No ca cert if kms is disabled
kvinwang committed Nov 25, 2024
1 parent 5315686 commit 710d716
Showing 3 changed files with 17 additions and 19 deletions.
6 changes: 2 additions & 4 deletions tdxctl/src/fde_setup.rs
Expand Up @@ -16,7 +16,7 @@ use crate::{
crypto::dh_decrypt,
utils::{
copy_dir_all, deserialize_json_file, extend_rtmr3, run_command, run_command_with_stdin,
sha256_file, AppCompose, AppKeys, HashingFile, VmConfig,
sha256, sha256_file, AppCompose, AppKeys, HashingFile, VmConfig,
},
GenAppKeysArgs, GenRaCertArgs,
};
Expand Down Expand Up @@ -178,7 +178,7 @@ pub async fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
let ca_cert_hash = if kms_enabled {
sha256_file(host_shared_dir.kms_ca_cert_file())?
} else {
sha256_file(host_shared_dir.tmp_ca_cert_file())?
sha256(b"")
};
let tapp_dir = args.rootfs_dir.join("tapp");
let app_keys_file = args.work_dir.join("appkeys.json");
Expand Down Expand Up @@ -241,8 +241,6 @@ pub async fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
} else {
info!("KMS is not enabled, generating local app keys");
cmd_gen_app_keys(GenAppKeysArgs {
ca_cert: host_shared_dir.tmp_ca_cert_file(),
ca_key: host_shared_dir.tmp_ca_key_file(),
ca_level: 1,
output: app_keys_file.clone(),
})?;
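Review bot: The KMS-disabled branch at `sha256(b"")` turns ca_cert_hash into a fixed constant, so whatever consumes it (extend_rtmr3 is imported in this file, but the consumer is outside the hunk) no longer binds to any CA material when KMS is off. If that is the intent, it should be stated at the branch and a verifier needs to know to read that digest as "no KMS CA", e.g. `// KMS disabled: no CA is provisioned, record the digest of empty input so the field keeps its shape`. cmd_setup_fde starts before and ends after these hunks.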
15 changes: 4 additions & 11 deletions tdxctl/src/main.rs
Expand Up @@ -120,14 +120,6 @@ struct GenCaCertArgs {
#[derive(Parser)]
/// Generate app keys
struct GenAppKeysArgs {
/// CA certificate used to sign the RA certificate
#[arg(long)]
ca_cert: PathBuf,

/// CA private key used to sign the RA certificate
#[arg(long)]
ca_key: PathBuf,

/// CA level
#[arg(long, default_value_t = 1)]
ca_level: u8,
Expand Down Expand Up @@ -334,7 +326,6 @@ fn cmd_gen_app_keys(args: GenAppKeysArgs) -> Result<()> {
use ra_tls::cert::CertRequest;
use ra_tls::rcgen::{KeyPair, PKCS_ECDSA_P256_SHA256};

let ca = CaCert::load(&args.ca_cert, &args.ca_key).context("Failed to read CA certificate")?;
let key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
let disk_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
let pubkey = key.public_key_der();
Expand All @@ -349,12 +340,14 @@ fn cmd_gen_app_keys(args: GenAppKeysArgs) -> Result<()> {
.key(&key)
.ca_level(args.ca_level)
.build();
let cert = ca.sign(req).context("Failed to sign certificate")?;
let cert = req
.self_signed()
.context("Failed to self-sign certificate")?;

let app_keys = serde_json::json!({
"app_key": key.serialize_pem(),
"disk_crypt_key": sha256(&disk_key.serialize_der()),
"certificate_chain": vec![cert.pem(), ca.pem_cert],
"certificate_chain": vec![cert.pem()],
});
let app_keys = serde_json::to_string(&app_keys).context("Failed to serialize app keys")?;
fs::write(&args.output, app_keys).context("Failed to write app keys")?;
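Review bot: After `let cert = req.self_signed()`, cmd_gen_app_keys emits a single self-signed certificate, but neither the `/// Generate app keys` doc on GenAppKeysArgs nor the `/// CA level` doc on ca_level says so, and ca_level now describes a self-signed root rather than a position under a parent CA. Confirm that the default of 1 is what ra_tls expects for a self-signed certificate and document it, e.g. `/// CA level of the self-signed app CA certificate (there is no parent CA)`. With the `CaCert::load` line removed, the `CaCert` import it relied on is presumably unused now unless something else in the file needs it; its `use` is outside the hunk. cmd_gen_app_keys starts before and continues after these hunks.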
15 changes: 11 additions & 4 deletions tdxctl/src/tboot.rs
Expand Up @@ -112,10 +112,6 @@ async fn setup_tproxy_net(args: &TbootArgs, compose: &AppCompose) -> Result<()>
fn prepare_certs(args: &TbootArgs) -> Result<()> {
info!("Preparing certs");
fs::create_dir_all(args.resolve("/etc/tappd"))?;
fs::copy(
args.resolve("/tapp/certs/ca.cert"),
args.resolve("/etc/tappd/ca.cert"),
)?;

let appkeys_data = fs::read_to_string(args.resolve("/tapp/appkeys.json"))?;
let appkeys: AppKeys = serde_json::from_str(&appkeys_data)?;
Expand All @@ -125,6 +121,17 @@ fn prepare_certs(args: &TbootArgs) -> Result<()> {
}
fs::write(args.resolve("/etc/tappd/app-ca.key"), &appkeys.app_key)?;

let kms_ca_cert = args.resolve("/tapp/certs/ca.cert");
if fs::metadata(&kms_ca_cert).is_ok() {
fs::copy(kms_ca_cert, args.resolve("/etc/tappd/ca.cert"))?;
} else {
// symbolic link the app-ca.cert to ca.cert
fs::os::unix::fs::symlink(
args.resolve("/etc/tappd/app-ca.cert"),
args.resolve("/etc/tappd/ca.cert"),
)?;
}

let cert_chain_str = appkeys.certificate_chain.join("\n");
fs::write(args.resolve("/etc/tappd/app-ca.cert"), cert_chain_str)?;

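Review bot: `fs::os::unix::fs::symlink` does not resolve if `fs` is `std::fs`, as the neighbouring `fs::copy` and `fs::metadata` calls suggest; the function lives at `std::os::unix::fs::symlink`. The fallback is also not idempotent if /etc/tappd can persist across runs: a ca.cert left behind makes symlink() fail with AlreadyExists, and a leftover symlink makes the later `fs::copy` write the KMS CA through into app-ca.cert, which the write at the end of the hunk then overwrites. In addition, `fs::metadata(&kms_ca_cert).is_ok()` treats every error, a permission problem included, as "no KMS CA" and silently falls back to the self-signed trust anchor. Removing a stale ca.cert first and taking the symlink branch only on NotFound addresses all three; the sketch below leaves the rest of prepare_certs, whose end lies outside the hunk, unchanged.
```rust
    let kms_ca_cert = args.resolve("/tapp/certs/ca.cert");
    let tappd_ca_cert = args.resolve("/etc/tappd/ca.cert");
    // Clear any ca.cert left from an earlier run: a stale symlink would make
    // fs::copy write through to app-ca.cert, and a stale file would make
    // symlink() fail with AlreadyExists.
    if let Err(e) = fs::remove_file(&tappd_ca_cert) {
        if e.kind() != std::io::ErrorKind::NotFound {
            return Err(e.into());
        }
    }
    match fs::metadata(&kms_ca_cert) {
        Ok(_) => {
            fs::copy(&kms_ca_cert, &tappd_ca_cert)?;
        }
        // Only a missing KMS CA selects the self-signed fallback; any other
        // error (e.g. permissions) must not silently downgrade the trust anchor.
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
            std::os::unix::fs::symlink(args.resolve("/etc/tappd/app-ca.cert"), &tappd_ca_cert)?;
        }
        Err(e) => return Err(e.into()),
    }
    // … unchanged: certificate_chain join and app-ca.cert write …
```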
