未验证 提交 fee7b69b 编写于 作者: H hustliyilin 提交者: GitHub

rune/libcontainer: Collect and sanity check attestation parameters

Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
上级 a9d4c594
......@@ -226,16 +226,22 @@ func (v *ConfigValidator) enclave(config *configs.Config) error {
return err
}
if config.Enclave.RaType != sgx.UnknownRaType {
if config.Enclave.IsProductEnclave == sgx.InvalidEnclaveType {
return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration %v!\n", config.Enclave.IsProductEnclave)
return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration!\n")
}
if config.Enclave.RaType == sgx.InvalidRaType {
return fmt.Errorf("Unsupported enclave.attestation.ra_type Configuration %v!\n", config.Enclave.RaType)
if config.Enclave.RaEpidSpid == "" {
return fmt.Errorf("The enclave.attestation.ra_epid_spid Configuration isn't set!\n")
}
if config.Enclave.RaEpidSubscriptionKey == "" {
return fmt.Errorf("The enclave.attestation.ra_epid_subscription_key Configuration isn't set!\n")
}
if config.Enclave.RaEpidIsLinkable == intelsgx.InvalidQuoteSignatureType {
return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration %v!\n", config.Enclave.RaEpidIsLinkable)
return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration!\n")
}
}
return nil
......
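Review bot: The EPID-only parameters are now required for every known RA type: once `config.Enclave.RaType != sgx.UnknownRaType`, the block rejects an empty `RaEpidSpid`, an empty `RaEpidSubscriptionKey` and an unset `RaEpidIsLinkable`, so a DCAP configuration — which, as far as I know, does not use an IAS SPID or subscription key — would be refused for parameters it has no use for. Narrow those three checks to `if config.Enclave.RaType == sgx.EPID { … }` and keep only the `IsProductEnclave` check common to both types, or document on the validator why DCAP must carry EPID credentials if that is intended. Reading the collapsed hunk as old-then-new, the replacement error strings also drop the offending value and keep a trailing `!\n`, which is unusual for Go errors; `fmt.Errorf("unsupported enclave.is_product_enclave configuration %v", config.Enclave.IsProductEnclave)` would be the conventional form. The enclosing enclave() method starts before this hunk and its closing brace is outside it.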
......@@ -334,53 +334,49 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
args = strings.Join(a, " ")
}
isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
if isProductEnclave == "" {
isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
}
var is_product_enclave uint32
if strings.EqualFold(isProductEnclave, "false") {
is_product_enclave = sgx.DebugEnclave
} else if strings.EqualFold(isProductEnclave, "true") {
is_product_enclave = sgx.ProductEnclave
} else {
is_product_enclave = sgx.InvalidEnclaveType
}
raType := filterOut(env, "ENCLAVE_RA_TYPE")
if raType == "" {
raType = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_type")
}
var ra_type uint32
var enclaveRaType, sgxEnclaveType, raEpidIsLinkable uint32 = sgx.UnknownRaType, sgx.InvalidEnclaveType, intelsgx.InvalidQuoteSignatureType
var raEpidSpid, raEpidSubscriptionKey string
if raType != "" {
if strings.EqualFold(raType, "EPID") {
ra_type = sgx.EPID
enclaveRaType = sgx.EPID
} else if strings.EqualFold(raType, "DCAP") {
ra_type = sgx.DCAP
} else {
ra_type = sgx.InvalidRaType
enclaveRaType = sgx.DCAP
}
ra_epid_spid := filterOut(env, "ENCLAVE_RA_EPID_SPID")
if ra_epid_spid == "" {
ra_epid_spid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
if isProductEnclave == "" {
isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
}
if strings.EqualFold(isProductEnclave, "false") {
sgxEnclaveType = sgx.DebugEnclave
} else if strings.EqualFold(isProductEnclave, "true") {
sgxEnclaveType = sgx.ProductEnclave
}
raEpidSpid = filterOut(env, "ENCLAVE_RA_EPID_SPID")
if raEpidSpid == "" {
raEpidSpid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
}
ra_epid_subscription_key := filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
if ra_epid_subscription_key == "" {
ra_epid_subscription_key = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
raEpidSubscriptionKey = filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
if raEpidSubscriptionKey == "" {
raEpidSubscriptionKey = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
}
linkable := filterOut(env, "ENCLAVE_RA_EPID_IS_LINKABLE")
if linkable == "" {
linkable = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_is_linkable")
}
var ra_epid_is_linkable uint32
if strings.EqualFold(linkable, "true") {
ra_epid_is_linkable = intelsgx.QuoteSignatureTypeLinkable
raEpidIsLinkable = intelsgx.QuoteSignatureTypeLinkable
} else if strings.EqualFold(linkable, "false") {
ra_epid_is_linkable = intelsgx.QuoteSignatureTypeUnlinkable
} else {
ra_epid_is_linkable = intelsgx.InvalidQuoteSignatureType
raEpidIsLinkable = intelsgx.QuoteSignatureTypeUnlinkable
}
}
if etype != "" {
......@@ -388,11 +384,11 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
Type: etype,
Path: path,
Args: args,
IsProductEnclave: is_product_enclave,
RaType: ra_type,
RaEpidSpid: ra_epid_spid,
RaEpidSubscriptionKey: ra_epid_subscription_key,
RaEpidIsLinkable: ra_epid_is_linkable,
IsProductEnclave: sgxEnclaveType,
RaType: enclaveRaType,
RaEpidSpid: raEpidSpid,
RaEpidSubscriptionKey: raEpidSubscriptionKey,
RaEpidIsLinkable: raEpidIsLinkable,
}
}
}
......
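Review bot: An unrecognized `ra_type` value is now silently accepted: reading the first hunk as old-then-new, the `} else { ra_type = sgx.InvalidRaType }` branch after the `strings.EqualFold(raType, "DCAP")` comparison was removed, so a non-empty value other than EPID/DCAP leaves `enclaveRaType` at `sgx.UnknownRaType`, which the validator treats as "attestation not requested" and therefore skips every attestation check, whereas the old code rejected it. A typo in the `ENCLAVE_RA_TYPE` variable or the `enclave.attestation.ra_type` label thus disables remote attestation instead of failing the container start. Since createEnclaveConfig has no error return, keep an explicit sentinel: restore the branch as `} else { enclaveRaType = sgx.InvalidRaType }` (keeping `InvalidRaType` in the sgx const block beside `UnknownRaType`) and have the validator reject that value before the `UnknownRaType` test. createEnclaveConfig starts before the `@@ -334` header and continues past the second hunk.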
......@@ -2,7 +2,7 @@ package sgx // import "github.com/opencontainers/runc/libenclave/attestation/sgx
// RA Type
const (
InvalidRaType = iota
UnknownRaType = iota
EPID
DCAP
)
......