coco kbs image enc/dec
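#!/bin/bash
# Demo flow: encrypt a container image through the CoCo keyprovider (no
# attestation involved), register the data key in a local KBS, then decrypt the
# image again via the attestation-agent using the dummy attester.
#
# Requires: pass, docker, skopeo, jq, openssl, cargo, plus checkouts of
# attestation-agent and kbs under ~/dev. All daemons bind to loopback only.
# Env (optional): GHCR_USER (GHCR login name), IMAGE_REPO (registry path the
# encrypted/decrypted images are pushed to; defaults to ghcr.io/mkulke).
set -euo pipefail

ghcr_user="${GHCR_USER:-USERNAME}"
image_repo="${IMAGE_REPO:-ghcr.io/mkulke}"
encrypted_image="docker://${image_repo}/busybox_encrypted:v1"
decrypted_image="docker://${image_repo}/busybox_decrypted:v1"
keyprovider_sock="127.0.0.1:50000"
getresource_sock="127.0.0.1:50001"
kbs_socket="127.0.0.1:8080"
kbs_key_dir="/opt/confidential-containers/kbs/repository/default/key"
# Resource id the KBS serves the key under; embedded into the image annotation.
key_id="kbs://${kbs_socket}/default/key/busybox"

# Background daemons started by this script. They are killed on every exit
# path so a failing step (e.g. skopeo) does not leave cargo-built processes
# around listening on 50000/50001/8080.
declare -a service_pids=()
cleanup() {
  if (( ${#service_pids[@]} > 0 )); then
    kill "${service_pids[@]}" 2>/dev/null || true
  fi
}
trap cleanup EXIT

#######################################
# Poll until a loopback TCP port accepts connections. `cargo run` compiles
# before it starts the daemon, so the sockets are not ready when the
# process is backgrounded.
# Arguments: $1 - host:port, $2 - timeout in seconds (default 300)
# Returns:   0 once the port accepts a connection, 1 on timeout
#######################################
wait_for_socket() {
  local host_port=$1 timeout=${2:-300} i
  local host=${host_port%:*} port=${host_port##*:}
  for (( i = 0; i < timeout; i++ )); do
    if (exec 3<>"/dev/tcp/${host}/${port}") 2>/dev/null; then
      return 0
    fi
    sleep 1
  done
  printf 'timed out waiting for %s\n' "$host_port" >&2
  return 1
}

# login to GHCR (token via stdin so it never shows up in argv / ps)
pass github/token/packages | docker login ghcr.io -u "$ghcr_user" --password-stdin

# Encryption
# Provides the GRPC api for skopeo/ocicrypt. it performs no attestation
pushd ~/dev/attestation-agent/coco_keyprovider
RUST_LOG=coco_keyprovider cargo run -- --socket "$keyprovider_sock" &
keyprovider_pid=$!
service_pids+=("$keyprovider_pid")
popd
wait_for_socket "$keyprovider_sock"

cat <<EOF > ocicrypt.conf
{
  "key-providers": {
    "attestation-agent": {
      "grpc": "${keyprovider_sock}"
    }
  }
}
EOF
# skopeo/ocicrypt will consume this env
export OCICRYPT_KEYPROVIDER_CONFIG="${PWD}/ocicrypt.conf"

# Create random key; restrictive umask so the data key is never world-readable
busybox_key="${PWD}/busybox.key"
(umask 077; head -c 32 < /dev/urandom > "$busybox_key")

# Encrypt busybox image
skopeo copy \
  --insecure-policy \
  --encryption-key "provider:attestation-agent:keypath=${busybox_key}::keyid=${key_id}::algorithm=A256GCM" \
  docker://busybox \
  "$encrypted_image"

# Kill keyprovider process and reap it, so the attestation-agent can bind the
# same keyprovider socket below.
kill "$keyprovider_pid"
wait "$keyprovider_pid" || true
service_pids=()

# KBS
# Copy key to KBS folder
mkdir -p "$kbs_key_dir"
cp -- "$busybox_key" "${kbs_key_dir}/busybox"
pushd ~/dev/kbs
# Create KBS key pair (private part with restrictive permissions)
(umask 077; openssl genpkey -algorithm ed25519 > kbs.key)
openssl pkey -in kbs.key -pubout -out kbs.pem
# Start KBS. --insecure-http is acceptable here because it only listens on loopback.
RUST_LOG=actix_web cargo r --bin kbs -- --socket "$kbs_socket" --insecure-http --auth-public-key ./kbs.pem &
kbs_pid=$!
service_pids+=("$kbs_pid")
popd
wait_for_socket "$kbs_socket"

# Decrypt
pushd ~/dev/attestation-agent
# Start attestation agent with KBS support and default to the dummy attester module
AA_SAMPLE_ATTESTER_TEST=1 RUST_LOG=attestation_agent cargo r --bin attestation-agent --no-default-features --features grpc,cc_kbc,openssl -- --keyprovider_sock "$keyprovider_sock" --getresource_sock "$getresource_sock" &
aa_pid=$!
service_pids+=("$aa_pid")
popd
wait_for_socket "$keyprovider_sock"

# attestation-agent extracts key resource info from the annotation, check the decoded annotation.
# should be: kbs://127.0.0.1:8080/default/key/busybox
annotated_kid=$(skopeo inspect "$encrypted_image" \
  | jq -r '.LayersData[].Annotations."org.opencontainers.image.enc.keys.provider.attestation-agent"' \
  | base64 -d \
  | jq -r .kid)
printf '%s\n' "$annotated_kid"
if [[ "$annotated_kid" != "$key_id" ]]; then
  printf 'warning: annotation kid %s differs from expected %s\n' "$annotated_kid" "$key_id" >&2
fi

# It still needs a (redundant) kbs endpoint, probably because it doesn't decode the annotation for auth, that might be a bug
skopeo copy \
  --insecure-policy \
  --decryption-key "provider:attestation-agent:cc_kbc::http://${kbs_socket}" \
  "$encrypted_image" \
  "$decrypted_image"

# stop aa and kbs processes (the EXIT trap would do this too, but be explicit)
kill "$aa_pid" "$kbs_pid"
service_pids=()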