aa_kbc_params: parse from kernel cmdlind first

In CoCo, the aa_kbc_params is still passed from the kernel cmdline and will be read in Confidential Data Hub. If we do not provide a default configuration file for CDH, a default one will set the aa_kbc_params env to offline-fs-kbc. This would make the kernel cmdline not work. As a workaround, this commit bring the kernel cmdline parsing first. The disadvantage is that we will not support to use any other aa_kbc_params if we already set the kernel cmdline. This disadvantage will be covered once initdata is implemented. Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 · Mar 19, 2024 · 172fe9f · 172fe9f
1 parent fa1c266
commit 172fe9f
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/attestation-agent/attestation-agent/src/config/aa_kbc_params.rs b/attestation-agent/attestation-agent/src/config/aa_kbc_params.rs
@@ -19,6 +19,8 @@ pub enum ParamError {
     Io(#[from] std::io::Error),
     #[error("no `agent.aa_kbc_params` provided in kernel commandline")]
     MissingInCmdline,
+    #[error("`aa_kbc_params` not configured correctly")]
+    NotProvided,
 }
 
 pub struct AaKbcParams {
@@ -56,19 +58,24 @@ impl TryFrom<String> for AaKbcParams {
 }
 
 async fn get_value() -> Result<String, ParamError> {
-    // first check env
+    // first check kernel cmdline
+    if let Ok(params) = from_cmdline().await {
+        debug!("get aa_kbc_params from kernel cmdline");
+        return Ok(params);
+    }
+
+    // second check env
     if let Ok(params) = env::var("AA_KBC_PARAMS") {
         debug!("get aa_kbc_params from env.");
         return Ok(params);
     }
 
-    // second check whether we are in a peer pod
+    // third check whether we are in a peer pod
     if Path::new(PEER_POD_CONFIG_PATH).exists() {
         return from_config_file().await;
     }
 
-    // finally use the kernel cmdline
-    from_cmdline().await
+    Err(ParamError::NotProvided)
 }
 
 pub async fn get_params() -> Result<AaKbcParams, ParamError> {
@@ -99,7 +106,6 @@ async fn from_config_file() -> Result<String, ParamError> {
 }
 
 async fn from_cmdline() -> Result<String, ParamError> {
-    debug!("get aa_kbc_params from kernel cmdline");
     let cmdline = fs::read_to_string("/proc/cmdline").await?;
     let value = cmdline
         .split_ascii_whitespace()