rune: Clean up attestation parameters

1. Add the ra_product_enclave configuration to allow users to choose Production
Enclave or Development Enclave to be attested about IAS' remote attestaion.
2. Rename ra related configurations as enclave.attestation.ra in annotations.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

rune/libcontainer/configs/enclave.go

@@ -10,6 +10,7 @@ type Enclave struct {
 	Type                  string `json:"type"`
 	Path                  string `json:"path"`
 	Args                  string `json:"args,omitempty"`
+	IsProductEnclave      uint32 `json:"is_product_enclave,omitempty"`
 	RaType                uint32 `json:"ra_type,omitempty"`
 	RaEpidSpid            string `json:"ra_epid_spid,omitempty"`
 	RaEpidSubscriptionKey string `json:"ra_epid_subscription_key,omitempty"`

rune/libcontainer/configs/validate/validator.go

@@ -226,13 +226,18 @@ func (v *ConfigValidator) enclave(config *configs.Config) error {
 		return err
 	}
 
+	if config.Enclave.IsProductEnclave == sgx.InvalidEnclaveType {
+		return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration %v!\n", config.Enclave.IsProductEnclave)
+	}
+
 	if config.Enclave.RaType == sgx.InvalidRaType {
-		return fmt.Errorf("Unsupported ra_type Configuration %v!\n", config.Enclave.RaType)
+		return fmt.Errorf("Unsupported enclave.attestation.ra_type Configuration %v!\n", config.Enclave.RaType)
 	}
 
 	if config.Enclave.RaEpidIsLinkable == intelsgx.InvalidQuoteSignatureType {
-		return fmt.Errorf("Unsupported ra_epid_is_linkable Configuration %v!\n", config.Enclave.RaEpidIsLinkable)
+		return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration %v!\n", config.Enclave.RaEpidIsLinkable)
 	}
+
 	return nil
 }
 

rune/libcontainer/process_linux.go

@@ -144,6 +144,7 @@ func (p *setnsProcess) start() (err error) {
 				Type:                  p.config.Config.Enclave.Type,
 				Path:                  p.config.Config.Enclave.Path,
 				Args:                  p.config.Config.Enclave.Args,
+				IsProductEnclave:      p.config.Config.Enclave.IsProductEnclave,
 				RaType:                p.config.Config.Enclave.RaType,
 				RaEpidSpid:            p.config.Config.Enclave.RaEpidSpid,
 				RaEpidSubscriptionKey: p.config.Config.Enclave.RaEpidSubscriptionKey,
@@ -478,6 +479,7 @@ func (p *initProcess) start() (retErr error) {
 				Type:                  p.config.Config.Enclave.Type,
 				Path:                  p.config.Config.Enclave.Path,
 				Args:                  p.config.Config.Enclave.Args,
+				IsProductEnclave:      p.config.Config.Enclave.IsProductEnclave,
 				RaType:                p.config.Config.Enclave.RaType,
 				RaEpidSpid:            p.config.Config.Enclave.RaEpidSpid,
 				RaEpidSubscriptionKey: p.config.Config.Enclave.RaEpidSubscriptionKey,

rune/libcontainer/specconv/spec_linux.go

@@ -334,9 +334,22 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 		args = strings.Join(a, " ")
 	}
 
+	isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
+	if isProductEnclave == "" {
+		isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
+	}
+	var is_product_enclave uint32
+	if strings.EqualFold(isProductEnclave, "false") {
+		is_product_enclave = sgx.DebugEnclave
+	} else if strings.EqualFold(isProductEnclave, "true") {
+		is_product_enclave = sgx.ProductEnclave
+	} else {
+		is_product_enclave = sgx.InvalidEnclaveType
+	}
+
 	raType := filterOut(env, "ENCLAVE_RA_TYPE")
 	if raType == "" {
-		raType = libcontainerUtils.SearchLabels(config.Labels, "ra_type")
+		raType = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_type")
 	}
 	var ra_type uint32
 	if strings.EqualFold(raType, "EPID") {
@@ -349,17 +362,17 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 
 	ra_epid_spid := filterOut(env, "ENCLAVE_RA_EPID_SPID")
 	if ra_epid_spid == "" {
-		ra_epid_spid = libcontainerUtils.SearchLabels(config.Labels, "ra_epid_spid")
+		ra_epid_spid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
 	}
 
 	ra_epid_subscription_key := filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
 	if ra_epid_subscription_key == "" {
-		ra_epid_subscription_key = libcontainerUtils.SearchLabels(config.Labels, "ra_epid_subscription_key")
+		ra_epid_subscription_key = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
 	}
 
 	linkable := filterOut(env, "ENCLAVE_RA_EPID_IS_LINKABLE")
 	if linkable == "" {
-		linkable = libcontainerUtils.SearchLabels(config.Labels, "ra_epid_is_linkable")
+		linkable = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_is_linkable")
 	}
 	var ra_epid_is_linkable uint32
 	if strings.EqualFold(linkable, "true") {
@@ -375,6 +388,7 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 			Type:                  etype,
 			Path:                  path,
 			Args:                  args,
+			IsProductEnclave:      is_product_enclave,
 			RaType:                ra_type,
 			RaEpidSpid:            ra_epid_spid,
 			RaEpidSubscriptionKey: ra_epid_subscription_key,

rune/libenclave/attestation/sgx/attest.go

@@ -6,3 +6,10 @@ const (
 	EPID
 	DCAP
 )
+
+// RA Enclave Type
+const (
+	InvalidEnclaveType = iota
+	DebugEnclave
+	ProductEnclave
+)

rune/libenclave/configs/config.go

@@ -4,6 +4,7 @@ type InitEnclaveConfig struct {
 	Type                  string `json:"type"`
 	Path                  string `json:"path"`
 	Args                  string `json:"args"`
+	IsProductEnclave      uint32 `json:"is_product_enclave"`
 	RaType                uint32 `json:"ra_type"`
 	RaEpidSpid            string `json:"ra_epid_spid"`
 	RaEpidSubscriptionKey string `json:"ra_epid_subscription_key"`