CDH: skip KBC configuration if is given by aa_kbc_params

In CoCo, the aa_kbc_params is still passed from the kernel cmdline and will be read in Confidential Data Hub. If we do not provide a default configuration file for CDH, a default one will set the aa_kbc_params env to offline-fs-kbc. This would make the kernel cmdline not work. This fix checks if aa_kbc_params is given. If so, skip the logic of setting env to allow the original aa_kbc_params to work. Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Mar 19, 2024 · d728486 · d728486
1 parent 47cb96b
commit d728486
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
@@ -39,7 +39,7 @@ ttrpc-codegen = { workspace = true, optional = true }
 rstest.workspace = true
 
 [features]
-default = ["kbs"]
+default = ["kbs", "bin"]
 
 # support aliyun stacks (KMS, ..)
 aliyun = ["image/aliyun", "secret/aliyun"]
@@ -53,4 +53,4 @@ sev = ["attestation-agent", "image/sev", "kms/sev", "dep:sev", "secret/sev"]
 # support eHSM stacks (KMS, ...)
 ehsm = ["image/ehsm", "secret/ehsm"]
 
-bin = ["anyhow", "clap", "config", "env_logger", "protobuf", "serde", "tokio/signal", "ttrpc", "ttrpc-codegen"]
+bin = ["anyhow", "attestation-agent", "clap", "config", "env_logger", "protobuf", "serde", "tokio/signal", "ttrpc", "ttrpc-codegen"]
diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/config.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/config.rs
@@ -7,7 +7,7 @@ use std::env;
 
 use anyhow::*;
 use config::{Config, File};
-use log::warn;
+use log::{debug, warn};
 use serde::Deserialize;
 use tokio::fs;
 
@@ -120,11 +120,15 @@ impl CdhConfig {
 
 impl CdhConfig {
     pub fn set_configuration_envs(&self) {
-        // KBS configurations
-        env::set_var(
-            "AA_KBC_PARAMS",
-            format!("{}::{}", self.kbc.name, self.kbc.url),
-        );
+        if let Err(_) = attestation_agent::config::aa_kbc_params::get_value() {
+            debug!("No aa_kbc_params provided in kernel cmdline, env and peerpod config.");
+            // KBS configurations
+            env::set_var(
+                "AA_KBC_PARAMS",
+                format!("{}::{}", self.kbc.name, self.kbc.url),
+            );
+        }
+
         if let Some(kbs_cert) = &self.kbc.kbs_cert {
             env::set_var("KBS_CERT", kbs_cert);
         }