From 0a85062d9ba3e14bd11c9aadd33dba5ce9ea7555 Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Wed, 23 Jun 2021 19:34:11 +0530 Subject: [PATCH 1/5] Graphene Attestation Inside AKS Signed-off-by: Veena Saini --- Tools/gsc/images/aks-client-deployment.yaml | 26 ++++++ .../aks-ra-tls-secret-prov-server.dockerfile | 93 +++++++++++++++++++ Tools/gsc/images/aks-server-deployment.yaml | 35 +++++++ ...graphene_attestation_inside_aks_readme.rst | 80 ++++++++++++++++ 4 files changed, 234 insertions(+) create mode 100644 Tools/gsc/images/aks-client-deployment.yaml create mode 100644 Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile create mode 100644 Tools/gsc/images/aks-server-deployment.yaml create mode 100644 Tools/gsc/images/graphene_attestation_inside_aks_readme.rst diff --git a/Tools/gsc/images/aks-client-deployment.yaml b/Tools/gsc/images/aks-client-deployment.yaml new file mode 100644 index 0000000000..42bc700995 --- /dev/null +++ b/Tools/gsc/images/aks-client-deployment.yaml @@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: gsc-ra-tls-secret-prov-client + labels: + app: gsc-ra-tls-secret-prov-client +spec: + template: + metadata: + labels: + app: gsc-ra-tls-secret-prov-client + spec: + volumes: + - name: var-run-aesmd + hostPath: + path: /var/run/aesmd + containers: + - name: gsc-ra-tls-secret-prov-client-container + image: /gsc-ra-tls-secret-prov-client-img + resources: + limits: + kubernetes.azure.com/sgx_epc_mem_in_MiB: 25 + volumeMounts: + - name: var-run-aesmd + mountPath: /var/run/aesmd + restartPolicy: Never diff --git a/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile b/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile new file mode 100644 index 0000000000..10c845daf5 --- /dev/null +++ b/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile 
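Review bot: The `hostPath` volume for `/var/run/aesmd` hands the client pod the node's AESM socket, yet the volume has no `type:` and the container has no `securityContext`, so the Job starts with an unchecked host mount as whatever user the image defaults to. Use `hostPath: {path: /var/run/aesmd, type: Directory}` so the pod fails fast on a node where the sgxquotehelper daemonset has not created the directory (with no type the path is presumably just created empty and quote generation fails later, less visibly), and say why the mount exists: `# aesmd socket exposed by the AKS sgxquotehelper daemonset (out-of-proc quote generation)`. The `image:` value `/gsc-ra-tls-secret-prov-client-img` has an empty registry prefix, so as written the Job cannot pull; presumably a `<registry>/` placeholder was lost in this revision. Deployers should also know that `hostPath` volumes are rejected by restricted Pod Security admission, which belongs in the README's prerequisites.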
@@ -0,0 +1,93 @@ +# Steps to create ra-tls-secret-prov-server image for AKS: +# +# STEP 1: Prepare Server certificate +# 1.1 Create server certificate signed by your trusted root CA. Ensure Common Name +# field in the server certificate corresponds to used in STEP 5. +# 1.2 Put trusted root CA certificate, server certificate, and server key in +# graphene/Examples/ra-tls-secret-prov/certs directory with existing naming convention. +# 1.3 Provide password for your server key to mbedtls_pk_parse_keyfile(,,pwd) API call, +# available at graphene/Pal/src/host/Linux-SGX/tools/ra-tls/tools/secret_prov_verify.c. +# +# STEP 2: Make sure RA-TLS DCAP libraries are built in Graphene via: +# $ cd graphene/Pal/src/host/Linux-SGX/tools/ra-tls && make dcap +# +# STEP 3: Create base ra-tls-secret-prov server image +# $ cd graphene +# $ docker build -t \ +# -f Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile . +# +# STEP 4: Push resulting image to Docker Hub or your preferred registry +# $ docker tag \ +# / +# $ docker push / +# +# STEP 5: Deploy in AKS confidential compute cluster +# Reference deployment file: graphene/Tools/gsc/images/aks-server-deployment.yaml +# +# NOTE: Server can be deployed at non-confidential compute node as well. However, in that +# QVE-based dcap verification will fail. 
+ +FROM ubuntu:18.04 + +RUN apt-get update \ + && env DEBIAN_FRONTEND=noninteractive apt-get install -y wget \ + build-essential \ + python3 \ + libcurl3-gnutls \ + gnupg2 \ + libcurl4-openssl-dev + +# Installing Azure DCAP Quote Provider Library (az-dcap-client) + +RUN wget https://github.com/microsoft/Azure-DCAP-Client/releases/download/1.8/az-dcap-client_1.8_amd64_18.04.deb \ + && chmod u+x az-dcap-client_1.8_amd64_18.04.deb \ + && dpkg -i az-dcap-client_1.8_amd64_18.04.deb + +# Installing DCAP Quote Verification Library + +RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \ + > /etc/apt/sources.list.d/intel-sgx.list \ + && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \ + && apt-key add intel-sgx-deb.key + +RUN apt-get update && apt-get install -y libsgx-dcap-quote-verify + +# Build environment of this Dockerfile should point to the root of Graphene directory + +RUN mkdir -p /graphene/Scripts \ + && mkdir -p /graphene/Pal/src/host/Linux-SGX/tools/pf_crypt \ + && mkdir -p /graphene/Pal/src/host/Linux-SGX/tools/common \ + && mkdir -p /graphene/Pal/src/host/Linux-SGX/tools/ra-tls \ + && mkdir -p /graphene/Examples/ra-tls-secret-prov + +# The below files are copied to satisfy Makefile dependencies of graphene/Examples/ra-tls-secret-prov + +COPY Scripts/Makefile.configs /graphene/Scripts/ +COPY Scripts/Makefile.Host /graphene/Scripts/ +COPY Scripts/download /graphene/Scripts/ + +COPY Pal/src/host/Linux-SGX/tools/pf_crypt/pf_crypt /graphene/Pal/src/host/Linux-SGX/tools/pf_crypt/ +COPY Pal/src/host/Linux-SGX/tools/common/libsgx_util.so /graphene/Pal/src/host/Linux-SGX/tools/common/ + +# make sure RA-TLS DCAP libraries are built in host Graphene via: +# cd graphene/Pal/src/host/Linux-SGX/tools/ra-tls && make dcap + +COPY Pal/src/host/Linux-SGX/tools/ra-tls/libsecret_prov_attest.so /graphene/Pal/src/host/Linux-SGX/tools/ra-tls/ +COPY Pal/src/host/Linux-SGX/tools/ra-tls/libsecret_prov_verify_dcap.so 
/graphene/Pal/src/host/Linux-SGX/tools/ra-tls/ +COPY Pal/src/host/Linux-SGX/tools/ra-tls/secret_prov.h /graphene/Pal/src/host/Linux-SGX/tools/ra-tls/ + +# If user doesn't want to copy above files, then she can build the ra-tls-secret-prov sample locally +# and copy the entire directory with executables + +COPY Examples/ra-tls-secret-prov /graphene/Examples/ra-tls-secret-prov + +WORKDIR /graphene/Examples/ra-tls-secret-prov + +RUN make clean \ + && make dcap files/input.txt + +ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:./libs" + +ENV PATH = "${PATH}:/graphene/Examples/ra-tls-secret-prov" + +ENTRYPOINT ["/graphene/Examples/ra-tls-secret-prov/secret_prov_server_dcap","&"] diff --git a/Tools/gsc/images/aks-server-deployment.yaml b/Tools/gsc/images/aks-server-deployment.yaml new file mode 100644 index 0000000000..78c72be156 --- /dev/null +++ b/Tools/gsc/images/aks-server-deployment.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ra-tls-secret-prov-server +spec: + replicas: 1 + selector: + matchLabels: + app: ra-tls-secret-prov-server + template: + metadata: + labels: + app: ra-tls-secret-prov-server + spec: + containers: + - name: ra-tls-secret-prov-server-container + image: /ra-tls-secret-prov-server-img + ports: + - containerPort: 4433 + resources: + limits: + kubernetes.azure.com/sgx_epc_mem_in_MiB: 25 +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/azure-dns-label-name: + name: ra-tls-secret-prov-server +spec: + type: LoadBalancer + ports: + - port: 4433 + selector: + app: ra-tls-secret-prov-server diff --git a/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst b/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst new file mode 100644 index 0000000000..c1a777f558 --- /dev/null +++ b/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst 
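Review bot: `COPY Examples/ra-tls-secret-prov /graphene/Examples/ra-tls-secret-prov` copies the whole example tree, which per STEP 1.2 of this same file holds the server's private key under `certs/`, and `make dcap files/input.txt` builds the secret to be provisioned into the same image, which STEP 4 then pushes to Docker Hub — the TLS key and the secret end up in an image layer on a registry. Keep them out of the image (a `.dockerignore` for `Examples/ra-tls-secret-prov/certs/*.key` and `files/`) and mount them at runtime as a Kubernetes Secret, or at minimum add `# WARNING: certs/ and files/ are baked into this image; never push an image built with real keys or secrets to a public registry` above the COPY. `ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:./libs"` and the `PATH` line use the legacy space-separated form with a stray `=`, so the value presumably begins with `= ` rather than the intended path; write `ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/graphene/Examples/ra-tls-secret-prov/libs"` (absolute, since `./libs` only resolves while the cwd is the WORKDIR). There is no `USER` instruction, so the server listening on 4433 runs as root.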
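Review bot: `service.beta.kubernetes.io/azure-dns-label-name:` has an empty value, so the Service gets no public DNS name for the certificate Common Name of STEP 1.1 to match; the placeholder was presumably lost and should be spelled out as `service.beta.kubernetes.io/azure-dns-label-name: <your-dns-label>`. Since the client Job in this series runs in the same cluster, a `type: ClusterIP` Service addressed as `ra-tls-secret-prov-server.<namespace>.svc.cluster.local` would avoid exposing the secret-provisioning port to the internet at all; if the LoadBalancer is kept, `loadBalancerSourceRanges` should restrict who can reach 4433. The Deployment has no `readinessProbe`, while the README asks the user to wait until the server is "running" — a TCP probe on `containerPort: 4433` would let `kubectl rollout status` replace that manual check. As with the client, there is no `securityContext` and the image sets no `USER`, so the server runs as root.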
@@ -0,0 +1,80 @@ +This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster. + + +Create client and server images for graphene attestation samples +================================================================ +This demonstration is created for graphene/Examples/ra-tls-secret-prov sample. + +# Steps to create ra-tls-secret-prov-server image for AKS: +# +# STEP 1: Please refer graphene/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile + + +# Steps to create ra-tls-secret-prov-client gsc image for AKS: +# +# STEP 1: Prepare client to connect with remote ra-tls-secret-prov server hosted inside AKS cluster +# 1.1 Provide server dns name to secret_provision_start() API call, +# available at graphene/Examples/ra-tls-secret-prov/src/secret_prov_client.c. +# 1.2 For secret_prov_min_client and secret_prov_pf_client user can provide the server +# dns name as loader.env.SECRET_PROVISION_SERVERS value inside +# graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest file. +# +# STEP 2: Create gsc image for ra-tls-secret-prov client +# 2.1 Gsc image creation steps for ra-tls-secret-prov-client image are described +# inside graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest. +# +# STEP 3: Push resulting image to Docker Hub or your preferred registry +# $ docker tag \ +# / +# $ docker push / +# +# STEP 4: Deploy in confidential compute AKS cluster +# Reference deployment file: graphene/Tools/gsc/images/aks-client-deployment.yaml + +Deploy both client and server images inside AKS confidential compute cluster +============================================================================ +**Prerequisites:** AKS confidential compute cluster with sgxquotehelper plugin and public ip address. + +AKS confidential compute cluster can be created using the following link: +https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started . 
+ +Graphene performs out-proc mode DCAP quote generation. Out-proc mode quote generation requires aesmd +service. To fulfill this requirement, AKS provides sgxquotehelper daemonset +[https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-out-of-proc-attestation]. +This feature exposes aesmd service for the container node. The service will internally connect with +az-dcap-client to fetch the platform collateral required for quote-generation. +In this demo the aks-client-deployment.yaml uses aesmd service exposed by AKS with the help of +sgxquotehelper plugin. + +In the ra-tls-secret-prov example, the client will generate sgx quote and send the quote embedded in +RA-TLS certificate to the server. Internally the server will verify the quote using +libsgx-dcap-quote-verify library. The libsgx-dcap-quote-verify library will fetch platform +collateral from libsgx-dcap-default-qpl library. Microsoft provides az-dcap-client library as an +alternative for libsgx-dcap-default-qpl library and it fetches platform collateral from +Azure-internal caching service https://global.acccache.azure.net/sgx/certificates/. +The aks-server-deployment.yaml is utilizing az-dcap-client library instead of +libsgx-dcap-default-qpl. + +The requirement of public-ip address is given so that the server is reachable by the client. 
+ +**Deployment** +$ kubectl apply -f aks-server-deployment.yaml + +Once the server container is in running state, +$ kubectl apply -f aks-client-deployment.yaml + +Ensure the quote generation and verification is successful inside AKS cluster +============================================================================= + +Verify the client job is completed +$ kubectl get jobs -l app=gsc-ra-tls-secret-prov-client + +Receive logs to verify the secret has been provisioned to the client +$ kubectl logs -l app=gsc-ra-tls-secret-prov-client --tail=50 + +**Expected Output** +--- Received secret1 = 'XXXXXXXXXXXXXXXXXXXXXXXXXXX', secret2 = 'XX' + +Delete both client and server containers +$ kubectl apply -f aks-server-deployment.yaml +$ kubectl apply -f aks-client-deployment.yaml From 43c4e93fa5e5c762a28536d4543b560acd4ffbd4 Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Thu, 22 Jul 2021 17:34:00 +0530 Subject: [PATCH 2/5] updated aks-ra-tls-secret-prov-server.dockerfile --- .../aks-ra-tls-secret-prov-server.dockerfile | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile b/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile index 10c845daf5..578dc36145 100644 --- a/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile +++ b/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile 
@@ -2,11 +2,9 @@ # # STEP 1: Prepare Server certificate # 1.1 Create server certificate signed by your trusted root CA. Ensure Common Name -# field in the server certificate corresponds to used in STEP 5. -# 1.2 Put trusted root CA certificate, server certificate, and server key in -# graphene/Examples/ra-tls-secret-prov/certs directory with existing naming convention. -# 1.3 Provide password for your server key to mbedtls_pk_parse_keyfile(,,pwd) API call, -# available at graphene/Pal/src/host/Linux-SGX/tools/ra-tls/tools/secret_prov_verify.c. +# field in the server certificate corresponds to used in STEP 5. +# 1.2 Put trusted root CA certificate, server certificate, and server key in +# graphene/Examples/ra-tls-secret-prov/certs directory with existing naming convention. # # STEP 2: Make sure RA-TLS DCAP libraries are built in Graphene via: # $ cd graphene/Pal/src/host/Linux-SGX/tools/ra-tls && make dcap 
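Review bot: Dropping step 1.3 (the `mbedtls_pk_parse_keyfile(,,pwd)` password) leaves the reader to infer that the server key in `certs/` must now be stored without a passphrase, and step 1.2 still does not say that this key is later copied into the image by `COPY Examples/ra-tls-secret-prov` and pushed to a registry in STEP 4. Suggest extending 1.2 with `#     NOTE: the key file must not be passphrase-protected and is copied into the image;` / `#     never push an image containing a production key to a public registry.` The header comment block continues outside this hunk.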
@@ -24,23 +22,25 @@ # STEP 5: Deploy in AKS confidential compute cluster # Reference deployment file: graphene/Tools/gsc/images/aks-server-deployment.yaml # -# NOTE: Server can be deployed at non-confidential compute node as well. However, in that +# NOTE: Server can be deployed at non-confidential compute node as well. However, in that case # QVE-based dcap verification will fail. FROM ubuntu:18.04 RUN apt-get update \ - && env DEBIAN_FRONTEND=noninteractive apt-get install -y wget \ + && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ build-essential \ - python3 \ - libcurl3-gnutls \ gnupg2 \ - libcurl4-openssl-dev + libcurl3-gnutls \ + libcurl4-openssl-dev \ + python3 \ + wget -# Installing Azure DCAP Quote Provider Library (az-dcap-client) +# Installing Azure DCAP Quote Provider Library (az-dcap-client). +# Here, we are using the deb package that we tested for this demo. +# User can install the latest az-dcap-client as well. RUN wget https://github.com/microsoft/Azure-DCAP-Client/releases/download/1.8/az-dcap-client_1.8_amd64_18.04.deb \ - && chmod u+x az-dcap-client_1.8_amd64_18.04.deb \ && dpkg -i az-dcap-client_1.8_amd64_18.04.deb # Installing DCAP Quote Verification Library @@ -90,4 +90,4 @@ ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:./libs" ENV PATH = "${PATH}:/graphene/Examples/ra-tls-secret-prov" -ENTRYPOINT ["/graphene/Examples/ra-tls-secret-prov/secret_prov_server_dcap","&"] +ENTRYPOINT ["/graphene/Examples/ra-tls-secret-prov/secret_prov_server_dcap"] From dc1f1a424cb339e50f1a6efa8485fdd2dcdfee7b Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Fri, 23 Jul 2021 12:18:27 +0530 Subject: [PATCH 3/5] Added SERVER name in manifest file for secret_prov_client --- .../ra-tls-secret-prov/secret_prov_client.manifest.template | 2 ++ Examples/ra-tls-secret-prov/src/secret_prov_client.c | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) 
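Review bot: The az-dcap-client `.deb` is still fetched with `wget` and installed with `dpkg -i` without any integrity check, so the build trusts whatever is served at that URL; the new comment pins the version for reproducibility but not for authenticity. Add a checksum step between the two, `&& echo "<sha256 of az-dcap-client_1.8_amd64_18.04.deb>  az-dcap-client_1.8_amd64_18.04.deb" | sha256sum -c -`, and `rm` the `.deb` in the same `RUN` so it does not remain in the layer. The reordered `apt-get install` in this hunk also lacks `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*`, which hadolint flags as DL3015/DL3009.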
diff --git a/Examples/ra-tls-secret-prov/secret_prov_client.manifest.template b/Examples/ra-tls-secret-prov/secret_prov_client.manifest.template index 9241c5e297..62bfd2265f 100644 --- a/Examples/ra-tls-secret-prov/secret_prov_client.manifest.template +++ b/Examples/ra-tls-secret-prov/secret_prov_client.manifest.template @@ -14,6 +14,8 @@ loader.insecure__use_cmdline_argv = true # Request remote attestation functionality from Graphene sgx.remote_attestation = true +loader.env.SECRET_PROVISION_SERVERS = "dummyserver:80;localhost:4433;anotherdummy:4433" + # Specify your SPID and linkable/unlinkable attestation policy sgx.ra_client_spid = "{{ ra_client_spid }}" sgx.ra_client_linkable = {{ ra_client_linkable }} diff --git a/Examples/ra-tls-secret-prov/src/secret_prov_client.c b/Examples/ra-tls-secret-prov/src/secret_prov_client.c index a0f7952468..6e384d1467 100644 --- a/Examples/ra-tls-secret-prov/src/secret_prov_client.c +++ b/Examples/ra-tls-secret-prov/src/secret_prov_client.c @@ -31,8 +31,9 @@ int main(int argc, char** argv) { if (!is_constructor) { /* secret provisioning was not run as part of initialization, run it now */ - ret = secret_provision_start("dummyserver:80;localhost:4433;anotherdummy:4433", - "certs/test-ca-sha256.crt", &ctx); + char* server = getenv(SECRET_PROVISION_SERVERS); + ret = secret_provision_start(server, "certs/test-ca-sha256.crt", &ctx); + if (ret < 0) { fprintf(stderr, "[error] secret_provision_start() returned %d\n", ret); goto out; From 8f983d20ecd15982c135afe4d76ebfeb5790a18f Mon Sep 17 00:00:00 2001 
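Review bot: The new `loader.env.SECRET_PROVISION_SERVERS` line is the only place the enclave now gets its server list from, since the literal in secret_prov_client.c is removed in this same patch, but nothing in the manifest says so. Suggest `# Server list consumed by secret_prov_client.c via getenv(SECRET_PROVISION_SERVERS); replace the dummy entries with your server` above the line. The manifest template continues outside this hunk.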
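Review bot: `getenv(SECRET_PROVISION_SERVERS)` returns NULL when the variable is absent from the manifest, and the result is passed straight into `secret_provision_start()`; the old code could not hit this because the server list was a literal. Add a guard before the call: `if (!server) { fprintf(stderr, "[error] SECRET_PROVISION_SERVERS is not set\n"); ret = -1; goto out; }`. This assumes `SECRET_PROVISION_SERVERS` is a string macro holding the variable name (presumably from secret_prov.h); if it is not, the unquoted identifier will not compile, so please confirm. The extra blank line added after the call is a style nit. `main()` starts and ends outside this hunk.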
From: Veena Saini Date: Mon, 26 Jul 2021 12:55:48 +0530 Subject: [PATCH 4/5] updated graphene_attestation_inside_aks_readme --- .../graphene_attestation_inside_aks_readme.md | 96 +++++++++++++++++++ ...graphene_attestation_inside_aks_readme.rst | 80 ---------------- .../ubuntu18.04-ra-tls-secret-prov.manifest | 4 +- 3 files changed, 99 insertions(+), 81 deletions(-) create mode 100644 Tools/gsc/images/graphene_attestation_inside_aks_readme.md delete mode 100644 Tools/gsc/images/graphene_attestation_inside_aks_readme.rst diff --git a/Tools/gsc/images/graphene_attestation_inside_aks_readme.md b/Tools/gsc/images/graphene_attestation_inside_aks_readme.md new file mode 100644 index 0000000000..526cabdf53 --- /dev/null +++ b/Tools/gsc/images/graphene_attestation_inside_aks_readme.md 
@@ -0,0 +1,96 @@ +# Graphene Attestation Inside AKS cluster + +This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster. +Here, we provide an end to end example to help CSPs integrate graphene’s RA TLS attestation and +secret provisioning feature with a confidential compute cluster managed by the Azure Kubernetes +Service. The necessary reference wrappers that will enable graphene to use the AKS components +such as the AESMD and quote provider libraries are contributed. A microservice deployment is also +provided for the RA-TLS verifier module that can be readily deployed to the AKS cluster. + +## Create client and server images for graphene attestation samples + +This demonstration is created for ``graphene/Examples/ra-tls-secret-prov`` sample. + +- Steps to create ra-tls-secret-prov-server image for AKS: + +```sh +Please refer graphene/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile +``` + +- Steps to create ra-tls-secret-prov-client gsc image for AKS: + +```sh +STEP 1: Prepare client to connect with remote ra-tls-secret-prov server hosted inside AKS cluster + 1.1 Provide server dns name as loader.env.SECRET_PROVISION_SERVERS value + inside graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest file. + +STEP 2: Create gsc image for ra-tls-secret-prov client + 2.1 Gsc image creation steps for ra-tls-secret-prov-client image are described + inside graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest. 
+ +STEP 3: Push resulting image to Docker Hub or your preferred registry + $ docker tag \ + / + $ docker push / + +STEP 4: Deploy in confidential compute AKS cluster + Reference deployment file: graphene/Tools/gsc/images/aks-client-deployment.yaml +``` + +## Deploy both client and server images inside AKS confidential compute cluster + +AKS confidential compute cluster can be created using following +[link](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started). + +Graphene performs out-of-proc mode DCAP quote generation. Out-of-proc mode quote generation requires aesmd +service. To fulfill this requirement, AKS provides +[sgxquotehelper daemonset](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-out-of-proc-attestation). +This feature exposes aesmd service for the container node. The service will internally connect with +az-dcap-client to fetch the platform collateral required for quote generation. In this demo, the +``aks-client-deployment.yaml`` uses aesmd service exposed by AKS with the help of sgxquotehelper +plugin. + +In the ra-tls-secret-prov example, the client will generate out-of-proc mode sgx quote that will be +embedded inside RA-TLS certificate. On receiving the quote, the server will internally verify it +using libsgx-dcap-quote-verify library via az-dcap-client library. Here, +``aks-server-deployment.yaml`` will deploy a ra-tls-secret-prov server container inside AKS cluster. + +**Deployment**
+ +```sh +$ kubectl apply -f aks-server-deployment.yaml +``` + +Once the server container is in running state, start the client container as shown below + +```sh +$ kubectl apply -f aks-client-deployment.yaml +``` + +At this stage, a successful RA-TLS verification would be completed, and the secrets have been +provisioned from the server to the client container. + +## Steps to verify successful quote generation and quote verification using logs + +Verify the client job is completed + +```sh +$ kubectl get jobs -l app=gsc-ra-tls-secret-prov-client +``` + +Receive logs to verify the secret has been provisioned to the client + +```sh +$ kubectl logs -l app=gsc-ra-tls-secret-prov-client --tail=50 +``` + +**Expected Output**
+ +--- Received secret1 = 'XXXXXXXXXXXXXXXXXXXXXXXXXXX', secret2 = 'XX' + +Delete both client and server containers + +```sh +$ kubectl apply -f aks-server-deployment.yaml +$ kubectl apply -f aks-client-deployment.yaml +``` diff --git a/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst b/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst deleted file mode 100644 index c1a777f558..0000000000 --- a/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst +++ /dev/null 
@@ -1,80 +0,0 @@ -This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster. - - -Create client and server images for graphene attestation samples -================================================================ -This demonstration is created for graphene/Examples/ra-tls-secret-prov sample. - -# Steps to create ra-tls-secret-prov-server image for AKS: -# -# STEP 1: Please refer graphene/Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile - - -# Steps to create ra-tls-secret-prov-client gsc image for AKS: -# -# STEP 1: Prepare client to connect with remote ra-tls-secret-prov server hosted inside AKS cluster -# 1.1 Provide server dns name to secret_provision_start() API call, -# available at graphene/Examples/ra-tls-secret-prov/src/secret_prov_client.c. -# 1.2 For secret_prov_min_client and secret_prov_pf_client user can provide the server -# dns name as loader.env.SECRET_PROVISION_SERVERS value inside -# graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest file. -# -# STEP 2: Create gsc image for ra-tls-secret-prov client -# 2.1 Gsc image creation steps for ra-tls-secret-prov-client image are described -# inside graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest. -# -# STEP 3: Push resulting image to Docker Hub or your preferred registry -# $ docker tag \ -# / -# $ docker push / -# -# STEP 4: Deploy in confidential compute AKS cluster -# Reference deployment file: graphene/Tools/gsc/images/aks-client-deployment.yaml - -Deploy both client and server images inside AKS confidential compute cluster -============================================================================ -**Prerequisites:** AKS confidential compute cluster with sgxquotehelper plugin and public ip address. - -AKS confidential compute cluster can be created using the following link: -https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started . 
- -Graphene performs out-proc mode DCAP quote generation. Out-proc mode quote generation requires aesmd -service. To fulfill this requirement, AKS provides sgxquotehelper daemonset -[https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-out-of-proc-attestation]. -This feature exposes aesmd service for the container node. The service will internally connect with -az-dcap-client to fetch the platform collateral required for quote-generation. -In this demo the aks-client-deployment.yaml uses aesmd service exposed by AKS with the help of -sgxquotehelper plugin. - -In the ra-tls-secret-prov example, the client will generate sgx quote and send the quote embedded in -RA-TLS certificate to the server. Internally the server will verify the quote using -libsgx-dcap-quote-verify library. The libsgx-dcap-quote-verify library will fetch platform -collateral from libsgx-dcap-default-qpl library. Microsoft provides az-dcap-client library as an -alternative for libsgx-dcap-default-qpl library and it fetches platform collateral from -Azure-internal caching service https://global.acccache.azure.net/sgx/certificates/. -The aks-server-deployment.yaml is utilizing az-dcap-client library instead of -libsgx-dcap-default-qpl. - -The requirement of public-ip address is given so that the server is reachable by the client. 
- -**Deployment** -$ kubectl apply -f aks-server-deployment.yaml - -Once the server container is in running state, -$ kubectl apply -f aks-client-deployment.yaml - -Ensure the quote generation and verification is successful inside AKS cluster -============================================================================= - -Verify the client job is completed -$ kubectl get jobs -l app=gsc-ra-tls-secret-prov-client - -Receive logs to verify the secret has been provisioned to the client -$ kubectl logs -l app=gsc-ra-tls-secret-prov-client --tail=50 - -**Expected Output** ---- Received secret1 = 'XXXXXXXXXXXXXXXXXXXXXXXXXXX', secret2 = 'XX' - -Delete both client and server containers -$ kubectl apply -f aks-server-deployment.yaml -$ kubectl apply -f aks-client-deployment.yaml diff --git a/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest b/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest index eb1270bde6..0ef554749b 100644 --- a/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest +++ b/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov.manifest @@ -28,12 +28,14 @@ # Secret Provisioning library (client-side) is preloaded loader.env.LD_PRELOAD = "libs/libsecret_prov_attest.so" +loader.env.SECRET_PROVISION_SERVERS = "dummyserver:80;localhost:4433;anotherdummy:4433" + # Uncomment below lines for secret_prov_min_client and secret_prov_pf_client # #loader.env.SECRET_PROVISION_CONSTRUCTOR = "1" #loader.env.SECRET_PROVISION_SET_PF_KEY = "1" #loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "certs/test-ca-sha256.crt" -#loader.env.SECRET_PROVISION_SERVERS = "dummyserver:80;localhost:4433;anotherdummy:4433" + # Request remote attestation functionality from Graphene sgx.remote_attestation = true From dd99b8cb82a0fa73f14b0d7c4d6f021e4674b719 Mon Sep 17 00:00:00 2001 
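Review bot: `loader.env.SECRET_PROVISION_SERVERS` is now unconditionally set to the dummy list in the gsc test manifest, while the README in this series tells users to replace it with the AKS server's DNS name; the manifest itself gives no such hint. Suggest `# Replace with the DNS name and port of your ra-tls-secret-prov server (see graphene_attestation_inside_aks_readme.md)` above the line. The hunk also swaps the old commented-out entry for an empty line inside the "Uncomment below lines" block, which reads as a leftover and should be dropped. The manifest continues outside this hunk.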
From: Veena Saini Date: Thu, 29 Jul 2021 12:09:27 +0530 Subject: [PATCH 5/5] updated graphene_attestation_inside_aks_readme.md --- .../images/graphene_attestation_inside_aks_readme.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Tools/gsc/images/graphene_attestation_inside_aks_readme.md b/Tools/gsc/images/graphene_attestation_inside_aks_readme.md index 526cabdf53..e8d2adf8e6 100644 --- a/Tools/gsc/images/graphene_attestation_inside_aks_readme.md +++ b/Tools/gsc/images/graphene_attestation_inside_aks_readme.md @@ -1,11 +1,11 @@ # Graphene Attestation Inside AKS cluster -This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster. -Here, we provide an end to end example to help CSPs integrate graphene’s RA TLS attestation and -secret provisioning feature with a confidential compute cluster managed by the Azure Kubernetes -Service. The necessary reference wrappers that will enable graphene to use the AKS components -such as the AESMD and quote provider libraries are contributed. A microservice deployment is also -provided for the RA-TLS verifier module that can be readily deployed to the AKS cluster. +This guide demonstrates how Graphene DCAP attestation quote can be generated and verified from +within an AKS cluster. Here, we provide an end to end example to help CSPs integrate graphene’s +RA-TLS attestation and secret provisioning feature with a confidential compute cluster managed by +Azure Kubernetes Service. The necessary reference wrappers that will enable graphene to use AKS +components such as the AESMD and quote provider libraries are contributed. A microservice deployment +is also provided for the RA-TLS verifier module that can be readily deployed to the AKS cluster. ## Create client and server images for graphene attestation samples