Commit a90470b5 authored by Robert Schambach's avatar Robert Schambach

Adjust overall tls and policy setup

parent 0b0b87d6
......@@ -34,7 +34,7 @@ spec:
#- name: SCONE_ALLOW_DLOPEN
#value: 2
- name: SCONE_CONFIG_ID
value: database_simpleclient_31677-21385-28494/serve
value: database_simpleclient_3936-9073-27801/serve
- name: SCONE_CAS_ADDR
value: 5-0-0.scone-cas.cf
- name: SCONE_LAS_ADDR
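Review bot: The SCONE_CONFIG_ID value `database_simpleclient_3936-9073-27801/serve` is a hand-copied session name that upload_policies.sh regenerates from `$RANDOM-$RANDOM-$RANDOM` on every run, so this manifest goes stale each time the policies are re-uploaded; the same applies to `memcached_policy_3936-9073-27801/memcached` in the memcached deployment. The commented-out `$MC_POLICY/memcached` form in that hunk suggests the value was meant to be substituted from myenv (`SIMPLE_CLIENT_CONFIG_ID`, `MEMCACHED_CONFIG_ID`) at deploy time, for example via envsubst or a Helm value, rather than committed. Until then, a comment such as `# keep in sync with SIMPLE_CLIENT_CONFIG_ID in myenv` above the value would at least flag the coupling. The container spec continues outside the hunk.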
......
......@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: memcached-scone
image: registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls
image: registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls-protected
imagePullPolicy: Always
# command:
# - bash
......@@ -27,8 +27,12 @@ spec:
containerPort: 11211
protocol: TCP
env:
#- name: SCONE_CONFIG_ID
#value: $MC_POLICY/memcached
- name: SCONE_HEAP
value: 2G
- name: SCONE_ALLOW_DLOPEN
value: "2"
- name: SCONE_CONFIG_ID
value: memcached_policy_3936-9073-27801/memcached
- name: SCONE_CAS_ADDR
value: "5-0-0.scone-cas.cf"
- name: SCONE_LAS_ADDR
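Review bot: The new `SCONE_HEAP: 2G` and `SCONE_ALLOW_DLOPEN: "2"` entries have to stay identical to the `-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2` arguments that pull_latest_images.sh passes to get_mrenclave for MRENCLAVE_MEMCACHED; the script's use of them implies they feed into the measurement, yet nothing in the manifest records that coupling, so a later edit to either side would make attestation fail with no obvious cause. Suggest `# must match the -e flags used for MRENCLAVE_MEMCACHED in pull_latest_images.sh` above SCONE_HEAP. `SCONE_CAS_ADDR` is also hard-coded to `5-0-0.scone-cas.cf`, which build.sh marks as the non-production CAS; a note that it must change for production, or a substituted value, would help. The env list continues outside the hunk.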
......
......@@ -16,28 +16,28 @@ The session template for the server assumes that the bootstrap will be attested.
```bash
# Define your base MariaDB image.
export BASE_IMAGE=sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0
export MARIADB_BASE_IMAGE=sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0
# Define the image we are building. This one will be deployed to your servers.
export TARGET_IMAGE=myprivaterepo/apps:mariadb-10.4-alpine-prod
export MARIADB_TARGET_IMAGE=myprivaterepo/apps:mariadb-10.4-alpine-prod
# Download the latests images from sconecuratedimages.
./pull_latest_images.sh
# Build.
key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${BASE_IMAGE} -t ${TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
key_tag=$(docker build --no-cache --build-arg MARIADB_BASE_IMAGE=${MARIADB_BASE_IMAGE} -t ${MARIADB_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
```
Extract the key and tag and create a script that will be consumed by `upload_policies.sh`.
```bash
SCONE_FSPF_KEY=$(echo $key_tag | awk '{print $11}')
SCONE_FSPF_TAG=$(echo $key_tag | awk '{print $9}')
echo "export DB_POLICY_FSPF_KEY=$SCONE_FSPF_KEY" > fspf_variables.sh
echo "export DB_POLICY_FSPF_TAG=$SCONE_FSPF_TAG" >> fspf_variables.sh
MARIADB_SCONE_FSPF_KEY=$(echo $key_tag | awk '{print $11}')
MARIADB_SCONE_FSPF_TAG=$(echo $key_tag | awk '{print $9}')
echo "export DB_POLICY_FSPF_KEY=$MARIADB_SCONE_FSPF_KEY" > fspf_variables.sh
echo "export DB_POLICY_FSPF_TAG=$MARIADB_SCONE_FSPF_TAG" >> fspf_variables.sh
```
Finally, push your image to a registry.
```bash
docker push $TARGET_IMAGE
docker push $MARIADB_TARGET_IMAGE
```
#### Upload policies
......@@ -78,7 +78,7 @@ Now you can install the MariaDB Helm chart:
```bash
helm install $RELEASE_NAME sconeapps/mariadb-scone \
--set image=$TARGET_IMAGE \
--set image=$MARIADB_TARGET_IMAGE \
--set scone.attestation.cas=$SCONE_CAS_ADDR \
--set scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
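Review bot: The documented build command now passes `--build-arg MARIADB_BASE_IMAGE=${MARIADB_BASE_IMAGE}`, but the Dockerfile in this commit still consumes `FROM $BASE_IMAGE` and build.sh passes `--build-arg BASE_IMAGE=${MARIADB_BASE_IMAGE}`, so a reader following the README would build from whatever default the Dockerfile has rather than the image they exported. Unless the Dockerfile's ARG was renamed outside the shown hunks, the line should read `key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${MARIADB_BASE_IMAGE} -t ${MARIADB_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")`. The README also still describes only the MariaDB build, while build.sh now builds and pushes a memcached image and appends its FSPF key and tag to fspf_variables.sh; a matching paragraph would keep the manual steps in step with the script.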
......
......@@ -31,10 +31,16 @@ images:
injection_files:
- path: /etc/mariadb-ca.crt
content: $$SCONE::MARIADB_CA_CERT.chain$$ # Use the database session's CA certificate as a trusted root CA cert. We can use chain here because we verify the session name in the DB
- path: /etc/client.crt
- path: /etc/mariadb-client.crt
content: $$SCONE::MARIADB_CLIENT_CERT.crt$$
- path: /etc/client.key
- path: /etc/mariadb-client.key
content: $$SCONE::MARIADB_CLIENT_CERT.key$$
- path: /etc/memcached-ca.crt
content: $$SCONE::MEMCACHED_CA_CERT.chain$$
- path: /etc/memcached-client.crt
content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$
- path: /etc/memcached-client.key
content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$
# Import client credentials from DB session.
secrets:
......@@ -49,3 +55,11 @@ secrets:
import:
session: $DB_SESSION
secret: MARIADB_CA_CERT
- name: MEMCACHED_CLIENT_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CLIENT_CERT
- name: MEMCACHED_CA_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CA_CERT
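Review bot: The injection paths change from `/etc/client.crt` and `/etc/client.key` to `/etc/mariadb-client.crt` and `/etc/mariadb-client.key`, but no hunk in this commit updates the client application's TLS settings to read the new names; if the consumer still opens the old paths, mutual TLS to MariaDB fails only at runtime, after a successful policy upload. Please confirm the consumer side was changed, or mark the dependency with `# path must match the client's TLS configuration` on the renamed entries. The new memcached entries inject `MEMCACHED_CA_CERT.chain` as the trusted root without the justification the MariaDB entry carries; adding the equivalent note, or stating what the memcached client verifies, would document why the full chain is acceptable here too. The images and secrets sections both continue outside the hunks.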
export DB_POLICY_FSPF_KEY=76f29bc6821a5aa217c3fa51969b26a017cb7e291718b85e97204b81211d1a25
export DB_POLICY_FSPF_TAG=060dd17dcfdc058ef06ec54d701e6444
export DB_POLICY_FSPF_KEY=6ac90bd634e070184e78a0a98f4e8361885d5761819437988f4f2d153bdb2aa1
export DB_POLICY_FSPF_TAG=95a33ee219ec7a97f479cf1c4f1b831b
export MEMCACHED_POLICY_FSPF_KEY=64c058da0cdd824ba1bd7d84327e119e4ea8be2b7a1a7ea60d0c8c356650ba13
export MEMCACHED_POLICY_FSPF_TAG=7ed8dcdb5fd6e08f55c4208d818f9b4d
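Review bot: fspf_variables.sh is a tracked file, so this hunk commits the file-system protection key and tag of both the MariaDB and the memcached image into the repository, where the values it replaces also remain retrievable from history. That undercuts the intent stated in mc_session.yml that even the data owner cannot read the volume key from CAS, because the same key is readable from git. The file is regenerated by build.sh on every build; it should be removed from version control, listed in .gitignore and consumed only as a local artefact, and the keys visible here should be treated as disclosed and replaced by rebuilding the images.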
name: $MEMCACHED_SESSION
version: "0.3"
# Access control:
# - only the data owner (CREATOR) can read or update the session
# - even the data owner cannot read the session secrets (i.e., the volume key and tag)
access_policy:
read:
- CREATOR
update:
- CREATOR
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
ignore_advisories: "*"
# Service: memcached
services:
- name: memcached
image_name: memcached_image
command: memcached --enable-ssl -o ssl_chain_cert=/tmp/server.crt,ssl_key=/tmp/server.key,ssl_ca_cert=/tmp/memcached-ca.crt,ssl_verify_mode=2 -v
mrenclaves: ["$MRENCLAVE_MEMCACHED"]
pwd: /
fspf_path: /fspf.pb
fspf_key: $MEMCACHED_POLICY_FSPF_KEY
fspf_tag: $MEMCACHED_POLICY_FSPF_TAG
# We inject the content of MEMCACHED cofiguration file including
# the certificate of the MEMCACHED as well as the CA certificate of the session
images:
- name: memcached_image
injection_files:
- path: /tmp/memcached-ca.crt
content: $$SCONE::MEMCACHED_CA_CERT.chain$$ # Export this session's CA certificate & chain
- path: /tmp/server.crt
content: $$SCONE::memcached.crt$$ # export MEMCACHED server certificate
- path: /tmp/server.key
content: $$SCONE::memcached.key$$
- path: /tmp/client.crt
content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$ # export client certificate
- path: /tmp/client.key
content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$ # export client key
# Export client credentials from MEMCACHED session.
# The client CA is the session CA of this session
secrets:
- name: memcached-key # automatically generate MEMCACHED server certificate
kind: private-key
- name: memcached # automatically generate MEMCACHED server certificate
private_key: memcached-key
issuer: MEMCACHED_CA_CERT
kind: x509
dns:
- $MEMCACHED_HOST
- name: MEMCACHED_CLIENT_KEY
kind: private-key
export:
- session: $DB_SIMPLECLIENT
- name: MEMCACHED_CLIENT_CERT # automatically generate client certificate
private_key: MEMCACHED_CLIENT_KEY
issuer: MEMCACHED_CA_CERT
common_name: MEMCACHED_CLIENT_CERT
kind: x509
export:
- session: $DB_SIMPLECLIENT # export client cert/key to upload session
- name: MEMCACHED_CA_KEY # export session CA certificate as MEMCACHED CA certificate
kind: private-key
- name: MEMCACHED_CA_CERT # export session CA certificate as MEMCACHED CA certificate
kind: x509-ca
common_name: MEMCACHED_CA
private_key: MEMCACHED_CA_KEY
export:
- session: $DB_SIMPLECLIENT # export the session CA certificate to upload session
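Review bot: The attestation block of the new memcached session tolerates `debug-mode, hyperthreading, outdated-tcb, insecure-configuration` and sets `ignore_advisories: "*"`, which accepts enclaves running in debug mode and on platforms with an unpatched TCB; that is workable for a development deployment but nothing marks it as such. Suggest a comment above `security:` such as `# DEV ONLY: tolerates debug mode and outdated TCB and ignores all advisories; tighten before production`, or substitute the list from an environment variable via `--use-env` so a production upload can override it. The memcached command also runs with `-v`, which raises the log verbosity of the enclave process; worth confirming that is intended for the protected deployment. Minor: `cofiguration` in the comment above `images:` is misspelled.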
......@@ -3,3 +3,4 @@ export MRENCLAVE_MYSQLD="1bfbc131f7abcb972c5afd27c1e9554f5d6678448c24d478f2b51f1
export MRENCLAVE_MYSQL="52908b023e66059e30f1ac5e16a91c8acd43027875a2a61113daddfd670b1376"
export MRENCLAVE_MY_PRINT_DEFAULTS="37fb68a5697ea48586d04d74f69a4cd08b152bbaa6597b5a7d92d9ef3a4581e9"
export MRENCLAVE_SIMPLECLIENT_FASTAPISERVER="2808559c02d5611b4fbf76230f5e73ddb48064830a83ffaf22a10695fac60770"
export MRENCLAVE_MEMCACHED="dabbadf48faf46d7b0200d168f4f4d04aa5d79704f69f0bdb5a15745c962ea29"
export SIMPLE_CLIENT_CONFIG_ID=database_simpleclient_31677-21385-28494
export DB_CONFIG_ID=database_policy_31677-21385-28494
export SIMPLE_CLIENT_CONFIG_ID=database_simpleclient_3936-9073-27801
export MEMCACHED_CONFIG_ID=memcached_policy_3936-9073-27801
export DB_CONFIG_ID=database_policy_3936-9073-27801
export SCONE_CAS_ADDR=5-0-0.scone-cas.cf
......@@ -17,13 +17,14 @@ function get_mrenclave {
# containing all up-to-date MRENCLAVES (can be easily exported
# into the environment).
CAS_IMAGE=${CAS_IMAGE:-"sconecuratedimages/services:cas.preprovisioned-scone5.0.0"}
MARIADB_IMAGE=${BASE_IMAGE:-"sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0"}
MARIADB_IMAGE=${MARIADB_BASE_IMAGE:-"sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0"}
FASTAPISERVER_IMAGE=${FASTAPISERVER_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
CLI_IMAGE=${CLI_IMAGE:-"sconecuratedimages/sconecli:alpine3.10-scone5.0.0"}
MEMCACHED_IMAGE=${MEMCACHED_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls"}
echo "Pulling the latest images. Make sure you have access to all of them!"
for img in $MARIADB_IMAGE $CAS_IMAGE $FASTAPISERVER_IMAGE $CLI_IMAGE; do
for img in $MARIADB_IMAGE $CAS_IMAGE $FASTAPISERVER_IMAGE $CLI_IMAGE $MEMCACHED_IMAGE; do
docker pull $img
done
......@@ -35,6 +36,7 @@ MRENCLAVE_MYSQLD=$(get_mrenclave $MARIADB_IMAGE mysqld "-e SCONE_HEAP=2G -e SCON
MRENCLAVE_MY_PRINT_DEFAULTS=$(get_mrenclave $MARIADB_IMAGE my_print_defaults "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=1 --entrypoint=""")
MRENCLAVE_MYSQL=$(get_mrenclave $MARIADB_IMAGE mysql "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=1 --entrypoint=""")
MRENCLAVE_SIMPLECLIENT_FASTAPISERVER=$(get_mrenclave $FASTAPISERVER_IMAGE python3 "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
MRENCLAVE_MEMCACHED=$(get_mrenclave $MEMCACHED_IMAGE memcached "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
cat > /tmp/mrenclaves.sh << EOF
export CAS_MRENCLAVE="$CAS_MRENCLAVE"
......@@ -42,6 +44,7 @@ export MRENCLAVE_MYSQLD="$MRENCLAVE_MYSQLD"
export MRENCLAVE_MYSQL="$MRENCLAVE_MYSQL"
export MRENCLAVE_MY_PRINT_DEFAULTS="$MRENCLAVE_MY_PRINT_DEFAULTS"
export MRENCLAVE_SIMPLECLIENT_FASTAPISERVER="$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"
export MRENCLAVE_MEMCACHED="$MRENCLAVE_MEMCACHED"
EOF
sed 's/\r//g' /tmp/mrenclaves.sh > mrenclaves.sh
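Review bot: `MEMCACHED_IMAGE` defaults to the unprotected `memcached-tls` base image and MRENCLAVE_MEMCACHED is measured from it, while the deployment manifest in this commit runs `memcached-tls-protected`; that mirrors the MariaDB pattern (measured from MARIADB_IMAGE, deployed as MARIADB_TARGET_IMAGE) and is only valid if the protected build leaves the memcached binary unchanged, which the Dockerfile hunk suggests but does not prove. A comment on the new assignment, e.g. `# measured from the base image; the -protected build must not alter the memcached binary`, would record that assumption next to the value it protects. get_mrenclave itself is defined outside the hunk.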
......
......@@ -9,6 +9,7 @@ POSTFIX=$RANDOM-$RANDOM-$RANDOM
# Set name to "" to avoid the session submission.
export DB_SESSION="database_policy_$POSTFIX"
export DB_SIMPLECLIENT="database_simpleclient_$POSTFIX"
export MEMCACHED_SESSION="memcached_policy_$POSTFIX"
# MRENCLAVEs.
# Run `pull_latest_images.sh` to export the correct, up-to-date
......@@ -58,6 +59,16 @@ if [ ! -z "$DB_SIMPLECLIENT" ]; then
unset DB_USER
fi
if [ ! -z "$MEMCACHED_SESSION" ]; then
source "${BASH_SOURCE%/*}/fspf_variables.sh"
echo "Uploading policy $MEMCACHED_SESSION (memcached)..."
scone session create --use-env "${BASH_SOURCE%/*}/mc_session.yml"
echo ""
echo "export MEMCACHED_CONFIG_ID="$MEMCACHED_SESSION"" >> "${BASH_SOURCE%/*}/myenv"
fi
if [ ! -z "$DB_SESSION" ]; then
# Server FSPF key and tag.
# This should be generated in advance, when building
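Review bot: The new memcached block runs `scone session create --use-env mc_session.yml`, and that template references `$MEMCACHED_HOST` (the server certificate's DNS name) and `$MRENCLAVE_MEMCACHED` in addition to the FSPF variables it sources; only the latter are set here, and MEMCACHED_HOST is not exported anywhere in the shown hunks. If it is unset, the server certificate is issued for an empty DNS entry or the upload fails late, so a guard such as `: "${MEMCACHED_HOST:?must be set before uploading the memcached session}"` before the create call would fail early and clearly. The `echo "export MEMCACHED_CONFIG_ID="$MEMCACHED_SESSION"" >> ...` line relies on adjacent-string concatenation; `echo "export MEMCACHED_CONFIG_ID=$MEMCACHED_SESSION" >> "${BASH_SOURCE%/*}/myenv"` reads as intended.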
......
......@@ -8,6 +8,8 @@ COPY --from=cli /opt/scone/bin/rust-cli /usr/local/bin/scone
COPY fspf.sh /
USER root
RUN SCONE_NO_FS_SHIELD=1 /fspf.sh
FROM $BASE_IMAGE
......
......@@ -9,25 +9,39 @@ set -o nounset
# Catch the error in case mysqldump fails (but gzip succeeds) in `mysqldump |gzip`
set -o pipefail
# Turn on traces, useful while debugging but commented out by default
#set -o xtrace
set -o xtrace
cd $PWD/mariadb
# Define your base MariaDB image.
export BASE_IMAGE=${BASE_IMAGE:-sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0}
export MARIADB_BASE_IMAGE=${MARIADB_BASE_IMAGE:-sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0}
# Define the image we are building. This one will be deployed to your servers.
export TARGET_IMAGE=${TARGET_IMAGE:-enterjazz/scone-test-images:mariadb}
export MARIADB_TARGET_IMAGE=${MARIADB_TARGET_IMAGE:-enterjazz/scone-test-images:mariadb}
# Download the latests images from sconecuratedimages.
export MEMCACHED_BASE_IMAGE=${MEMCACHED_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls"}
export MEMCACHED_TARGET_IMAGE=${MEMCACHED_TARGET_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls-protected"}
./pull_latest_images.sh
# Build.
key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${BASE_IMAGE} -t ${TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
mariadb_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${MARIADB_BASE_IMAGE} -t ${MARIADB_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
memcached_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${MEMCACHED_BASE_IMAGE} -t ${MEMCACHED_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
MARIADB_SCONE_FSPF_KEY=$(echo $mariadb_key_tag | awk '{print $11}')
MARIADB_SCONE_FSPF_TAG=$(echo $mariadb_key_tag | awk '{print $9}')
echo "export DB_POLICY_FSPF_KEY=$MARIADB_SCONE_FSPF_KEY" > fspf_variables.sh
echo "export DB_POLICY_FSPF_TAG=$MARIADB_SCONE_FSPF_TAG" >> fspf_variables.sh
MEMCACHED_SCONE_FSPF_KEY=$(echo $memcached_key_tag | awk '{print $11}')
MEMCACHED_SCONE_FSPF_TAG=$(echo $memcached_key_tag | awk '{print $9}')
echo "export MEMCACHED_POLICY_FSPF_KEY=$MEMCACHED_SCONE_FSPF_KEY" >> fspf_variables.sh
echo "export MEMCACHED_POLICY_FSPF_TAG=$MEMCACHED_SCONE_FSPF_TAG" >> fspf_variables.sh
docker push $MARIADB_TARGET_IMAGE
SCONE_FSPF_KEY=$(echo $key_tag | awk '{print $11}')
SCONE_FSPF_TAG=$(echo $key_tag | awk '{print $9}')
echo "export DB_POLICY_FSPF_KEY=$SCONE_FSPF_KEY" > fspf_variables.sh
echo "export DB_POLICY_FSPF_TAG=$SCONE_FSPF_TAG" >> fspf_variables.sh
docker push $MEMCACHED_TARGET_IMAGE
docker push $TARGET_IMAGE
export RELEASE_NAME=${RELEASE_NAME:-mariadb}
export SCONE_CAS_ADDR=${SCONE_CAS_ADDR:-5-0-0.scone-cas.cf} # for production use 5.0.0.scone-cas.cf
......@@ -43,7 +57,7 @@ docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LA
source myenv
helm install $RELEASE_NAME sconeapps/mariadb-scone \
--set image=$TARGET_IMAGE \
--set image=$MARIADB_TARGET_IMAGE \
--set scone.attestation.cas=$SCONE_CAS_ADDR \
--set scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
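Review bot: `set -o xtrace` is now enabled unconditionally while the comment on the line above still says it is commented out by default, so the build log prints every expanded command, including the `echo "export DB_POLICY_FSPF_KEY=..."` and `MEMCACHED_POLICY_FSPF_KEY` lines with the plaintext file-system keys, which then land in CI output and terminal scrollback. Either restore `#set -o xtrace` or gate it with `[ -n "${TRACE:-}" ] && set -o xtrace`. Independently, the trailing `SCONE_FSPF_KEY=$(echo $key_tag ...)` and `docker push $TARGET_IMAGE` lines at the end of the first hunk still reference `key_tag` and `TARGET_IMAGE`, which no longer exist after the rename; if they survive on the new side, `set -o nounset` aborts the script after the memcached push, so please confirm they are removed. Both images are also built from the same `utils/` Dockerfile and its fspf.sh step (not shown); worth confirming that step is appropriate for memcached as well as MariaDB.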
......