Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

con-con: write policy, reference info and cert to container's rootfs #1708

Merged
merged 3 commits into from
Apr 5, 2023
Merged

con-con: write policy, reference info and cert to container's rootfs #1708

merged 3 commits into from
Apr 5, 2023

Conversation

anmaxvl
Copy link
Contributor

@anmaxvl anmaxvl commented Mar 24, 2023

Due to execve limitation on the size of environment variable, write the base64 encoded security policy, UVM reference info and host AMD certificate to container's rootfs.

Update existing test accordingly.

@anmaxvl anmaxvl requested a review from a team as a code owner March 24, 2023 21:32
@anmaxvl
con-con: write policy, reference info and cert to container's rootfs
c3577f5 
Due to `execve` limitation on the size of environment variable, write the
base64 encoded security policy, UVM reference info and host AMD certificate
to container's rootfs.

Update existing test accordingly.

Signed-off-by: Maksim An <maksiman@microsoft.com>
matajoh
matajoh suggested changes Mar 30, 2023
View reviewed changes
pkg/securitypolicy/securitypolicy.go Outdated Show resolved Hide resolved
@anmaxvl anmaxvl force-pushed the confidential-env-as-mounts branch from badd28f to 6564c06 Compare April 1, 2023 00:09
@anmaxvl
pr feedback: put measurement files into unique directory
354520c 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl anmaxvl force-pushed the confidential-env-as-mounts branch from 6564c06 to 354520c Compare April 4, 2023 15:52
helsaawy
helsaawy reviewed Apr 4, 2023
View reviewed changes
Copy link
Contributor

@helsaawy helsaawy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor feedback

internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
helsaawy
helsaawy reviewed Apr 4, 2023
View reviewed changes
Copy link
Contributor

@helsaawy helsaawy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor feedback

@anmaxvl
pr feedback
79263aa 
Signed-off-by: Maksim An <maksiman@microsoft.com>
msscotb
msscotb approved these changes Apr 5, 2023
View reviewed changes
Copy link
Contributor

@msscotb msscotb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@anmaxvl anmaxvl merged commit b0a82cb into microsoft:main Apr 5, 2023
@anmaxvl anmaxvl deleted the confidential-env-as-mounts branch April 5, 2023 16:04
@jumaffre jumaffre mentioned this pull request Apr 6, 2023
Closed
@KenGordon KenGordon mentioned this pull request Apr 6, 2023
Merged
KenGordon added a commit to microsoft/archived-confidential-sidecar-containers that referenced this pull request Apr 19, 2023
@KenGordon
Support file rather than env based scheme to acquire policy, uvm info…
1d09a65 
… and certs. (#23)

Support file rather than env based scheme to acquire policy, uvm info and certs.

To match microsoft/hcsshim#1708

This PR supports both methods to decouple testing/deployment. There will be a subsequent PR to remove support for the environment variable scheme.

---------

Signed-off-by: Ken Gordon <ken.gordon@microsoft.com>
@jumaffre jumaffre mentioned this pull request Apr 21, 2023
Merged
princepereira pushed a commit to princepereira/hcsshim that referenced this pull request Aug 29, 2024
@anmaxvl
con-con: write policy, reference info and cert to container's rootfs (m…
c4bda99 
…icrosoft#1708)

Due to `execve` limitation on the size of environment variable, write the
base64 encoded security policy, UVM reference info and host AMD certificate
to container's rootfs.

Update existing test accordingly.

Signed-off-by: Maksim An <maksiman@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matajoh matajoh matajoh requested changes

@helsaawy helsaawy helsaawy approved these changes

@msscotb msscotb msscotb approved these changes

Assignees

@msscotb msscotb

@helsaawy helsaawy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@anmaxvl @matajoh @msscotb @helsaawy