example-setup: updated scripts and vm

Signed-off-by: Simon Ott <simon.ott@aisec.fraunhofer.de>

Author: smo4201

bin/cmc-docker

@@ -11,6 +11,7 @@ uidn=$(id -un)
 gidn=$(id -gn)
 
 name="cmc$(printf "%s" "${dir}" | tr '/' '-')"
+hostname="cmc-docker"
 
 qgs_path="/var/run/tdx-qgs"
 
@@ -24,6 +25,8 @@ if [[ -z "$(docker images -q ${name})" ]]; then
     docker build --no-cache --tag "${name}" -f "${dir}/example-setup/docker/cmc.dockerfile" .
 fi
 
+test -c "/dev/tpm0" && tpm0="--device /dev/tpm0" || tpm0=""
+test -c "/dev/tpmrm0" && tpmrm0="--device /dev/tpmrm0" || tpmrm0=""
 test -c "/dev/kvm" && kvm="--device /dev/kvm" || kvm=""
 test -c "/dev/sev" && sev="--device /dev/sev" || sev=""
 test -c "/dev/sgx_enclave" && sgx_enclave="--device /dev/sgx_enclave" || sgx_enclave=""
@@ -35,12 +38,18 @@ if [[ -z "$(docker ps -aq -f name=${name})" ]]; then
     echo "Creating container ${name}.."
     docker create \
     --name "${name}" \
+    --hostname "${hostname}" \
     -it \
     --mount type=bind,src="${dir}",dst="${dir}" \
+    --mount type=bind,src=/sys/kernel/security,dst=/sys/kernel/security,ro \
+    --cap-add SYS_ADMIN \
+    --security-opt apparmor=unconfined \
+    --security-opt seccomp=unconfined \
     --network "${name}" \
     -p 9955:9955 \
     -p 4443:4443 \
     ${kvm} \
+    ${tpm0} ${tpmrm0} \
     ${sev} \
     ${sgx_enclave} \
     ${sgx_provision} \
@@ -60,12 +69,10 @@ if [[ -z "$(docker ps -q -f name=${name})" ]]; then
     docker exec "${name}" chown "${uid}":"${gid}" /dev/sev || true
     docker exec "${name}" chown "${uid}":"${gid}" /dev/sgx_enclave || true
     docker exec "${name}" chown "${uid}":"${gid}" /dev/sgx_provision || true
-    docker exec \
-    --user "${uid}":"${gid}" \
-    --env HOME="${HOME}" \
-    --env PATH="/usr/bin:/usr/local/go/bin:$HOME/go/bin:${dir}/bin" \
-    --workdir "${dir}/cmc" \
-    "${name}" sh -c "go build ./... && go install ./..."
+    # Required for reading measurement logs
+    docker exec "${name}" sh -c \
+        "u=\$(getent passwd ${uid} | cut -d: -f1) && \
+        echo \"\$u ALL=(ALL) NOPASSWD:ALL\" > /etc/sudoers.d/\$u"
 fi
 
 # Run specified command

bin/generate-app-manifest-tpm

@@ -45,9 +45,8 @@ referenceValues=$("${mrtool[@]}" parse ima --mrs 10)
 json=$(cat "${input}/manifest.json")
 
 # App Manifest: Insert reference values
-while IFS= read -r element; do
-    json=$(echo "${json}" | jq --argjson element "${element}" '.referenceValues += [$element]')
-done < <(echo "${referenceValues}" | jq -c '.[]')
+json=$(jq -n --argjson base "$json" --slurpfile ver <(printf '%s' "$referenceValues") '$base | .referenceValues += $ver[0]')
+
 
 # App Manifest: Set other properties
 setjson "json" "name"                  "${name}"

bin/generate-metadata-container

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euo pipefail
+
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+dir="$(CDPATH='' cd -- "$(dirname -- "$0")/.." && pwd -P)"
+source "${dir}/bin/utils.sh"
+
+bin="${dir}/bin"
+
+"${bin}/generate-image-description" "tpm-test-image"
+
+"${bin}/generate-rtm-manifest-tpm"
+
+"${bin}/generate-os-manifest-tpm"
+
+"${bin}/generate-app-manifest-tpm"
+
+"${bin}/generate-container-manifest" "docker" "ubuntu:24.04"

bin/generate-metadata-tpm

@@ -15,5 +15,3 @@ bin="${dir}/bin"
 "${bin}/generate-os-manifest-tpm"
 
 "${bin}/generate-app-manifest-tpm"
-
-"${bin}/generate-container-manifest" "docker" "ubuntu:24.04"

bin/generate-os-manifest-tpm

@@ -68,7 +68,7 @@ json=$(echo "${json}" | jq ".details.os = \"${os}\"")
 
 # Insert reference values in the OS Manifest
 json=$(echo "${json}" | jq 'del(.referenceValues[])')
-json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+json=$(jq -n --argjson base "$json" --slurpfile ver <(printf '%s' "$referenceValues") '$base | .referenceValues += $ver[0]')
 
 # Save manifest
 echo "Writing ${out}/rtm.manifest.json"

bin/generate-rtm-manifest-tpm

@@ -39,12 +39,6 @@ mkdir -p "${out}"
 
 echo "Using ${data} as directory for local data"
 
-# Retrieve platform details
-set +e
-firmware="Lenovo"
-bootloader=$(grub-install --version)
-set -e
-
 # Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
 referenceValues=$("${mrtool[@]}" parse tpm --mrs 0,1,2,3,4,5,6,7)
 
@@ -63,13 +57,9 @@ setjson "json" "description"           "RTM Manifest"
 setarr  "json" "baseLayers"            "${name}"
 setjson "json" "certLevel"             3
 
-# Insert platform details
-json=$(echo "${json}" | jq ".details.firmware = \"${firmware}\"")
-json=$(echo "${json}" | jq ".details.bootloader = \"${bootloader}\"")
-
 # Replace existing reference values with new reference values in the RTM Manifest
 json=$(echo "${json}" | jq 'del(.referenceValues[])')
-json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+json=$(jq -n --argjson base "$json" --slurpfile ver <(printf '%s' "$referenceValues") '$base | .referenceValues += $ver[0]')
 
 # Save the RTM manifest
 echo "Writing ${out}/rtm.manifest.json"

bin/setup-cmc

@@ -63,8 +63,21 @@ fi
 echo "Using CMC: ${cmc}"
 echo "Using ${data} as directory for local data"
 
-# Build CMC
-echo "Building CMC"
+# Install CMC
+echo "Installing CMC"
+go install -C "${dir}/cmcd"
+go install -C "${dir}/cmcctl"
+go install -C "${dir}/provision/estserver"
+go install -C "${dir}/tools/mrtool"
+go install -C "${dir}/tools/metaconv"
+go install -C "${dir}/tools/metasign"
+go install -C "${dir}/tools/tdxtool"
+go install -C "${dir}/tools/snptool"
+go install -C "${dir}/tools/tdxtool"
+go install -C "${dir}/tools/cmcbackend"
+
+# Build CMC to be present in local folders
+echo "Locally Building CMC"
 go build -C "${dir}/cmcd"
 go build -C "${dir}/cmcctl"
 go build -C "${dir}/provision/estserver"
@@ -74,6 +87,7 @@ go build -C "${dir}/tools/metasign"
 go build -C "${dir}/tools/tdxtool"
 go build -C "${dir}/tools/snptool"
 go build -C "${dir}/tools/tdxtool"
+go build -C "${dir}/tools/cmcbackend"
 
 # Create a folder for the cmc configuration and metadata
 mkdir -p "${data}"

bin/vm-update-cmcd

@@ -18,7 +18,7 @@ vm-ssh systemctl stop cmcd
 vm-ssh systemctl stop cmcctl
 
 # Remove cmc internal folder to enforce generation of new certs
-vm-ssh rm -r /var/cmc/internal
+vm-ssh rm -rf /var/cmc/internal
 
 # Copy new binaries into VM
 vm-scp cmcd/cmcd vm-ubuntu:/usr/bin/

bin/vm-update-metadata

@@ -27,11 +27,13 @@ fi
 
 sign-metadata json
 
+mkdir -p "${dir}/example-setup/vm-config/vm-metadata/"
+
 cp "${dir}/data/metadata-signed/"* "${dir}/example-setup/vm-config/vm-metadata/"
 cp "${dir}/data/pki/ca.pem" "${dir}/example-setup/vm-config/metadata-ca.pem"
 
 # Delete cmc internal data to enforce new certificate generation
-vm-ssh rm -r /var/cmc
+vm-ssh rm -rf /var/cmc
 
 # Restarting cmcd is required for fetching the updated metadata
 vm-ssh systemctl restart cmcd

doc/run.md

@@ -34,49 +34,52 @@ The cmcctl can run the following commands, specified via the first parameter or
 
 ```sh
 # Start the EST server that supplies the certificates and metadata for the cmcd
-./estserver -config cmc-data/est-server-conf.json
+estserver -config example-setup/configs/installed/est-server-conf.json
 ```
 
 #### Run the cmcd
 
 ```sh
-# Build and run the cmcd
-./cmcd -config cmc-data/cmcd-conf.json
+# Run the cmcd
+cmcd -config example-setup/configs/installed/cmcd-conf.json
+
+# NOTE: for setups that require root, e.g., to access the tpm, make sure the installed go binaries
+# are found:
+sudo env PATH="$HOME/go/bin:$PATH" cmcd -config example-setup/configs/installed/cmcd-conf.json
 ```
 
 #### Generate and Verify Attestation Reports
 
 ```sh
 # Run cmcctl to retrieve an attestation report (stored in current folder unless otherwise specified)
-./cmcctl -mode generate
+cmcctl generate -config example-setup/configs/installed/cmcctl-conf.json
 
 # Run cmcctl to verify the attestation report (stored in current folder unless otherwise specified)
-./cmcctl -mode verify -ca cmc-data/pki/ca.pem
+cmcctl verify -config example-setup/configs/installed/cmcctl-conf.json
 ```
 
 #### Establish Attested TLS Connections
 
 ```sh
 
 # Run an attested TLS server
-./cmcctl -mode listen -addr 0.0.0.0:4443 -ca cmc-data/pki/ca.pem -mtls
+cmcctl listen -config example-setup/configs/installed/cmcctl-conf.json -addr "$(hostname --fqdn):4443"
 
 # Run an attested TLS client estblishing a mutually attested TLS connection to the server
-./cmcctl -mode dial -addr localhost:4443 -ca cmc-data/pki/ca.pem -mtls
+cmcctl dial -config example-setup/configs/installed/cmcctl-conf.json -addr "$(hostname --fqdn):4443"
 ```
 
 #### Establish Attested HTTPS Connections
 
 ```sh
 # Run two attested HTTPS servers
-./cmcctl -config cmcctl-config.json -addr 0.0.0.0:8081 -mode serve
+cmcctl serve -config example-setup/configs/installed/cmcctl-conf.json -addr "$(hostname --fqdn):8082"
 
 # Perform multiple user-specified attested HTTPS requests to both servers. Each connection is
 # attested, while multiple requests to the same server use the established attested TLS connections
-./cmcctl \
-    -config ../data/cmcctl-config.json \
-    -addr https://localhost:8081/post,https://localhost:8082/post \
-    -mode request \
+cmcctl request \
+    -config example-setup/configs/installed/cmcctl-conf.json \
+    -addr "https://$(hostname --fqdn):8082" \
     -method POST \
     -data "hello from attested HTTPS client" \
     -header "Content-Type: text/plain"