forked from confidential-containers/trustee
Update Dockerfile For openssl error in checks #54
Draft: chathuryaadapa wants to merge 265 commits into openshift:main from chathuryaadapa:s390x-build-kbs
Conversation
Fix broken SE link
Split the build of the binaries out to a gh-hosted runner; only the tests need to run on TEE hw. Signed-off-by: Magnus Kulke <[email protected]>
…-kbs-e2e-test-binaries-build e2e-test: fix binary build on self-hosted runners
Refactored AS/KBS/rvps docker placement. This change improves Dockerfile readability, as the current approach (format: Dockerfile.[name]) is not compatible with code inspection in IDEs, which can lead to errors. Signed-off-by: Pawel Proskurnicki <[email protected]>
We recently split the nodeport yaml into an s390x and an x86_64 directory, but we forgot to update the custom_pccs yaml to point to the correct one. For now let's assume that the custom_pccs will always run on x86_64 since it's for TDX. We might revisit that assumption in the future. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Signed-off-by: Qi Feng Huo <[email protected]>
This is an alignment with guest-components side AA eventlog. Signed-off-by: Xynnn007 <[email protected]>
Before this commit, the parsed claims of arrays were flattened into a nested map-like structure. But in real scenarios like AAEL, an Array will only be the "leaf" member of the parsed claims. Thus keeping it as-is is better. Signed-off-by: Xynnn007 <[email protected]>
Delete useless code for SGX; also make submodules public. Signed-off-by: Xynnn007 <[email protected]>
Bumps [clap_lex](https://github.com/clap-rs/clap) from 0.7.0 to 0.7.1. - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](clap-rs/clap@clap_lex-v0.7.0...clap_lex-v0.7.1) --- updated-dependencies: - dependency-name: clap_lex dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Mikko Ylinen <[email protected]>
Fix rate limit error with docker.io/library/busybox:latest.

```
Warning  Failed  76s  kubelet  Failed to pull image "busybox": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/busybox:latest": failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/library/busybox/manifests/sha256:50aa4698fa6262977cff89181b2664b99d8a56dbca847bf62f2ef04854597cf8: 429 Too Many Requests - Server message: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
```

Signed-off-by: ChengyuZhu6 <[email protected]>
The following hooks:
- ACTIONS_RUNNER_HOOK_JOB_STARTED
- ACTIONS_RUNNER_HOOK_JOB_COMPLETED
could perfectly replace the existing {pre,post}-action scripts and will make a workflow independent of the runner context. This commit wipes out all GHA steps where the actions are triggered. Signed-off-by: Hyounggyu Choi <[email protected]>
kbs already supports checking the Request version but any version mismatch is not correctly returned to the client (nor checked by the current RCAR client handshake). Add an explicit kbs ProtocolVersion error that is returned when the Request version is higher than what the KBS claims to support. Signed-off-by: Mikko Ylinen <[email protected]>
…usybox kbs: Fix rate limit error with busybox
…rsion kbs: add ProtocolVersion error
ci: fix doc_lazy_continuation checks added in rust 1.80.0
Create a common function to generate a nonce, and add a unit test for it. Signed-off-by: James O. D. Hunt <[email protected]>
Added IBM SE fields for initdata. Added examples for digest calculation in PeerPod. Signed-off-by: Qi Feng Huo <[email protected]>
Added initdata link in PeerPod Signed-off-by: Qi Feng Huo <[email protected]>
Bumps [serde](https://github.com/serde-rs/serde) from 1.0.200 to 1.0.205. - [Release notes](https://github.com/serde-rs/serde/releases) - [Commits](serde-rs/serde@v1.0.200...v1.0.205) --- updated-dependencies: - dependency-name: serde dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Enable release image to have SE_SKIP_CERTS_VERIFICATION also Signed-off-by: Qi Feng Huo <[email protected]>
Bumps [regex](https://github.com/rust-lang/regex) from 1.10.4 to 1.10.6. - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](rust-lang/regex@1.10.4...1.10.6) --- updated-dependencies: - dependency-name: regex dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Use the initdata hash value directly rather than its hex in claims. Signed-off-by: Qi Feng Huo <[email protected]>
Update readme for initdata and se.user_data field in attestation policy Signed-off-by: Qi Feng Huo <[email protected]>
ibmse: update readme to reflect initdata change
Bumps [ureq](https://github.com/algesten/ureq) from 2.9.7 to 2.10.1. - [Changelog](https://github.com/algesten/ureq/blob/main/CHANGELOG.md) - [Commits](algesten/ureq@2.9.7...2.10.1) --- updated-dependencies: - dependency-name: ureq dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [zstd](https://github.com/gyscos/zstd-rs) from 0.13.1 to 0.13.2. - [Release notes](https://github.com/gyscos/zstd-rs/releases) - [Commits](gyscos/zstd-rs@v0.13.1...v0.13.2) --- updated-dependencies: - dependency-name: zstd dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Support cross-compiled build for as, rvps, kbs and kbs client on arm64 architecture Signed-off-by: Seunguk Shin <[email protected]> Reviewed-by: Nick Connolly <[email protected]>
Improve cross-compile performance using rust cross-compiler instead of buildx Signed-off-by: Seunguk Shin <[email protected]> Reviewed-by: Nick Connolly <[email protected]>
Bumps [clap_lex](https://github.com/clap-rs/clap) from 0.7.3 to 0.7.4. - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](clap-rs/clap@clap_lex-v0.7.3...clap_lex-v0.7.4) --- updated-dependencies: - dependency-name: clap_lex dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
…-binaries Push AS, RVPS, KBS and KBS Client for arm64
The official rust docker image supports s390x from v1.78.0 Signed-off-by: Seunguk Shin <[email protected]>
Disable provenance information to create multi-arch image Signed-off-by: Seunguk Shin <[email protected]>
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.41.1 to 1.42.0. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.41.1...tokio-1.42.0) --- updated-dependencies: - dependency-name: tokio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…i-failure Fix ci failure
Bumps [zerofrom-derive](https://github.com/unicode-org/icu4x) from 0.1.4 to 0.1.5. - [Release notes](https://github.com/unicode-org/icu4x/releases) - [Changelog](https://github.com/unicode-org/icu4x/blob/main/CHANGELOG.md) - [Commits](https://github.com/unicode-org/icu4x/commits/ind/[email protected]) --- updated-dependencies: - dependency-name: zerofrom-derive dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [hmac-sha1-compact](https://github.com/jedisct1/rust-hmac-sha1) from 1.1.4 to 1.1.5. - [Commits](https://github.com/jedisct1/rust-hmac-sha1/commits/1.1.5) --- updated-dependencies: - dependency-name: hmac-sha1-compact dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [eventlog-rs](https://github.com/inclavare-containers/eventlog-rs) from 0.1.4 to 0.1.5. - [Commits](https://github.com/inclavare-containers/eventlog-rs/commits) --- updated-dependencies: - dependency-name: eventlog-rs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.18 to 0.3.19. - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](tokio-rs/tracing@tracing-subscriber-0.3.18...tracing-subscriber-0.3.19) --- updated-dependencies: - dependency-name: tracing-subscriber dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
The two dependencies have version dependencies so we update them together. Signed-off-by: Xynnn007 <[email protected]>
Bumps [prost](https://github.com/tokio-rs/prost) from 0.13.3 to 0.13.4. - [Release notes](https://github.com/tokio-rs/prost/releases) - [Changelog](https://github.com/tokio-rs/prost/blob/master/CHANGELOG.md) - [Commits](tokio-rs/prost@v0.13.3...v0.13.4) --- updated-dependencies: - dependency-name: prost dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
The SNP executables should depend on the SNP reference values Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Make the policy logic simpler. Rather than using the min function (which I'm not sure is even defined on TrustClaims) use short-circuiting to only evaluate the rules for the platform that has TCB values defined. I don't think there is any risk that the policy could be tricked into evaluating the wrong rules, such as the sample ones. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.2.1 to 1.2.7. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](rust-lang/cc-rs@cc-v1.2.1...cc-v1.2.7) --- updated-dependencies: - dependency-name: cc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [coarsetime](https://github.com/jedisct1/rust-coarsetime) from 0.1.34 to 0.1.35. - [Commits](jedisct1/rust-coarsetime@0.1.34...0.1.35) --- updated-dependencies: - dependency-name: coarsetime dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
The Kata CI does not set up the attestation token signing keys. This causes the KBS to break when we bump the repo version and pick up this new config which had the signing key specified. In the future we can change the CI to set up the signing keys (although we are already testing this in our Makefile test), but for now let's stick with the existing behavior. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Bumps [yoke](https://github.com/unicode-org/icu4x) from 0.7.4 to 0.7.5. - [Release notes](https://github.com/unicode-org/icu4x/releases) - [Changelog](https://github.com/unicode-org/icu4x/blob/main/CHANGELOG.md) - [Commits](https://github.com/unicode-org/icu4x/commits) --- updated-dependencies: - dependency-name: yoke dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [quote](https://github.com/dtolnay/quote) from 1.0.37 to 1.0.38. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](dtolnay/quote@1.0.37...1.0.38) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Instead of just warning and proceeding, as done right now[0], let's bail, as the current behaviour leads to an unusable KBS[1]. By bailing earlier at that point, when the trustee pod is being deployed by the trustee-operator, we ensure that the pod will error out and kubernetes will take care of restarting the pod till its startup properly succeeds.

[0]:
```
[INFO kbs] Using config file /etc/kbs-config/kbs-config.json
[WARN kbs::token::jwk] error getting JWKS: SourceAccess("error sending request for url (https://portal.trustauthority.intel.com/.well-known/openid-configuration)")
[INFO kbs] Starting HTTP server at [0.0.0.0:8080]
[WARN kbs::token::jwk] error getting JWKS: SourceAccess("error sending request for url (https://portal.trustauthority.intel.com/.well-known/openid-configuration)")
[INFO actix_server::builder] starting 56 workers
[INFO actix_server::server] Tokio runtime found; starting in existing Tokio runtime
```

[1]:
```
[INFO actix_web::middleware::logger] 10.128.0.32 "POST /kbs/v0/attest HTTP/1.1" 401 218 "-" "attestation-agent-kbs-client/0.1.0" 0.279838
[INFO kbs::http::attest] Auth API called.
[INFO actix_web::middleware::logger] 10.128.0.32 "POST /kbs/v0/auth HTTP/1.1" 200 108 "-" "attestation-agent-kbs-client/0.1.0" 0.000334
[INFO kbs::http::attest] Attest API called.
[INFO kbs::attestation::intel_trust_authority] POST attestation request ...
[ERROR kbs::http::error] Attestation failed: Failed to verify attestation token
Caused by: Cannot verify token since trusted JWK Set is empty
```

Signed-off-by: Fabiano Fidêncio <[email protected]>
The EAR token broker does not insert the `report_data` for SE attestation claim because there is no matching field in `SeAttestationClaims`. The absence leads to `TokenVerifierError(NoTeePubKeyClaimFound)` after successful attestation. As an interim solution, this commit renames the existing `user_data` to `report_data`, enabling the token broker to perform its task correctly. Signed-off-by: Hyounggyu Choi <[email protected]>
EAR tokens expect to find a report_data field in the TCB Claims as a signal that the verifier has checked the binding of the report data and the evidence. The SNP verifier does check the report data field, but it does not report it. This should not affect the az-snp verifier which will insert its own report_data on top of this field. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Since the SNP verifier also checks the init data, include the init_data field in the tcb claims. This will allow EAR tokens to contain the init_data_claims. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Labels
do-not-merge/work-in-progress
Indicates that a PR should not merge because it is a work in progress.
needs-rebase
Indicates a PR cannot be merged because it has merge conflicts with HEAD.
No description provided.