-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: greater protection for release mode #72
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that solution to "having too much code" can be adding more code.
Why don't we just remove the testing code from our critical production service instead?
If we need this functionality for unit tests, then let's define clear boundaries in our internal API such that testing would be possible without modifying the implementation and be fully self-contained within the test module?
In any case, tests utilizing testing code don't test anything, those paths will never be taken in production setting, since those pieces of code will never be compiled in release
mode. Note, that a mistake here could be very costly, while also being pretty easy to make. Tests must rely on "real" implementations we run in production as much as possible.
src/ext/mod.rs
Outdated
@@ -28,5 +28,5 @@ pub trait ExtVerifier { | |||
/// certificate. Returning `Ok(false)` will allow the certification request | |||
/// to continue, but this particular extension will not be included | |||
/// in the resulting certificate. | |||
fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool>; | |||
fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: &bool) -> Result<bool>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
bool
is Copy
and small enough that &
does not bring any benefits
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did that to address complaints about use of a moved value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strange, it just compiles fine without it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think my IDE was having problems. I reverted back to bool
and it's fine.
src/main.rs
Outdated
@@ -80,6 +85,7 @@ struct Args { | |||
#[clap(short, long, env = "ROCKET_ADDRESS", default_value = "::")] | |||
addr: IpAddr, | |||
|
|||
#[cfg(debug_assertions)] | |||
#[clap(short, long, env = "RENDER_EXTERNAL_HOSTNAME")] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Especially looking at the env var name, this parameter does not seem relevant to the Steward at it's present form
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's used to generate keys, which we wouldn't do in a production environment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additionally, some tests were disabled for release mode (since Nix seems to test in release mode) due to this discovered bug #73
7778951
to
2be891a
Compare
I don't think I added that much code. I disabled code when compiling for
We need to have some testing (
Sure, I can move the logic for
Again, the tests ensure the |
cc1a40b
to
64d7434
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed a few times already, deferring review to @npmccallum
I personally think that we should just remove KVM attestation and use real, captured SGX and SEV reports in tests.
If we really want to have KVM attestation available, then that should be guarded by insecure
feature (as is already done) and --insecure
runtime flag. Still, I am not happy by how much the implementation is changed to account for this. I find that the prevalent cfg
attributes make the code harder to reason about and maintain. What's worse, it introduces plethora of new code paths, that actual, real, production service will never take and results in "real" code that should be tested to not get tested.
If we really want to have KVM attestation available, then I think we need to restructure the code in such a way that this feature would not be as intrusive and such that the unit tests would still test "real" code paths and not code paths, which would never be taken in production.
src/ext/kvm.rs
Outdated
return Err(anyhow!("steward not in debug mode")); | ||
} | ||
#[cfg(not(feature = "insecure"))] | ||
return Err(anyhow!("steward not in debug mode")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return Err(anyhow!("steward not in debug mode")); | |
bail!("steward not in insecure mode") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Captured SEV & SGX reports added yesterday.
ea1ce69
to
33c9a9e
Compare
c4a191a
to
1954681
Compare
Signed-off-by: Richard Zak <richard@profian.com>
1954681
to
0a3cb7d
Compare
Signed-off-by: Richard Zak <richard@profian.com>
Signed-off-by: Richard Zak <richard@profian.com>
Signed-off-by: Richard Zak <richard@profian.com>
0a3cb7d
to
ab44039
Compare
References #49
Signed-off-by: Richard Zak richard@profian.com