diff --git a/tdxctl/src/fde_setup.rs b/tdxctl/src/fde_setup.rs
index e7eb950..17b3283 100644
--- a/tdxctl/src/fde_setup.rs
+++ b/tdxctl/src/fde_setup.rs
@@ -16,7 +16,7 @@ use crate::{
 crypto::dh_decrypt,
 utils::{
 copy_dir_all, deserialize_json_file, extend_rtmr3, run_command, run_command_with_stdin,
- sha256_file, AppCompose, AppKeys, HashingFile, VmConfig,
+ sha256, sha256_file, AppCompose, AppKeys, HashingFile, VmConfig,
 },
 GenAppKeysArgs, GenRaCertArgs,
 };
@@ -178,7 +178,7 @@ pub async fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
 let ca_cert_hash = if kms_enabled {
 sha256_file(host_shared_dir.kms_ca_cert_file())?
 } else {
- sha256_file(host_shared_dir.tmp_ca_cert_file())?
+ sha256(b"")
 };
 let tapp_dir = args.rootfs_dir.join("tapp");
 let app_keys_file = args.work_dir.join("appkeys.json");
@@ -241,8 +241,6 @@ pub async fn cmd_setup_fde(args: SetupFdeArgs) -> Result<()> {
 } else {
 info!("KMS is not enabled, generating local app keys");
 cmd_gen_app_keys(GenAppKeysArgs {
- ca_cert: host_shared_dir.tmp_ca_cert_file(),
- ca_key: host_shared_dir.tmp_ca_key_file(),
 ca_level: 1,
 output: app_keys_file.clone(),
 })?;
diff --git a/tdxctl/src/main.rs b/tdxctl/src/main.rs
index d441a7d..6c2ce7e 100644
--- a/tdxctl/src/main.rs
+++ b/tdxctl/src/main.rs
@@ -120,14 +120,6 @@ struct GenCaCertArgs {
 #[derive(Parser)]
 /// Generate app keys
 struct GenAppKeysArgs {
- /// CA certificate used to sign the RA certificate
- #[arg(long)]
- ca_cert: PathBuf,
-
- /// CA private key used to sign the RA certificate
- #[arg(long)]
- ca_key: PathBuf,
-
 /// CA level
 #[arg(long, default_value_t = 1)]
 ca_level: u8,
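Review bot: The `else` branch now records `sha256(b"")`, a fixed and publicly known digest, as the CA hash whenever KMS is disabled, and nothing at the site says that this is a deliberate sentinel rather than leftover placeholder code. If `ca_cert_hash` is fed into a measurement (`extend_rtmr3` is imported at the top of this file, though its use is outside the hunk), a verifier must know that the empty-input digest means "no KMS CA, locally generated self-signed keys" and must not accept it where a real CA is required. A comment on the new line such as `// No KMS: use the SHA-256 of empty input as a fixed sentinel so the no-CA mode stays distinguishable from any real CA hash` would make the intent explicit where the value is chosen. `cmd_setup_fde` begins and ends outside this hunk.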
@@ -334,7 +326,6 @@ fn cmd_gen_app_keys(args: GenAppKeysArgs) -> Result<()> {
 use ra_tls::cert::CertRequest;
 use ra_tls::rcgen::{KeyPair, PKCS_ECDSA_P256_SHA256};
 
- let ca = CaCert::load(&args.ca_cert, &args.ca_key).context("Failed to read CA certificate")?;
 let key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
 let disk_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
 let pubkey = key.public_key_der();
@@ -349,12 +340,14 @@ fn cmd_gen_app_keys(args: GenAppKeysArgs) -> Result<()> {
 .key(&key)
 .ca_level(args.ca_level)
 .build();
- let cert = ca.sign(req).context("Failed to sign certificate")?;
+ let cert = req
+ .self_signed()
+ .context("Failed to self-sign certificate")?;
 
 let app_keys = serde_json::json!({
 "app_key": key.serialize_pem(),
 "disk_crypt_key": sha256(&disk_key.serialize_der()),
- "certificate_chain": vec![cert.pem(), ca.pem_cert],
+ "certificate_chain": vec![cert.pem()],
 });
 let app_keys = serde_json::to_string(&app_keys).context("Failed to serialize app keys")?;
 fs::write(&args.output, app_keys).context("Failed to write app keys")?;
diff --git a/tdxctl/src/tboot.rs b/tdxctl/src/tboot.rs
index 7724e28..58e88b6 100644
--- a/tdxctl/src/tboot.rs
+++ b/tdxctl/src/tboot.rs
@@ -112,10 +112,6 @@ async fn setup_tproxy_net(args: &TbootArgs, compose: &AppCompose) -> Result<()>
 fn prepare_certs(args: &TbootArgs) -> Result<()> {
 info!("Preparing certs");
 fs::create_dir_all(args.resolve("/etc/tappd"))?;
- fs::copy(
- args.resolve("/tapp/certs/ca.cert"),
- args.resolve("/etc/tappd/ca.cert"),
- )?;
 let appkeys_data = fs::read_to_string(args.resolve("/tapp/appkeys.json"))?;
 let appkeys: AppKeys = serde_json::from_str(&appkeys_data)?;
 
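Review bot: With `req.self_signed()` the generated app certificate is both leaf and trust anchor in the no-KMS path, and `certificate_chain` shrinks to that single certificate, yet the function carries no documentation of this change in trust model. Any party can produce a self-signed certificate, so consumers of the written app-keys file can no longer derive trust from chain validation alone; presumably the attestation material carried by the `CertRequest` is what binds the key, but that is not visible in this hunk. A doc comment on `cmd_gen_app_keys` (its signature is outside this hunk) along the lines of `/// Generate app keys. Without a KMS the app certificate is self-signed; certificate_chain then holds only that certificate, which consumers must treat as the local trust anchor.` would record the contract. `args.ca_level` is still applied to what is now a self-signed root; if the level is meant to describe a position beneath a KMS CA, its meaning in this path should be stated as well.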
@@ -125,6 +121,17 @@ fn prepare_certs(args: &TbootArgs) -> Result<()> {
 }
 fs::write(args.resolve("/etc/tappd/app-ca.key"), &appkeys.app_key)?;
 
+ let kms_ca_cert = args.resolve("/tapp/certs/ca.cert");
+ if fs::metadata(&kms_ca_cert).is_ok() {
+ fs::copy(kms_ca_cert, args.resolve("/etc/tappd/ca.cert"))?;
+ } else {
+ // symbolic link the app-ca.cert to ca.cert
+ fs::os::unix::fs::symlink(
+ args.resolve("/etc/tappd/app-ca.cert"),
+ args.resolve("/etc/tappd/ca.cert"),
+ )?;
+ }
+
 let cert_chain_str = appkeys.certificate_chain.join("\n");
 fs::write(args.resolve("/etc/tappd/app-ca.cert"), cert_chain_str)?;