-
Notifications
You must be signed in to change notification settings - Fork 998
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kata agent runtime configuration #1837
Comments
@sameo How do you plan to handle container list/creation/deletion APIs? They cannot be blocked otherwise confidential containers cannot be created. But if they are not blocked, the host would be able to manipulate the guest at will. |
It seems like the easiest way to bring the config file into the TCB would be to bake it into the initrd, which most platforms seem to measure or encrypt. This might increase the burden on the guest-owner, however, who would have to keep track of a new initrd measurement for each variation of the configuration file. I'm not sure how much variation there would be in practice, but I can imagine a guest owner wanting to use the same initrd for most deployments. |
@fitzthum seems an easier way would be to pass it in via kernel parameters. Something like |
@jimcadden yeah good point the kernel command line should be a measured interface as well and we will probably be passing some important config information there no matter what. I am a bit wary of passing the entire config through the kernel command line in part because I think there is a length limitation. |
I am onboard with the idea. |
Capturing our discussion that the delivery of the configuration file might potentially be a "plugin" point. In the sense that we start with flexibility on how it gets there being a separate consideration to what might be in it and resulting behaviours. I am however fully on board with concern that the creation/provision of such a file must be part of the flow before any container actions are taken, essentially part of the image, provided at sandbox creation or provided as part of initial boot (attestation etc). |
Are there permutations of blocked/allowed apis that make no sense. If you can pause a container but not resume for example? |
Should we use allowed_endpoints rather than blocked_endpoints? It might be more secure but of course the tradeoff might be a little poorer user experience when creating such a file. Leads to backwards compatibility question perhaps? How do we decide to enable or disable the checks or do we just use provide a config file which enables everything for backwards compatibility? |
Fixed, thanks. |
@bergwolf Sorry for the late reply Now to answer your questions:
|
I thought about blocked endpoints because I believe this list answers the "What must we not support for confidential computing?" question.
I'm opening a separate issue to discuss that (edit: This is issue #1891), as I think it's a separate discussion from allowing the agent API to be configured.
I think the configuration should be optional. Without a config file the agent would run with a full API. With a config file, the API restrictions specified in that file would apply. |
This approach of allowing full API access when agent runs without the config file seems reasonable. Ensures the current user experience doesn't break with confidential computing changes. |
This aspect of things is discussed to a large extent in #1834, notably with respect to who owns this or that API. In the case of the |
@sameo I don't think this is correct. In a confidential containers context, the tenant would supply the configuration file and rely on the measurements of the boot image to know that this is applied. If you allow agent command line options to override that, then the guarantee seems to be lost. Unless we find a way to add the agent command line to the measurements? |
From configuration file:
In the context of a split host/tenant trust realms like #1834 (I'm now forcing myself to no longer say "trust domain" because in the case of TDX, that's defined as the VM and not whatever else is in the same security "domain"), then the agent would presumably no longer get that over @sameo Would you agree that this could later be extended to accept |
We have two ways to disable some API services/code:
|
We can't disable all API services for confidential computing, otherwise we never need Kata for confidential computing. The only solution will be running kubelet/containerd/runc within a confidential VM. So the answer may be audibility. We should audit/log every sensitive API service request. |
I fully agree, and the plan is certainly not to disable all API for CC. There is no need for it, and deciding which APIs to disable is also a business decision.
That already exists and it's a fairly different use case.
Are you saying we should keep all APIs open and audit log the sensitive ones from the agent? |
We discussed about it in our weekly use case meeting, and agreed having it configurable at runtime is more flexible.
How would you map gRPC request parameter to seccomp rules? |
@c3d We have some patches for OVMF and maybe QEMU that extend the SEV launch measurement to the kernel command line, kernel, and initrd. See this discussion |
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of blocked enpoints. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of blocked enpoints. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of blocked enpoints. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
Generally an allow-list is more secure than a deny-list. To offset the usability challenge an example file could be provided with the minimum required APIs allowed, and perhaps some guidance on what other APIs should be enabled if the user experiences a failure. This issue and an associated PR are pretty far along, though. An alternative would be to stay with the deny-list, but provide an example where all but the minimum APIs are denied (blocked). That approach is less future-proof though, i.e., if a new API is added users would need to know to go back and update their agent configurations that are in production. I'm not clear where the agent-configuration.toml will live. As noted above it needs to be part of the measurement. |
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of allowed enpoints. If a configuration files does not include an endpoints section, we assume all endpoints are allowed. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of allowed enpoints. If a configuration files does not include an endpoints section, we assume all endpoints are allowed. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of allowed enpoints. If a configuration files does not include an endpoints section, we assume all endpoints are not allowed. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of allowed enpoints. If a configuration files does not include an endpoints section, we assume all endpoints are not allowed. If there is no configuration file, then all endpoints are allowed. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
When the kernel command line includes a agent.config_file=<path> entry, then we will try to override the default confiuguration values with the ones we parse from a TOML file at <path>. As the configuration file overrides the default values, we need to go through a simplified builder that convert a set of Option<> fields into the actual AgentConfig structure. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of allowed enpoints. If a configuration files does not include an endpoints section, we assume all endpoints are not allowed. If there is no configuration file, then all endpoints are allowed. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
From the endpoints string described through the configuration file, we build a hash set of allowed enpoints. If a configuration files does not include an endpoints section, we assume all endpoints are not allowed. If there is no configuration file, then all endpoints are allowed. Then for every ttrpc request, we check if the name of the endpoint is part of the hashset. If it is not, then we return ttrcp::UNIMPLEMENTED. Fixes: kata-containers#1837 Signed-off-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com>
- Use clap to do command line parsing - Add option to pass in config with -c/--config Fixes: kata-containers#1837 Co-authored-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Use clap to do command line parsing - Add option to pass in config with -c/--config Fixes: kata-containers#1837 Co-authored-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Use clap to do command line parsing - Add option to pass in config with -c/--config Fixes: kata-containers#1837 Co-authored-by: Samuel Ortiz <samuel.e.ortiz@protonmail.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Problem Statement
The kata-agent communicates with the host through a gRPC API, via a vsock channel. The host typically sends commands and request to the kata-agent, though this RPC mechanism.
In a confidential computing context, where the host software stack is out of the guest TCB, parts of that host <-> guest interface can not be supported without breaking the expected confidential computing threat model.
Proposal
We want to propose for the
kata-agent
to optionally use a configuration file that would allow for a more dynamically defined agent behaviour. The configuration file would be passed to thekata-agent
as a command line option:kata-agent -c agent-configuration.toml
We expect this file to be added to the guest primary root filesystem (initramfs or virtio-block device). As a consequence, confidential computing technologies would include that configuration file as part of their verified TCB measurements. In other words, an attested guest could only start its kata-agent through a verified configuration file.
Goals
Although a
kata-agent
runtime configuration file could be used to extensively customize the agent's behaviour, the primary and initial goal of that proposal is to use it as a runtime definition of the supported agent gRPC API, in order to meet and build the confidential computing threat model.In other words the goals of that proposal are:
kata-agent
binary to use an optional configuration filekata-agent
command line parameters to the configuration file. The command line parameters would overwrite the configuration file ones.Configuration file format
For consistency sake with the other
kata-containers
components, we propose for the agent configuration file to use the TOML format.API section
The
kata-agent
configuration file would contain an[api]
section. The section would then contain ablocked_endpoints
entry describing the blocked gRPC endpoints as a string list.Each entry in the
blocked_endpoints
list should map exactly to one of the agent gRPC service method defined in the AgentService proto file.The agent should fail to start if one or more entry in the
blocked_endpoints
does not map to anAgentService
method.Sample
The text was updated successfully, but these errors were encountered: