docs: update resource URI and add plugin support

attestation-agent/coco_keyprovider/src/enc_mods/mod.rs

@@ -66,8 +66,6 @@ const HARD_CODED_KEYID: &str = "kbs:///default/test-key/1";
 /// with this prefix.
 const DEFAULT_KEY_REPO_PATH: &str = "/default/image-kek";
 
-const KBS_RESOURCE_URL_PREFIX: &str = "kbs://";
-
 fn parse_input_params(input: &str) -> Result<InputParams> {
     let map: HashMap<&str, &str> = input
         .split("::")
@@ -150,9 +148,23 @@ async fn generate_key_parameters(input_params: &InputParams) -> Result<(Vec<u8>,
 
 /// Normalize the given keyid into (kbs addr, key path), s.t.
 /// converting `kbs://...` or `../..` to `(<kbs-addr>, <repository>/<type>/<tag>)`.
+/// Supports both `kbs://` and `kbs+<plugin>://` schemes.
 fn normalize_path(keyid: &str) -> Result<(String, String)> {
     debug!("normalize key id {keyid}");
-    let path = keyid.strip_prefix(KBS_RESOURCE_URL_PREFIX).unwrap_or(keyid);
+
+    let path = if let Some(rest) = keyid.strip_prefix("kbs://") {
+        rest
+    } else if let Some(pos) = keyid.find("://") {
+        let scheme = &keyid[..pos];
+        if scheme.starts_with("kbs+") {
+            &keyid[pos + 3..]
+        } else {
+            keyid
+        }
+    } else {
+        keyid
+    };
+
     let values: Vec<&str> = path.split('/').collect();
     if values.len() == 4 {
         Ok((
@@ -164,6 +176,8 @@ fn normalize_path(keyid: &str) -> Result<(String, String)> {
             "Resource path {keyid} must follow one of the following formats:
                 'kbs:///<repository>/<type>/<tag>'
                 'kbs://<kbs-addr>/<repository>/<type>/<tag>'
+                'kbs+<plugin>:///<repository>/<type>/<tag>'
+                'kbs+<plugin>://<kbs-addr>/<repository>/<type>/<tag>'
                 '<kbs-addr>/<repository>/<type>/<tag>'
                 '/<repository>/<type>/<tag>'
             "
@@ -195,7 +209,7 @@ pub async fn enc_optsdata_gen_anno(
         .await
         .context("generating key params")?;
 
-    let (kbs_addr, k_path) = normalize_path(&kid)?;
+    let (_kbs_addr, k_path) = normalize_path(&kid)?;
 
     let algorithm = input_params.algorithm;
     let encrypt_optsdata = crypto::encrypt(optsdata, &key, &iv, &algorithm)
@@ -213,7 +227,7 @@ pub async fn enc_optsdata_gen_anno(
 
     let engine = base64::engine::general_purpose::STANDARD;
     let annotation = AnnotationPacket {
-        kid: format!("{KBS_RESOURCE_URL_PREFIX}{kbs_addr}/{k_path}"),
+        kid: kid.clone(),
         wrapped_data: engine.encode(encrypt_optsdata),
         iv: engine.encode(iv),
         wrap_type: algorithm.to_string(),
@@ -229,6 +243,9 @@ mod tests {
     #[rstest]
     #[case("kbs://a/b/c/d", ("a", "b/c/d"))]
     #[case("kbs:///b/c/d", ("", "b/c/d"))]
+    #[case("kbs+pkcs11://a/b/c/d", ("a", "b/c/d"))]
+    #[case("kbs+pkcs11:///b/c/d", ("", "b/c/d"))]
+    #[case("kbs+myplugin:///repo/type/tag", ("", "repo/type/tag"))]
     #[case("a/b/c/d", ("a", "b/c/d"))]
     #[case("/b/c/d", ("", "b/c/d"))]
     fn test_normalize_keypath(#[case] input: &str, #[case] expected: (&str, &str)) {

attestation-agent/deps/resource_uri/src/lib.rs

@@ -14,15 +14,17 @@ const RESOURCE_ID_ERROR_INFO: &str =
     "invalid kbs resource uri, should be kbs://<addr-of-kbs>/<repo>/<type>/<tag>";
 
 const SCHEME: &str = "kbs";
+const DEFAULT_PLUGIN: &str = "resource";
 
-/// Resource Id document <https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md>
+/// Resource Id document <https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/RESOURCE_URI.md>
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct ResourceUri {
     pub kbs_addr: String,
     pub repository: String,
     pub r#type: String,
     pub tag: String,
     pub query: Option<String>,
+    pub plugin: Option<String>,
 }
 
 impl TryFrom<&str> for ResourceUri {
@@ -47,9 +49,19 @@ impl TryFrom<url::Url> for ResourceUri {
             }
         }
 
-        if value.scheme() != SCHEME {
-            return Err("scheme must be kbs");
-        }
+        let scheme = value.scheme();
+
+        let plugin = match scheme {
+            SCHEME => None,
+            s if s.starts_with("kbs+") => {
+                let plugin_name = s.trim_start_matches("kbs+");
+                if plugin_name.is_empty() {
+                    return Err("scheme kbs+ requires a plugin name, e.g. kbs+pkcs11");
+                }
+                Some(plugin_name.to_string())
+            }
+            _ => return Err("scheme must be kbs or kbs+<plugin>"),
+        };
 
         if value.path().is_empty() {
             return Err(RESOURCE_ID_ERROR_INFO);
@@ -64,6 +76,7 @@ impl TryFrom<url::Url> for ResourceUri {
                 r#type: values[1].into(),
                 tag: values[2].into(),
                 query: value.query().map(|s| s.to_string()),
+                plugin,
             })
         } else {
             Err(RESOURCE_ID_ERROR_INFO)
@@ -106,6 +119,7 @@ impl ResourceUri {
                 r#type: values[2].into(),
                 tag: values[3].into(),
                 query: None,
+                plugin: None,
             })
         } else {
             bail!(
@@ -115,8 +129,12 @@ impl ResourceUri {
     }
 
     pub fn whole_uri(&self) -> String {
+        let scheme = match &self.plugin {
+            Some(p) => format!("{SCHEME}+{p}"),
+            None => SCHEME.to_string(),
+        };
         let uri = format!(
-            "{SCHEME}://{}/{}/{}/{}",
+            "{scheme}://{}/{}/{}/{}",
             self.kbs_addr, self.repository, self.r#type, self.tag
         );
         match &self.query {
@@ -125,6 +143,12 @@ impl ResourceUri {
         }
     }
 
+    /// Returns the plugin name. If no plugin was specified in the URI,
+    /// returns the default plugin "resource".
+    pub fn plugin(&self) -> &str {
+        self.plugin.as_deref().unwrap_or(DEFAULT_PLUGIN)
+    }
+
     /// Only return the resource path. This function is used
     /// currently because up to now the kbs-uri is given
     /// to create an AA instance.
@@ -158,27 +182,58 @@ mod tests {
     use rstest::rstest;
 
     #[rstest]
-    #[case("kbs:///alice/cosign-key/213", "alice", "cosign-key", "213", None)]
     #[case(
-        "kbs:///plugin/plugname/resourcename?param1=value1&param2=value2",
-        "plugin",
-        "plugname",
-        "resourcename",
-        Some("param1=value1&param2=value2")
+        "kbs:///alice/cosign-key/213",
+        "alice",
+        "cosign-key",
+        "213",
+        None,
+        None
+    )]
+    #[case(
+        "kbs:///repo/type/tag?param1=value1&param2=value2",
+        "repo",
+        "type",
+        "tag",
+        Some("param1=value1&param2=value2"),
+        None
+    )]
+    #[case(
+        "kbs+pkcs11:///repo/type/tag",
+        "repo",
+        "type",
+        "tag",
+        None,
+        Some("pkcs11")
+    )]
+    #[case("kbs+myplugin:///a/b/c", "a", "b", "c", None, Some("myplugin"))]
+    #[case(
+        "kbs+custom://example.com:8080/repo/type/tag",
+        "repo",
+        "type",
+        "tag",
+        None,
+        Some("custom")
     )]
     fn test_resource_uri_serialization_conversion(
         #[case] url: &str,
         #[case] repository: &str,
         #[case] r#type: &str,
         #[case] tag: &str,
         #[case] query: Option<&str>,
+        #[case] plugin: Option<&str>,
     ) {
         let resource = ResourceUri {
-            kbs_addr: "".into(),
+            kbs_addr: if url.contains("example.com") {
+                "example.com:8080".into()
+            } else {
+                "".into()
+            },
             repository: repository.into(),
             r#type: r#type.into(),
             tag: tag.into(),
             query: query.map(|s| s.to_string()),
+            plugin: plugin.map(|s| s.to_string()),
         };
 
         // Deserialization
@@ -201,4 +256,21 @@ mod tests {
             ResourceUri::try_from(url_from_string).expect("failed to try from url");
         assert_eq!(resource_from_url, resource);
     }
+
+    #[rstest]
+    #[case("kbs:///repo/type/tag", "resource")]
+    #[case("kbs+pkcs11:///repo/type/tag", "pkcs11")]
+    fn test_plugin_accessor(#[case] uri: &str, #[case] plugin: &str) {
+        let uri: ResourceUri = uri.try_into().expect("failed to parse uri");
+        assert_eq!(uri.plugin(), plugin);
+    }
+
+    #[rstest]
+    #[case("http:///repo/type/tag", "scheme must be kbs")]
+    #[case("kbs+:///repo/type/tag", "requires a plugin name")]
+    fn test_invalid_scheme(#[case] uri: &str, #[case] error: &str) {
+        let result = ResourceUri::try_from(uri);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().contains(error));
+    }
 }

attestation-agent/docs/RESOURCE_URI.md

@@ -0,0 +1,76 @@
+# Resource URIs
+
+## Introduction
+
+Resource URIs are used across Confidential Containers to identify resources.
+For example, the metadata of an encrypted image can contain a resource URI
+referencing the image decryption key.
+An image signature policy or a sealed secret can contain a resource URI.
+
+Although these have been referred to as KBS Resource URIs, this abstraction
+is implemented by the CDH.
+
+The resource URI is not the same thing as the path for requesting a resource
+from Trustee's REST API. The mapping between these is described below.
+
+Technically, the Resource URI is not tied to any specific KBS, but this document
+mainly focuses on Trustee and the CC_KBC and describes how the resource URI
+relates to Trustee.
+Some legacy code, such as the SEV KBC or the FS KBC may fulfill resource URIs
+in different ways.
+
+## Specification
+
+A Resource URI must comply with the following format:
+
+```plaintext
+kbs+<plugin>://<kbs_host>:<kbs_port>/<repository>/<type>/<tag>
+```
+
+### Scheme
+
+The scheme always begins with `kbs`. Typically the scheme is simply `kbs://`, but a plus sign
+can be used to specify that the resource should be fulfilled by a particular plugin.
+
+For instance, to represent a resource fulfilled by the Trustee `pkcs11` plugin, the
+scheme would be `kbs+pkcs11://`.
+
+If no plugin is specified, the CDH will request a resource from the `resource` plugin.
+
+### Host and Port
+
+The host and port point to the KBS instance that will serve the resource.
+Today, the CDH ignores these fields and instead gets the KBS URI and port
+from the CDH config file.
+This way, the resource URI does not need to be updated if the KBS URI changes.
+This means that generally only one KBS serves resources for a pod, there are ways
+to work around this with sealed secrets.
+Multi-KBS workloads may be supported in the future.
+
+Since these fields are ignored, most resource URIs leave them out.
+This results in three slashes in a row.
+For example, `kbs:///repository/type/tag`.
+
+### Repository, Type, and Tag
+
+Currently resource URIs have three levels of identifiers/scope.
+The terms `repository`, `type`, and `tag` are somewhat arbitrary. 
+These identifiers can be used in any way.
+
+### Query Strings
+
+The resource URI also supports query strings.
+
+## Examples
+
+* `kbs://example.cckbs.org:8081/alice/decryption-key/1`
+* `kbs:///a/b/c`
+* `kbs+pkcs11:///a/b/c`
+
+## Mapping
+
+The resource URI is transformed into an HTTP(S) request.
+Specifically, the request will be made to `http://<kbs_host>:<kbs_port>/kbs/v0/<plugin>/alice/decryption-key/1`.
+
+If no plugin is specified in the resource URI, `resource` will be used.
+More information on the KBS API can be found [here](https://github.com/confidential-containers/trustee/blob/main/kbs/docs/kbs.yaml).

attestation-agent/kbs_protocol/src/client/rcar_client.rs

@@ -330,8 +330,12 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
 impl KbsClientCapabilities for KbsClient<Box<dyn EvidenceProvider>> {
     async fn get_resource(&mut self, resource_uri: ResourceUri) -> Result<Vec<u8>> {
         let mut remote_url = format!(
-            "{}/{KBS_PREFIX}/resource/{}/{}/{}",
-            self.kbs_host_url, resource_uri.repository, resource_uri.r#type, resource_uri.tag
+            "{}/{KBS_PREFIX}/{}/{}/{}/{}",
+            self.kbs_host_url,
+            resource_uri.plugin(),
+            resource_uri.repository,
+            resource_uri.r#type,
+            resource_uri.tag
         );
         if let Some(ref q) = resource_uri.query {
             remote_url = format!("{remote_url}?{q}");

attestation-agent/kbs_protocol/src/client/token_client.rs

@@ -32,8 +32,12 @@ impl KbsClient<Box<dyn TokenProvider>> {
 impl KbsClientCapabilities for KbsClient<Box<dyn TokenProvider>> {
     async fn get_resource(&mut self, resource_uri: ResourceUri) -> Result<Vec<u8>> {
         let mut remote_url = format!(
-            "{}/{KBS_PREFIX}/resource/{}/{}/{}",
-            self.kbs_host_url, resource_uri.repository, resource_uri.r#type, resource_uri.tag
+            "{}/{KBS_PREFIX}/{}/{}/{}/{}",
+            self.kbs_host_url,
+            resource_uri.plugin(),
+            resource_uri.repository,
+            resource_uri.r#type,
+            resource_uri.tag
         );
         if let Some(ref q) = resource_uri.query {
             remote_url = format!("{remote_url}?{q}");