diff --git a/.gitignore b/.gitignore
index e69de29..f10390e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/guest-components-0061d03.tar.gz
+/trustee-guest-components-0.10.0_124.git0061d03-vendor.tar.xz
diff --git a/0001-Fedora-Remove-workspace-members-which-are-not-built.patch b/0001-Fedora-Remove-workspace-members-which-are-not-built.patch
new file mode 100644
index 0000000..f5e1753
--- /dev/null
+++ b/0001-Fedora-Remove-workspace-members-which-are-not-built.patch
@@ -0,0 +1,40 @@
+From 8f7ad9ce8eac9f9bb4f7fbae37f56bef3dd4f597 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Mon, 28 Oct 2024 20:00:25 +0200
+Subject: [PATCH] Fedora: Remove workspace members which are not built
+Content-type: text/plain
+
+The trustee-attester is currently under kbs_protocol.
+The 2 attestation-agent's deps and attester are BuildRequired.
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 4c239ae..e10cdbe 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -1,18 +1,10 @@
+ [workspace]
+ resolver = "2"
+ members = [
+- "api-server-rest",
+- "attestation-agent/attestation-agent",
+- "attestation-agent/kbc",
+ "attestation-agent/kbs_protocol",
+ "attestation-agent/attester",
+ "attestation-agent/deps/resource_uri",
+ "attestation-agent/deps/crypto",
+- "attestation-agent/deps/sev",
+- "attestation-agent/coco_keyprovider",
+- "confidential-data-hub/hub",
+- "image-rs",
+- "ocicrypt-rs",
+ ]
+
+ [workspace.dependencies]
+--
+2.47.1
+
diff --git a/0002-Fedora-AA-deps-crypto-default-to-openssl.patch b/0002-Fedora-AA-deps-crypto-default-to-openssl.patch
new file mode 100644
index 0000000..fa64fef
--- /dev/null
+++ b/0002-Fedora-AA-deps-crypto-default-to-openssl.patch
@@ -0,0 +1,79 @@
+From 0ff9eeb8ffc5a88732f75a84145bb07cd2b88bfc Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Dec 2024 01:25:48 +0200
+Subject: [PATCH] Fedora: AA/deps/crypto: default to openssl
+Content-type: text/plain
+
+Do not use "vendored" openssl
+
+Remove some rust-crypto dependencies
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 4 ----
+ attestation-agent/deps/crypto/Cargo.toml | 11 ++++-------
+ 2 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index e10cdbe..bb4a534 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -8,8 +8,6 @@ members = [
+ ]
+
+ [workspace.dependencies]
+-aes = "0.8.3"
+-aes-gcm = "0.10.2"
+ anyhow = "1.0"
+ assert-json-diff = "2.0"
+ assert_cmd = "2"
+@@ -22,7 +20,6 @@ chrono = "0.4.26"
+ clap = "~4.2.7"
+ config = "0.14.1"
+ const_format = "0.2.33"
+-ctr = "0.9.2"
+ env_logger = "0.11.5"
+ hex = "0.4.3"
+ hmac = "0.12.1"
+@@ -38,7 +35,6 @@ rand = "0.8.5"
+ reqwest = { version = "0.12", default-features = false }
+ resource_uri = { path = "attestation-agent/deps/resource_uri" }
+ ring = "0.17"
+-rsa = "0.9.7"
+ rstest = "0.17"
+ serde = { version = "1.0", features = ["derive"] }
+ serde_with = { version = "1.11.0", features = ["base64"] }
+diff --git a/attestation-agent/deps/crypto/Cargo.toml b/attestation-agent/deps/crypto/Cargo.toml
+index 18c4143..2119bc1 100644
+--- a/attestation-agent/deps/crypto/Cargo.toml
++++ b/attestation-agent/deps/crypto/Cargo.toml
+@@ -6,14 +6,11 @@ publish = false
+ edition = "2021"
+
+ [dependencies]
+-aes-gcm = { workspace = true, optional = true }
+ anyhow.workspace = true
+ base64.workspace = true
+-ctr = { workspace = true, optional = true }
+ kbs-types.workspace = true
+-openssl = { workspace = true, features = ["vendored"], optional = true}
++openssl = { workspace = true, optional = true}
+ rand.workspace = true
+-rsa = { workspace = true, optional = true }
+ serde.workspace = true
+ serde_json.workspace = true
+ sha2.workspace = true
+@@ -24,6
+21,6 @@ zeroize.workspace = true
+ rstest.workspace = true
+
+ [features]
+-default = ["rust-crypto"]
+-rust-crypto = ["dep:aes-gcm", "ctr", "rsa"]
+-openssl = ["dep:openssl"]
+\ No newline at end of file
++default = ["openssl"]
++rust-crypto = []
++openssl = ["dep:openssl"]
+--
+2.47.1
+
diff --git a/0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch b/0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch
new file mode 100644
index 0000000..8ab788c
--- /dev/null
+++ b/0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch
@@ -0,0 +1,27 @@
+From 14e07d79ce3218f9cb52118194e1b579df55a3c2 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Mon, 28 Oct 2024 20:03:22 +0200
+Subject: [PATCH] Fedora: kbs_protocol/Cargo.toml: reqwest: use native TLS not
+ vendored
+Content-type: text/plain
+
+Signed-off-by: Uri Lublin
+---
+ attestation-agent/kbs_protocol/Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index 667969a..92fccce 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
++++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -61,6 +61,6 @@ cca-attester = ["attester/cca-attester"]
+ se-attester = ["attester/se-attester"]
+
+ rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
+-openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]
++openssl = ["reqwest/native-tls", "crypto/openssl"]
+
+ bin = ["tokio/rt", "tokio/macros", "clap", "env_logger"]
+--
+2.47.1
+
diff --git a/0004-Fedora-remove-jwt-simple-dependency.patch b/0004-Fedora-remove-jwt-simple-dependency.patch
new file mode 100644
index 0000000..51443ab
--- /dev/null
+++ b/0004-Fedora-remove-jwt-simple-dependency.patch
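Review bot: `rust-crypto = []` in the `attestation-agent/deps/crypto/Cargo.toml` hunk keeps the feature name but drops everything it enabled, so selecting it now yields a crate with no crypto backend — and, if any source is gated on `#[cfg(feature = "rust-crypto")]`, a build error rather than a clear "not packaged" message; the 0003 hunk still wires `rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]` to that empty feature, and the 0005 (`aa_token = []`) and 0006 (`tdx-attester = []`, `sgx-attester = []`, `csv-attester = []`, `cca-attester = []`, `se-attester = []`) hunks do the same. A comment beside each emptied feature, e.g. `# Fedora: kept as a no-op, its dependencies are not packaged`, would tell the next reader that the name is deliberately retained and nothing behind it builds. In 0006 the retained comment that tsm-report is "an unconditional dependency for tdx-attester" is now stale for the same reason. Separately, `++openssl = { workspace = true, optional = true}` is missing the space before the closing brace that the other inline tables in this file keep.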
@@ -0,0 +1,95 @@
+From 5325bd8707afb0ac8504c5e845c96c62f8cd4b93 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Sep 2024 17:17:03 +0300
+Subject: [PATCH] Fedora: remove jwt-simple dependency
+Content-type: text/plain
+
+jwt-simple requires some crypto crates.
+
+The code checks time validity. Use std::time instead for this.
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 1 -
+ attestation-agent/kbs_protocol/Cargo.toml | 1 -
+ .../kbs_protocol/src/token_provider/mod.rs | 19 +++++++++----------
+ 3 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index bb4a534..db72ef9 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -23,7 +23,6 @@ const_format = "0.2.33"
+ env_logger = "0.11.5"
+ hex = "0.4.3"
+ hmac = "0.12.1"
+-jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
+ kbs-types = "0.7.0"
+ lazy_static = "1.5.0"
+ log = "0.4.22"
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index 92fccce..d012487 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
++++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -13,7 +13,6 @@ base64.workspace = true
+ clap = { workspace = true, features = ["derive"], optional = true }
+ crypto = { path = "../deps/crypto", default-features = false }
+ env_logger = { workspace = true, optional = true }
+-jwt-simple.workspace = true
+ kbs-types.workspace = true
+ log.workspace = true
+ protobuf = { workspace = true, optional = true}
+diff --git a/attestation-agent/kbs_protocol/src/token_provider/mod.rs b/attestation-agent/kbs_protocol/src/token_provider/mod.rs
+index 8f4d7ae..844680c 100644
+--- a/attestation-agent/kbs_protocol/src/token_provider/mod.rs
++++ b/attestation-agent/kbs_protocol/src/token_provider/mod.rs
+@@ -14,11 +14,9 @@ pub use aa::*;
+ use anyhow::*;
+ use async_trait::async_trait;
+ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+-use jwt_simple::{
+- claims::JWTClaims,
+-
prelude::{Clock, UnixTimeStamp},
+-};
+ use serde_json::Value;
++use std::time::SystemTime;
++
+
+ use crate::keypair::TeeKeyPair;
+
+@@ -33,8 +31,8 @@ pub trait TokenProvider: Send + Sync {
+ #[derive(Clone, Debug)]
+ pub struct Token {
+ pub content: String,
+- exp: Option,
+- nbf: Option,
++ exp: Option,
++ nbf: Option,
+ }
+
+ impl Token {
+@@ -44,16 +42,17 @@ impl Token {
+ .nth(1)
+ .ok_or_else(|| anyhow!("illegal token format"))?;
+ let claims = URL_SAFE_NO_PAD.decode(claims_b64)?;
+- let claims = serde_json::from_slice::>(&claims)?;
++ let claims = serde_json::from_slice::(&claims)?;
+ Ok(Self {
+ content: token,
+- exp: claims.expires_at,
+- nbf: claims.invalid_before,
++ exp: claims["exp"].as_u64(),
++ nbf: claims["nbf"].as_u64(),
+ })
+ }
+
+ pub fn check_valid(&self) -> Result<()> {
+- let now = Clock::now_since_epoch();
++ let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH)
++ .unwrap().as_secs();
+ if let Some(exp) = self.exp {
+ if exp < now {
+ bail!("token expired");
+--
+2.47.1
+
diff --git a/0005-Fedora-remove-ttrpc-dependency.patch b/0005-Fedora-remove-ttrpc-dependency.patch
new file mode 100644
index 0000000..9b0e2bc
--- /dev/null
+++ b/0005-Fedora-remove-ttrpc-dependency.patch
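Review bot: In the new `Token::new`, `claims["exp"].as_u64()` maps an `exp` that is present but not a JSON unsigned integer (a float, a negative number, a string — RFC 7519 allows a non-integer NumericDate) to `None`, and `check_valid` then skips the expiry comparison entirely instead of rejecting the token; `nbf` is handled the same way. Distinguishing an absent claim from an unparseable one — e.g. `exp: claims.get("exp").map(|v| v.as_u64().ok_or_else(|| anyhow!("invalid exp claim"))).transpose()?,` — keeps a malformed token from being treated as never expiring, which is the property the previous typed `JWTClaims` deserialisation gave for free. The `.unwrap()` on `duration_since(SystemTime::UNIX_EPOCH)` only panics when the clock is before the epoch, which is acceptable but could be a `context(...)?` like the rest of the function. `check_valid`'s body continues past the end of the inner hunk.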
@@ -0,0 +1,59 @@
+From 45401917ccabca38112fb4be23193f5230e90867 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Dec 2024 01:38:24 +0200
+Subject: [PATCH] Fedora: remove ttrpc dependency
+Content-type: text/plain
+
+Not required and not in Fedora
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 2 --
+ attestation-agent/kbs_protocol/Cargo.toml | 4 +---
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index db72ef9..e7dc965 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -48,8 +48,6 @@ tokio = "1.42"
+ toml = "0.8.19"
+ tonic = "0.12"
+ tonic-build = "0.12"
+-ttrpc = "0.8.2"
+-ttrpc-codegen = "0.4.2"
+ url = "2.5.4"
+ uuid = "1"
+ zeroize = "1.5.7"
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index d012487..ab86141 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
++++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -23,7 +23,6 @@ serde_json.workspace = true
+ sha2.workspace = true
+ thiserror.workspace = true
+ tokio.workspace = true
+-ttrpc = { workspace = true, optional = true}
+ url.workspace = true
+ zeroize.workspace = true
+
+@@ -35,7 +34,6 @@ testcontainers.workspace = true
+ tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
+
+ [build-dependencies]
+-ttrpc-codegen = { workspace = true, optional = true }
+
+ [[bin]]
+ name = "trustee-attester"
+@@ -46,7 +44,7 @@ default = ["background_check", "passport", "rust-crypto", "all-attesters"]
+
+ passport = []
+ # use a client of attestation-agent to get token for kbs
+-aa_token = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
++aa_token = []
+
+ background_check = ["tokio/time"]
+ all-attesters = ["attester/all-attesters"]
+--
+2.47.1
+
diff --git a/0006-Fedora-attester-pick-attesters-in-all-attesters.patch b/0006-Fedora-attester-pick-attesters-in-all-attesters.patch
new file mode 100644
index 0000000..864c2d1
--- /dev/null
+++ b/0006-Fedora-attester-pick-attesters-in-all-attesters.patch 
@@ -0,0 +1,80 @@
+From 5cc40f98248d57bc203425ff994253ab4ef09b95 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Dec 2024 02:41:17 +0200
+Subject: [PATCH] Fedora: attester: pick attesters in all-attesters
+Content-type: text/plain
+
+Currently: snp, az-snp-vtpm and az-tdx-vtpm
+
+Remove all dependencies of non-built attesters
+
+Some require additional dependencies that are not in Fedora
+
+Signed-off-by: Uri Lublin
+---
+ attestation-agent/attester/Cargo.toml | 26 +++++--------------------
+ 1 file changed, 5 insertions(+), 21 deletions(-)
+
+diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml
+index f371e3a..4e16347 100644
+--- a/attestation-agent/attester/Cargo.toml
++++ b/attestation-agent/attester/Cargo.toml
+@@ -15,22 +15,11 @@ clap = { workspace = true, features = ["derive"], optional = true }
+ hex.workspace = true
+ kbs-types.workspace = true
+ log.workspace = true
+-occlum_dcap = { git = "https://github.com/occlum/occlum", tag = "v0.29.7", optional = true }
+-pv = { version = "0.10.0", package = "s390_pv", optional = true }
+-scroll = { version = "0.12.0", default-features = false, features = ["derive", "std"], optional = true }
+ serde.workspace = true
+ serde_json.workspace = true
+ serde_with.workspace = true
+ sev = { version = "4.0.0", default-features = false, features = ["snp"], optional = true }
+-sha2.workspace = true
+-strum.workspace = true
+-tdx-attest-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.22", optional = true }
+ thiserror.workspace = true
+-# TODO: change it to "0.1", once released.
+-csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "3045440", optional = true }
+-codicon = { version = "3.0", optional = true }
+-hyper = { version = "0.14", features = ["full"], optional = true }
+-hyper-tls = { version = "0.5", optional = true }
+ tokio = { version = "1", features = ["full"], optional = true }
+ tempfile = { workspace = true, optional = true }
+
+@@ -45,27 +34,22 @@ required-features = ["bin"]
+ [features]
+ default = ["all-attesters"]
+ all-attesters = [
+- "tdx-attester",
+- "sgx-attester",
+ "az-snp-vtpm-attester",
+ "az-tdx-vtpm-attester",
+ "snp-attester",
+- "csv-attester",
+- "cca-attester",
+- "se-attester",
+ ]
+
+ # tsm-report enables a module that helps attesters to use Linux TSM_REPORTS for generating
+ # quotes. It's an unconditional dependency for tdx-attester since that is the only way to
+ # generate TDX quotes with upstream kernels.
+ tsm-report = ["tempfile"]
+-tdx-attester = ["scroll", "tsm-report", "tdx-attest-rs"]
+-sgx-attester = ["occlum_dcap"]
++tdx-attester = []
++sgx-attester = []
+ az-snp-vtpm-attester = ["az-snp-vtpm"]
+ az-tdx-vtpm-attester = ["az-snp-vtpm-attester", "az-tdx-vtpm"]
+ snp-attester = ["sev"]
+-csv-attester = ["csv-rs", "codicon", "hyper", "hyper-tls", "tokio"]
+-cca-attester = ["tsm-report"]
+-se-attester = ["pv"]
++csv-attester = []
++cca-attester = []
++se-attester = []
+
+ bin = ["tokio/rt", "tokio/macros", "clap"]
+--
+2.47.1
+
diff --git a/0007-Fedora-remove-testcontainers-dependency.patch b/0007-Fedora-remove-testcontainers-dependency.patch
new file mode 100644
index 0000000..da60823
--- /dev/null
+++ b/0007-Fedora-remove-testcontainers-dependency.patch
@@ -0,0 +1,57 @@
+From c7c063bd76b9b1c8befb514b77b4524a40015066 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Dec 2024 02:50:53 +0200
+Subject: [PATCH] Fedora: remove testcontainers dependency
+Content-type: text/plain
+
+Not in Fedora.
+Skip tests that use it.
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 1 -
+ attestation-agent/kbs_protocol/Cargo.toml | 1 -
+ attestation-agent/kbs_protocol/src/client/rcar_client.rs | 3 ++-
+ 3 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index e7dc965..7fb9b15 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -42,7 +42,6 @@ serial_test = "3"
+ sha2 = "0.10.7"
+ strum = { version = "0.26", features = ["derive"] }
+ tempfile = "3.14"
+-testcontainers = "0.14"
+ thiserror = "2.0"
+ tokio = "1.42"
+ toml = "0.8.19"
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index ab86141..e29be9c 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
++++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -30,7 +30,6 @@ zeroize.workspace = true
+ rstest.workspace = true
+ serial_test.workspace = true
+ tempfile.workspace = true
+-testcontainers.workspace = true
+ tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
+
+ [build-dependencies]
+diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+index 45b194e..1059927 100644
+--- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs
++++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+@@ -355,7 +355,8 @@ impl KbsClientCapabilities for KbsClient> {
+ }
+ }
+
+-#[cfg(test)]
++// Fedora: no testcontainers so ignore the following test
++#[cfg(any())]
+ mod test {
+ use crypto::HashAlgorithm;
+ use rstest::rstest;
+--
+2.47.1
+
diff --git a/0008-Fedora-kbs_protocol-default-to-openssl.patch b/0008-Fedora-kbs_protocol-default-to-openssl.patch
new file mode 100644
index 0000000..fe092b9
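Review bot: `#[cfg(any())]` on `mod test` in the rcar_client.rs hunk works only because an `any()` with no arguments is always false, which is easy to misread, and the comment above it says just that the test is ignored; `// Fedora: testcontainers is not packaged; cfg(any()) is always false, so this module is never compiled` records both facts. Since the spec's `%check` runs `%cargo_test`, this module now contributes nothing to the package's test run, which is worth stating in the patch description as well. The surrounding `impl` and the test module continue outside the inner hunk.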
--- /dev/null
+++ b/0008-Fedora-kbs_protocol-default-to-openssl.patch
@@ -0,0 +1,29 @@
+From 4fdedc07203138492fe5561af2fbf9868caf9407 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Mon, 28 Oct 2024 20:59:59 +0200
+Subject: [PATCH] Fedora: kbs_protocol: default to openssl
+Content-type: text/plain
+
+Also add "bin" such that trustee-attester can be built
+
+Signed-off-by: Uri Lublin
+---
+ attestation-agent/kbs_protocol/Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index e29be9c..82b0de8 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
++++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -39,7 +39,7 @@ name = "trustee-attester"
+ required-features = ["bin"]
+
+ [features]
+-default = ["background_check", "passport", "rust-crypto", "all-attesters"]
++default = ["background_check", "passport", "openssl", "all-attesters", "bin"]
+
+ passport = []
+ # use a client of attestation-agent to get token for kbs
+--
+2.47.1
+
diff --git a/0009-Fedora-rstest-0.23.patch b/0009-Fedora-rstest-0.23.patch
new file mode 100644
index 0000000..f6efbec
--- /dev/null
+++ b/0009-Fedora-rstest-0.23.patch
@@ -0,0 +1,26 @@
+From 51beb7c59fb4409c1f99b1b01e0e7ef8ae6a04a6 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Sep 2024 17:01:02 +0300
+Subject: [PATCH] Fedora: rstest 0.23
+Content-type: text/plain
+
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 7fb9b15..08dca30 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -34,7 +34,7 @@ rand = "0.8.5"
+ reqwest = { version = "0.12", default-features = false }
+ resource_uri = { path = "attestation-agent/deps/resource_uri" }
+ ring = "0.17"
+-rstest = "0.17"
++rstest = "0.23"
+ serde = { version = "1.0", features = ["derive"] }
+ serde_with = { version = "1.11.0", features = ["base64"] }
+ serde_json = "1.0"
+--
+2.47.1
+
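Review bot: `++default = [..., "bin"]` in the 0008 hunk makes the binary-only feature — `tokio/rt`, `tokio/macros`, `clap`, `env_logger` per the 0003 hunk — a default of the `kbs_protocol` library crate, so any library consumer now pulls those dependencies as well; the `[[bin]]` already carries `required-features = ["bin"]`, so the alternative that leaves the library's defaults alone is to enable the feature from the spec's build and install steps. The patch description says "bin" was added "such that trustee-attester can be built", so this is a point about where the feature is switched on rather than a defect.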
diff --git a/0010-Fedora-use-clap-4.2.7.patch b/0010-Fedora-use-clap-4.2.7.patch
new file mode 100644
index 0000000..d19053e
--- /dev/null
+++ b/0010-Fedora-use-clap-4.2.7.patch
@@ -0,0 +1,37 @@
+From 266776b3c7bdc4179faa7739bb5cd92dad150380 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Mon, 28 Oct 2024 21:15:37 +0200
+Subject: [PATCH] Fedora: use clap "^4.2.7"
+Content-type: text/plain
+
+Upstream commits 2d8dcd3 and 53ddd63 changed version from "4" to
+"~4.2.7" such that it can be built with rust 1.69.
+
+Fedora currently has rust-1.83 and clap 4.5.23.
+With the "~4.2.7" build fails with error:
+ (crate(clap/default) >= 4.2.7 with crate(clap/default) < 4.3.0~) is needed
+
+This commit relaxes the clap version requirement to be ">=4.2.7,<5"
+
+Suggested-by: Fabio Valentini
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 08dca30..9f5e48c 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -17,7 +17,7 @@ base64-serde = "0.7"
+ bincode = "1.3.3"
+ cfg-if = "1.0.0"
+ chrono = "0.4.26"
+-clap = "~4.2.7"
++clap = "^4.2.7"
+ config = "0.14.1"
+ const_format = "0.2.33"
+ env_logger = "0.11.5"
+--
+2.47.1
+
diff --git a/0011-Fedora-kbs-types-0.8.0.patch b/0011-Fedora-kbs-types-0.8.0.patch
new file mode 100644
index 0000000..0ca124f
--- /dev/null
+++ b/0011-Fedora-kbs-types-0.8.0.patch
@@ -0,0 +1,27 @@
+From fbceba028878b2e6a5f5c1ebff5a4958ddda0221 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Sun, 24 Nov 2024 23:53:51 +0200
+Subject: [PATCH] Fedora: kbs-types 0.8.0
+Content-type: text/plain
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 9f5e48c..3bc3844 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -23,7 +23,7 @@ const_format = "0.2.33"
+ env_logger = "0.11.5"
+ hex = "0.4.3"
+ hmac = "0.12.1"
+-kbs-types = "0.7.0"
++kbs-types = "0.8.0"
+ lazy_static = "1.5.0"
+ log = "0.4.22"
+ nix = "0.29"
+--
+2.47.1
+
diff --git a/0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch b/0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch
new file mode 100644
index 0000000..19d7d2e
--- /dev/null
+++ b/0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch
@@ -0,0 +1,28 @@
+From 21ea654c75d9f8adca1db33d3b2590ef94ba5af1 Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Dec 2024 03:26:16 +0200
+Subject: [PATCH] Fedora: kbs_protocol/Cargo.toml: add package.license
+Content-type: text/plain
+
+Required by rust2rpm
+
+Signed-off-by: Uri Lublin
+---
+ attestation-agent/kbs_protocol/Cargo.toml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index 82b0de8..982a904 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
++++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -4,6 +4,7 @@ version = "0.1.0"
+ authors = ["The Attestation Agent Authors"]
+ publish = false
+ edition = "2021"
++license = "Apache-2.0"
+
+ [dependencies]
+ anyhow.workspace = true
+--
+2.47.1
+
diff --git a/0013-Fedora-url-version-is-2.5.2.patch b/0013-Fedora-url-version-is-2.5.2.patch
new file mode 100644
index 0000000..7455af2
--- /dev/null
+++ b/0013-Fedora-url-version-is-2.5.2.patch
@@ -0,0 +1,26 @@
+From 7e9550c2ec9de0974c567d5d7e0068492ec4e11e Mon Sep 17 00:00:00 2001
+From: Uri Lublin
+Date: Tue, 10 Dec 2024 04:25:49 +0200
+Subject: [PATCH] Fedora: url version is 2.5.2
+Content-type: text/plain
+
+Signed-off-by: Uri Lublin
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 3bc3844..100adc7 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -47,6 +47,6 @@ tokio = "1.42"
+ toml = "0.8.19"
+ tonic = "0.12"
+ tonic-build = "0.12"
+-url = "2.5.4"
++url = "2.5.2"
+ uuid = "1"
+ zeroize = "1.5.7"
+--
+2.47.1
+
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..f88aa91
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,5 @@
+--- !Policy
+product_versions:
+ - rhel-9
+decision_context: osci_compose_gate
+rules: []
diff --git a/sources b/sources
new file mode 100644
index 0000000..4016e79
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (guest-components-0061d03.tar.gz) = 1003767c3ca23de625f02f883373ccc3d23a950c2fa9c02a38bc22293be04d298cd6b18ad64d8506eb5060de10e6fa00f6d7197d314d2b75cadea8223202a954
+SHA512 (trustee-guest-components-0.10.0_124.git0061d03-vendor.tar.xz) = e7c8470673b755daf4e78536fe1bb0f0b7749792bf47414940e1e0c44fc70922b0536562a12093d40c099c930412b846ba06c50a772a627f657e0a479b600a83
diff --git a/trustee-guest-components.spec b/trustee-guest-components.spec
new file mode 100644
index 0000000..55612aa
--- /dev/null
+++ b/trustee-guest-components.spec
@@ -0,0 +1,139 @@
+# Generated by rust2rpm 27
+%bcond check 1
+
+%global commit 0061d036509e451597f5f61492b41849b36a32a1
+%global shortcommit %(c=%{commit}; echo ${c:0:7})
+# numcommits is taken from git describe --tags (num commits s
+%global numcommits 124
+%global projectname guest-components
+
+Name: trustee-guest-components
+Version: 0.10.0^%{numcommits}.git%{shortcommit}
+Release: 1%{?dist}
+Summary: Tools that run in confidential VMs, attest and get secrets from Trustee
+
+# License lines copied from the build
+# Apache-2.0
+# Apache-2.0 OR BSL-1.0
+# Apache-2.0 OR ISC OR MIT
+# Apache-2.0 OR MIT
+# BSD-2-Clause OR Apache-2.0 OR MIT
+# ISC
+# MIT
+# MIT OR Apache-2.0
+# MIT OR Apache-2.0 OR Zlib
+# MPL-2.0
+# Unicode-3.0
+# Unlicense OR MIT
+# Zlib OR Apache-2.0 OR MIT
+
+# License lines above, but sorted within and between lines
+# Apache-2.0
+# Apache-2.0 OR BSD-2-Clause OR MIT
+# Apache-2.0 OR BSL-1.0
+# Apache-2.0 OR ISC OR MIT
+# Apache-2.0 OR MIT
+# Apache-2.0 OR MIT
+# Apache-2.0 OR MIT OR Zlib
+# Apache-2.0 OR MIT OR Zlib
+# ISC
+# MIT
+# MIT OR Unlicense
+# MPL-2.0
+# Unicode-3.0
+
+
+License: Apache-2.0 AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND ISC AND MIT AND (MIT OR Unlicense) AND MPL-2.0 AND Unicode-3.0
+
+# LICENSE.dependencies contains a full license breakdown
+
+URL: https://github.com/confidential-containers/guest-components
+Source: https://github.com/confidential-containers/%{projectname}/archive/%{commit}/%{projectname}-%{shortcommit}.tar.gz
+Source1: %{name}-0.10.0_%{numcommits}.git%{shortcommit}-vendor.tar.xz
+# * adapt to RHEL
+# * Remove workspace members which are not built
+Patch1: 0001-Fedora-Remove-workspace-members-which-are-not-built.patch
+# * deps/crypto defaults to openssl
+Patch2: 0002-Fedora-AA-deps-crypto-default-to-openssl.patch
+# * use native-tls for reqwest
+Patch3: 
0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch
+# * remove dependency jwt-simple - not in Fedora
+Patch4: 0004-Fedora-remove-jwt-simple-dependency.patch
+# * remove dependency ttrpc - not in Fedora
+Patch5: 0005-Fedora-remove-ttrpc-dependency.patch
+# * pick attesters to build
+Patch6: 0006-Fedora-attester-pick-attesters-in-all-attesters.patch
+# * remove dependency testcontainers - not in Fedora
+Patch7: 0007-Fedora-remove-testcontainers-dependency.patch
+# * kbs_protocol defaults to openssl
+Patch8: 0008-Fedora-kbs_protocol-default-to-openssl.patch
+# * rstest version is 0.23
+Patch9: 0009-Fedora-rstest-0.23.patch
+# * clap version is ^4.2.7 -- see patch for more info
+Patch10: 0010-Fedora-use-clap-4.2.7.patch
+# * kbs-types version is 0.8.0
+Patch11: 0011-Fedora-kbs-types-0.8.0.patch
+# * add package.license to kbs_protocol/Cargo.toml
+Patch12: 0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch
+# * url version is 2.5.2
+Patch13: 0013-Fedora-url-version-is-2.5.2.patch
+
+ExclusiveArch: x86_64
+BuildRequires: rust-toolset
+BuildRequires: /usr/bin/pkg-config
+BuildRequires: openssl-devel
+BuildRequires: tpm2-tss-devel
+
+
+%global _description %{expand:
+Running in a confidential VM, gather confidential-computing evidence,
+send it to Trustee and get secrets.
+A part of the confidential-containers project}
+
+%description %{_description}
+
+%prep
+%autosetup -n guest-components-0061d036509e451597f5f61492b41849b36a32a1 -p1 -a1
+rm -f Cargo.lock
+%cargo_prep -v vendor
+
+%build
+cd attestation-agent/kbs_protocol
+%cargo_build
+%{cargo_license_summary}
+%{cargo_license} > LICENSE.dependencies
+%{cargo_vendor_manifest}
+mv LICENSE.dependencies ../../
+mv cargo-vendor.txt ../../
+# remove from cargo-vendor.txt dependencies that are in the source
+# the path to them makes rpmbuild fail
+cd ../../
+sed -i '/^attester /d' cargo-vendor.txt
+sed -i '/^crypto /d' cargo-vendor.txt
+sed -i '/^resource_uri /d' cargo-vendor.txt
+sed -i '/^sev /d' cargo-vendor.txt
+
+%install
+cd attestation-agent/kbs_protocol
+mkdir -p %{buildroot}%{_docdir}/%{name}
+install -m 0644 src/bin/trustee-attester/README.md %{buildroot}%{_docdir}/%{name}/trustee-attester-README.md
+%cargo_install
+
+%if %{with check}
+%check
+cd attestation-agent/kbs_protocol
+%cargo_test
+%endif
+
+%files
+%license LICENSE
+%license LICENSE.dependencies
+%license cargo-vendor.txt
+%doc README.md
+%doc trustee-attester-README.md
+%{_bindir}/trustee-attester
+
+%changelog
+* Tue Jan 21 2025 Uri Lublin 0.10.0^124.git0061d03-1
+- Initial commit on c9s
+ Resolves: RHEL-68141
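Review bot: `%autosetup -n guest-components-0061d036509e451597f5f61492b41849b36a32a1 -p1 -a1` repeats the full hash that `%global commit` already defines, so a rebase has to be edited in two places; `%autosetup -n %{projectname}-%{commit} -p1 -a1` keeps them in step. `rm -f Cargo.lock` before `%cargo_prep -v vendor` discards upstream's pinned crate versions, which means the exact dependency set of this build is fixed only by the vendor tarball whose SHA512 is recorded in `sources`; that is presumably intended because patches 9–13 change version requirements the upstream lock cannot satisfy, and a comment such as `# Cargo.lock is dropped: patches 9-13 change crate version requirements` would record the reason next to the command. The `# numcommits is taken from git describe --tags (num commits s` comment is cut off mid-sentence. The spec hunk is complete within this view.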