Skip to content

Implement Confidential Computing #650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 34 commits into from
Jul 5, 2024
Merged

Implement Confidential Computing #650

merged 34 commits into from
Jul 5, 2024

Conversation

@olethanh
Copy link
Collaborator

@olethanh olethanh commented Jul 3, 2024

No description provided.

nesitor and others added 30 commits June 12, 2024 18:07
@nesitor
Implement Start Confidential endpoint (#627)
2b30a6a 
* Problem: The server don't have a directory to save the platform certificates generated by sevctl.

Solution: Set that directory field on settings class and ensure to create the folder on initialization step.

* Problem: The aren't an endpoint to be able to get the confidential platform certificates to start the VM key exchange.

Solution: Create that endpoint and return the platform certificates generated by the `sevctl` command.

* Fix: Solved code quality issues.

* Fix: Added 2 test cases for that endpoint.

* Fix: Added PR suggestions.

* Fix: Modified test mock to let the tests work

* Problem: Now isn't possible as a VM operator to get the client session certificates to initialize a confidential VM.

Solution: Create an operator start endpoint that receive the confidential session files and starts the qemu VM to continue with the certificate exchange methods.

* Fix: Remove useless aiofiles import

* Fix: Solve test issues after code quality fixes

* Fix: Solve code quality issues.

* Fix: Solve code quality issues.

* Fix: Write file in sync mode to avoid adding a new dependency. Files to write should be so small, so any blocking issue should be here.

* Fix: Solved PR comments and wrong conditionals.

* Fix: Solved more PR comments.

* Fix: Removed unexisting import

* Fix: Added useless command requested on the PR review.

* Fix: Changed endpoint path and added automatic tests for that endpoint.

* Fix: Solved settings singleton issue with testing, adding an `initialize_settings` method.

* Fix: Just disable the setting that is failing and remove previous method to initialize the singleton.
@hoh @nesitor
Fix: CI Droplet cleanup failed when same name was used
84fec2e 
When there were multiple Droplets with the same name, cleanup using doctl compute droplet delete -f $NAME would not work.

Error: There are 3 Droplets with the name "aleph-vm-ci-XXX"; please provide a specific Droplet ID. [425559566, 425702949, 425703724]
(cherry picked from commit b824503)
@olethanh
Problem: Could not install on Python 12 via pip install -e
699ef12 
because of deps problem.
Solution : upgrade aiohttp version
@olethanh
Problem: Crash in log when VM was printing control char
e7faa53
@olethanh
Raise log level for VM termination in controller so we always display…
daef8af 
… when it finish
@olethanh
comment
67f00ae
@olethanh
Problem: Error were not properly returned in allocation endpoint
5033ce6
@olethanh
Add Qemu confidential controler implementation
5070882
@olethanh
remove duplicate endpoint
f9aa2ab
@olethanh
fix test in test_about_certificates
d008000
@olethanh @nesitor
Add TODO comment
8641539 
Co-authored-by: nesitor <[email protected]>
@olethanh
Only run Confidentifial if is_confidential
15d7565
@olethanh
Add script to build OVMF file for confidential VMs (#636)
6cce53a
@olethanh
Rename the confidential endpoints (#641)
a5128f8 
* Rename confidential endpoints

* Rename the function too and reorder

* isort
@olethanh
Merge remote-tracking branch 'origin/main' into dev-confidential
ddec01b
@olethanh
Use unified logging system for confidential
be4aa9d
@olethanh
Provide an example confidential image construction script and instruc…
5d2348c 
…tion
@olethanh
Prevent the cleanup being run twice
4de9e64 
but still works with -e
@olethanh
Problem: sudo command was not working inside the VM
d289957 
ensure the setuid bit stay preserved when copying the file"
@olethanh
remove unecesary step
48eac5d
@olethanh
More example instruction
d679128
@nesitor @olethanh
Problem: A user cannot specify which OVMF firmware want to use for th…
c5da0f6 
…ey instances.

Solution: Use new aleph-message version that includes that data schema and implement it on the qemu confidential resources.
@olethanh
Adapt example confidential message
8525323
@olethanh
fix host volume for confidential
c097567
@olethanh
Force aleph-message minimal version
76498f4
@olethanh
Correct problem in HostVolume code
47a0734
@olethanh
Merge both test_operator
95cf275
@olethanh
Fix options for HostVolume
97f343a
@nesitor
Move domain payload field to Operation token instead PubKey one (#647)
3815aa7 
* Problem: If a user wants to manage different operations for a different CRNs, they have to sign a new pubkey token for every CRN, and this is so bad for the user experience.

Solution: Move the `domain` field to the operation token payload instead the pubkey one, just to improve the user experience and maintain the security integrity.

* Fix: Solved test error message failing.

---------

Co-authored-by: Andres D. Molins <[email protected]>
@olethanh
Problem: Failing initialization of AlephQemuConfidentialInstance
dee0d25 
due to merge problem
@codecov
Copy link

codecov bot commented Jul 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 66.33166% with 134 lines in your changes missing coverage. Please review.

Project coverage is 61.74%. Comparing base (4a9eabd) to head (607b868).
Report is 2 commits behind head on main.

Files Patch % Lines
...c/aleph/vm/hypervisors/qemu_confidential/qemuvm.py 32.14% 38 Missing ⚠️
src/aleph/vm/orchestrator/views/operator.py 51.35% 33 Missing and 3 partials ⚠️
...aleph/vm/controllers/qemu_confidential/instance.py 58.57% 29 Missing ⚠️
src/aleph/vm/controllers/qemu/client.py 55.55% 16 Missing ⚠️
src/aleph/vm/controllers/__main__.py 16.66% 4 Missing and 1 partial ⚠️
src/aleph/vm/models.py 58.33% 3 Missing and 2 partials ⚠️
src/aleph/vm/orchestrator/run.py 0.00% 2 Missing ⚠️
src/aleph/vm/orchestrator/views/authentication.py 60.00% 1 Missing and 1 partial ⚠️
src/aleph/vm/pool.py 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #650      +/-   ##
==========================================
+ Coverage   61.25%   61.74%   +0.48%     
==========================================
  Files          65       68       +3     
  Lines        5603     5949     +346     
  Branches      596      624      +28     
==========================================
+ Hits         3432     3673     +241     
- Misses       2023     2124     +101     
- Partials      148      152       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@olethanh olethanh marked this pull request as ready for review July 3, 2024 15:07
@olethanh olethanh requested review from hoh and nesitor and removed request for hoh July 4, 2024 07:36
@olethanh olethanh force-pushed the dev-confidential branch from c74e59d to d63bc6d Compare July 4, 2024 08:08
nesitor
nesitor approved these changes Jul 4, 2024
View reviewed changes
Copy link
Member

@nesitor nesitor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@olethanh olethanh force-pushed the dev-confidential branch from 7e8fadb to a814e74 Compare July 5, 2024 10:33
@olethanh olethanh merged commit 67ae732 into main Jul 5, 2024
@Psycojoker Psycojoker deleted the dev-confidential branch July 24, 2024 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nesitor nesitor nesitor approved these changes

@hoh hoh Awaiting requested review from hoh

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@olethanh @nesitor @hoh