diff --git a/.gitignore b/.gitignore
index e69de29..51ff014 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/guest-components-0.15.0.tar.gz
+/trustee-0.15.0-vendor.tar.zstd
+/v0.15.0.tar.gz
diff --git a/0001-restrict-workspace-members-to-kbs-only.patch b/0001-restrict-workspace-members-to-kbs-only.patch
new file mode 100644
index 0000000..fc2d359
--- /dev/null
+++ b/0001-restrict-workspace-members-to-kbs-only.patch
@@ -0,0 +1,34 @@
+From bc49af2607aee4db40607e77f98b5fa28b4db23e Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 09:48:10 +0100
+Subject: [PATCH] restrict workspace members to kbs only
+
+Remove 'attestation-service', 'rvps', and other members from the cargo
+workspace members list. This change ensures that only the 'kbs'
+component is built, significantly lowering the build footprint by
+excluding the Attestation Service (AS) and Reference Value Provider
+Service (RVPS).
+---
+ Cargo.toml | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 7cb93b6..31b3e75 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -1,12 +1,6 @@
+ [workspace]
+ members = [
+ "kbs",
+- "attestation-service",
+- "rvps",
+- "tools/kbs-client",
+- "deps/verifier",
+- "deps/eventlog",
+- "integration-tests",
+ ]
+ resolver = "2"
+
+--
+2.52.0
+
diff --git a/0002-kbs-remove-built-in-attestation-service-for-lightwei.patch b/0002-kbs-remove-built-in-attestation-service-for-lightwei.patch
new file mode 100644
index 0000000..d296d1e
--- /dev/null
+++ b/0002-kbs-remove-built-in-attestation-service-for-lightwei.patch
@@ -0,0 +1,74 @@
+From 63be56912a93fc358b6d6d4d3981434d7882141c Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 10:04:09 +0100
+Subject: [PATCH] kbs: remove built-in attestation-service for lightweight
+ broker mode
+
+Decouple the compiled KBS binary from the internal 'attestation-service'
+crate. This includes:
+- Updating 'coco-as-builtin' feature to exclude
+ 'attestation-service/default'.
+- Removing architecture-specific 'attestation-service' dependencies
+ (all-verifier, se-verifier, cca-verifier) from Cargo.toml.
+
+This enables a "pure broker" build configuration where the KBS acts
+solely as a resource and secret broker, relying on external entity
+tokens (e.g. from Keylime) rather than verifying hardware evidence
+internally.
+---
+ kbs/Cargo.toml | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 7f2dc8b..10c5809 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -7,7 +7,7 @@ documentation.workspace = true
+ edition.workspace = true
+
+ [features]
+-default = ["coco-as-builtin", "coco-as-grpc", "intel-trust-authority-as"]
++default = []
+
+ # Support a backend attestation service for KBS
+ as = []
+@@ -16,7 +16,7 @@ as = []
+ coco-as = ["as"]
+
+ # Use built-in CoCo-AS as backend attestation service
+-coco-as-builtin = ["coco-as", "attestation-service/default"]
++coco-as-builtin = ["coco-as"]
+
+ # Use built-in CoCo-AS as backend attestation service without verifier
+ coco-as-builtin-no-verifier = ["coco-as"]
+@@ -89,27 +89,13 @@ az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
+ derivative = "2.2.0"
+ vaultrs = { version = "0.7.4", optional = true }
+
+-[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies]
+-attestation-service = { path = "../attestation-service", default-features = false, features = [
+- "all-verifier",
+-], optional = true }
+
+-[target.'cfg(target_arch = "s390x")'.dependencies]
+-attestation-service = { path = "../attestation-service", default-features = false, features = [
+- "se-verifier",
+-], optional = true }
+-
+-[target.'cfg(target_arch = "aarch64")'.dependencies]
+-attestation-service = { path = "../attestation-service", default-features = false, features = [
+- "cca-verifier",
+-], optional = true }
+
+
+ [dev-dependencies]
+ josekit = "0.10.3"
+ tempfile.workspace = true
+ rstest.workspace = true
+-reference-value-provider-service.path = "../rvps"
+ serial_test = "3.0"
+ toml = "0.9"
+
+--
+2.52.0
+
diff --git a/0003-kbs-replace-concat-kdf-dependency-with-internal-impl.patch b/0003-kbs-replace-concat-kdf-dependency-with-internal-impl.patch
new file mode 100644
index 0000000..9f0ca02
--- /dev/null
+++ b/0003-kbs-replace-concat-kdf-dependency-with-internal-impl.patch
@@ -0,0 +1,105 @@
+From 933b57d8e8915280d671e4796c8919a06bcbb2fb Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 11:00:08 +0100
+Subject: [PATCH] kbs: replace concat-kdf dependency with internal
+ implementation
+
+Remove the 'concat-kdf' crate dependency and replace it with a local
+implementation of the Single-Step Concatenation Key Derivation Function
+(Concat KDF), using standard 'openssl' primitives.
+
+This change reduces the external dependency footprint while maintaining
+compatibility with the algorithm used by other guest components (based
+on NIST SP 800-56A).
+Inspired by attestation-agent/deps/crypto/src/native/ec.rs
+---
+ kbs/Cargo.toml | 1 -
+ kbs/src/jwe.rs | 46 +++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 52968e2..1bd4adf 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -52,7 +52,6 @@ base64.workspace = true
+ cfg-if.workspace = true
+ clap = { workspace = true, features = ["derive", "env"] }
+ config.workspace = true
+-concat-kdf = "0.1.0"
+ cryptoki = { version = "0.10.0", optional = true }
+ env_logger.workspace = true
+ hex.workspace = true
+diff --git a/kbs/src/jwe.rs b/kbs/src/jwe.rs
+index 27b4863..6eb25a2 100644
+--- a/kbs/src/jwe.rs
++++ b/kbs/src/jwe.rs
+@@ -19,6 +19,7 @@ use p256::{
+ use rand::{rngs::OsRng, Rng};
+ use rsa::{sha2::Sha256, BigUint, Oaep, Pkcs1v15Encrypt, RsaPublicKey};
+ use serde_json::{json, Map};
++use openssl::hash::{Hasher, MessageDigest};
+
+ /// RSA PKCS#1 v1.5
+ const RSA1_5_ALGORITHM: &str = "RSA1_5";
+@@ -41,6 +42,36 @@ const AES_GCM_256_ALGORITHM: &str = "A256GCM";
+ /// AES 256 GCM Key length in bits
+ const AES_GCM_256_KEY_BITS: u32 = 256;
+
++// Concat KDF as per NIST SP 800-56A
++// Based on the implementation from attestation-agent/deps/crypto/src/native/ec.rs
++fn concat_kdf(alg: &str, target_length: usize, z: &[u8]) -> Result> {
++ let target_length_bytes = ((target_length * 8) as u32).to_be_bytes();
++ let alg_len_bytes = (alg.len() as u32).to_be_bytes();
++
++ let mut output = Vec::new();
++ let md = MessageDigest::sha256();
++ let count = target_length.div_ceil(md.size());
++ for i in 0..count {
++ let mut hasher = Hasher::new(md)?;
++ hasher.update(&((i + 1) as u32).to_be_bytes())?;
++ hasher.update(z)?;
++ hasher.update(&alg_len_bytes)?;
++ hasher.update(alg.as_bytes())?;
++ hasher.update(&0_u32.to_be_bytes())?;
++ hasher.update(&0_u32.to_be_bytes())?;
++ hasher.update(&target_length_bytes)?;
++
++ let digest = hasher.finish()?;
++ output.extend(digest.to_vec());
++ }
++
++ if output.len() > target_length {
++ output.truncate(target_length);
++ }
++
++ Ok(output)
++}
++
+ /// Use RSAv1.5 to encrypt the payload data.
+ /// Warning: This algorithm is deprecated per
+ ///
+@@ -167,19 +198,8 @@ fn ecdh_es_a256kw_p256(x: String, y: String, mut payload_data: Vec) -> Resul
+ .diffie_hellman(&public_key)
+ .raw_secret_bytes()
+ .to_vec();
+- let mut key_derivation_materials = Vec::new();
+- key_derivation_materials.extend_from_slice(&(ECDH_ES_A256KW.len() as u32).to_be_bytes());
+- key_derivation_materials.extend_from_slice(ECDH_ES_A256KW.as_bytes());
+- key_derivation_materials.extend_from_slice(&(0_u32).to_be_bytes());
+- key_derivation_materials.extend_from_slice(&(0_u32).to_be_bytes());
+- key_derivation_materials.extend_from_slice(&AES_GCM_256_KEY_BITS.to_be_bytes());
+- let mut wrapping_key = vec![0; 32];
+- concat_kdf::derive_key_into::(
+- &z,
+- &key_derivation_materials,
+- &mut wrapping_key,
+- )
+- .map_err(|e| anyhow!("failed to do concat KDF: {e:?}"))?;
++
++ let wrapping_key = concat_kdf(ECDH_ES_A256KW, 32, &z).context("failed to do concat KDF")?;
+ let wrapping_key: [u8; 32] = wrapping_key
+ .try_into()
+ .map_err(|_| anyhow!("invalid bytes length of AES wrapping key"))?;
+--
+2.52.0
+
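Review bot: `concat_kdf` in kbs/src/jwe.rs is a hand-written key-derivation routine that now produces the AES key-wrap key in `ecdh_es_a256kw_p256`, and the patch adds no known-answer test for it. A test that feeds a fixed `z` and pins the 32-byte output to the value the removed `concat_kdf::derive_key_into` call produced would show the two derivations agree; a mismatch would yield keys the guest cannot unwrap rather than a build error. The `as u32` casts on `target_length * 8` and `i + 1` truncate silently, and `u32::try_from(target_length * 8)?` would keep the encoded length honest if a caller ever passes something other than 32. The shared secret `z` and the derived `output` are held in plain byte vectors that are not cleared when dropped, which deserves at least a comment next to the function.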
diff --git a/0004-Refactor-kbs-replace-jwt-simple-with-jsonwebtoken-in.patch b/0004-Refactor-kbs-replace-jwt-simple-with-jsonwebtoken-in.patch
new file mode 100644
index 0000000..4607614
--- /dev/null
+++ b/0004-Refactor-kbs-replace-jwt-simple-with-jsonwebtoken-in.patch
@@ -0,0 +1,129 @@
+From 1e9b52cdb513ed5d9b72f1babf3de860f6a30168 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 12:19:54 +0100
+Subject: [PATCH] Refactor(kbs): replace jwt-simple with jsonwebtoken in Admin
+ API
+
+Migrate the KBS Admin API authentication from `jwt-simple` to the
+`jsonwebtoken` library to reduce dependency burden.
+
+Changes details:
+- kbs/admin: Refactor `Admin` struct to store `DecodingKey` instead of
+ `Ed25519PublicKey`.
+- kbs/admin: Update validation logic to use `jsonwebtoken::decode` with
+ EdDSA algorithm validation.
+- kbs/admin: Update error handling to wrap `jsonwebtoken` errors.
+- kbs/Cargo.toml: Remove `jwt-simple` dependency.
+- Cargo.toml: Remove `jwt-simple` from workspace dependencies.
+
+Note: The `kbs-client` tool, which still depends on `jwt-simple`, is
+currently excluded from the workspace `members` list. If we ever decide
+to ship that as well we need to do additional work.
+
+THIS PATCH COULD BE UPSTREAMED
+---
+ Cargo.toml | 3 ---
+ kbs/Cargo.toml | 2 +-
+ kbs/src/admin/error.rs | 4 ++--
+ kbs/src/admin/mod.rs | 16 +++++++---------
+ 4 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 31b3e75..d76a061 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -26,9 +26,6 @@ config = "0.14.1"
+ ear = "0.3.0"
+ env_logger = "0.10.0"
+ hex = "0.4.3"
+-jwt-simple = { version = "0.12", default-features = false, features = [
+- "pure-rust",
+-] }
+ kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
+ # TODO: Change this to kbs-types release
+ kbs-types = { "git" = "https://github.com/virtee/kbs-types.git", rev = "e3cc706" }
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 1bd4adf..93a8061 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -56,7 +56,7 @@ cryptoki = { version = "0.10.0", optional = true }
+ env_logger.workspace = true
+ hex.workspace = true
+ jsonwebtoken = { workspace = true, default-features = false }
+-jwt-simple.workspace = true
++
+ kbs-types.workspace = true
+ kms = { workspace = true, default-features = false }
+ lazy_static.workspace = true
+diff --git a/kbs/src/admin/error.rs b/kbs/src/admin/error.rs
+index 2c21f63..440851e 100644
+--- a/kbs/src/admin/error.rs
++++ b/kbs/src/admin/error.rs
+@@ -13,14 +13,14 @@ pub enum Error {
+ #[error("Admin Token verification failed")]
+ JwtVerificationFailed {
+ #[source]
+- source: jwt_simple::Error,
++ source: jsonwebtoken::errors::Error,
+ },
+
+ #[error("`auth_public_key` is not set in the config file")]
+ NoPublicKeyGiven,
+
+ #[error("Failed to parse admin public key")]
+- ParsePublicKey(#[from] jwt_simple::Error),
++ ParsePublicKey(#[from] jsonwebtoken::errors::Error),
+
+ #[error("Failed to parse HTTP Auth Bearer header")]
+ ParseAuthHeaderFailed(#[from] actix_web::error::ParseError),
+diff --git a/kbs/src/admin/mod.rs b/kbs/src/admin/mod.rs
+index f5a376a..cda7675 100644
+--- a/kbs/src/admin/mod.rs
++++ b/kbs/src/admin/mod.rs
+@@ -5,11 +5,8 @@
+ use actix_web::{http::header::Header, HttpRequest};
+ use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
+ use config::AdminConfig;
+-use jwt_simple::{
+- claims::NoCustomClaims,
+- common::VerificationOptions,
+- prelude::{Ed25519PublicKey, EdDSAPublicKeyLike},
+-};
++use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
++use serde_json::Value;
+
+ pub mod config;
+ pub mod error;
+@@ -18,7 +15,7 @@ use log::warn;
+
+ #[derive(Default, Clone)]
+ pub struct Admin {
+- public_key: Option,
++ public_key: Option,
+ }
+
+ impl TryFrom for Admin {
+@@ -32,7 +29,7 @@ impl TryFrom for Admin {
+
+ let key_path = value.auth_public_key.ok_or(Error::NoPublicKeyGiven)?;
+ let user_public_key_pem = std::fs::read_to_string(key_path)?;
+- let key = Ed25519PublicKey::from_pem(&user_public_key_pem)?;
++ let key = DecodingKey::from_ed_pem(user_public_key_pem.as_bytes())?;
+ Ok(Self {
+ public_key: Some(key),
+ })
+@@ -49,8 +46,9 @@ impl Admin {
+
+ let token = bearer.token();
+
+- let _claims = public_key
+- .verify_token::(token, Some(VerificationOptions::default()))
++ let validation = Validation::new(Algorithm::EdDSA);
++
++ let _claims = decode::(token, public_key, &validation)
+ .map_err(|e| Error::JwtVerificationFailed { source: e })?;
+
+ Ok(())
+--
+2.52.0
+
diff --git a/0005-Refactor-deps-align-crate-versions-with-Fedora-upstr.patch b/0005-Refactor-deps-align-crate-versions-with-Fedora-upstr.patch
new file mode 100644
index 0000000..800577c
--- /dev/null
+++ b/0005-Refactor-deps-align-crate-versions-with-Fedora-upstr.patch
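Review bot: `Validation::new(Algorithm::EdDSA)` in kbs/src/admin/mod.rs replaces `VerificationOptions::default()`, so which admin tokens are accepted is now decided by jsonwebtoken's defaults, and the commit message does not say how they differ from jwt-simple's. As far as I know jsonwebtoken 9 requires an `exp` claim by default and rejects a token that carries `aud` when no audience is configured, so tokens minted for the old code may stop validating. Stating the policy in code makes it reviewable, for example `let mut validation = Validation::new(Algorithm::EdDSA);` followed by `validation.set_required_spec_claims(&["exp"]);`, with a comment that neither issuer nor audience is checked and any token signed by the configured key grants admin access. Tests for an expired token, a token without `exp` and a token signed by a different key would pin the behaviour. The method that performs the validation starts outside the hunk.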
@@ -0,0 +1,67 @@
+From 16cdfdd0ee8131b22b3631c5dbcdcdfcfd384d47 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 13:56:36 +0100
+Subject: [PATCH] Refactor(deps): align crate versions with Fedora upstream
+
+Update and adjust project dependencies to match versions currently
+available in Fedora packages.
+
+Depedency changes:
+- Update `config` to 0.15.13
+- Update `rstest` to 0.26
+- Set `josekit` to 0.7
+- Remove `serde_qs` dependency
+---
+ Cargo.toml | 5 ++---
+ kbs/Cargo.toml | 3 +--
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index d76a061..fdd0e78 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -22,7 +22,7 @@ byteorder = "1.5.0"
+ cfg-if = "1.0.0"
+ chrono = "0.4.41"
+ clap = { version = "4", features = ["derive"] }
+-config = "0.14.1"
++config = "0.15.13"
+ ear = "0.3.0"
+ env_logger = "0.10.0"
+ hex = "0.4.3"
+@@ -45,10 +45,9 @@ regorus = { version = "0.2.6", default-features = false, features = [
+ reqwest = { version = "0.12", default-features = false, features = [
+ "default-tls",
+ ] }
+-rstest = "0.18.1"
++rstest = "0.26"
+ serde = { version = "1.0", features = ["derive"] }
+ serde_json = "1.0.143"
+-serde_qs = "0.13.0"
+ serde_with = { version = "3.14.0", features = ["base64", "hex"] }
+ serial_test = { version = "3.2.0", features = ["async"] }
+ sha2 = "0.10"
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index db3d892..3fd8963 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -71,7 +71,6 @@ regorus.workspace = true
+ reqwest = { workspace = true, features = ["json"] }
+ rsa = { version = "0.9.2", features = ["sha2"] }
+ scc = "2"
+-serde_qs.workspace = true
+ semver = "1.0.16"
+ serde = { workspace = true, features = ["derive"] }
+ serde_json.workspace = true
+@@ -92,7 +91,7 @@ vaultrs = { version = "0.7.4", optional = true }
+
+
+ [dev-dependencies]
+-josekit = "0.10.3"
++josekit = "0.7"
+ tempfile.workspace = true
+ rstest.workspace = true
+ serial_test = "3.0"
+--
+2.52.0
+
diff --git a/0006-replace-derivative-with-educe-for-debug-derivation.patch b/0006-replace-derivative-with-educe-for-debug-derivation.patch
new file mode 100644
index 0000000..4313b37
--- /dev/null
+++ b/0006-replace-derivative-with-educe-for-debug-derivation.patch
@@ -0,0 +1,159 @@
+From 23536a5aa38d1197ac554f7cfedd31e4d5138223 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 14:05:45 +0100
+Subject: [PATCH] replace derivative with educe for debug derivation
+
+Although we are not using plugins in the current kbs, this patch can
+come handy in case we decide to do so in the future.
+
+Replace the `derivative` crate with `educe` to manage Debug
+implementations where sensitive fields need to be ignored (e.g. API
+keys, passwords, tokens). `educe` is a lighter and more maintained
+alternative that is often available in system repositories (like
+Fedora).
+
+Refactored components:
+- Intel Trust Authority (Attestation)
+- PKCS#11 plugin
+- Aliyun KMS plugin
+- Vault KV plugin
+---
+ kbs/Cargo.toml | 1 -
+ kbs/src/attestation/intel_trust_authority/mod.rs | 8 ++++----
+ kbs/src/plugins/implementations/pkcs11.rs | 8 ++++----
+ kbs/src/plugins/implementations/resource/aliyun_kms.rs | 10 +++++-----
+ kbs/src/plugins/implementations/resource/vault_kv.rs | 8 ++++----
+ 5 files changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 3fd8963..653c759 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -84,7 +84,6 @@ tonic = { workspace = true, optional = true }
+ uuid = { version = "1.18.0", features = ["serde", "v4"] }
+ openssl.workspace = true
+ az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
+-derivative = "2.2.0"
+ vaultrs = { version = "0.7.4", optional = true }
+
+
+diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs
+index 58c63b2..45565da 100644
+--- a/kbs/src/attestation/intel_trust_authority/mod.rs
++++ b/kbs/src/attestation/intel_trust_authority/mod.rs
+@@ -10,7 +10,7 @@ use anyhow::*;
+ use async_trait::async_trait;
+ use az_cvm_vtpm::hcl::HclReport;
+ use base64::{engine::general_purpose::STANDARD, Engine};
+-use derivative::Derivative;
++use educe::Educe;
+ use kbs_types::{Challenge, HashAlgorithm, Tee};
+ use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT};
+ use serde::{Deserialize, Serialize};
+@@ -83,11 +83,11 @@ struct ErrorResponse {
+ error: String,
+ }
+
+-#[derive(Clone, Derivative, Deserialize, PartialEq, Default)]
+-#[derivative(Debug)]
++[derive(Clone, Educe, Deserialize, PartialEq, Default)]
++#[educe(Debug)]
+ pub struct IntelTrustAuthorityConfig {
+ pub base_url: String,
+- #[derivative(Debug = "ignore")]
++ #[educe(Debug(ignore))]
+ pub api_key: String,
+ pub certs_file: String,
+ pub allow_unmatched_policy: Option,
+diff --git a/kbs/src/plugins/implementations/pkcs11.rs b/kbs/src/plugins/implementations/pkcs11.rs
+index d562cbd..0c31f8e 100644
+--- a/kbs/src/plugins/implementations/pkcs11.rs
++++ b/kbs/src/plugins/implementations/pkcs11.rs
+@@ -12,7 +12,7 @@ use cryptoki::{
+ session::{Session, UserType},
+ types::AuthPin,
+ };
+-use derivative::Derivative;
++use educe::Educe;
+ use serde::Deserialize;
+ use std::{path::PathBuf, sync::Arc};
+ use tokio::sync::Mutex;
+@@ -20,8 +20,8 @@ use uuid::Uuid;
+
+ use super::super::plugin_manager::ClientPlugin;
+
+-#[derive(Derivative, Deserialize, Clone, PartialEq)]
+-#[derivative(Debug)]
++#[derive(Educe, Deserialize, Clone, PartialEq, Default)]
++#[educe(Debug)]
+ pub struct Pkcs11Config {
+ /// Path to the PKCS11 module.
+ module: PathBuf,
+@@ -31,7 +31,7 @@ pub struct Pkcs11Config {
+ slot_index: u8,
+
+ /// The user pin for authenticating the session.
+- #[derivative(Debug = "ignore")]
++ #[educe(Debug(ignore))]
+ pin: String,
+ }
+
+diff --git a/kbs/src/plugins/implementations/resource/aliyun_kms.rs b/kbs/src/plugins/implementations/resource/aliyun_kms.rs
+index 8521236..b029bf6 100644
+--- a/kbs/src/plugins/implementations/resource/aliyun_kms.rs
++++ b/kbs/src/plugins/implementations/resource/aliyun_kms.rs
+@@ -4,18 +4,18 @@
+
+ use super::backend::{ResourceDesc, StorageBackend};
+ use anyhow::{Context, Result};
+-use derivative::Derivative;
++use educe::Educe;
+ use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter};
+ use log::info;
+ use serde::Deserialize;
+
+-#[derive(Derivative, Deserialize, Clone, PartialEq)]
+-#[derivative(Debug)]
++#[derive(Educe, Deserialize, Clone, PartialEq)]
++#[educe(Debug)]
+ pub struct AliyunKmsBackendConfig {
+- #[derivative(Debug = "ignore")]
++ #[educe(Debug(ignore))]
+ client_key: String,
+ kms_instance_id: String,
+- #[derivative(Debug = "ignore")]
++ #[educe(Debug(ignore))]
+ password: String,
+ cert_pem: String,
+ }
+diff --git a/kbs/src/plugins/implementations/resource/vault_kv.rs b/kbs/src/plugins/implementations/resource/vault_kv.rs
+index ed7733f..812ef98 100644
+--- a/kbs/src/plugins/implementations/resource/vault_kv.rs
++++ b/kbs/src/plugins/implementations/resource/vault_kv.rs
+@@ -4,7 +4,7 @@
+
+ use super::backend::{ResourceDesc, StorageBackend};
+ use anyhow::{Context, Result};
+-use derivative::Derivative;
++use educe::Educe;
+ use log::info;
+ use serde::Deserialize;
+ use std::collections::HashMap;
+@@ -28,11 +28,11 @@ pub enum VaultError {
+ VaultApiError { path: String, source: anyhow::Error },
+ }
+
+-#[derive(Derivative, Deserialize, Clone, PartialEq)]
+-#[derivative(Debug)]
++#[derive(Educe, Deserialize, Clone, PartialEq)]
++#[educe(Debug)]
+ pub struct VaultKvBackendConfig {
+ pub vault_url: String,
+- #[derivative(Debug = "ignore")]
++ #[educe(Debug(ignore))]
+ pub token: String,
+ #[serde(default = "default_mount_path")]
+ pub mount_path: String,
+--
+2.52.0
+
diff --git a/0007-replace-git-dependencies-with-path-registry-deps-for.patch b/0007-replace-git-dependencies-with-path-registry-deps-for.patch
new file mode 100644
index 0000000..d4e3b86
--- /dev/null
+++ b/0007-replace-git-dependencies-with-path-registry-deps-for.patch
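Review bot: In kbs/src/attestation/intel_trust_authority/mod.rs the new derive line reads `[derive(Clone, Educe, Deserialize, PartialEq, Default)]` without the leading `#`, which as shown on this page is not a valid attribute; it should be `#[derive(Clone, Educe, Deserialize, PartialEq, Default)]`. The patch also deletes `derivative` from kbs/Cargo.toml without adding `educe` (the diffstat for that file is a single deletion), so the four touched modules would not resolve `educe::Educe` unless the crate is declared somewhere not shown here. These modules sit behind optional features and an earlier patch in this series sets `default = []`, so a normal package build would probably not compile them and neither problem would surface. Because the `#[educe(Debug(ignore))]` attributes are what keep `api_key`, `pin`, `password` and `token` out of debug output, a small test asserting that `format!("{:?}", config)` does not contain the secret value would guard the migration. `Pkcs11Config` additionally gains `Default`, which the commit message does not mention.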
@@ -0,0 +1,61 @@
+From f9e01d49a90cadffa9f07851ff25bdf949e9ee77 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Wed, 21 Jan 2026 14:13:55 +0100
+Subject: [PATCH] replace git dependencies with path/registry deps for offline
+ builds
+
+Replace git dependencies with local path or registry dependencies to
+support --offline build environments (like Fedora's build system).
+
+Dependency changes:
+- kbs_protocol: Switch from git to local path
+ 'guest-components-0.15.0/attestation-agent/kbs_protocol'
+- kms: Switch from git to local path
+ 'guest-components-0.15.0/confidential-data-hub/kms'
+- kbs-types: Switch from git to registry version '0.14.0'
+---
+ Cargo.toml | 6 ++----
+ kbs/Cargo.toml | 3 +--
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index fdd0e78..66e8172 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -26,10 +26,8 @@ config = "0.15.13"
+ ear = "0.3.0"
+ env_logger = "0.10.0"
+ hex = "0.4.3"
+-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
+-# TODO: Change this to kbs-types release
+-kbs-types = { "git" = "https://github.com/virtee/kbs-types.git", rev = "e3cc706" }
+-kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
++kbs_protocol = { path = "guest-components-0.15.0/attestation-agent/kbs_protocol", default-features = false }
++kbs-types = { version = "0.14.0" }
+ jsonwebtoken = { version = "9", default-features = false }
+ lazy_static = "1.4.0"
+ log = "0.4.28"
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 653c759..427aa87 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -28,7 +28,7 @@ coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]
+ intel-trust-authority-as = ["as", "az-cvm-vtpm"]
+
+ # Use aliyun KMS as KBS backend
+-aliyun = ["kms/aliyun"]
++aliyun = []
+
+ # Use pkcs11 plugin
+ pkcs11 = ["cryptoki"]
+@@ -58,7 +58,6 @@ hex.workspace = true
+ jsonwebtoken = { workspace = true, default-features = false }
+
+ kbs-types.workspace = true
+-kms = { workspace = true, default-features = false }
+ lazy_static.workspace = true
+ log.workspace = true
+ mobc = { version = "0.9.0", optional = true }
+--
+2.52.0
+
diff --git a/0008-guard-RVPS-import-in-config-tests.patch b/0008-guard-RVPS-import-in-config-tests.patch
new file mode 100644
index 0000000..e583686
--- /dev/null
+++ b/0008-guard-RVPS-import-in-config-tests.patch
@@ -0,0 +1,28 @@
+From 3847d4061d1f590956a8276b95881a2c944fd973 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Thu, 22 Jan 2026 09:12:02 +0100
+Subject: [PATCH] guard RVPS import in config tests
+
+The reference_value_provider_service import in test code is only needed
+when the coco-as-builtin feature is enabled. Since we've removed support
+for coco-as-builtin to minimize dependencies, gate this import behind
+the feature flag.
+---
+ kbs/src/config.rs | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kbs/src/config.rs b/kbs/src/config.rs
+index 2de2a53..4b7b8cd 100644
+--- a/kbs/src/config.rs
++++ b/kbs/src/config.rs
+@@ -136,6 +136,7 @@ mod tests {
+ token::{simple, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION},
+ };
+
++ #[cfg(feature = "coco-as-builtin")]
+ use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig};
+
+ use rstest::rstest;
+--
+2.52.0
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..78a837f
--- /dev/null
+++ b/sources
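Review bot: The description of patch 0007 says `kms` switches from git to the local path `guest-components-0.15.0/confidential-data-hub/kms`, but the Cargo.toml hunk only removes the `kms` workspace entry and the kbs/Cargo.toml hunk removes the dependency, with no path replacement. `aliyun = []` then leaves a feature that enables nothing while `aliyun_kms.rs` (visible in the context lines of patch 0006) still imports from `kms`, so turning the feature on would presumably fail to build. Either correct the description or drop the feature; a comment such as `# aliyun backend unsupported in this package: the kms crate is not built` above it would make the intent clear. The `kbs_protocol` path dependency now comes from the 0.15.0 guest-components tarball rather than the previously pinned `rev = "c35306f"`, and it is worth confirming those are the same code.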
@@ -0,0 +1,3 @@
+SHA512 (guest-components-0.15.0.tar.gz) = be182e5839f1c86dfa4093b1332a0fa4b2c878c5afc447d82688d48796f1c9c87cae0f289242df7e4c885108d1ac07134d777b0ad9073db8042f84034fc38471
+SHA512 (trustee-0.15.0-vendor.tar.zstd) = 9f4e8a31fa6011b6dfa628dcbf37d75a7867bac856bff53bb756ec5645947569a1b0c196aefe62d7fd87a79a6407fd980eedd4e46873300e17dfd70136794038
+SHA512 (v0.15.0.tar.gz) = 175ff47aa3f738a78926636fe9900ad833e8a3cf4cdd0dc69d2f40cb96d737813bfc15888fe4aaecd8a88d446f2bb1648404ebdc40528677020a5f4d9779347b
diff --git a/trustee.spec b/trustee.spec
new file mode 100644
index 0000000..4cfa0f5
--- /dev/null
+++ b/trustee.spec
@@ -0,0 +1,148 @@
+%bcond check 1
+
+# RHEL lacks individual packaged Rust crates, so we must bundle them (Source2).
+# Fedora has these crates packaged, so we can use system dependencies.
+%if 0%{?rhel}
+%bcond_without bundle_rust_deps
+%else
+%bcond_with bundle_rust_deps
+%endif
+
+Name: trustee
+Version: 0.15.0
+Release: %autorelease
+Summary: Tools and components for attesting confidential guests and providing secrets
+
+### BEGIN LICENSE SUMMARY ###
+# (Apache-2.0 OR MIT) AND BSD-3-Clause
+# (MIT OR Apache-2.0) AND Unicode-DFS-2016
+# 0BSD OR MIT OR Apache-2.0
+# Apache-2.0
+# Apache-2.0 AND ISC AND (MIT OR Apache-2.0)
+# Apache-2.0 OR BSL-1.0
+# Apache-2.0 OR MIT
+# Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
+# BSD-2-Clause OR Apache-2.0 OR MIT
+# BSD-3-Clause
+# ISC
+# MIT
+# MIT AND Apache-2.0 AND BSD-3-Clause
+# MIT OR Apache-2.0
+# MIT OR Zlib OR Apache-2.0
+# MPL-2.0
+# Unicode-3.0
+# Unlicense OR MIT
+# Zlib
+### END LICENSE SUMMARY ###
+
+License: %{shrink: Apache-2.0 AND
+ (Apache-2.0 OR BSL-1.0) AND
+ BSD-2-Clause AND
+ BSD-3-Clause AND
+ ISC AND
+ MIT AND
+ MPL-2.0 AND
+ Unicode-DFS-2016 AND
+ Unicode-3.0 AND
+ Zlib}
+URL: https://github.com/confidential-containers/trustee
+Source0: %{url}/archive/refs/tags/v%{version}.tar.gz
+Source1: https://github.com/confidential-containers/guest-components/archive/refs/tags/v%{version}/guest-components-%{version}.tar.gz
+# Generated via create_vendor_source.sh script
+Source2: trustee-%{version}-vendor.tar.zstd
+
+Patch: 0001-restrict-workspace-members-to-kbs-only.patch
+Patch: 0002-kbs-remove-built-in-attestation-service-for-lightwei.patch
+Patch: 0003-kbs-replace-concat-kdf-dependency-with-internal-impl.patch
+Patch: 0004-Refactor-kbs-replace-jwt-simple-with-jsonwebtoken-in.patch
+Patch: 0005-Refactor-deps-align-crate-versions-with-Fedora-upstr.patch
+Patch: 0006-replace-derivative-with-educe-for-debug-derivation.patch
+Patch: 0007-replace-git-dependencies-with-path-registry-deps-for.patch
+Patch: 0008-guard-RVPS-import-in-config-tests.patch
+
+%if %{with bundle_rust_deps}
+BuildRequires: rust-toolset
+BuildRequires: pkgconfig(openssl)
+%else
+BuildRequires: cargo-rpm-macros
+%endif
+BuildRequires: git-core
+
+%description
+Tools and components for attesting confidential guests and providing secrets to
+them. Collectively, these components are known as Trustee. Trustee typically
+operates on behalf of the guest owner and interacts remotely with guest
+components, providing the necessary services for Attestation and Secret
+Delivery.
+
+#===============================================================================
+
+%package kbs
+Summary: Key Broker Service for Confidential Computing
+Requires: openssl
+
+%description kbs
+The Key Broker Service (KBS) is a key management component for Confidential
+Computing scenarios. It provides secure key distribution for confidential
+containers and virtual machines. KBS supports multiple backend storage
+systems and attestation services.
+
+#===============================================================================
+
+%prep
+%autosetup -n trustee-%{version} -a1 -S git
+
+%if %{with bundle_rust_deps}
+tar xf %{SOURCE2}
+# The vendor tarball may contain files with the executable bit set.
+# If these files start with an inner attribute like `#![no_std]`,
+# rpmbuild's dependency generator interprets the `#!` as a shebang
+# and fails because the path is invalid. Removing the executable bit
+# prevents this check.
+find vendor -type f -exec chmod -x {} +
+%cargo_prep -v vendor
+%else
+%cargo_prep
+%generate_buildrequires
+%cargo_generate_buildrequires
+%endif
+
+# Force openssl-sys to use system OpenSSL instead of building from source.
+# 1. Check if OPENSSL_NO_VENDOR is already defined (skips if true).
+# 2. Check if [env] section exists. If not, append it.
+# 3. Insert the variable definition after the [env] header.
+if ! grep -q "OPENSSL_NO_VENDOR" .cargo/config.toml; then
+ grep -q "^\[env\]" .cargo/config.toml || printf "\n[env]\n" >> .cargo/config.toml
+ sed -i '/^\[env\]/a OPENSSL_NO_VENDOR = "1"' .cargo/config.toml
+fi
+
+%build
+%cargo_build
+
+%if %{with bundle_rust_deps}
+%cargo_vendor_manifest
+%endif
+
+%cargo_license_summary
+%{cargo_license} > LICENSE.dependencies
+
+%install
+# Install KBS
+install -D -m 755 target/rpm/kbs %{buildroot}%{_bindir}/kbs
+
+%if %{with check}
+%check
+%cargo_test
+%endif
+
+%files kbs
+%license LICENSE
+%license LICENSE.dependencies
+%if %{with bundle_rust_deps}
+%license cargo-vendor.txt
+%endif
+%doc README.md
+%{_bindir}/kbs
+
+%changelog
+%autochangelog
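Review bot: `Source2` in trustee.spec is described as "Generated via create_vendor_source.sh script", but that script is not among the files this diff adds, so the vendored crate tarball can only be identified by its SHA512 in `sources` and cannot be regenerated or compared from the repository. Shipping the script as an additional `SourceN:` entry, with a comment naming the lockfile and cargo command it uses, would let a reviewer rebuild the tarball and check the hash. Separately, `%generate_buildrequires` is opened inside the `%else` branch within `%prep`, so on builds without `bundle_rust_deps` the OPENSSL_NO_VENDOR snippet that follows runs in `%generate_buildrequires` rather than `%prep`. A comment such as `# runs in %prep on RHEL and in %generate_buildrequires on Fedora; the grep guard keeps it idempotent` would record that this is intended.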