edgelesssys · malt3 · Mar 15, 2024 · Mar 25, 2024 · Mar 18, 2024 · Apr 15, 2024
diff --git a/README.md b/README.md
@@ -201,13 +201,13 @@ helm template release-name chart-name > resources/all.yml
 ```
 
 To specify that a workload (pod, deployment, etc.) should be deployed as confidential containers,
-add `runtimeClassName: kata-cc-isolation` to the pod spec (pod definition or template).
+add `runtimeClassName: contrast-cc-isolation` to the pod spec (pod definition or template).
 In addition, add the Contrast Initializer as `initContainers` to these workloads and configure the
 workload to use the certificates written to a `volumeMount` named `tls-certs`.
 
 ```yaml
 spec: # v1.PodSpec
-  runtimeClassName: kata-cc-isolation
+  runtimeClassName: contrast-cc-isolation
   initContainers:
   - name: initializer
     image: "ghcr.io/edgelesssys/contrast/initializer:latest"

diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
@@ -168,7 +168,7 @@ func findGenerateTargets(args []string, logger *slog.Logger) ([]string, error) {
 		}
 	}
 
-	paths = filterNonCoCoRuntime("kata-cc-isolation", paths, logger)
+	paths = filterNonCoCoRuntime("contrast-cc-isolation", paths, logger)
 
 	if len(paths) == 0 {
 		return nil, fmt.Errorf("no .yml/.yaml files found")

diff --git a/cli/cmd/verify.go b/cli/cmd/verify.go
@@ -139,14 +139,19 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
 
 func newCoordinatorValidateOptsGen(hostData []byte) *snp.StaticValidateOptsGenerator {
 	defaultManifest := manifest.Default()
-	trustedIDKeyDigests, err := (&defaultManifest.ReferenceValues.SNP.TrustedIDKeyHashes).ByteSlices()
+	trustedMeasurement, err := defaultManifest.ReferenceValues.SNP.TrustedMeasurement.Bytes()
 	if err != nil {
 		panic(err) // We are decoding known values, tests should catch any failure.
 	}
+	if trustedMeasurement == nil {
+		// This is required to prevent an empty measurement in the manifest from disabling the measurement check.
+		trustedMeasurement = make([]byte, 48)
+	}
 
 	return &snp.StaticValidateOptsGenerator{
 		Opts: &validate.Options{
-			HostData: hostData,
+			HostData:    hostData,
+			Measurement: trustedMeasurement,
 			GuestPolicy: abi.SnpPolicy{
 				Debug: false,
 				SMT:   true,
@@ -165,8 +170,6 @@ func newCoordinatorValidateOptsGen(hostData []byte) *snp.StaticValidateOptsGener
 				UcodeSpl: 115,
 			},
 			PermitProvisionalFirmware: true,
-			TrustedIDKeyHashes:        trustedIDKeyDigests,
-			RequireIDBlock:            false, // TODO(malt3): re-enable once we control the full boot (including the id block)
 		},
 	}
 }

@@ -48,12 +48,17 @@ func (m *meshAuthority) SNPValidateOpts(report *sevsnp.Report) (*validate.Option
 		return nil, fmt.Errorf("hostdata %s not found in manifest", hostData)
 	}
 
-	trustedIDKeyDigestHashes, err := mnfst.ReferenceValues.SNP.TrustedIDKeyHashes.ByteSlices()
+	trustedMeasurement, err := mnfst.ReferenceValues.SNP.TrustedMeasurement.Bytes()
 	if err != nil {
-		return nil, fmt.Errorf("failed to convert TrustedIDKeyHashes from manifest to byte slices: %w", err)
+		return nil, fmt.Errorf("failed to convert TrustedMeasurement from manifest to byte slices: %w", err)
+	}
+	if trustedMeasurement == nil {
+		// This is required to prevent an empty measurement in the manifest from disabling the measurement check.
+		trustedMeasurement = make([]byte, 48)
 	}
 
 	return &validate.Options{
+		Measurement: trustedMeasurement,
 		GuestPolicy: abi.SnpPolicy{
 			Debug: false,
 			SMT:   true,
@@ -72,8 +77,6 @@ func (m *meshAuthority) SNPValidateOpts(report *sevsnp.Report) (*validate.Option
 			UcodeSpl: mnfst.ReferenceValues.SNP.MinimumTCB.MicrocodeVersion.UInt8(),
 		},
 		PermitProvisionalFirmware: true,
-		TrustedIDKeyHashes:        trustedIDKeyDigestHashes,
-		RequireIDBlock:            false, // TODO(malt3): re-enable once we control the full boot (including the id block)
 	}, nil
 }
 

diff --git a/deployments/contrast-node-installer/ds.yml b/deployments/contrast-node-installer/ds.yml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: contrast-node-installer
+  namespace: edg-default
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: contrast-node-installer
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: contrast-node-installer
+      annotations:
+        contrast.edgeless.systems/pod-role: contrast-node-installer
+    spec:
+      hostPID: true
+      hostNetwork: true
+      volumes:
+        - name: host-mount
+          hostPath:
+            path: /
+            type: Directory
+      initContainers:
+        - name: installer
+          image: "ghcr.io/edgelesssys/contrast/node-installer:latest"
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: host-mount
+              mountPath: /host
+          resources:
+            requests:
+              memory: 100Mi
+            limits:
+              memory: 100Mi
+      containers:
+        - name: pause
+          image: "k8s.gcr.io/pause"
+          resources:
+            requests:
+              memory: 10Mi
+            limits:
+              memory: 10Mi
diff --git a/deployments/contrast-node-installer/runtime-class.yaml b/deployments/contrast-node-installer/runtime-class.yaml
@@ -0,0 +1,13 @@
+apiVersion: node.k8s.io/v1
+handler: contrast-cc
+kind: RuntimeClass
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+  name: contrast-cc-isolation
+overhead:
+  podFixed:
+    memory: 2Gi
+scheduling:
+  nodeSelector:
+    kubernetes.azure.com/kata-cc-isolation: 'true'
diff --git a/deployments/emojivoto-sm-egress/coordinator.yml b/deployments/emojivoto-sm-egress/coordinator.yml
@@ -15,7 +15,7 @@ spec:
       annotations:
         contrast.edgeless.systems/pod-role: coordinator
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       containers:
         - name: coordinator
           image: "ghcr.io/edgelesssys/contrast/coordinator:latest"

diff --git a/deployments/emojivoto-sm-egress/emoji.yml b/deployments/emojivoto-sm-egress/emoji.yml
@@ -25,7 +25,7 @@ spec:
         app.kubernetes.io/name: emoji-svc
         version: v11
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       initContainers:
         - name: initializer
           image: "ghcr.io/edgelesssys/contrast/initializer:latest"

diff --git a/deployments/emojivoto-sm-egress/voting.yml b/deployments/emojivoto-sm-egress/voting.yml
@@ -25,7 +25,7 @@ spec:
         app.kubernetes.io/name: voting-svc
         version: v11
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       initContainers:
         - name: initializer
           image: "ghcr.io/edgelesssys/contrast/initializer:latest"

diff --git a/deployments/emojivoto-sm-egress/web.yml b/deployments/emojivoto-sm-egress/web.yml
@@ -25,7 +25,7 @@ spec:
         app.kubernetes.io/name: web-svc
         version: v11
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       initContainers:
         - name: initializer
           image: "ghcr.io/edgelesssys/contrast/initializer:latest"

diff --git a/deployments/emojivoto/coordinator.yml b/deployments/emojivoto/coordinator.yml
@@ -15,7 +15,7 @@ spec:
       annotations:
         contrast.edgeless.systems/pod-role: coordinator
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       containers:
         - name: coordinator
           image: "ghcr.io/edgelesssys/contrast/coordinator:latest"

diff --git a/deployments/emojivoto/emoji.yml b/deployments/emojivoto/emoji.yml
@@ -25,7 +25,7 @@ spec:
         app.kubernetes.io/name: emoji-svc
         version: v11
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       initContainers:
         - name: initializer
           image: "ghcr.io/edgelesssys/contrast/initializer:latest"

diff --git a/deployments/emojivoto/voting.yml b/deployments/emojivoto/voting.yml
@@ -25,7 +25,7 @@ spec:
         app.kubernetes.io/name: voting-svc
         version: v11
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       initContainers:
         - name: initializer
           image: "ghcr.io/edgelesssys/contrast/initializer:latest"

diff --git a/deployments/emojivoto/web.yml b/deployments/emojivoto/web.yml
@@ -25,7 +25,7 @@ spec:
         app.kubernetes.io/name: web-svc
         version: v11
     spec:
-      runtimeClassName: kata-cc-isolation
+      runtimeClassName: contrast-cc-isolation
       initContainers:
         - name: initializer
           image: "ghcr.io/edgelesssys/contrast/initializer:latest"

@@ -74,7 +74,7 @@ func Coordinator(namespace string) *CoordinatorConfig {
 				WithLabels(map[string]string{"app.kubernetes.io/name": "coordinator"}).
 				WithAnnotations(map[string]string{"contrast.edgeless.systems/pod-role": "coordinator"}).
 				WithSpec(PodSpec().
-					WithRuntimeClassName("kata-cc-isolation").
+					WithRuntimeClassName("contrast-cc-isolation").
 					WithContainers(
 						Container().
 							WithName("coordinator").

@@ -43,7 +43,7 @@ func Simple() ([]any, error) {
 			WithTemplate(PodTemplateSpec().
 				WithLabels(map[string]string{"app.kubernetes.io/name": "workload"}).
 				WithSpec(PodSpec().
-					WithRuntimeClassName("kata-cc-isolation").
+					WithRuntimeClassName("contrast-cc-isolation").
 					WithContainers(
 						Container().
 							WithName("workload").

diff --git a/internal/manifest/constants.go b/internal/manifest/constants.go
@@ -1,5 +1,8 @@
 package manifest
 
+// This value is injected at build time.
+var trustedMeasurement = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+
 // Default returns a default manifest.
 func Default() Manifest {
 	return Manifest{
@@ -11,14 +14,7 @@ func Default() Manifest {
 					SNPVersion:        8,
 					MicrocodeVersion:  115,
 				},
-				TrustedIDKeyHashes: []HexString{
-					"b2bcf1b11d9fb3f2e4e7979546844d26c30255fff0775f3af56f8295f361a7d1a34a54516d41abfff7320763a5b701d8",
-					"22087e0b99b911c9cffccfd9550a054531c105d46ed6d31f948eae56bd2defa4887e2fc4207768ec610aa232ac7490c4",
-					"bb4bb49681f267bd1d504ce1c4388abcf7e3e53b6003a1bfcfe9884056047912ebb9a813da95cf711a0410ddc00fe65b", // Added 2024-01-22
-					"92898fbc330c89f8a38b8516087970b1d3361e017c84bd5abe901cab7edeb0a4271509edba1670c14feb82293bcde33f", // Added 2024-02-07
-					"089ee8adfc810a72eb2683007f34db9f8160c4d1936b70570b779ef3b7bb66046194298cea8d51ebfd4b7c8a2b8ea2d7", // Added 2024-02-21
-					"1383573d02170f77b1fc2a8bfd5eaec89b0158b3f186eee7b65f785187c41b50be5d97e3b23fa9c5a4b70fe0d1e03af7", // Added 2024-03-12
-				},
+				TrustedMeasurement: HexString(trustedMeasurement),
 			},
 		},
 	}

diff --git a/internal/manifest/manifest.go b/internal/manifest/manifest.go
@@ -24,8 +24,9 @@ type ReferenceValues struct {
 
 // SNPReferenceValues contains reference values for the SNP report.
 type SNPReferenceValues struct {
-	MinimumTCB         SNPTCB
-	TrustedIDKeyHashes HexStrings // 0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3
+	MinimumTCB SNPTCB
+	// TrustedMeasurement is the hash of the trusted launch digest.
+	TrustedMeasurement HexString
 }
 
 // SNPTCB represents a set of SNP TCB values.

diff --git a/justfile b/justfile
@@ -25,6 +25,10 @@ initializer:
     mkdir -p {{ workspace_dir }}
     nix run .#containers.push-initializer -- "$container_registry/contrast/initializer" >> {{ workspace_dir }}/just.containerlookup
 
+# Build the node-installer, containerize and push it.
+node-installer:
+    nix run .#containers.push-node-installer -- "$container_registry/contrast/node-installer" >&2
+
 default_cli := "contrast.cli"
 default_deploy_target := "simple"
 workspace_dir := "workspace"

@@ -0,0 +1,97 @@
+{ fetchurl
+, ociLayerTar
+, ociImageManifest
+, ociImageLayout
+, contrast-node-installer
+, runtime-class-files
+, pkgsStatic
+, writers
+, lib
+}:
+let
+  node-installer = ociLayerTar {
+    files = [
+      {
+        source = lib.getExe contrast-node-installer;
+        destination = "/bin/node-installer";
+      }
+      {
+        source = "${pkgsStatic.util-linux}/bin/nsenter";
+        destination = "/bin/nsenter";
+      }
+    ];
+  };
+  launch-digest = lib.removeSuffix "\n" (builtins.readFile "${runtime-class-files}/launch-digest.hex");
+  runtime-handler = "contrast-cc-" + builtins.substring 0 32 launch-digest;
+  installer-config = ociLayerTar {
+    files = [
+      {
+        source = writers.writeJSON "contrast-node-install.json" {
+          files = [
+            {
+              url = "file:///opt/edgeless/share/kata-containers.img";
+              path = "/opt/edgeless/${runtime-handler}/share/kata-containers.img";
+            }
+            {
+              url = "file:///opt/edgeless/share/kata-containers-igvm.img";
+              path = "/opt/edgeless/${runtime-handler}/share/kata-containers-igvm.img";
+            }
+            {
+              url = "file:///opt/edgeless/bin/cloud-hypervisor-snp";
+              path = "/opt/edgeless/${runtime-handler}/bin/cloud-hypervisor-snp";
+            }
+            {
+              url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
+              path = "/opt/edgeless/${runtime-handler}/bin/containerd-shim-contrast-cc-v2";
+            }
+          ];
+          runtimeHandlerName = runtime-handler;
+        };
+        destination = "/config/contrast-node-install.json";
+      }
+    ];
+  };
+  kata-container-img = ociLayerTar {
+    files = [
+      { source = runtime-class-files.rootfs; destination = "/opt/edgeless/share/kata-containers.img"; }
+      { source = runtime-class-files.igvm; destination = "/opt/edgeless/share/kata-containers-igvm.img"; }
+    ];
+  };
+  cloud-hypervisor = ociLayerTar {
+    files = [{ source = runtime-class-files.cloud-hypervisor-bin; destination = "/opt/edgeless/bin/cloud-hypervisor-snp"; }];
+  };
+  containerd-shim = ociLayerTar {
+    files = [{ source = runtime-class-files.containerd-shim-contrast-cc-v2; destination = "/opt/edgeless/bin/containerd-shim-contrast-cc-v2"; }];
+  };
+  manifest = ociImageManifest
+    {
+      layers = [
+        node-installer
+        installer-config
+        kata-container-img
+        cloud-hypervisor
+        containerd-shim
+      ];
+      extraConfig = {
+        "config" = {
+          "Env" = [
+            "PATH=/bin:/usr/bin"
+            "CONFIG_DIR=/config"
+            "HOST_MOUNT=/host"
+          ];
+          "Entrypoint" = [ "/bin/node-installer" ];
+        };
+      };
+      extraManifest = {
+        "annotations" = {
+          "org.opencontainers.image.title" = "contrast-node-installer";
+          "org.opencontainers.image.description" = "Contrast Node Installer";
+          "systems.edgeless.contrast.snp-launch-digest" = launch-digest;
+        };
+      };
+    };
+
+in
+ociImageLayout {
+  manifests = [ manifest ];
+}