skr

command

v0.0.0-...-3739264 Latest Latest Go to latest Published: Apr 1, 2024 License: MIT Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/Microsoft/confidential-sidecar-containers

README ¶

Secure Key Release (SKR)

The skr tool instantiates a web server ( http://localhost:) which exposes a REST API so that other containers can retrieve raw attestation via the attest/raw POST method and MAA token via the attest/maa POST method as well as release secrets from Azure Key Vault service via the key/release POST method.

The tool can be executed using the script skr.sh. If the port number is not specified, the port will default to 8080. This script take the environment variables SkrSideCarArgs, Port, LogFile, and LogLevel and passes them into /bin/skr with their corresponding flags.

To use the GRPC server instead of the HTTP server, the tool can be executed using the same script skr.sh. But instead expecting the environment variables Port, ServerType, LogFile, and LogLevel and passes them into /bin/skr with their corresponding flags.

HTTP API

The status GET method returns the status of the server. The response carries a StatusOK header and a payload of the following format:

{
    "message": "STATUS OK"
}

{
    "message": "STATUS NOT OK"
}

The attest/raw POST method expects a JSON of the following format:

{
    "runtime_data": "<Base64-encoded blob; the hash digest of the blob will be presented as report data in the raw attestation report>"
}

runtime_data is to guarantee the freshness of the attestation report. We put the runtime_data in the attestation report request and then we can check the whole signed report contains the same data we just put in. This field is for preventing replay attack.

Upon success, the attest/raw POST method response carries a StatusOK header and a payload of the following format:

{
    "report": "<hex format of raw hardware attestation report>"
}

Upon error, the attest/raw POST method response carries a BadRequest or StatusForbidden header and a payload of the following format:

{
    "error": "<error message>"
}

The attest/maa POST method expects a JSON of the following format:

{
    "maa_endpoint": "<maa endpoint>",
    "runtime_data": "<Base64-encoded blob whose hash digest will be presented as runtime data in maa token>"
}

Upon success, the attest/maa POST method response carries a StatusOK header and a payload of the following format:

{
    "token": "<MAA token formatted in JSON Web Token format>"
}

Upon error, the attest/maa POST method response carries a BadRequest or StatusForbidden header and a payload of the following format:

{
    "error": "<error message>"
}

The key/release POST method expects a JSON of the following format:

{
    "maa_endpoint": "<maa endpoint>",
    "akv_endpoint": "<akv endpoint>",
    "kid": "<key identifier>",
    "access_token": "optional aad token if the command will run in a resource without proper managed identity assigned"
}

Upon success, the key/release POST method response carries a StatusOK header and a payload of the following format:

{
    "key": "<key in JSON Web Key format>"
}

Upon error, the key/release POST method response carries a StatusForbidden header and a payload of the following format:

{
    "error": "<error message>"
}

Additionally, the skr tool instantiates a GRPC server that can be accessed by running grpcurl commands. The GRPC server exposes the following methods:

GRPC API

The <ip:port> list command lists the services exposed on a specific IP address and port.

grpcurl -v -plaintext 127.0.0.1:50000 list

The <ip:port> list <service-name> command lists the exposed APIs under a specific service on a specific IP address and port.

grpcurl -v -plaintext 127.0.0.1:50000  list keyprovider.KeyProviderService

The SayHello method of the KeyProviderService is used to test whether APIs under KeyProviderService can be reached.

grpcurl -v -plaintext -d '{"name":"This is a GRPC test!"}' 127.0.0.1:50000  keyprovider.KeyProviderService.SayHello

The GetReport method of the KeyProviderService is used to get the SNP report in hex string format. Users can optionally provide reportDataHexString and the input will show under report data section of the SNP report.

grpcurl -v -plaintext -d '{"reportDataHexString":""}' 127.0.0.1:50000  keyprovider.KeyProviderService.GetReport

The UnWrapKey method of the KeyProviderService is used to test whether the key can be released.

AAA=`printf skr | base64 -w0`

ANNO=`cat wrapped`

REQ=`echo "{\"op\":\"keyunwrap\",\"keywrapparams\":{},\"keyunwrapparams\":{\"dc\":{\"Parameters\":{\"attestation-agent\":[\"${AAA}\"]}},\"annotation\":\"${ANNO}\"}}" | base64 -w0`

grpcurl -plaintext -d "{\"KeyProviderKeyWrapProtocolInput\":\"${REQ}\"}" 127.0.0.1:50000 keyprovider.KeyProviderService.UnWrapKey

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL