policy: do not set policy to open door if none is provided #1572
anmaxvl merged 1 commit into microsoft:main from
Conversation
Currently hcsshim is setting an allow-all open door policy if no security policy has been provided. On the host side, the security policy is hashed and used as HostData when starting an SNP-uVM. However, the guest receives the aforementioned "open_door" policy and computes a hash over it. As a result, this hash doesn't match the LaunchData which is returned by the attestation report and, rightfully so, GCS rejects the security policy. Fix this by not special-handling an empty security policy on the host side and letting the guest decide what to do with it, thus ensuring that both host and guest compute the hash over the same thing. Signed-off-by: Maksim An <maksiman@microsoft.com>
helsaawy left a comment:
This means that now we would have to set a default policy if one isn't provided in uvmboot, since the guest may default to something that isn't the open door policy?
The guest should handle an empty security policy and enforcer properly.
```go
if policy == "" {
	openDoorPolicy := securitypolicy.NewOpenDoorPolicy()
	policyString, err := openDoorPolicy.EncodeToString()
	if err != nil {
		return err
	}
	policy = policyString
}
```
Should there at least be a check that policy isn't empty? Or do you end up with a deny all if policy is empty?
The default policy set will be determined by -initial-policy-stance flag that GCS binary accepts. In SNP case, we'll set it to deny. This PR enables the scenario where we want to boot from a VMGS file, but don't need a security policy. e.g. for debugging purposes or what not.
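The mismatch described in the PR description, and the guest-side default discussed in this thread, as an added illustration that is not part of hcsshim or GCS: the host derives HostData from the policy string, the guest hashes the policy it was actually handed and compares it with the HostData in the attestation report, and substituting the open-door policy on the host after HostData was derived makes the two sides hash different bytes. SHA-256 as the measurement, the ordering of substitution versus HostData derivation, the open-door string, and the stance value are all assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the encoded open-door policy; the real string comes
// from securitypolicy.NewOpenDoorPolicy().EncodeToString() and is not reproduced.
const openDoorPolicy = "constructed:open_door_policy"

// policyHash is the measurement both sides compute over the policy string.
// SHA-256 is an assumption here; its 32-byte digest matches the size of SNP HostData.
func policyHash(policy string) string {
	sum := sha256.Sum256([]byte(policy))
	return hex.EncodeToString(sum[:])
}

// launchBeforeFix models the host behaviour the PR removes: HostData is derived
// from the policy the caller supplied, but an empty policy is then swapped for
// the open-door policy before it is handed to the guest (ordering assumed).
func launchBeforeFix(policy string) (hostData, delivered string) {
	hostData = policyHash(policy)
	delivered = policy
	if delivered == "" {
		delivered = openDoorPolicy
	}
	return hostData, delivered
}

// launchAfterFix models the host behaviour after the PR: no substitution, so
// HostData and the delivered policy are derived from the same bytes.
func launchAfterFix(policy string) (hostData, delivered string) {
	return policyHash(policy), policy
}

// guestVerify is the check the guest performs: hash the policy it received and
// compare it with the HostData carried in the attestation report.
func guestVerify(reportedHostData, delivered string) bool {
	return policyHash(delivered) == reportedHostData
}

// guestEffectivePolicy applies the default described in the thread: an empty
// policy falls back to the guest's initial stance (deny in the SNP case).
func guestEffectivePolicy(delivered, initialStance string) string {
	if delivered == "" {
		return initialStance
	}
	return delivered
}

func main() {
	for _, policy := range []string{"", "constructed:custom_policy"} {
		hd, d := launchBeforeFix(policy)
		fmt.Printf("before fix, policy=%q: guest accepts=%v\n", policy, guestVerify(hd, d))
		hd, d = launchAfterFix(policy)
		fmt.Printf("after fix,  policy=%q: guest accepts=%v effective=%q\n",
			policy, guestVerify(hd, d), guestEffectivePolicy(d, "deny"))
	}
}
```

Only the empty-policy case differs between the two host paths; a caller that supplies a real policy verifies either way, which is why the defect only surfaced when no policy was given.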