diff --git a/0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch b/0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4a197f1ca3856f1fdc0b4ad63deea2bf6c1a6d81
--- /dev/null
+++ b/0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch
@@ -0,0 +1,119 @@
+From 435f93ddb97be16f60fcd1ace909cafb418f642b Mon Sep 17 00:00:00 2001
+From: chenjiayi
+Date: Wed, 19 Feb 2025 10:59:20 +0800
+Subject: [PATCH 1/1] fix: allow bind, unbind and clear resource policy when
+ resource already exists
+
+This influence the interface behavior for:
+resource policy bind,
+resource policy unbind,
+resource policy clear.
+---
+ .../src/resource/admin/simple.rs | 2 +-
+ .../src/resource/storage/mod.rs | 9 +++++++--
+ .../src/resource/storage/simple.rs | 19 ++++++++++++-------
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/service/attestation/attestation-types/src/resource/admin/simple.rs b/service/attestation/attestation-types/src/resource/admin/simple.rs
+index 5967be9..bf2b5dd 100644
+--- a/service/attestation/attestation-types/src/resource/admin/simple.rs
++++ b/service/attestation/attestation-types/src/resource/admin/simple.rs
+@@ -106,7 +106,7 @@ impl ResourceAdminInterface for SimpleResourceAdmin {
+ self.storage_engine
+ .lock()
+ .await
+- .store(location, resource)
++ .store(location, resource, false)
+ .await
+ }
+
+diff --git a/service/attestation/attestation-types/src/resource/storage/mod.rs b/service/attestation/attestation-types/src/resource/storage/mod.rs
+index fd7b0c7..3614769 100644
+--- a/service/attestation/attestation-types/src/resource/storage/mod.rs
++++ b/service/attestation/attestation-types/src/resource/storage/mod.rs
+@@ -29,7 +29,12 @@ pub(crate) trait StorageOp: Send + Sync {
+ /// Traverse and collect resource list in particular vendor.
+ async fn list(&self, vendor: &str) -> Result>;
+ /// Create a new resource if it does not exist. If the resource already exists, error will be thrown.
+- async fn store(&self, location: ResourceLocation, resource: Resource) -> Result<()>;
++ async fn store(
++ &self,
++ location: ResourceLocation,
++ resource: Resource,
++ force: bool,
++ ) -> Result<()>;
+ /// Override the content field in the resource, while keep other fields the same.
+ async fn modify(&self, location: ResourceLocation, content: String) -> Result<()>;
+ /// Delete the resource inside the storage.
+@@ -51,7 +56,7 @@ pub(crate) trait PolicyOp: StorageOp + Send + Sync {
+ /// Get all policy from the resource.
+ async fn get_all_policies(&self, location: ResourceLocation) -> Result>;
+ /// Clear the original policy inside the resource.
+- async fn clea_policies(&self, location: ResourceLocation) -> Result<()>;
++ async fn clear_policies(&self, location: ResourceLocation) -> Result<()>;
+ /// Delete the specific policy from the resource.
+ async fn unbind_policies(
+ &self,
+diff --git a/service/attestation/attestation-types/src/resource/storage/simple.rs b/service/attestation/attestation-types/src/resource/storage/simple.rs
+index b8fd536..d5f1bc5 100644
+--- a/service/attestation/attestation-types/src/resource/storage/simple.rs
++++ b/service/attestation/attestation-types/src/resource/storage/simple.rs
+@@ -82,10 +82,15 @@ impl StorageOp for SimpleStorage {
+ Ok(ret)
+ }
+
+- async fn store(&self, location: ResourceLocation, resource: Resource) -> Result<()> {
++ async fn store(
++ &self,
++ location: ResourceLocation,
++ resource: Resource,
++ force: bool,
++ ) -> Result<()> {
+ let regularized = self.regular(&format!("{}", location))?;
+
+- if regularized.exists() {
++ if !force && regularized.exists() {
+ return Err(ResourceError::ResourceExist(location.to_string()));
+ }
+
+@@ -132,16 +137,16 @@ impl PolicyOp for SimpleStorage {
+ ) -> Result<()> {
+ let mut resource = self.get(location.clone()).await?;
+ resource.set_policy(policy);
+- self.store(location, resource).await
++ self.store(location, resource, true).await
+ }
+ async fn get_all_policies(&self, location: ResourceLocation) -> Result> {
+ let resource = self.get(location).await?;
+ Ok(resource.get_policy())
+ }
+- async fn clea_policies(&self, location: ResourceLocation) -> Result<()> {
++ async fn clear_policies(&self, location: ResourceLocation) -> Result<()> {
+ let mut resource = self.get(location.clone()).await?;
+ resource.policy = vec![];
+- self.store(location, resource).await
++ self.store(location, resource, true).await
+ }
+ async fn unbind_policies(
+ &self,
+@@ -155,7 +160,7 @@ impl PolicyOp for SimpleStorage {
+ resource.policy.remove(idx);
+ }
+ }
+- self.store(location, resource).await
++ self.store(location, resource, true).await
+ }
+ async fn bind_policies(
+ &self,
+@@ -166,7 +171,7 @@ impl PolicyOp for SimpleStorage {
+ for p in policy.iter() {
+ resource.policy.push(format!("{}", p));
+ }
+- self.store(location.clone(), resource).await
++ self.store(location.clone(), resource, true).await
+ }
+ }
+
+--
+2.46.0
+
diff --git a/0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch b/0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch
new file mode 100644
index 0000000000000000000000000000000000000000..867f63cf5beae2a14e89fd883d4224f91d01475d
--- /dev/null
+++ b/0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch
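Review bot: The doc comment on `StorageOp::store` in the mod.rs hunk still says an existing resource always raises an error, but with the new `force` parameter that holds only for `force == false`; the `PolicyOp` methods in simple.rs now pass `true` and replace the stored resource wholesale. I would change the comment to `/// Create a new resource. With force == false an existing resource yields ResourceError::ResourceExist; with force == true the existing resource is replaced wholesale (used by the policy bind/unbind/clear paths, never by the admin add path).` A bare bool on a `pub(crate)` trait method is easy to misuse from a future caller, so an enum such as `enum WriteMode { CreateOnly, Replace }` or a separate `replace` method would make the overwrite intent visible at each call site. Note also that `!force && regularized.exists()` followed by the write remains a check-then-act sequence; it is only safe if every writer goes through the `storage_engine.lock()` visible in the admin hunk, which I cannot confirm for the `PolicyOp` callers from this patch alone.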
@@ -0,0 +1,39 @@
+From 7cd62c2fa0d264ea3a1898d7522cfc55f2b16d39 Mon Sep 17 00:00:00 2001
+From: chenjiayi
+Date: Wed, 19 Feb 2025 16:44:44 +0800
+Subject: [PATCH 1/1] fix: use etc as the base directory for resource storage
+
+---
+ .../attestation-types/src/resource/policy/opa/mod.rs | 2 +-
+ .../attestation-types/src/resource/storage/simple.rs | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+index 0ec506a..ad159f5 100644
+--- a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
++++ b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+@@ -21,7 +21,7 @@ use async_trait::async_trait;
+ use std::path::PathBuf;
+
+ pub(crate) const DEFAULT_RESOURCE_POLICY_DIR: &str =
+- "/run/attestation/attestation-service/resource/policy/";
++ "/etc/attestation/attestation-service/resource/policy/";
+ pub(crate) const DEFAULT_RESOURCE_VIRTCCA_DEFAULT_POLICY: &str = "virtcca.rego";
+
+ pub(crate) struct OpenPolicyAgent {
+diff --git a/service/attestation/attestation-types/src/resource/storage/simple.rs b/service/attestation/attestation-types/src/resource/storage/simple.rs
+index d5f1bc5..dad24e0 100644
+--- a/service/attestation/attestation-types/src/resource/storage/simple.rs
++++ b/service/attestation/attestation-types/src/resource/storage/simple.rs
+@@ -24,7 +24,7 @@ use super::PolicyOp;
+ use super::Resource;
+ use super::StorageEngine;
+
+-pub(crate) const STORAGE_BASE: &str = "/run/attestation/attestation-service/resource/storage/";
++pub(crate) const STORAGE_BASE: &str = "/etc/attestation/attestation-service/resource/storage/";
+
+ pub(crate) struct SimpleStorage {
+ base: PathBuf,
+--
+2.46.0
+
diff --git a/secGear.spec b/secGear.spec
index 4f20e689a375753949e5f1167e6874dfe05cdb62..ebfc376e31fc5a1c4b3210b7934ad43a220c9ed3 100644
--- a/secGear.spec
+++ b/secGear.spec
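Review bot: Moving `STORAGE_BASE` and `DEFAULT_RESOURCE_POLICY_DIR` from `/run` (tmpfs, cleared on reboot) to `/etc` turns the stored resources and their release policies into persistent state, so the file modes the storage layer writes with become the only access control on them; this hunk does not show how `SimpleStorage` creates files, and if it relies on the process umask the resources may land world-readable under `/etc`. I would create resource files with `OpenOptions::new().write(true).create(true).mode(0o600)` (via `std::os::unix::fs::OpenOptionsExt`) and the base directories with `DirBuilderExt::mode(0o700)`, or confirm that the existing write path already does so. Both locations remain hard-coded `pub(crate)` constants even though `SimpleStorage` already carries a `base: PathBuf` field, so wiring the base through the service configuration would let deployments keep this state off `/etc` without a rebuild — I cannot tell from the hunk whether `base` is ever set from anything but the constant.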
@@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 54 +Release: 55 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -100,6 +100,8 @@ Patch86: 0087-use-id-when-get-policy.patch Patch87: 0088-fix-evidence-decode-typos.patch Patch88: 0089-features-support-resource-maitainance.patch Patch89: 0090-add-ra_tls-support.patch +Patch90: 0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch +Patch91: 0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -254,8 +256,10 @@ install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/token install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/policy install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/verifier/itrustee install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/verifier/virtcca +install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas install -pm 644 service/attestation/attestation-service/service/attestation-service.conf %{buildroot}%{_sysconfdir}/attestation/attestation-service/ install -pm 644 service/attestation/attestation-service/policy/src/opa/*.rego %{buildroot}%{_sysconfdir}/attestation/attestation-service/policy/ +install -pm 644 service/attestation/attestation-types/src/resource/policy/opa/virtcca.rego %{buildroot}%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas/ install -pm 751 service/attestation/attestation-service/target/release/attestation-service %{buildroot}/%{_bindir} install -pm 751 service/attestation/attestation-client/target/release/attestation-client %{buildroot}/%{_bindir} %endif 
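Review bot: The `%install` hunk places `virtcca.rego` under `resource/policy/oeas/`, while patch 0092 in this same change sets `DEFAULT_RESOURCE_POLICY_DIR` to `/etc/attestation/attestation-service/resource/policy/` and `DEFAULT_RESOURCE_VIRTCCA_DEFAULT_POLICY` to `virtcca.rego`; unless the loader inserts an `oeas` vendor segment (not visible here) the default policy is looked up one directory above where it is installed, so please confirm the resolved path against the OpenPolicyAgent code. The hunk also creates no `resource/storage/` directory even though `STORAGE_BASE` now points there, so a fresh install depends on `SimpleStorage` creating it at runtime; adding `install -d -m 700 %{buildroot}%{_sysconfdir}/attestation/attestation-service/resource/storage` (with a matching `%files` entry) would make that explicit and keep the stored resources out of a default-mode directory. Since these directories hold release policies and the resources they guard, a restrictive mode here is cheaper than auditing the service's umask later.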
@@ -321,6 +325,7 @@ popd %{_sysconfdir}/attestation/attestation-service/policy/* %{_sysconfdir}/attestation/attestation-service/verifier/itrustee %{_sysconfdir}/attestation/attestation-service/verifier/virtcca +%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas/virtcca.rego %files ac %{_bindir}/attestation-client @@ -337,6 +342,10 @@ popd systemctl restart rsyslog %changelog +* Wed Feb 19 2025 chenjiayi - 0.1.0-55 +- fix bugs on resource policy binding, unbindg, etc. Also install +- default resource policy. + * Tue Feb 18 2025 xuraoqing - 0.1.0-54 - add ra_tls support
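Review bot: The `%files` hunk lists only `resource/policy/oeas/virtcca.rego`, so the new `resource`, `resource/policy` and `resource/policy/oeas` directories are created implicitly but not owned by the package and are left behind on erase; the neighbouring `verifier/itrustee` and `verifier/virtcca` entries list the directories themselves, so `%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas` (or a `%dir` line per level) would match that convention. Because this policy lives under `/etc` and decides whether a resource is released to an attester, an operator who tightens it would have it silently reverted by the next package upgrade; marking it `%config(noreplace) %{_sysconfdir}/attestation/attestation-service/resource/policy/oeas/virtcca.rego` prevents that. Whether unpackaged directories also trip the build's unpackaged-files check depends on the rpm version, which I cannot tell from the spec.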