzthum
Copy link
Member

fitzthum commented Jan 7, 2025

So the key use case here is running multiple CDHs? Maybe we should have a discussion about supporting multi-KBS deployments more generally. I think we should try to have a standard way to enable multi-kbs workloads once init-data is supported.

@Xynnn007
Copy link
Member Author

Xynnn007 commented Jan 8, 2025

Ok. Currently CoCo deployments does not support the scenario where token-KBS and resource-KBS are different as they both are specified with aa_kbc_params.

The concrete case is for scenarios beyond CoCo:

  1. Running AA as a daemon
  2. Use one-shot CDH to connect to different KBS each time

Let me only leave the commits that add AAEvidenceProvider. And we can go back to the interaction to KBS problem then.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkulke mkulke mkulke left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Xynnn007 @fitzthum @mkulke