Skip to content

Commit

Permalink
ibmse: add debug_assertions for debug and release branch
Browse files Browse the repository at this point in the history 
Signed-off-by: Qi Feng Huo <[email protected]>
  • Loading branch information
Qi Feng Huo committed Jun 17, 2024
1 parent 0af1601 commit c84d646
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 11 deletions.
3 changes: 2 additions & 1 deletion attestation-service/verifier/src/se/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem

## Build KBS
```
cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa
cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa
```

## (Option 1) Launch KBS as a program
Expand Down Expand Up @@ -107,6 +107,7 @@ export SE_SKIP_CERTS_VERIFICATION=true
```
DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs:latest --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile
```
>Note: Please add `--debug` in statement like `cargo install` in file `kbs/docker/Dockerfile` if you're using a development host key document to skip HKD's signature verification.
- Prepare a docker compose file, similar as:
```
Expand Down
25 changes: 15 additions & 10 deletions attestation-service/verifier/src/se/ibmse.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,6 @@ const DEFAULT_SE_MEASUREMENT_ENCR_KEY_PRIVATE: &str =
const DEFAULT_SE_MEASUREMENT_ENCR_KEY_PUBLIC: &str =
"/run/confidential-containers/ibmse/rsa/encrypt_key.pub";

const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";

macro_rules! env_or_default {
($env:literal, $default:ident) => {
match env::var($env) {
Expand Down Expand Up @@ -255,11 +253,6 @@ impl SeVerifierImpl {
DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT
);
let hkds = list_files_in_folder(&hkds_root)?;
let skip_certs_env = env_or_default!(
"SE_SKIP_CERTS_VERIFICATION",
DEFAULT_SE_SKIP_CERTS_VERIFICATION
);
let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
for hkd in &hkds {
let hk = std::fs::read(hkd).context("read host-key document")?;
let certs = read_certs(&hk)?;
Expand All @@ -272,9 +265,21 @@ impl SeVerifierImpl {
let c = certs
.first()
.ok_or(anyhow!("File does not contain a X509 certificate"))?;
if skip_certs {
warn!("SE_SKIP_CERTS_VERIFICATION set '{skip_certs}' never use it in production!")
} else {
#[cfg(debug_assertions)]
{
const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";
let skip_certs_env = env_or_default!(
"SE_SKIP_CERTS_VERIFICATION",
DEFAULT_SE_SKIP_CERTS_VERIFICATION
);
let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
if !skip_certs {
let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
verifier.verify(c)?;
}
}
#[cfg(not(debug_assertions))]
{
let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
verifier.verify(c)?;
}
Expand Down

0 comments on commit c84d646

Please sign in to comment.