Remove EnableSignedContainerCache + EnableMeasureMemoryMonitor from c…

…ontainer launcher
google · Oct 1, 2024 · 54db991 · 54db991
1 parent 78eb710
commit 54db991
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 53 deletions.
diff --git a/launcher/agent/agent.go b/launcher/agent/agent.go
@@ -136,12 +136,7 @@ func (a *agent) Attest(ctx context.Context, opts AttestAgentOpts) ([]byte, error
 		},
 	}
 
-	var signatures []oci.Signature
-	if a.launchSpec.Experiments.EnableSignedContainerCache {
-		signatures = a.sigsCache.get()
-	} else {
-		signatures = fetchContainerImageSignatures(ctx, a.sigsFetcher, a.launchSpec.SignedImageRepos, defaultRetryPolicy, a.logger)
-	}
+	signatures := a.sigsCache.get()
 	if len(signatures) > 0 {
 		req.ContainerImageSignatures = signatures
 		a.logger.Printf("Found container image signatures: %v\n", signatures)
@@ -166,11 +161,9 @@ func (a *agent) attest(nonce []byte, cel []byte) (*pb.Attestation, error) {
 // Refresh refreshes the internal state of the attestation agent.
 // It will reset the container image signatures for now.
 func (a *agent) Refresh(ctx context.Context) error {
-	if a.launchSpec.Experiments.EnableSignedContainerCache {
-		signatures := fetchContainerImageSignatures(ctx, a.sigsFetcher, a.launchSpec.SignedImageRepos, defaultRetryPolicy, a.logger)
-		a.sigsCache.set(signatures)
-		a.logger.Printf("Refreshed container image signature cache: %v\n", signatures)
-	}
+	signatures := fetchContainerImageSignatures(ctx, a.sigsFetcher, a.launchSpec.SignedImageRepos, defaultRetryPolicy, a.logger)
+	a.sigsCache.set(signatures)
+	a.logger.Printf("Refreshed container image signature cache: %v\n", signatures)
 	return nil
 }
 

diff --git a/launcher/agent/agent_test.go b/launcher/agent/agent_test.go
@@ -19,7 +19,6 @@ import (
 	"github.com/google/go-tpm-tools/cel"
 	"github.com/google/go-tpm-tools/client"
 	"github.com/google/go-tpm-tools/internal/test"
-	"github.com/google/go-tpm-tools/launcher/internal/experiments"
 	"github.com/google/go-tpm-tools/launcher/internal/signaturediscovery"
 	"github.com/google/go-tpm-tools/launcher/spec"
 	attestpb "github.com/google/go-tpm-tools/proto/attest"
@@ -88,16 +87,9 @@ func TestAttest(t *testing.T) {
 		containerSignaturesFetcher signaturediscovery.Fetcher
 	}{
 		{
-			name:                       "all experiment flags disabled",
-			launchSpec:                 spec.LaunchSpec{},
-			principalIDTokenFetcher:    placeholderPrincipalFetcher,
-			containerSignaturesFetcher: signaturediscovery.NewFakeClient(),
-		},
-		{
-			name: "enable signed container",
+			name: "all experiment flags disabled",
 			launchSpec: spec.LaunchSpec{
 				SignedImageRepos: []string{signaturediscovery.FakeRepoWithSignatures},
-				Experiments:      experiments.Experiments{EnableSignedContainerCache: true},
 			},
 			principalIDTokenFetcher:    placeholderPrincipalFetcher,
 			containerSignaturesFetcher: signaturediscovery.NewFakeClient(),
@@ -158,26 +150,26 @@ func TestAttest(t *testing.T) {
 			if claims.Subject != "https://www.googleapis.com/compute/v1/projects/fakeProject/zones/fakeZone/instances/fakeInstance" {
 				t.Errorf("Invalid sub")
 			}
-			if tc.launchSpec.Experiments.EnableSignedContainerCache {
-				got := claims.ContainerImageSignatures
-				want := []fake.ContainerImageSignatureClaims{
-					{
-						Payload:   "test data",
-						Signature: base64.StdEncoding.EncodeToString([]byte("test data")),
-						PubKey:    "test data",
-						SigAlg:    "ECDSA_P256_SHA256",
-					},
-					{
-						Payload:   "hello world",
-						Signature: base64.StdEncoding.EncodeToString([]byte("hello world")),
-						PubKey:    "hello world",
-						SigAlg:    "RSASSA_PKCS1V15_SHA256",
-					},
-				}
-				if !cmp.Equal(got, want) {
-					t.Errorf("ContainerImageSignatureClaims does not match expected value: got %v, want %v", got, want)
-				}
+
+			got := claims.ContainerImageSignatures
+			want := []fake.ContainerImageSignatureClaims{
+				{
+					Payload:   "test data",
+					Signature: base64.StdEncoding.EncodeToString([]byte("test data")),
+					PubKey:    "test data",
+					SigAlg:    "ECDSA_P256_SHA256",
+				},
+				{
+					Payload:   "hello world",
+					Signature: base64.StdEncoding.EncodeToString([]byte("hello world")),
+					PubKey:    "hello world",
+					SigAlg:    "RSASSA_PKCS1V15_SHA256",
+				},
 			}
+			if !cmp.Equal(got, want) {
+				t.Errorf("ContainerImageSignatureClaims does not match expected value: got %v, want %v", got, want)
+			}
+
 			ms := &attestpb.MachineState{}
 			err = protojson.Unmarshal([]byte(claims.MachineStateMarshaled), ms)
 			if err != nil {

diff --git a/launcher/container_runner.go b/launcher/container_runner.go
@@ -270,10 +270,8 @@ func (r *ContainerRunner) measureCELEvents(ctx context.Context) error {
 	if err := r.measureContainerClaims(ctx); err != nil {
 		return fmt.Errorf("failed to measure container claims: %v", err)
 	}
-	if r.launchSpec.Experiments.EnableMeasureMemoryMonitor {
-		if err := r.measureMemoryMonitor(); err != nil {
-			return fmt.Errorf("failed to measure memory monitoring state: %v", err)
-		}
+	if err := r.measureMemoryMonitor(); err != nil {
+		return fmt.Errorf("failed to measure memory monitoring state: %v", err)
 	}
 
 	separator := cel.CosTlv{

diff --git a/launcher/container_runner_test.go b/launcher/container_runner_test.go
@@ -24,7 +24,6 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-tpm-tools/cel"
 	"github.com/google/go-tpm-tools/launcher/agent"
-	"github.com/google/go-tpm-tools/launcher/internal/experiments"
 	"github.com/google/go-tpm-tools/launcher/launcherfile"
 	"github.com/google/go-tpm-tools/launcher/spec"
 	"github.com/opencontainers/go-digest"
@@ -68,9 +67,7 @@ func (f *fakeAttestationAgent) Attest(ctx context.Context, _ agent.AttestAgentOp
 
 // Refresh simulates the behavior of an actual agent.
 func (f *fakeAttestationAgent) Refresh(ctx context.Context) error {
-	if f.launchSpec.Experiments.EnableSignedContainerCache {
-		f.sigsCache = f.sigsFetcherFunc(ctx)
-	}
+	f.sigsCache = f.sigsFetcherFunc(ctx)
 	return nil
 }
 
@@ -192,7 +189,6 @@ func TestRefreshTokenWithSignedContainerCacheEnabled(t *testing.T) {
 		sigsFetcherFunc: func(context.Context) []string {
 			return oldCache
 		},
-		launchSpec: spec.LaunchSpec{Experiments: experiments.Experiments{EnableSignedContainerCache: true}},
 	}
 	fakeAgent.attestFunc = func(context.Context, agent.AttestAgentOpts) ([]byte, error) {
 		return createJWTWithSignatures(t, fakeAgent.sigsCache), nil
@@ -586,6 +582,7 @@ func TestMeasureCELEvents(t *testing.T) {
 				cel.EnvVarType,
 				cel.OverrideEnvType,
 				cel.OverrideArgType,
+				cel.MemoryMonitorType,
 				cel.LaunchSeparatorType,
 			},
 			launchSpec: spec.LaunchSpec{
@@ -605,7 +602,6 @@ func TestMeasureCELEvents(t *testing.T) {
 				cel.MemoryMonitorType,
 				cel.LaunchSeparatorType,
 			},
-			launchSpec: spec.LaunchSpec{Experiments: experiments.Experiments{EnableMeasureMemoryMonitor: true}},
 		},
 	}
 

diff --git a/launcher/internal/experiments/experiments.go b/launcher/internal/experiments/experiments.go
@@ -11,10 +11,8 @@ import (
 // Failure to unmarshal the experiment JSON data will result in an empty object being returned
 // to treat experiment flags as their default value. The error should still be checked.
 type Experiments struct {
-	EnableTestFeatureForImage  bool
-	EnableSignedContainerCache bool
-	EnableMeasureMemoryMonitor bool
-	EnableTempFSMount          bool
+	EnableTestFeatureForImage bool
+	EnableTempFSMount         bool
 }
 
 // New takes a filepath, opens the file, and calls ReadJsonInput with the contents