From 283164e45ce2503396d8ab82c9234f0c34f522de Mon Sep 17 00:00:00 2001
From: chenjiayi
Date: Wed, 19 Feb 2025 00:37:50 +0800
Subject: [PATCH] fix: fix some bugs
1. allow bind, unbind and clear resource policy when the resource already exists.
2. use etc as the base directory for resource storage instead of run, to avoid data loss after system reboot.
---
...nbind-and-clear-resource-policy-when.patch | 119 ++++++++++++++++++
...he-base-directory-for-resource-stora.patch | 39 ++++++
secGear.spec | 11 +-
3 files changed, 168 insertions(+), 1 deletion(-)
create mode 100644 0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch
create mode 100644 0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch
diff --git a/0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch b/0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch
new file mode 100644
index 0000000..4a197f1
--- /dev/null
+++ b/0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch
@@ -0,0 +1,119 @@
+From 435f93ddb97be16f60fcd1ace909cafb418f642b Mon Sep 17 00:00:00 2001
+From: chenjiayi
+Date: Wed, 19 Feb 2025 10:59:20 +0800
+Subject: [PATCH 1/1] fix: allow bind, unbind and clear resource policy when
+ resource already exists
+
+This influence the interface behavior for:
+resource policy bind,
+resource policy unbind,
+resource policy clear.
+---
+ .../src/resource/admin/simple.rs | 2 +-
+ .../src/resource/storage/mod.rs | 9 +++++++--
+ .../src/resource/storage/simple.rs | 19 ++++++++++++-------
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/service/attestation/attestation-types/src/resource/admin/simple.rs b/service/attestation/attestation-types/src/resource/admin/simple.rs
+index 5967be9..bf2b5dd 100644
+--- a/service/attestation/attestation-types/src/resource/admin/simple.rs
++++ b/service/attestation/attestation-types/src/resource/admin/simple.rs
+@@ -106,7 +106,7 @@ impl ResourceAdminInterface for SimpleResourceAdmin {
+ self.storage_engine
+ .lock()
+ .await
+- .store(location, resource)
++ .store(location, resource, false)
+ .await
+ }
+
+diff --git a/service/attestation/attestation-types/src/resource/storage/mod.rs b/service/attestation/attestation-types/src/resource/storage/mod.rs
+index fd7b0c7..3614769 100644
+--- a/service/attestation/attestation-types/src/resource/storage/mod.rs
++++ b/service/attestation/attestation-types/src/resource/storage/mod.rs
+@@ -29,7 +29,12 @@ pub(crate) trait StorageOp: Send + Sync {
+ /// Traverse and collect resource list in particular vendor.
+ async fn list(&self, vendor: &str) -> Result>;
+ /// Create a new resource if it does not exist. If the resource already exists, error will be thrown.
+- async fn store(&self, location: ResourceLocation, resource: Resource) -> Result<()>;
++ async fn store(
++ &self,
++ location: ResourceLocation,
++ resource: Resource,
++ force: bool,
++ ) -> Result<()>;
+ /// Override the content field in the resource, while keep other fields the same.
+ async fn modify(&self, location: ResourceLocation, content: String) -> Result<()>;
+ /// Delete the resource inside the storage.
+@@ -51,7 +56,7 @@ pub(crate) trait PolicyOp: StorageOp + Send + Sync {
+ /// Get all policy from the resource.
+ async fn get_all_policies(&self, location: ResourceLocation) -> Result>;
+ /// Clear the original policy inside the resource.
+- async fn clea_policies(&self, location: ResourceLocation) -> Result<()>;
++ async fn clear_policies(&self, location: ResourceLocation) -> Result<()>;
+ /// Delete the specific policy from the resource.
+ async fn unbind_policies(
+ &self,
+diff --git a/service/attestation/attestation-types/src/resource/storage/simple.rs b/service/attestation/attestation-types/src/resource/storage/simple.rs
+index b8fd536..d5f1bc5 100644
+--- a/service/attestation/attestation-types/src/resource/storage/simple.rs
++++ b/service/attestation/attestation-types/src/resource/storage/simple.rs
+@@ -82,10 +82,15 @@ impl StorageOp for SimpleStorage {
+ Ok(ret)
+ }
+
+- async fn store(&self, location: ResourceLocation, resource: Resource) -> Result<()> {
++ async fn store(
++ &self,
++ location: ResourceLocation,
++ resource: Resource,
++ force: bool,
++ ) -> Result<()> {
+ let regularized = self.regular(&format!("{}", location))?;
+
+- if regularized.exists() {
++ if !force && regularized.exists() {
+ return Err(ResourceError::ResourceExist(location.to_string()));
+ }
+
+@@ -132,16 +137,16 @@ impl PolicyOp for SimpleStorage {
+ ) -> Result<()> {
+ let mut resource = self.get(location.clone()).await?;
+ resource.set_policy(policy);
+- self.store(location, resource).await
++ self.store(location, resource, true).await
+ }
+ async fn get_all_policies(&self, location: ResourceLocation) -> Result> {
+ let resource = self.get(location).await?;
+ Ok(resource.get_policy())
+ }
+- async fn clea_policies(&self, location: ResourceLocation) -> Result<()> {
++ async fn clear_policies(&self, location: ResourceLocation) -> Result<()> {
+ let mut resource = self.get(location.clone()).await?;
+ resource.policy = vec![];
+- self.store(location, resource).await
++ self.store(location, resource, true).await
+ }
+ async fn unbind_policies(
+ &self,
+@@ -155,7 +160,7 @@ impl PolicyOp for SimpleStorage {
+ resource.policy.remove(idx);
+ }
+ }
+- self.store(location, resource).await
++ self.store(location, resource, true).await
+ }
+ async fn bind_policies(
+ &self,
+@@ -166,7 +171,7 @@ impl PolicyOp for SimpleStorage {
+ for p in policy.iter() {
+ resource.policy.push(format!("{}", p));
+ }
+- self.store(location.clone(), resource).await
++ self.store(location.clone(), resource, true).await
+ }
+ }
+
+--
+2.46.0
+
diff --git a/0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch b/0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch
new file mode 100644
index 0000000..867f63c
--- /dev/null
+++ b/0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch
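Review bot: In the 0091 patch, the doc comment kept above `store` in the `StorageOp` trait (storage/mod.rs, nested hunk at -29) still says an existing resource always raises an error, which stops being true once `force` is passed as `true`. I would reword it to `/// Store a resource. With force == false an existing resource is rejected with ResourceExist; with force == true it is overwritten.` The policy operations in storage/simple.rs now do a `get` followed by an unconditional `store(location, resource, true)`; unless every caller holds the storage lock across both calls (only the admin path's `storage_engine.lock()` is visible here), two concurrent bind/unbind requests could silently drop one policy change, so that is worth confirming. The bodies of `store`, `bind_policies` and `unbind_policies` continue outside the nested hunks.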
@@ -0,0 +1,39 @@
+From 7cd62c2fa0d264ea3a1898d7522cfc55f2b16d39 Mon Sep 17 00:00:00 2001
+From: chenjiayi
+Date: Wed, 19 Feb 2025 16:44:44 +0800
+Subject: [PATCH 1/1] fix: use etc as the base directory for resource storage
+
+---
+ .../attestation-types/src/resource/policy/opa/mod.rs | 2 +-
+ .../attestation-types/src/resource/storage/simple.rs | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+index 0ec506a..ad159f5 100644
+--- a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
++++ b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+@@ -21,7 +21,7 @@ use async_trait::async_trait;
+ use std::path::PathBuf;
+
+ pub(crate) const DEFAULT_RESOURCE_POLICY_DIR: &str =
+- "/run/attestation/attestation-service/resource/policy/";
++ "/etc/attestation/attestation-service/resource/policy/";
+ pub(crate) const DEFAULT_RESOURCE_VIRTCCA_DEFAULT_POLICY: &str = "virtcca.rego";
+
+ pub(crate) struct OpenPolicyAgent {
+diff --git a/service/attestation/attestation-types/src/resource/storage/simple.rs b/service/attestation/attestation-types/src/resource/storage/simple.rs
+index d5f1bc5..dad24e0 100644
+--- a/service/attestation/attestation-types/src/resource/storage/simple.rs
++++ b/service/attestation/attestation-types/src/resource/storage/simple.rs
+@@ -24,7 +24,7 @@ use super::PolicyOp;
+ use super::Resource;
+ use super::StorageEngine;
+
+-pub(crate) const STORAGE_BASE: &str = "/run/attestation/attestation-service/resource/storage/";
++pub(crate) const STORAGE_BASE: &str = "/etc/attestation/attestation-service/resource/storage/";
+
+ pub(crate) struct SimpleStorage {
+ base: PathBuf,
+--
+2.46.0
+
diff --git a/secGear.spec b/secGear.spec
index 4f20e68..ebfc376 100644
--- a/secGear.spec
+++ b/secGear.spec
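Review bot: In the 0092 patch, `STORAGE_BASE` and `DEFAULT_RESOURCE_POLICY_DIR` now name directories under /etc that the service writes at runtime, but nothing in this commit creates `/etc/attestation/attestation-service/resource/storage/` or fixes its ownership and mode; the spec only installs `resource/policy/oeas`. Because stored resources now survive a reboot, their on-disk permissions matter more than they did under /run, and they depend on creation code that is not visible in these hunks, so it should be confirmed that the files are not world-readable if resources can hold secrets. Mutable service state conventionally lives under /var/lib rather than /etc, which may be mounted read-only. If /etc is kept, a comment such as `// Persistent resource store: created by the service, must stay private to the service user.` above the constant would record the expectation.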
@@ -1,6 +1,6 @@
 Name: secGear
 Version: 0.1.0
-Release: 54
+Release: 55
 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@@ -100,6 +100,8 @@ Patch86: 0087-use-id-when-get-policy.patch
 Patch87: 0088-fix-evidence-decode-typos.patch
 Patch88: 0089-features-support-resource-maitainance.patch
 Patch89: 0090-add-ra_tls-support.patch
+Patch90: 0091-fix-allow-bind-unbind-and-clear-resource-policy-when.patch
+Patch91: 0092-fix-use-etc-as-the-base-directory-for-resource-stora.patch
 BuildRequires: gcc python automake autoconf libtool
 BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel
@@ -254,8 +256,10 @@ install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/token
 install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/policy
 install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/verifier/itrustee
 install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/verifier/virtcca
+install -d %{buildroot}%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas
 install -pm 644 service/attestation/attestation-service/service/attestation-service.conf %{buildroot}%{_sysconfdir}/attestation/attestation-service/
 install -pm 644 service/attestation/attestation-service/policy/src/opa/*.rego %{buildroot}%{_sysconfdir}/attestation/attestation-service/policy/
+install -pm 644 service/attestation/attestation-types/src/resource/policy/opa/virtcca.rego %{buildroot}%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas/
 install -pm 751 service/attestation/attestation-service/target/release/attestation-service %{buildroot}/%{_bindir}
 install -pm 751 service/attestation/attestation-client/target/release/attestation-client %{buildroot}/%{_bindir}
 %endif
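Review bot: The `install` lines added in the hunk at -254 and the matching `%files` entry in the hunk at -321 place `virtcca.rego` under `%{_sysconfdir}` without marking it as configuration, so a package upgrade would replace a policy that an administrator has edited in place, and the `oeas` directory itself is not listed as owned by the package. I would write the entry as `%config(noreplace) %{_sysconfdir}/attestation/attestation-service/resource/policy/oeas/virtcca.rego` and add `%dir %{_sysconfdir}/attestation/attestation-service/resource/policy/oeas`. The neighbouring entries follow the same unmarked pattern, so this may be deliberate. Since this file presumably decides access to resources, recording that choice in a spec comment would help.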
@@ -321,6 +325,7 @@ popd
 %{_sysconfdir}/attestation/attestation-service/policy/*
 %{_sysconfdir}/attestation/attestation-service/verifier/itrustee
 %{_sysconfdir}/attestation/attestation-service/verifier/virtcca
+%{_sysconfdir}/attestation/attestation-service/resource/policy/oeas/virtcca.rego
 %files ac
 %{_bindir}/attestation-client
@@ -337,6 +342,10 @@ popd
 systemctl restart rsyslog
 %changelog
+* Wed Feb 19 2025 chenjiayi - 0.1.0-55
+- fix bugs on resource policy binding, unbindg, etc. Also install
+- default resource policy.
+
 * Tue Feb 18 2025 xuraoqing - 0.1.0-54
 - add ra_tls support
--
Gitee