SEV Cleanup

dfinity · Jan 23, 2024 · 1c069ce · 1c069ce
1 parent 0a13ff3
commit 1c069ce
Show file tree

Hide file tree

Showing 8 changed files with 7 additions and 78 deletions.
diff --git a/ic-os/README.adoc b/ic-os/README.adoc
@@ -104,7 +104,7 @@ Follow instructions link:docs/SEVSnpTest.adoc#[here] to prepare the dev machine.
 Note: we are storing the PEM files instead of the DER files.
 
 ```bash
-% ic/ic-os/hostos/rootfs/opt/ic/bin/get-sev-certs.sh
+% snptool get-certs
 % sev-host-set-cert-chain  -r ark.pem -s ask.pem -v vcek.pem
 ```
 

diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-replica.service b/ic-os/guestos/rootfs/etc/systemd/system/ic-replica.service
@@ -30,7 +30,6 @@ Environment=RUST_BACKTRACE=1
 # Remember to update 'rs/default.nix' for nix-shell users
 # Remember to update 'src/dfx/src/actors/replica.rs' in the sdk repo for dfx users
 Environment=RUST_MIN_STACK=8192000
-ExecStartPre=+/opt/ic/bin/setup-sev-certs.sh
 ExecStartPre=+/opt/ic/bin/generate-replica-config.sh -n /boot/config/network.conf -c /boot/config/nns.conf -b /boot/config/backup.conf -l /boot/config/log.conf -m /boot/config/malicious_behavior.conf -i /opt/ic/share/ic.json5.template -o /run/ic-node/config/ic.json5
 ExecStart=/opt/ic/bin/orchestrator --replica-binary-dir /var/lib/ic/data/images --cup-dir /var/lib/ic/data/cups --replica-config-file /run/ic-node/config/ic.json5 --enable-provisional-registration --ic-binary-directory /opt/ic/bin --orchestrator-data-directory /var/lib/ic/data/orchestrator --version-file /opt/ic/share/version.txt
 LimitNOFILE=1048576

diff --git a/ic-os/guestos/rootfs/opt/ic/bin/setup-sev-certs.sh b/ic-os/guestos/rootfs/opt/ic/bin/setup-sev-certs.sh
diff --git a/ic-os/hostos/rootfs/Dockerfile.base b/ic-os/hostos/rootfs/Dockerfile.base
@@ -126,6 +126,8 @@ RUN cd /tmp/ && \
     rm /tmp/node_exporter-1.3.1.linux-amd64.tar.gz
 
 # If CPU_SUPPORT is "sev", install the patched qemu and the host kernel
+# The file `/opt/ic/share/SEV` is used as a build-time flag to indicate that
+# the SEV path shoud be taken at runtime.
 # QEMU installed previously will be over-written by the patched QEMU (7.2.0)
 # Installing libsnappy package only for "sev" configuration
 # TODO: Generate SEV build conditionally so that QEMU 6.2 is not built unnecessarily

diff --git a/ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh b/ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh
@@ -105,8 +105,6 @@ function assemble_config_media() {
     cmd+=(--ipv4_name_servers "$(/opt/ic/bin/fetch-property.sh --key=.dns.ipv4_name_servers --metric=hostos_ipv4_dns_name_servers --config=${DEPLOYMENT})")
     cmd+=(--hostname "guest-$(/opt/ic/bin/fetch-mgmt-mac.sh | sed 's/://g')")
     cmd+=(--nns_url "$(/opt/ic/bin/fetch-property.sh --key=.nns.url --metric=hostos_nns_url --config=${DEPLOYMENT})")
-    # AMDs cert download links do not support IPv6; NODE-817
-    # cmd+=(--get_sev_certs)
     if [ -f "/boot/config/node_operator_private_key.pem" ]; then
         cmd+=(--node_operator_private_key "/boot/config/node_operator_private_key.pem")
     fi
@@ -229,6 +227,9 @@ function main() {
     read_variables
     assemble_config_media
     if is_sev_snp_enabled; then
+        # TODO: Also, fetch and load the SEV certs.
+        # snptool get-certs
+        # sev-host-set-cert-chain  -r ark.pem -s ask.pem -v vcek.pem
         generate_sev_guestos_config
     else
         generate_guestos_config

diff --git a/ic-os/hostos/rootfs/opt/ic/bin/get-sev-certs.sh b/ic-os/hostos/rootfs/opt/ic/bin/get-sev-certs.sh
diff --git a/ic-os/scripts/build-bootstrap-config-image.sh b/ic-os/scripts/build-bootstrap-config-image.sh
@@ -111,11 +111,6 @@ options may be specified:
   --socks_proxy url
     The URL of the socks proxy to use. To be used in
     systems tests only.
-
-  --get_sev_certs
-    If on an SEV-SNP enabled machine, include the ark, ask, and vcek
-    certificates in the config image.  Note: this requires that this
-    script is executed on the host which will be running the SEV-SNP VM.
 EOF
 }
 
@@ -135,7 +130,6 @@ function build_ic_bootstrap_tar() {
     local REPLICA_LOG_DEBUG_OVERRIDES
     local MALICIOUS_BEHAVIOR
     local BITCOIND_ADDR
-    local GET_SEV_CERTS=false
 
     while true; do
         if [ $# == 0 ]; then
@@ -199,11 +193,6 @@ function build_ic_bootstrap_tar() {
             --socks_proxy)
                 SOCKS_PROXY="$2"
                 ;;
-            --get_sev_certs)
-                GET_SEV_CERTS=true
-                shift 1
-                continue
-                ;;
             *)
                 echo "Unrecognized option: $1"
                 usage
@@ -268,12 +257,6 @@ EOF
     if [ "${NODE_OPERATOR_PRIVATE_KEY}" != "" ]; then
         cp "${NODE_OPERATOR_PRIVATE_KEY}" "${BOOTSTRAP_TMPDIR}/node_operator_private_key.pem"
     fi
-    if [[ "${GET_SEV_CERTS}" == true && ! -e "/dev/sev" ]]; then
-        echo "--get_sev_certs is true but /dev/sev is not available, unable to get SEV certs"
-    fi
-    if [[ "${GET_SEV_CERTS}" == true && -e "/dev/sev" ]]; then
-        /opt/ic/bin/get-sev-certs.sh
-    fi
 
     tar cf "${OUT_FILE}" -C "${BOOTSTRAP_TMPDIR}" .
 

diff --git a/rs/ic_os/sev/src/certs.rs b/rs/ic_os/sev/src/certs.rs
@@ -6,7 +6,7 @@ use std::fmt::{Display, Formatter};
 use std::{fs, path::Path};
 
 /// Location of certs
-static ARK_PEM: &str = "/var/lib/ic/data/ark.pem";
+static ARK_PEM: &str = "/opt/ic/share/ark.pem";
 static ASK_PEM: &str = "/var/lib/ic/data/ask.pem";
 static VCEK_PEM: &str = "/var/lib/ic/data/vcek.pem";
 static CERTS_DIR: &str = "/var/lib/ic/data";