forked from microsoft/hcsshim
Query verified CIM digest for layers #46
ambarve wants to merge 20 commits into MahatiC:cwcow-inside-uvm from ambarve:use-vcim-digest
- Move common bridge protocol definitions to subpackage under internal/gcs
- Move helper functions to internal/bridgeutils pkg so that they can be used by gcs-sidecar as well
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
This commit makes the high level changes needed for gcs-sidecar
- Starts sidecar as service
- Dereferences the various valid rpc requests
- Adds code to invoke refs formatter

Note: This commit does not add invokers to the code for new ResourceTypes like SecurityPolicy, CWCOWBlockCIMs, Container scratch formatting etc. This will come in along with functional tests in later PRs. There are some TODO comments in the code which will be addressed in upcoming PRs as well.

To make this initialization of the gcs-sidecar flow complete, certain high level code for the policy enforcement has been brought into this commit from Mahati's changes. Example: internal/gcs-sidecar/policy.go, internal/gcs-sidecar/host.go and helper functions in internal/gcs-sidecar/host.go. Hence adding her as co-author in this commit. The rest of the policy framework code will be brought in by Mahati as follow up PRs.

Co-authored-by: <mchamarthy@microsoft.com>
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
- Add new resource type and code needed to support block cim mounts for hyperv wcow
- Add support to invoke refs formatter
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Commit squashes the following individual commits:
C-WCOW: Add security policy plumbing on hcsshim side
C-WCOW: Add security policy framework
C-WCOW:Securitypolicy: Rename securitypolicy framework files
C-WCOW: Add device mount policy enforcement with a fake hash
C-WCOW: Enforce mounting at the layers level
C-WCOW: Add enforcement points and clean up existing ones
C-WCOW: Merge securitypolicy package for linux and windows
C-WCOW: Remove securitypolicy package copy from gcs-sidecar
C-WCOW: Workaround mount_device and mount_overlay enforcements
Signed-off-by: Mahati Chamarthy <mchamarthy@microsoft.com>
(cherry picked from commit 5d2bca1)
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Amit's changes for cimfs (microsoft#35)
Allow different types of boot configurations for WCOW UVM
Add support for running confidential WCOW UVMs
Initial changes to start a cwcow container working CWCOW container with ReFS formatting in UVM
Some sidecar updates by Kirtana
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Co-authored-by: Amit Barve <ambarve@microsoft.com>
(cherry picked from commit 477dea5)
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Verified CIMs will allow the gcs-sidecar to query the root digest for each block CIM and then validate that against the policy to see if that layer is allowed. The layer CIMs will be merge mounted only if all of the root digests of all layer CIMs are successfully validated against the policy.

However, verified CIMs aren't available yet. In order to unblock testing of the policy engine, this commit mocks the root digest of a block CIM by generating a SHA256 of the layer path on the host. As long as the layer path remains the same (i.e., we won't remove and repull the same image) the layer digest will remain the same and we can use that in the policy.

Note that this is only a temporary change and it shouldn't be merged into main. Once verified CIMs are ready, we won't need to pass a digest in the mount block CIM request, instead gcs-sidecar will directly query the digest from the CIM.

Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Mahati Chamarthy <mchamarthy@microsoft.com>
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>
Signed-off-by: Mahati Chamarthy <mchamarthy@microsoft.com>
Block CIMs can now provide integrity checking (via a hash/Merkle tree, similar to dm-verity on Linux). A block CIM written with integrity checking enabled is called a verified CIM. A verified CIM is written once and then sealed to prevent any further modifications. When such a CIM is sealed it returns a digest of its contents. Such a CIM can then be mounted by passing in this digest. Every read on that mounted volume will then be verified against this digest to ensure the integrity of the contents of that CIM.

Signed-off-by: Amit Barve <ambarve@microsoft.com>
(cherry picked from commit dc7cf5c)
Currently we mock the root digest of layer CIMs. With the support for verified CIMs we don't have to mock it anymore. Now the gcs sidecar will directly query the root digest of attached layer CIMs and check that against the policy.

Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
With the latest changes to sidecar GCS, we can't boot the UVM anymore without a proper policy. uvmboot tool can't be used to test/debug CWCOW uvm boots if there is no policy provided. This commit adds a default policy and a flag to override it if required while creating UVMs with the tool.

Signed-off-by: Amit Barve <ambarve@microsoft.com>
Signed-off-by: Amit Barve <ambarve@microsoft.com>
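
The layer check described in the commit messages above (a mock root digest computed as the SHA-256 of the host layer path, and a merged mount only when every layer digest is allowed by policy), sketched in Go as an added example. It is not code from this PR or from hcsshim; `mockRootDigest`, `layerPolicy`, `validateLayers` and the sample paths are hypothetical names and constructed values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// mockRootDigest stands in for a verified CIM's root digest: the SHA-256 of
// the host layer path. It says nothing about the layer's contents and stays
// stable only while the layer is not removed and re-pulled to a new path.
func mockRootDigest(hostLayerPath string) string {
	sum := sha256.Sum256([]byte(hostLayerPath))
	return hex.EncodeToString(sum[:])
}

// layerPolicy is a hypothetical allow-list of layer root digests.
type layerPolicy map[string]struct{}

var errLayerDenied = errors.New("layer digest not allowed by policy")

// validateLayers checks every digest before any mount is attempted, so a
// single rejected layer blocks the merged mount of the whole set.
func validateLayers(p layerPolicy, digests []string) error {
	if len(digests) == 0 {
		return errors.New("no layers to validate")
	}
	for i, d := range digests {
		if _, ok := p[d]; !ok {
			return fmt.Errorf("layer %d (%s): %w", i, d, errLayerDenied)
		}
	}
	return nil
}

func main() {
	// Constructed sample paths, not taken from the PR.
	paths := []string{`C:\layers\base.bcim`, `C:\layers\app.bcim`}
	policy := layerPolicy{}
	var digests []string
	for _, p := range paths {
		d := mockRootDigest(p)
		policy[d] = struct{}{}
		digests = append(digests, d)
	}
	fmt.Println("allowed set:", validateLayers(policy, digests))
	// Same image pulled to a different path: the mock digest changes.
	digests[1] = mockRootDigest(`C:\layers\app-repull.bcim`)
	fmt.Println("after re-pull:", validateLayers(policy, digests))
}
```

The second call fails even though the layer contents are unchanged, which is the limitation of the path-based mock that a content-derived root digest removes.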
e639940 to 7a147df
No description provided.