Merge pull request #470 from gkurz/backport-1.8

Backports for 1.8.0

Author: gkurz

config/metrics/metrics-prometheus-rules.yaml

@@ -0,0 +1,25 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: osc-alerts
+  namespace: openshift-sandboxed-containers-operator
+spec:
+  groups:
+  - name: osc_alerts
+    rules:
+    - alert: KataRemoteWorkloadFailureHigh
+      expr: kata_remote_workload_failure_ratio > 25
+      for: 30m
+      labels:
+        severity: warning
+      annotations:
+        summary: "High Kata Remote Workload Failure Ratio"
+        description: "The failure ratio of kata-remote workloads is above 25% for more than 30 minutes. This may indicate issues with the runtime or configuration."
+
+    - alert: kata_active_instance
+      expr: vector(1)
+      labels:
+        severity: info
+        purpose: "alive_signal"
+      annotations:
+        summary: "Kata instance alive signal"

config/peerpods/podvm/lib.sh

@@ -246,15 +246,18 @@ function prepare_source_code() {
 
     # Enable image signature check
     if [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
-	cat<<EOF>"${podvm_dir}"/files/etc/agent-config.toml
+        local agent_config_file="/etc/agent-config.toml"
+
+        cat<<EOF>"${podvm_dir}/files${agent_config_file}"
 server_addr = "unix:///run/kata-containers/agent.sock"
 guest_components_procs = "none"
 image_registry_auth = "file:///run/peerpod/auth.json"
 enable_signature_verification = true
 image_policy_file = "kbs:///default/security-policy/osc"
 EOF
-	sed -i 's,/run/peerpod/agent-config.toml,/etc/agent-config.toml,' \
-	    "${podvm_dir}"/files/etc/systemd/system/kata-agent.service
+        sed -i "s,/run/peerpod/agent-config.toml,${agent_config_file},g" \
+            "${podvm_dir}"/files/etc/systemd/system/kata-agent.service
+        echo "sudo cp -a /tmp/files${agent_config_file} ${agent_config_file}" >>"${podvm_dir}"/qcow2/copy-files.sh
     fi
 }
 

hack/Rvps-Extraction/GetRvps.sh

@@ -0,0 +1,193 @@
+#!/bin/bash
+# Getting RVPS Parameters
+
+function install_packages() {
+    echo "***Installing necessary packages for RVPS values extraction ***"
+    dnf install -y python3 python3-cryptography kmod 
+    echo "***Installation Finished ***"
+}
+
+# Function to mount the image and extract se.img
+function mount_and_extract_image() {
+    local img_path=$1
+    
+    # Cleanup any previous files and directories
+    rm -rf se.img /mnt/myvm
+    mkdir /mnt/myvm
+    
+    # Load nbd module and mount the image
+    modprobe nbd
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to load nbd module."
+        exit 1
+    fi
+
+    qemu-nbd -c /dev/nbd3 $img_path
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to connect to nbd device."
+        exit 1
+    fi
+
+
+    mount /dev/nbd3p1 /mnt/myvm
+    if [ $? -ne 0 ]; then
+         echo "Error: Failed to mount the image. Retrying..."
+         sleep 2
+         mount /dev/nbd3p1 /mnt/myvm
+         if [ $? -ne 0 ]; then
+     		echo "Retrial for mounting failed. Please rerun the script"
+     		exit 1
+	 else
+		echo "Mounting on second attempt passed"
+         fi
+     fi
+    # Extract and process image
+    rm -rf $PWD/output-files
+    mkdir -p $PWD/output-files        
+    rm -rf se.img 
+    cp /mnt/myvm/se.img ./
+    mv se.img $PWD/output-files/
+    
+    umount /mnt/myvm
+    qemu-nbd -d /dev/nbd3
+}
+
+# Function to generate se-sample and ibmse-policy.rego files
+function generate_policy_files() {
+    local se_tag=$1
+    local se_image_phkh=$2
+
+    # Create se-sample file
+    cat <<EOF > $PWD/output-files/se-sample
+{
+    "se.attestation_phkh": [
+        "$se_image_phkh"
+    ],
+    "se.tag": [
+        "$se_tag"
+    ],
+    "se.image_phkh": [
+        "$se_image_phkh"
+    ],
+    "se.user_data": [
+        "00"
+    ],
+    "se.version": [
+        "256"
+    ]
+}
+EOF
+
+    # Create ibmse-policy.rego file
+    cat <<EOF > $PWD/output-files/ibmse-policy.rego
+package policy
+import rego.v1
+default allow = false
+converted_version := sprintf("%v", [input["se.version"]])
+allow if {
+    input["se.attestation_phkh"] == "$se_image_phkh"
+    input["se.image_phkh"] == "$se_image_phkh"
+    input["se.tag"] == "$se_tag"
+    input["se.user_data"] == "00"
+    converted_version == "256"
+}
+EOF
+
+}
+
+# Main function
+install_packages
+
+PS3='Please enter your choice: '
+options=("Generate the RVPS From Local Image from User pc" "Generate RVPS from Volume"  "Quit")
+select opt in "${options[@]}"
+do
+    case $opt in
+        "Generate the RVPS From Local Image from User pc")
+            echo "Enter the Qcow2 image with Full path"
+            read -r img_path
+
+            mount_and_extract_image $img_path
+            
+            $PWD/static-files/pvextract-hdr -o $PWD/output-files/hdr.bin $PWD/output-files/se.img
+            
+            # Extract necessary values
+            se_tag=$(python3 $PWD/static-files/se_parse_hdr.py $PWD/output-files/hdr.bin $PWD/static-files/HKD.crt | grep se.tag | awk -F ":" '{ print $2 }')
+            se_image_phkh=$(python3 $PWD/static-files/se_parse_hdr.py $PWD/output-files/hdr.bin $PWD/static-files/HKD.crt | grep se.image_phkh | awk -F ":" '{ print $2 }')
+            
+            echo "se.tag: $se_tag"
+            echo "se.image_phkh: $se_image_phkh"
+
+            generate_policy_files $se_tag $se_image_phkh
+            
+            provenance=$(cat $PWD/output-files/se-sample | base64 --wrap=0)
+            echo "provenance = $provenance"
+
+            # Create se-message file
+            cat <<EOF > $PWD/output-files/se-message
+{
+    "version" : "0.1.0",
+    "type": "sample",
+    "payload": "$provenance"
+}
+EOF
+
+            ls -lrt $PWD/output-files/hdr.bin $PWD/output-files/se-message $PWD/output-files/ibmse-policy.rego
+            ;;
+        
+        "Generate RVPS from Volume")
+            echo "Enter the Libvirt Pool Name"
+            read -r LIBVIRT_POOL
+            echo "Enter the Libvirt URI Name"
+            read -r LIBVIRT_URI
+            echo "Enter the Libvirt Volume Name"
+            read -r LIBVIRT_VOL
+
+            # Download the volume
+            echo "Downloading from PODVM Volume..."
+            rm -rf $PWD/PODVM-VOL-IMAGE
+            mkdir -p $PWD/PODVM-VOL-IMAGE
+            virsh -c $LIBVIRT_URI vol-download --vol $LIBVIRT_VOL --pool $LIBVIRT_POOL --file $PWD/PODVM-VOL-IMAGE/podvm_test.qcow2 --sparse
+            if [ $? -ne 0 ]; then
+                echo "Downloading Failed"
+                exit 1
+            fi
+            
+            img_path=$PWD/PODVM-VOL-IMAGE/podvm_test.qcow2
+            
+            mount_and_extract_image $img_path
+            
+            $PWD/static-files/pvextract-hdr -o $PWD/output-files/hdr.bin $PWD/output-files/se.img
+
+            # Extract necessary values
+            se_tag=$(python3 $PWD/static-files/se_parse_hdr.py $PWD/output-files/hdr.bin $PWD/static-files/HKD.crt | grep se.tag | awk -F ":" '{ print $2 }')
+            se_image_phkh=$(python3 $PWD/static-files/se_parse_hdr.py $PWD/output-files/hdr.bin $PWD/static-files/HKD.crt | grep se.image_phkh | awk -F ":" '{ print $2 }')
+
+            echo "se.tag: $se_tag"
+            echo "se.image_phkh: $se_image_phkh"
+
+            generate_policy_files $se_tag $se_image_phkh
+            
+            provenance=$(cat $PWD/output-files/se-sample | base64 --wrap=0)
+            echo "provenance = $provenance"
+
+            # Create se-message file
+            cat <<EOF > $PWD/output-files/se-message
+{
+    "version" : "0.1.0",
+    "type": "sample",
+    "payload": "$provenance"
+}
+EOF
+
+            ls -lrt $PWD/output-files/hdr.bin $PWD/output-files/se-message $PWD/output-files/ibmse-policy.rego
+            ;;
+        
+        "Quit")
+            break
+            ;;
+        
+        *) echo "Invalid option: $REPLY";;
+    esac
+done
+

hack/Rvps-Extraction/RVPS_Reference.md

@@ -0,0 +1,71 @@
+
+# RVPS (Reference Value Provider Service) Usage
+
+The RVPS (Reference Value Provider Service) values are used for remote attestation.
+
+It is responsible for verifying, storing, and providing reference values. RVPS receives and verifies inputs from the software supply chain, stores the measurement values, and generates reference value claims for the Attestation Service.
+
+This operation is performed based on the evidence verified by the Attestation Service (AS).
+
+## RVPS Values
+
+The values are:
+
+1. `image_phkh`
+2. `image_tag`
+3. `se.version`
+4. `se.tag`
+5. `se.attestation_phk`
+
+## Script Options
+
+The script will help retrieve the RVPS via the following two options:
+
+1. **Calculate the RVPS values based on the SE PODVM image stored locally** on the user’s machine where the script is being executed. The script will expect the absolute path of the SE PODVM image.
+
+2. **Calculate the RVPS values based on the SE PODVM image uploaded to a libvirt volume**. The script will expect the following inputs:
+    - Libvirt Pool Name
+    - Libvirt URI Name
+    - Libvirt Volume Name
+
+## Output
+
+After successful execution, you will get `se-message` and `ibmse-policy.rego` in a directory called `output-files`. These files will contain the RVPS parameters.
+
+## Prerequisites
+
+The user needs to copy the `Rvps-Extraction` folder locally:
+
+```bash
+[root@a3elp36 Rvps-Extraction]# ls -lrt
+total 8
+drwxr-xr-x. 2 root root   65 Oct 19 16:52 static-files
+-rwxr-xr-x. 1 root root 6078 Oct 19 16:52 GetRvps.sh
+```
+
+Once copied, the script can be executed as follows:
+
+```bash
+./GetRvps.sh
+```
+
+### Options
+1. Generate the RVPS from a local image on the user’s PC
+2. Generate RVPS from a volume
+3. Quit
+
+Once the script finishes, the output directory will be created, and the files will be copied to the same path where the script is executed. For example:
+
+```bash
+-rw-r--r--. 1 root root 640 Oct 9 13:25 /root/gaurav-rvps-test/COCO-1010/output-files/hdr.bin
+-rw-r--r--. 1 root root 446 Oct 9 13:25 /root/gaurav-rvps-test/COCO-1010/output-files/ibmse-policy.rego
+-rw-r--r--. 1 root root 561 Oct 9 13:25 /root/gaurav-rvps-test/COCO-1010/output-files/se-message
+```
+
+## Static Files
+
+Some static files will also be used to generate the RVPS. These include:
+
+- **`pvextract-hdr`**: This is used to extract the SE header from the PODVM SE image (input). It generates an intermediate file, `hdr.bin`, which will be used for further extraction.
+- **`se_parse_hdr.py`**: A Python parser used to generate the actual RVPS values.
+- **`HKD.crt`**: This certificate will vary between labs. The user needs to copy the same `HKD.crt` used to generate the uploaded PODVM SE image into this path.

hack/Rvps-Extraction/static-files/HKD.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7jCCAdagAwIBAgIJBFlsRgUYzLtIMA0GCSqGSIb3DQEBDQUAMGMxCzAJBgNV
+BAYTAlVTMQwwCgYDVQQKDANJQk0xEDAOBgNVBAsMB1Rlc3RpbmcxDDAKBgNVBAcM
+A1BPSzELMAkGA1UECAwCTlkxGTAXBgNVBAMMEFFTYWZlIEhLIHNpZ25pbmcwHhcN
+MjQwMjI4MTAzNjE4WhcNMjUwMjI3MTAzNjE4WjBbMQswCQYDVQQGEwJVUzEMMAoG
+A1UECgwDSUJNMRAwDgYDVQQLDAdUZXN0aW5nMQwwCgYDVQQHDANQT0sxCzAJBgNV
+BAgMAk5ZMREwDwYDVQQDDAhRc2FmZSBISzCBmzAQBgcqhkjOPQIBBgUrgQQAIwOB
+hgAEAIs8F4mItSnho7Wx/ngnZTfsQ9LtSchfKvc1r6Op5vNKGOuiuJ30GTOZUoZD
+M/MqioakC4EB0cpSTllh6qrYuxz2AUHgstGQNAFctkCKE3GqMEuFrcgazUvbV4JD
+NXSl/KB6uaKCgAeOuxw37+WkWaUpNOvpsh/dCjZ3pJeWYjv92r6BozUwMzAOBgNV
+HQ8BAf8EBAMCAwgwIQYDVR0fBBowGDAWoBSgEoYQaHR0cDovL3NvbWV3aGVyZTAN
+BgkqhkiG9w0BAQ0FAAOCAgEAas/Vg/xdwA3BqroBY+aRAfd6hwMNdVjbooYjga9M
+WeM6zDW+JOPuVYWij/yWGvRzKrmxwdpDrlEwQNFvh9uiwZorv6PCMnrF0Qprdwyl
+rvUzwXV28xrRgJtCpU5PDw2NSXZse7nsZD9zxtEYu8RywhtVO6LnXViAeTZLn1jK
+LMc+P1FlEA/+aVmNT3hr+sfFTDKn1oP4RbYJy4T9cbIGRgtRWpMyQaSqEX1bPytW
+ZjdK+LU55bZceAIrfR0um+gGSB+rRdyDQU0g9BS0dDXxVhDkzKVrD/UG2dqXd106
+Q3JeuROVwdd55dvwD5b+UmSS52oRlmTff1uJg6BF6tHWP7zh5rqLJdH3ds5AfITb
+2tHK3M1KhwIivbtBzogWH+LaxEF3n5V2FCc8bx92zB81IhKycSLnmE9OZ602d/0j
+BCU0hkh8BZS7o6A3sTHZHFh65jjFwRMQSDY43MLeNBWhdX8ymOcuiwVPWsHrrIBK
+w01nAbpR4IedQgwc0SJtExsqWKGS6OEyaDV5QcZh97/PA8ddBmsaJyZESJuwj1hp
+hq6jU/NtOT/J33vnoO0UWX8FaX58+4MCG638/fatMsdCUmt1OTw1b9Qry/p7pn56
+53FvYE30z1G7Arsu7LzTaz8EfLzQ57MVKb9cj2/NKzqhh5PMIb+9SdznQGuDqj5F
+++c=
+-----END CERTIFICATE-----