Skip to content

Commit

Permalink
doc: update end-to-end/walkthrough.md
Browse files Browse the repository at this point in the history
Update the end-to-end walkthrough to reflect the latest changes to the
code line, and to improve its maintainability going forward.

- Mention native deployment as an alternative to Docker.
- Remove the installation instructions, pointing to the deployments'
  READMEs instead, and only giving the actual make command.
- Remove references to external `cocli` and `evcli` tools, instead
  relying on the ones that are part of the deployment and on the JSON
  "templates" that are part of this code base. This way, there is no
  risk of things getting out of sync.
- Remove relative paths from commands, instead using pre-defined root
  locations. This removes ambiguity as to where things are (are paths
  relative to the file, to the repo, PWD, etc), and make commands more
  robust when being executed via copying and pasting, as they won't rely
  on PWD.
- Adjust the instructions so that no new files are created or existing
  files modified in the source-controlled repo. Instead use a dedicated
  working directory created as part of the walkthrough for any new or
  modified files. This makes it clearer afterwards what was
  changed/crated, and reduced the possibility of stray changes being
  committed.
- Update CoRIM/CoMID "template" listings to reflect the updated formats.
- Reformat for readability and consistency with the rest of
  documentation: 79 column lines, use ```sh for shell listings.
- Minor typo fixes.

In addition to the walkthrough itself, the following related updates are
included:

- Update end-to-end inputs build script to build evidence, as well as
  corims from source.
- Update deployments' READMEs to include "git clone" followed by "cd" as
  part of the initial listing to give better context to where the rest
  of the commands in the READMEs are supposed to be executed.

Signed-off-by: Sergei Trofimov <[email protected]>
  • Loading branch information
setrofim committed Aug 27, 2024
1 parent 293bdee commit 285200e
Show file tree
Hide file tree
Showing 16 changed files with 617 additions and 302 deletions.
104 changes: 83 additions & 21 deletions deployments/docker/README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,24 @@
This directory contains the [Docker](https://www.docker.com/) source for the
deployment of Veraison. In order to build it, you need to have Docker
installed, and current user must be in the docker group.
deployment of Veraison.

## Dependencies

You will need to make sure you have `make`, `git`, `docker` (and its builder),
and `jq` installed on your system. Optionally, `tmux` can be used to
conveniently monitor output from running services. The CLI front-end relies on
`bash` shell, which should already be installed on most systems, but if not, it
would also need to be installed.

```sh
# on Ubuntu
sudo apt install bash make git docker.io docker-buildx jq tmux

# on Arch
sudo pacman -S bash make git docker docker-buildx jq tmux

# On MacOSX with Homebrew
brew install step coreutils gettext openssl sqlite3 protobuf jq
brew link --force gettext

> **Warning** for `Ubuntu` users:
> Make sure you have docker installed natively (via `sudo apt
Expand All @@ -9,29 +27,65 @@ installed, and current user must be in the docker group.
> locations via the config, however we cannot guarantee that there won't be
> other issues -- if you decide to stick with `snap`, you're on your own.
### Docker set up
If you're not already set up to use Docker on your system, you will need to
make sure that it is enabled and running, and that you can access it by adding
your account to the `docker` group:

```sh
sudo systemctl enable --now docker
sudo usrmod -a -G docker $USER
```

The user group modification won't take effect until you log out and log back
in, or, alternatively, you can force in a specific shell with
```sh
newgrp docker
```
## Creating the Deployment
Once you have the pre-requisites, you can create the deployment on your local
system simply by running
system
make
```sh
git clone https://github.com/veraison/services.git
cd services/deployments/docker
make
```
Once the deployment is created, you can set up the front end by executing
source env.bash
```sh
source env.bash
```
Inside a bash shell. There is an equivalent `env.zsh` for zsh (other shells are
inside a bash shell. There is an equivalent `env.zsh` for zsh (other shells are
currently not supported). You can interact with the deployment via the
`veraison` command. E.g.:
$ veraison status
vts: stopped
provisioning: stopped
verification: stopped
management: stopped
keycloak: stopped
```sh
veraison status
```
You should see output similar to
```
vts: stopped
provisioning: stopped
verification: stopped
management: stopped
keycloak: stopped
```
To start Veraison services run:
veraison start
```sh
veraison start
```
The provisioning service is now listening on port 8888, and verification
service on port 8080 (these can be changed via configuration -- see below).
Expand Down Expand Up @@ -116,14 +170,18 @@ First, assuming you have frontend set up, and the services running, (if not,
you can do so with `source env.bash; veraison start`), you will need to stop
the "production" VTS service with:

veraison stop vts
```sh
veraison stop vts
```

this will stop `vts-service` but should leave the other services running (you
can verify that by running `veraison status`).

Next, enter the debug shell:

make DEBUG_HOST=vts-service debug
```sh
make DEBUG_HOST=vts-service debug
```

this will pop open a `bash` shell inside the builder. The `DEBUG_HOST` argument
will set the hostname of the builder container. Here, we're setting it to the
Expand All @@ -139,9 +197,11 @@ Next, navigate to the location of the VTS service executable (keeping in mind
that the root of the repo is mapped to `/veraison/build` inside the container),
and start the debugger:
# inside the debug shell:
cd /veraison/build/vts/cmd/vts-service
debug
```sh
# inside the debug shell:
cd /veraison/build/vts/cmd/vts-service
debug
```
The `debug` command is an alias for `dlv debug` that will make sure that the
debug executable will be built with evidence handling plugins compiled in (same
Expand All @@ -158,6 +218,8 @@ that, so you don't need to worry about it. However, if you want to run the
service executable directly, then you must remember to specify the appropriate
config, e.g.
# inside the debug shell:
cd /veraison/build/vts/cmd/vts-service
./veraison-service --config config-docker.yaml
```sh
# inside the debug shell:
cd /veraison/build/vts/cmd/vts-service
./vts-service --config config-docker.yaml
```
3 changes: 3 additions & 0 deletions deployments/native/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,9 @@ Arch, Ubuntu, and MacOSX (using [homebrew](https://brew.sh)) (see `bootstrap/`
subdirectory). Running
```bash
git clone https://github.com/veraison/services.git
cd services/deployments/native
make bootstrap
```
Expand Down
Binary file modified end-to-end/input/cca-evidence.cbor
Binary file not shown.
Binary file modified end-to-end/input/psa-evidence.cbor
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
#!/bin/bash
# Copyright 2024 Contributors to the Veraison project.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC2086
set -e

TEMP_DIR=/tmp/veraison-end-to-end
Expand All @@ -18,3 +19,12 @@ for scheme in psa cca cca-realm; do
--output ${SCRIPT_DIR}/../${scheme}-endorsements.cbor
done

evcli psa create --claims ${SCRIPT_DIR}/psa-evidence.json \
--key ${SCRIPT_DIR}/../ec256.json \
--token ${SCRIPT_DIR}/../psa-evidence.cbor

evcli cca create --claims ${SCRIPT_DIR}/cca-evidence.json \
--iak ${SCRIPT_DIR}/../ec256.json --rak ${SCRIPT_DIR}/../ec384.json \
--token ${SCRIPT_DIR}/../cca-evidence.cbor

echo "done."
51 changes: 51 additions & 0 deletions end-to-end/input/src/cca-evidence.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
{
"cca-platform-token": {
"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
"cca-platform-config": "AQID",
"cca-platform-lifecycle": 12288,
"cca-platform-sw-components": [
{
"measurement-type": "BL",
"measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"version": "3.4.2"
},
{
"measurement-type": "M1",
"measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"version": "1.2.0"
},
{
"measurement-type": "M2",
"measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"version": "1.2.3"
},
{
"measurement-type": "M3",
"measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"version": "1.0.0"
}
],
"cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
"cca-platform-hash-algo-id": "sha-256"
},
"cca-realm-delegated-token": {
"cca-realm-challenge": "QUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQg==",
"cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
"cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
"cca-realm-extensible-measurements": [
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
],
"cca-realm-hash-algo-id": "sha-256",
"cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
"cca-realm-public-key-hash-algo-id": "sha-512"
}
}
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
31 changes: 31 additions & 0 deletions end-to-end/input/src/psa-evidence.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
{
"eat-profile": "http://arm.com/psa/2.0.0",
"psa-client-id": 1,
"psa-security-lifecycle": 12288,
"psa-implementation-id": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=",
"psa-boot-seed": "3q2+796tvu/erb7v3q2+796tvu/erb7v3q2+796tvu8=",
"psa-hardware-version": "1234567890123",
"psa-software-components": [
{
"measurement-type": "BL",
"measurement-value": "h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
"version": "2.1.0"
},
{
"measurement-type": "PRoT",
"measurement-value": "AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8=",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
"version": "1.3.5"
},
{
"measurement-type": "ARoT",
"measurement-value": "o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg=",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
"version": "0.1.4"
}
],
"psa-instance-id": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI",
"psa-verification-service-indicator": "https://psa-verifier.org",
"psa-nonce": "QUp8F0FBs9DpodKK8xUg8NQimf6sQAfe2J1ormzZLxk="
}
Loading

0 comments on commit 285200e

Please sign in to comment.