plasma-csv/verdictd
README

Introduction

Verdictd is a remote attestation implementation comprising a set of building blocks that use Intel/AMD security features to discover, attest, and enable critical foundational security and confidential computing use cases. It relies on RATS-TLS to apply the remote attestation fundamentals and standard specifications, maintaining a platform data collection service and an efficient verification engine that performs comprehensive trust evaluations. These trust evaluations can be used to govern the trust and security policies applied to any given workload.

Verdictd establishes an mTLS (Mutual Transport Layer Security) connection with the Attestation Agent via remote attestation. Its main functions are:

  • Implements Verdictd's protocol, which includes the "decryption" and "get KEK" requests.
  • Implements a gRPC service compatible with containers/ocicrypt.
  • Implements a gRPC service that can be used to configure OPA's policy files.

Design

Please refer to the design doc to view the design of Verdictd.

Build Source Code

Requirements

  • rust-lang
  • golang

Setup Environment

Please refer to Download OPA to install the OPA tool.

curl -L -o opa https://openpolicyagent.org/downloads/v0.30.1/opa_linux_amd64_static
chmod 755 ./opa
mv opa /usr/local/bin/opa

Install bindgen tool

cargo install protobuf
cargo install bindgen

# Linux(RHEL)
yum install -y clang-libs clang-devel

# Linux(Ubuntu)
apt-get install llvm-dev libclang-dev clang

Build & Install

make
make install

Run

Verdictd relies on rats-tls to listen on a TCP socket; the default socket address is 127.0.0.1:1234. Use the --listen option to specify a different listen address.

verdictd --listen 127.0.0.1:1111

Use the --attester, --verifier, --tls, --crypto and --mutual options to specify the instance types rats-tls uses. See details: RATS-TLS

Use the --client-api option to specify the client-api server's listen address.

verdictd --client-api [::1]:10001

Default

All of these options have default values. If ./bin/verdictd is executed directly, it runs with the following configuration.

verdictd --listen 127.0.0.1:1234 --client-api [::1]:60000

Generate encrypted container image

Verdictd serves the key provider protocol's WrapKey request at the address designated by the --client-api option, so Verdictd and skopeo can be used together to generate an encrypted container image with the following steps.

# Generate the key provider configuration file
cat <<- EOF >/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf
{
        "key-providers": {
                "attestation-agent": {
                    "grpc": "127.0.0.1:50001"

                }
        }
}
EOF

# Generate an encryption key
cat <<- EOF >/opt/verdictd/keys/84688df7-2c0c-40fa-956b-29d8e74d16c0
1234567890123456789012345678901
EOF

# Launch Verdictd
verdictd --client-api 127.0.0.1:50001

skopeo --insecure-policy copy docker://docker.io/library/alpine:latest oci:alpine

export OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf

# Generate the encrypted image
skopeo copy --insecure-policy --encryption-key provider:attestation-agent:84688df7-2c0c-40fa-956b-29d8e74d16c0 oci:alpine oci:alpine-encrypted
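After running the steps above, a practitioner will want to confirm that the resulting OCI layout actually contains encrypted layers bound to the intended key provider before the image is pushed anywhere. The following Python script is an added example, not code from the verdictd project: it parses the `provider:<name>:<key-id>` reference passed to `--encryption-key`, looks the provider up in the `ocicrypt_keyprovider.conf` shown above, and audits an OCI image manifest for layers whose `mediaType` carries ocicrypt's `+encrypted` suffix and whose annotations include `org.opencontainers.image.enc.keys.provider.<name>` (the annotation key ocicrypt's key-provider wrapper uses). The sample config and manifests embedded in the script are constructed; the digests are placeholders, not real image digests.

```python
"""Audit an OCI layout produced by `skopeo copy --encryption-key provider:...`.

Added example for the verdictd README, not project code. Assumes the ocicrypt
conventions: encrypted layers end in "+encrypted" and carry the annotation
"org.opencontainers.image.enc.keys.provider.<provider-name>".
"""
import hashlib
import json
import os
import re
import sys
import tempfile

ENC_SUFFIX = "+encrypted"
PROVIDER_ANNOT_PREFIX = "org.opencontainers.image.enc.keys.provider."
KEY_REF_RE = re.compile(r"^provider:(?P<name>[^:]+):(?P<keyid>.+)$")

# Constructed: mirrors the ocicrypt_keyprovider.conf written in the README steps.
SAMPLE_CONFIG = {"key-providers": {"attestation-agent": {"grpc": "127.0.0.1:50001"}}}

# Constructed manifests; the sha256 values are placeholders, not real digests.
_ENC_LAYER = {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
    "digest": "sha256:" + "aa" * 32,
    "size": 4096,
    "annotations": {
        PROVIDER_ANNOT_PREFIX + "attestation-agent": "<base64 wrapped key placeholder>",
        "org.opencontainers.image.enc.pubopts": "<base64 public options placeholder>",
    },
}
_PLAIN_LAYER = {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
    "digest": "sha256:" + "bb" * 32,
    "size": 4096,
}
SAMPLE_ENCRYPTED_MANIFEST = {"schemaVersion": 2, "layers": [_ENC_LAYER]}
SAMPLE_MIXED_MANIFEST = {"schemaVersion": 2, "layers": [_ENC_LAYER, _PLAIN_LAYER]}


def parse_key_reference(ref: str) -> dict:
    """Split a `provider:<name>:<key-id>` --encryption-key argument into its parts."""
    m = KEY_REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a key-provider reference: {ref!r}")
    return {"name": m.group("name"), "keyid": m.group("keyid")}


def provider_grpc_address(config: dict, name: str) -> str:
    """Return the gRPC endpoint configured for key provider `name`, or raise."""
    providers = config.get("key-providers", {})
    if name not in providers:
        raise KeyError(f"key provider {name!r} is not defined in the ocicrypt config")
    addr = providers[name].get("grpc")
    if not addr:
        raise KeyError(f"key provider {name!r} has no 'grpc' endpoint")
    return addr


def audit_manifest(manifest: dict, expected_provider: str) -> dict:
    """Flag plaintext layers and encrypted layers not bound to `expected_provider`."""
    report = {"layers": 0, "encrypted": 0, "plaintext": [], "wrong_provider": []}
    for layer in manifest.get("layers", []):
        report["layers"] += 1
        digest = layer.get("digest", "<no digest>")
        if not layer.get("mediaType", "").endswith(ENC_SUFFIX):
            report["plaintext"].append(digest)
            continue
        report["encrypted"] += 1
        if PROVIDER_ANNOT_PREFIX + expected_provider not in layer.get("annotations", {}):
            report["wrong_provider"].append(digest)
    report["ok"] = bool(report["layers"]) and not report["plaintext"] and not report["wrong_provider"]
    return report


def audit_oci_layout(layout_dir: str, expected_provider: str) -> dict:
    """Read index.json from an OCI layout directory and audit its first manifest."""
    with open(os.path.join(layout_dir, "index.json")) as f:
        desc = json.load(f)["manifests"][0]
    algo, hexdigest = desc["digest"].split(":", 1)
    with open(os.path.join(layout_dir, "blobs", algo, hexdigest)) as f:
        return audit_manifest(json.load(f), expected_provider)


def write_sample_layout() -> str:
    """Write the constructed encrypted manifest into a throwaway OCI layout; return its path."""
    root = tempfile.mkdtemp(prefix="oci-audit-")
    blob = json.dumps(SAMPLE_ENCRYPTED_MANIFEST).encode()
    digest = hashlib.sha256(blob).hexdigest()
    os.makedirs(os.path.join(root, "blobs", "sha256"))
    with open(os.path.join(root, "blobs", "sha256", digest), "wb") as f:
        f.write(blob)
    index = {"schemaVersion": 2, "manifests": [{
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:" + digest, "size": len(blob)}]}
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump(index, f)
    return root


if __name__ == "__main__":
    # Usage: audit.py [oci-layout-dir] [provider:name:keyid]; defaults use the constructed sample.
    layout = sys.argv[1] if len(sys.argv) > 1 else write_sample_layout()
    ref = parse_key_reference(sys.argv[2] if len(sys.argv) > 2
                              else "provider:attestation-agent:84688df7-2c0c-40fa-956b-29d8e74d16c0")
    print("provider endpoint:", provider_grpc_address(SAMPLE_CONFIG, ref["name"]))
    print(json.dumps(audit_oci_layout(layout, ref["name"]), indent=2))
```

Run it against the real output with `python3 audit.py oci:alpine-encrypted`'s directory (`./alpine-encrypted`) and the same `provider:attestation-agent:<key-id>` reference used for skopeo; a non-empty `plaintext` list means a layer was copied unencrypted, and a non-empty `wrong_provider` list means a layer was wrapped by a provider other than the one Verdictd is serving at the `--client-api` address.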
