CDH | Support passport mode KBS

confidential-data-hub/Makefile

@@ -100,5 +100,5 @@ clean:
 
 help:
 	@echo "==========================Help========================================="
-	@echo "build: make [DEBUG=1] [LIBC=(musl)] [ARCH=(x86_64/s390x/ppc64le)] [RESOURCE_PROVIDER=(kbs/sev)] [KMS_PROVIDER=aliyun/ehsm]"
+	@echo "build: make [DEBUG=1] [LIBC=(musl)] [ARCH=(x86_64/s390x/ppc64le)] [RESOURCE_PROVIDER=(kbs/resource_kbs/sev)] [KMS_PROVIDER=aliyun/ehsm]"
 	@echo "install: make install [DESTDIR=/path/to/target] [LIBC=(musl)]"

confidential-data-hub/hub/Cargo.toml

@@ -40,9 +40,12 @@ default = ["kbs"]
 # support aliyun stacks (KMS, ..)
 aliyun = ["image/aliyun", "secret/aliyun"]
 
-# support coco-KBS to provide confidential resources
+# support coco-KBS in Background Check Mode to provide confidential resources
 kbs = ["image/kbs", "kms/kbs", "secret/kbs"]
 
+# support coco-KBS and coco-AS in Passport Mode to provide confidential resources
+resource_kbs = ["image/resource_kbs", "kms/resource_kbs", "secret/resource_kbs"]
+
 # support sev to provide confidential resources
 sev = ["attestation_agent", "image/sev", "kms/sev", "dep:sev", "secret/sev"]
 

confidential-data-hub/hub/src/hub.rs

@@ -67,9 +67,21 @@ impl DataHub for Hub {
     async fn get_resource(&self, uri: String) -> Result<Vec<u8>> {
         info!("get resource called: {uri}");
         // to initialize a get_resource_provider client we do not need the ProviderSettings.
+        #[cfg(feature = "kbs")]
         let mut client = kms::new_getter("kbs", ProviderSettings::default())
             .await
-            .map_err(|e| Error::GetResource(format!("create kbs client failed: {e}")))?;
+            .map_err(|e| {
+                Error::GetResource(format!(
+                    "create kbs client (background check mode) failed: {e}"
+                ))
+            })?;
+
+        #[cfg(feature = "resource_kbs")]
+        let mut client = kms::new_getter("resource_kbs", ProviderSettings::default())
+            .await
+            .map_err(|e| {
+                Error::GetResource(format!("create kbs client (passport mode) failed: {e}"))
+            })?;
 
         // to get resource using a get_resource_provider client we do not need the Annotations.
         let res = client

confidential-data-hub/image/Cargo.toml

@@ -24,6 +24,7 @@ default = []
 
 # legacy AnnotationPacket format, s.t. legacy encrypted image format relies on `kbs` feature
 kbs = ["kms/kbs"]
+resource_kbs = ["kms/resource_kbs"]
 aliyun = ["kms/aliyun"]
 sev = ["kms/sev"]
 ehsm = ["kms/ehsm"]

confidential-data-hub/kms/Cargo.toml

@@ -22,6 +22,7 @@ log.workspace = true
 openssl = { workspace = true, optional = true }
 p12 = { version = "0.6.3", optional = true }
 prost = { workspace = true, optional = true }
+protobuf.workspace = true
 rand = { workspace = true, optional = true }
 reqwest = { workspace = true, optional = true }
 resource_uri = { path = "../../attestation-agent/deps/resource_uri" }
@@ -34,6 +35,7 @@ thiserror.workspace = true
 tokio = { workspace = true, features = ["fs"] }
 toml.workspace = true
 tonic = { workspace = true, optional = true }
+ttrpc.workspace = true
 url = { workspace = true, optional = true }
 uuid = { workspace = true, features = ["serde", "v4"], optional = true }
 yasna = { version = "0.5.2", optional = true }
@@ -46,11 +48,13 @@ tokio = { workspace = true, features = ["rt", "macros" ] }
 [build-dependencies]
 anyhow.workspace = true
 tonic-build.workspace = true
+ttrpc-codegen.workspace = true
 
 [features]
-default = ["aliyun", "kbs", "ehsm"]
+default = ["aliyun", "resource_kbs", "ehsm"]
 
 aliyun = ["chrono", "hex", "openssl", "p12", "prost", "rand", "reqwest/rustls-tls", "sha2", "tonic", "url", "yasna"]
 kbs = ["kbs_protocol"]
+resource_kbs = ["kbs_protocol"]
 ehsm = ["ehsm_client"]
 sev = ["bincode", "crypto", "dep:sev", "prost", "tonic", "uuid", "zeroize"]

confidential-data-hub/kms/build.rs

@@ -3,6 +3,8 @@
 // extern crate tonic_build;
 
 use anyhow::*;
+use std::fs::File;
+use std::io::{Read, Write};
 
 fn main() -> Result<()> {
     #[cfg(feature = "aliyun")]
@@ -16,5 +18,39 @@ fn main() -> Result<()> {
         .out_dir("./src/plugins/kbs/sev")
         .compile(&["./src/plugins/kbs/sev/protos/getsecret.proto"], &[""])?;
 
+    ttrpc_codegen::Codegen::new()
+        .out_dir("src/attestation/aa_ttrpc")
+        .include("../../attestation-agent/protos")
+        .inputs(["../../attestation-agent/protos/attestation-agent.proto"])
+        .rust_protobuf()
+        .customize(ttrpc_codegen::Customize {
+            async_all: true,
+            ..Default::default()
+        })
+        .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+        .run()
+        .expect("ttrpc gen async code failed.");
+
+    // Fix clippy warnings of code generated from ttrpc_codegen
+    replace_text_in_file(
+        "src/attestation/aa_ttrpc/attestation_agent_ttrpc.rs",
+        "client: client",
+        "client",
+    )?;
+
+    Ok(())
+}
+
+fn replace_text_in_file(file_name: &str, from: &str, to: &str) -> Result<()> {
+    let mut src = File::open(file_name)?;
+    let mut contents = String::new();
+    src.read_to_string(&mut contents).unwrap();
+    drop(src);
+
+    let new_contents = contents.replace(from, to);
+
+    let mut dst = File::create(file_name)?;
+    dst.write_all(new_contents.as_bytes())?;
+
     Ok(())
 }