Skip to content

Commit

Permalink
KMS signing support: new structs
Browse files Browse the repository at this point in the history 
Signed-off-by: Eugene Koira <[email protected]>
  • Loading branch information
@eugkoira
eugkoira committed Apr 15, 2024
1 parent d8bb682 commit 1ce640c
Show file tree
Hide file tree
Showing 6 changed files with 93 additions and 102 deletions.
3 changes: 3 additions & 0 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ vsock = "0.3"
vmm-sys-util = "0.12.1"
sha2 = "0.9.5"
hex = "0.4"
aws-config = "0.55"
tokio = { version = "1.20", features = ["rt-multi-thread"] }
aws-types = "0.55"

lazy_static = "1.4.0"

Expand Down
29 changes: 13 additions & 16 deletions enclave_build/src/lib.rs
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2019-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
#![allow(clippy::too_many_arguments)]

Expand All @@ -12,7 +12,7 @@ mod yaml_generator;

use aws_nitro_enclaves_image_format::defs::{EifBuildInfo, EifIdentityInfo, EIF_HDR_ARCH_ARM64};
use aws_nitro_enclaves_image_format::utils::identity::parse_custom_metadata;
use aws_nitro_enclaves_image_format::utils::{EifBuilder, SignEnclaveInfo};
use aws_nitro_enclaves_image_format::utils::{EifBuilder, SignKeyData, SignKeyDataInfo};
use docker::DockerUtil;
use serde_json::json;
use sha2::Digest;
Expand All @@ -31,7 +31,7 @@ pub struct Docker2Eif<'a> {
linuxkit_path: String,
artifacts_prefix: String,
output: &'a mut File,
sign_info: Option<SignEnclaveInfo>,
sign_info: Option<SignKeyDataInfo>,
img_name: Option<String>,
img_version: Option<String>,
metadata_path: Option<String>,
Expand Down Expand Up @@ -68,8 +68,7 @@ impl<'a> Docker2Eif<'a> {
linuxkit_path: String,
output: &'a mut File,
artifacts_prefix: String,
certificate_path: &Option<String>,
key_path: &Option<String>,
sign_info: &Option<SignKeyDataInfo>,
img_name: Option<String>,
img_version: Option<String>,
metadata_path: Option<String>,
Expand Down Expand Up @@ -98,15 +97,6 @@ impl<'a> Docker2Eif<'a> {
}
}

let sign_info = match (certificate_path, key_path) {
(None, None) => None,
(Some(cert_path), Some(key_path)) => Some(
SignEnclaveInfo::new(cert_path, key_path)
.map_err(|err| Docker2EifError::SignImageError(format!("{err:?}")))?,
),
_ => return Err(Docker2EifError::SignArgsError),
};

Ok(Docker2Eif {
docker_image,
docker,
Expand All @@ -117,7 +107,7 @@ impl<'a> Docker2Eif<'a> {
linuxkit_path,
output,
artifacts_prefix,
sign_info,
sign_info: sign_info.clone(),
img_name,
img_version,
metadata_path,
Expand Down Expand Up @@ -275,10 +265,17 @@ impl<'a> Docker2Eif<'a> {
_ => return Err(Docker2EifError::UnsupportedArchError),
};

let sign_data = self
.sign_info
.as_ref()
.map(|info| SignKeyData::new(info))
.transpose()
.map_err(|err| Docker2EifError::SignImageError(format!("{:?}", err)))?;

let mut build = EifBuilder::new(
Path::new(&self.kernel_img_path),
self.cmdline.clone(),
self.sign_info.clone(),
sign_data,
sha2::Sha384::new(),
flags,
self.generate_identity_info()?,
Expand Down
15 changes: 12 additions & 3 deletions enclave_build/src/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,10 @@
use clap::{App, AppSettings, Arg};
use std::fs::OpenOptions;

use aws_nitro_enclaves_image_format::generate_build_info;
use aws_nitro_enclaves_image_format::{
generate_build_info,
utils::{SignKeyDataInfo, SignKeyInfo},
};
use enclave_build::Docker2Eif;

fn main() {
Expand Down Expand Up @@ -148,6 +151,13 @@ fn main() {
.open(output)
.expect("Failed to create output file");

let sign_info = signing_certificate.as_ref().map(|cert| SignKeyDataInfo {
cert_path: cert.to_string(),
key_info: SignKeyInfo::LocalPrivateKeyInfo {
path: private_key.unwrap(),
},
});

let mut img = Docker2Eif::new(
docker_image.to_string(),
init_path.to_string(),
Expand All @@ -157,8 +167,7 @@ fn main() {
linuxkit_path.to_string(),
&mut output,
".".to_string(),
&signing_certificate,
&private_key,
&sign_info,
img_name,
img_version,
metadata,
Expand Down
22 changes: 13 additions & 9 deletions src/common/commands_parser.rs
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
#![deny(missing_docs)]
#![deny(warnings)]

use aws_nitro_enclaves_image_format::utils::{SignKeyDataInfo, SignKeyInfo};
use clap::ArgMatches;
use libc::VMADDR_CID_HOST;
#[cfg(test)]
Expand Down Expand Up @@ -104,10 +105,8 @@ pub struct BuildEnclavesArgs {
pub docker_dir: Option<String>,
/// The path where the enclave image file will be written to.
pub output: String,
/// The path to the signing certificate for signed enclaves.
pub signing_certificate: Option<String>,
/// The path to the private key for signed enclaves.
pub private_key: Option<String>,
/// Details of key and certificate used for signing the EIF
pub sign_info: Option<SignKeyDataInfo>,
/// The name of the enclave image.
pub img_name: Option<String>,
/// The version of the enclave image.
Expand All @@ -122,7 +121,7 @@ impl BuildEnclavesArgs {
let signing_certificate = parse_signing_certificate(args);
let private_key = parse_private_key(args);

match (&signing_certificate, &private_key) {
let sign_info = match (&signing_certificate, &private_key) {
(Some(_), None) => {
return Err(new_nitro_cli_failure!(
"`private-key` argument not found",
Expand All @@ -137,7 +136,13 @@ impl BuildEnclavesArgs {
)
.add_info(vec!["signing-certificate"]))
}
_ => (),
(Some(cert_path), Some(key_path)) => Some(SignKeyDataInfo {
cert_path: cert_path.clone(),
key_info: SignKeyInfo::LocalPrivateKeyInfo {
path: key_path.clone(),
},
}),
(None, None) => None,
};

Ok(BuildEnclavesArgs {
Expand All @@ -156,8 +161,7 @@ impl BuildEnclavesArgs {
)
.add_info(vec!["output"])
})?,
signing_certificate,
private_key,
sign_info,
img_name: parse_image_name(args),
img_version: parse_image_version(args),
metadata: parse_metadata(args),
Expand Down
12 changes: 5 additions & 7 deletions src/lib.rs
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
#![deny(missing_docs)]
#![deny(warnings)]
Expand All @@ -17,6 +17,7 @@ pub mod utils;

use aws_nitro_enclaves_image_format::defs::eif_hasher::EifHasher;
use aws_nitro_enclaves_image_format::utils::eif_reader::EifReader;
use aws_nitro_enclaves_image_format::utils::SignKeyDataInfo;
use aws_nitro_enclaves_image_format::{generate_build_info, utils::get_pcrs};
use log::{debug, info};
use sha2::{Digest, Sha384};
Expand Down Expand Up @@ -56,8 +57,7 @@ pub fn build_enclaves(args: BuildEnclavesArgs) -> NitroCliResult<()> {
&args.docker_uri,
&args.docker_dir,
&args.output,
&args.signing_certificate,
&args.private_key,
&args.sign_info,
&args.img_name,
&args.img_version,
&args.metadata,
Expand All @@ -71,8 +71,7 @@ pub fn build_from_docker(
docker_uri: &str,
docker_dir: &Option<String>,
output_path: &str,
signing_certificate: &Option<String>,
private_key: &Option<String>,
sign_info: &Option<SignKeyDataInfo>,
img_name: &Option<String>,
img_version: &Option<String>,
metadata_path: &Option<String>,
Expand Down Expand Up @@ -134,8 +133,7 @@ pub fn build_from_docker(
format!("{}/linuxkit", blobs_path),
&mut file_output,
artifacts_path()?,
signing_certificate,
private_key,
sign_info,
img_name.clone(),
img_version.clone(),
metadata_path.clone(),
Expand Down
Loading

0 comments on commit 1ce640c

Please sign in to comment.