Read pccs_url from env var

Author: kvinwang

Cargo.lock

@@ -116,7 +116,7 @@ default-net = "0.22.0"
 # Cryptography/Security
 aes-gcm = "0.10.3"
 curve25519-dalek = "4.1.3"
-dcap-qvl = "0.2.2"
+dcap-qvl = "0.2.4"
 elliptic-curve = { version = "0.13.8", features = ["pkcs8"] }
 getrandom = "0.3.1"
 hkdf = "0.12.4"

Cargo.toml

@@ -1,5 +1,10 @@
 #!/bin/bash
 
+HOST_SHARED_DIR="/dstack/.host-shared"
+SYS_CONFIG_FILE="$HOST_SHARED_DIR/.sys-config.json"
+CFG_PCCS_URL=$([ -f "$SYS_CONFIG_FILE" ] && jq -r '.pccs_url//""' "$SYS_CONFIG_FILE" || echo "")
+export PCCS_URL=${PCCS_URL:-$CFG_PCCS_URL}
+
 if [ $(jq 'has("pre_launch_script")' app-compose.json) == true ]; then
     echo "Running pre-launch script"
     tdxctl notify-host -e "boot.progress" -d "pre-launch" || true

basefiles/app-compose.sh

@@ -25,6 +25,7 @@ struct SyncClient {
     ca_cert_pem: String,
     app_id: Vec<u8>,
     timeout: Duration,
+    pccs_url: Option<String>,
 }
 
 impl SyncClient {
@@ -43,6 +44,7 @@ impl SyncClient {
                 .tls_client_key(self.key_pem.clone())
                 .tls_ca_cert(self.ca_cert_pem.clone())
                 .tls_built_in_root_certs(false)
+                .maybe_pccs_url(self.pccs_url.clone())
                 .cert_validator(Box::new(move |cert| {
                     let cert = cert.context("TLS cert not found")?;
                     let remote_app_id = cert.app_id.context("App id not found")?;
@@ -112,6 +114,7 @@ pub(crate) async fn sync_task(
             ca_cert_pem: keys.certificate_chain.last().cloned().unwrap_or_default(),
             app_id: my_app_id,
             timeout: config.sync.timeout,
+            pccs_url: config.pccs_url.clone(),
         }
     } else {
         SyncClient {
@@ -121,6 +124,7 @@ pub(crate) async fn sync_task(
             ca_cert_pem: "".into(),
             app_id: vec![],
             timeout: config.sync.timeout,
+            pccs_url: config.pccs_url.clone(),
         }
     };
 

gateway/src/main_service/sync_client.rs

@@ -31,6 +31,7 @@ services:
       - ACME_STAGING=${ACME_STAGING}
       - SUBNET_INDEX=${SUBNET_INDEX}
       - RUST_LOG=info,certbot=debug
+      - PCCS_URL=${PCCS_URL}
     restart: always
 
 volumes:

gateway/tapp/docker-compose.yaml

@@ -21,7 +21,6 @@ mandatory = false
 [core]
 cert_dir = "/etc/kms/certs"
 subject_postfix = ".dstack"
-pccs_url = "https://api.trustedservices.intel.com/tdx/certification/v4"
 
 [core.auth_api]
 type = "webhook"

kms/kms.toml

@@ -80,6 +80,7 @@ impl OnboardRpc for OnboardHandler {
             &request.source_url,
             &request.domain,
             self.state.config.onboard.quote_enabled,
+            self.state.config.pccs_url.clone(),
         )
         .await
         .context("Failed to onboard")?;
@@ -171,14 +172,19 @@ impl Keys {
         })
     }
 
-    async fn onboard(other_kms_url: &str, domain: &str, quote_enabled: bool) -> Result<Self> {
+    async fn onboard(
+        other_kms_url: &str,
+        domain: &str,
+        quote_enabled: bool,
+        pccs_url: Option<String>,
+    ) -> Result<Self> {
         let kms_client = RaClient::new(other_kms_url.into(), true)?;
         let mut kms_client = KmsClient::new(kms_client);
 
         if quote_enabled {
             let tmp_ca = kms_client.get_temp_ca_cert().await?;
             let (ra_cert, ra_key) = gen_ra_cert(tmp_ca.temp_ca_cert, tmp_ca.temp_ca_key).await?;
-            let ra_client = RaClient::new_mtls(other_kms_url.into(), ra_cert, ra_key)
+            let ra_client = RaClient::new_mtls(other_kms_url.into(), ra_cert, ra_key, pccs_url)
                 .context("Failed to create client")?;
             kms_client = KmsClient::new(ra_client);
         }

kms/src/onboard_service.rs

@@ -19,6 +19,7 @@ services:
       - PORT=8000
       - ETH_RPC_URL=${ETH_RPC_URL}
       - KMS_CONTRACT_ADDR=${KMS_CONTRACT_ADDR}
+      - PCCS_URL=${PCCS_URL}
     restart: unless-stopped
 
   kms:

kms/tapp/compose-dev.yaml

@@ -92,13 +92,19 @@ impl RaClient {
             .context("failed to create client")
     }
 
-    pub fn new_mtls(remote_uri: String, cert_pem: String, key_pem: String) -> Result<Self> {
+    pub fn new_mtls(
+        remote_uri: String,
+        cert_pem: String,
+        key_pem: String,
+        pccs_url: Option<String>,
+    ) -> Result<Self> {
         RaClientConfig::builder()
             .tls_no_check(true)
             .tls_built_in_root_certs(false)
             .remote_uri(remote_uri)
             .tls_client_cert(cert_pem)
             .tls_client_key(key_pem)
+            .maybe_pccs_url(pccs_url)
             .build()
             .into_client()
             .context("failed to create client")

ra-rpc/src/client.rs

@@ -1,5 +1,7 @@
 //! Attestation functions
 
+use std::borrow::Cow;
+
 use anyhow::{anyhow, bail, Context, Result};
 use dcap_qvl::quote::Quote;
 use qvl::{
@@ -294,7 +296,15 @@ impl Attestation {
         if &self.decode_report_data()? != report_data {
             bail!("report data mismatch");
         }
-        let report = qvl::collateral::get_collateral_and_verify(quote, pccs_url)
+        let mut pccs_url = Cow::Borrowed(pccs_url.unwrap_or_default());
+        if pccs_url.is_empty() {
+            // try to read from PCCS_URL env var
+            pccs_url = match std::env::var("PCCS_URL") {
+                Ok(url) => Cow::Owned(url),
+                Err(_) => Cow::Borrowed(""),
+            };
+        }
+        let report = qvl::collateral::get_collateral_and_verify(quote, Some(pccs_url.as_ref()))
             .await
             .context("Failed to get collateral")?;
         if let Some(report) = report.report.as_td10() {