From 54db9913db04588f9568e6cac1a765526f1e72a9 Mon Sep 17 00:00:00 2001 From: yawangwang Date: Tue, 1 Oct 2024 20:23:56 +0000 Subject: [PATCH] Remove EnableSignedContainerCache + EnableMeasureMemoryMonitor from container launcher --- launcher/agent/agent.go | 15 ++---- launcher/agent/agent_test.go | 48 ++++++++------------ launcher/container_runner.go | 6 +-- launcher/container_runner_test.go | 8 +--- launcher/internal/experiments/experiments.go | 6 +-- 5 files changed, 30 insertions(+), 53 deletions(-) diff --git a/launcher/agent/agent.go b/launcher/agent/agent.go index efca958ec..28aa4b49b 100644 --- a/launcher/agent/agent.go +++ b/launcher/agent/agent.go @@ -136,12 +136,7 @@ func (a *agent) Attest(ctx context.Context, opts AttestAgentOpts) ([]byte, error }, } - var signatures []oci.Signature - if a.launchSpec.Experiments.EnableSignedContainerCache { - signatures = a.sigsCache.get() - } else { - signatures = fetchContainerImageSignatures(ctx, a.sigsFetcher, a.launchSpec.SignedImageRepos, defaultRetryPolicy, a.logger) - } + signatures := a.sigsCache.get() if len(signatures) > 0 { req.ContainerImageSignatures = signatures a.logger.Printf("Found container image signatures: %v\n", signatures) 
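Review bot: Attest now depends entirely on a.sigsCache having been populated, so an attestation produced before the first Refresh call carries no container image signature claims even when SignedImageRepos is configured; the removed non-cache branch fetched on demand and masked this ordering dependency. Unless the agent constructor already seeds the cache (not visible in this hunk), either populate it at construction or state the contract on Attest, e.g. `// Attest reads container image signatures from sigsCache; Refresh must run before the first Attest to populate it.` Attest begins and ends outside this hunk.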
@@ -166,11 +161,9 @@ func (a *agent) attest(nonce []byte, cel []byte) (*pb.Attestation, error) { // Refresh refreshes the internal state of the attestation agent. // It will reset the container image signatures for now. func (a *agent) Refresh(ctx context.Context) error { - if a.launchSpec.Experiments.EnableSignedContainerCache { - signatures := fetchContainerImageSignatures(ctx, a.sigsFetcher, a.launchSpec.SignedImageRepos, defaultRetryPolicy, a.logger) - a.sigsCache.set(signatures) - a.logger.Printf("Refreshed container image signature cache: %v\n", signatures) - } + signatures := fetchContainerImageSignatures(ctx, a.sigsFetcher, a.launchSpec.SignedImageRepos, defaultRetryPolicy, a.logger) + a.sigsCache.set(signatures) + a.logger.Printf("Refreshed container image signature cache: %v\n", signatures) return nil } diff --git a/launcher/agent/agent_test.go b/launcher/agent/agent_test.go index 9cfe7c3ca..af9aea5bb 100644 --- a/launcher/agent/agent_test.go +++ b/launcher/agent/agent_test.go @@ -19,7 +19,6 @@ import ( "github.com/google/go-tpm-tools/cel" "github.com/google/go-tpm-tools/client" "github.com/google/go-tpm-tools/internal/test" - "github.com/google/go-tpm-tools/launcher/internal/experiments" "github.com/google/go-tpm-tools/launcher/internal/signaturediscovery" "github.com/google/go-tpm-tools/launcher/spec" attestpb "github.com/google/go-tpm-tools/proto/attest" 
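Review bot: Refresh now unconditionally overwrites the cache with whatever fetchContainerImageSignatures returns and always returns nil, so a fetch that fails and yields an empty slice silently replaces a previously good set of signatures and the caller cannot tell that anything went wrong. The single return value suggests the fetcher handles errors internally (not visible here); if so, consider having it report failure separately so Refresh can distinguish a genuine empty result, which should be cached so revoked signatures are not re-attested, from a transient error, which should be logged and returned rather than cached. Logging the whole signature list with `%v` on every refresh is also verbose; `a.logger.Printf("Refreshed container image signature cache: %d signatures\n", len(signatures))` is usually enough.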
@@ -88,16 +87,9 @@ func TestAttest(t *testing.T) { containerSignaturesFetcher signaturediscovery.Fetcher }{ { - name: "all experiment flags disabled", - launchSpec: spec.LaunchSpec{}, - principalIDTokenFetcher: placeholderPrincipalFetcher, - containerSignaturesFetcher: signaturediscovery.NewFakeClient(), - }, - { - name: "enable signed container", + name: "all experiment flags disabled", launchSpec: spec.LaunchSpec{ SignedImageRepos: []string{signaturediscovery.FakeRepoWithSignatures}, - Experiments: experiments.Experiments{EnableSignedContainerCache: true}, }, principalIDTokenFetcher: placeholderPrincipalFetcher, containerSignaturesFetcher: signaturediscovery.NewFakeClient(), 
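Review bot: The surviving table entry is still named "all experiment flags disabled" although it now configures SignedImageRepos and the experiment flags it referred to no longer exist, so the name no longer describes the case; rename it, e.g. `name: "signed image repos configured",`. Dropping the other entry also removes the only coverage of an empty LaunchSpec, where Attest must return a token without ContainerImageSignatures; because the assertions in the @@ -158 hunk are now unconditional, restoring that case needs either a branch there or a separate test for the no-repos path. The table declaration starts outside this hunk.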
@@ -158,26 +150,26 @@ func TestAttest(t *testing.T) { if claims.Subject != "https://www.googleapis.com/compute/v1/projects/fakeProject/zones/fakeZone/instances/fakeInstance" { t.Errorf("Invalid sub") } - if tc.launchSpec.Experiments.EnableSignedContainerCache { - got := claims.ContainerImageSignatures - want := []fake.ContainerImageSignatureClaims{ - { - Payload: "test data", - Signature: base64.StdEncoding.EncodeToString([]byte("test data")), - PubKey: "test data", - SigAlg: "ECDSA_P256_SHA256", - }, - { - Payload: "hello world", - Signature: base64.StdEncoding.EncodeToString([]byte("hello world")), - PubKey: "hello world", - SigAlg: "RSASSA_PKCS1V15_SHA256", - }, - } - if !cmp.Equal(got, want) { - t.Errorf("ContainerImageSignatureClaims does not match expected value: got %v, want %v", got, want) - } + + got := claims.ContainerImageSignatures + want := []fake.ContainerImageSignatureClaims{ + { + Payload: "test data", + Signature: base64.StdEncoding.EncodeToString([]byte("test data")), + PubKey: "test data", + SigAlg: "ECDSA_P256_SHA256", + }, + { + Payload: "hello world", + Signature: base64.StdEncoding.EncodeToString([]byte("hello world")), + PubKey: "hello world", + SigAlg: "RSASSA_PKCS1V15_SHA256", + }, } + if !cmp.Equal(got, want) { + t.Errorf("ContainerImageSignatureClaims does not match expected value: got %v, want %v", got, want) + } + ms := &attestpb.MachineState{} err = protojson.Unmarshal([]byte(claims.MachineStateMarshaled), ms) if err != nil { diff --git a/launcher/container_runner.go b/launcher/container_runner.go index f966bab20..e7ce6d6a1 100644 --- a/launcher/container_runner.go +++ b/launcher/container_runner.go 
@@ -270,10 +270,8 @@ func (r *ContainerRunner) measureCELEvents(ctx context.Context) error { if err := r.measureContainerClaims(ctx); err != nil { return fmt.Errorf("failed to measure container claims: %v", err) } - if r.launchSpec.Experiments.EnableMeasureMemoryMonitor { - if err := r.measureMemoryMonitor(); err != nil { - return fmt.Errorf("failed to measure memory monitoring state: %v", err) - } + if err := r.measureMemoryMonitor(); err != nil { + return fmt.Errorf("failed to measure memory monitoring state: %v", err) } separator := cel.CosTlv{ diff --git a/launcher/container_runner_test.go b/launcher/container_runner_test.go index 179a1ffc4..a9cd8f225 100644 --- a/launcher/container_runner_test.go +++ b/launcher/container_runner_test.go @@ -24,7 +24,6 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-tpm-tools/cel" "github.com/google/go-tpm-tools/launcher/agent" - "github.com/google/go-tpm-tools/launcher/internal/experiments" "github.com/google/go-tpm-tools/launcher/launcherfile" "github.com/google/go-tpm-tools/launcher/spec" "github.com/opencontainers/go-digest" @@ -68,9 +67,7 @@ func (f *fakeAttestationAgent) Attest(ctx context.Context, _ agent.AttestAgentOp // Refresh simulates the behavior of an actual agent. func (f *fakeAttestationAgent) Refresh(ctx context.Context) error { - if f.launchSpec.Experiments.EnableSignedContainerCache { - f.sigsCache = f.sigsFetcherFunc(ctx) - } + f.sigsCache = f.sigsFetcherFunc(ctx) return nil } @@ -192,7 +189,6 @@ func TestRefreshTokenWithSignedContainerCacheEnabled(t *testing.T) { sigsFetcherFunc: func(context.Context) []string { return oldCache }, - launchSpec: spec.LaunchSpec{Experiments: experiments.Experiments{EnableSignedContainerCache: true}}, } fakeAgent.attestFunc = func(context.Context, agent.AttestAgentOpts) ([]byte, error) { return createJWTWithSignatures(t, fakeAgent.sigsCache), nil 
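Review bot: The new error return in measureCELEvents wraps with `%v`, which flattens the underlying error so callers cannot use errors.Is or errors.As on it; `return fmt.Errorf("failed to measure memory monitoring state: %w", err)` keeps the chain (the neighbouring measureContainerClaims line has the same pre-existing pattern). Because measureMemoryMonitor is now unconditional, every launch emits a MemoryMonitorType event before the launch separator, as the updated expectation in TestMeasureCELEvents shows, so any verifier policy that enumerates accepted COS event types must include it. measureCELEvents begins and ends outside this hunk.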
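Review bot: TestRefreshTokenWithSignedContainerCacheEnabled keeps "CacheEnabled" in its name although the toggle it referred to is removed by this commit, so the name now implies a configuration that no longer exists; a name such as `TestRefreshTokenUpdatesSignatureCache` would match the fake Refresh in the @@ -68 hunk, which now always repopulates sigsCache. The test's signature and most of its body are outside this hunk.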
@@ -586,6 +582,7 @@ func TestMeasureCELEvents(t *testing.T) { cel.EnvVarType, cel.OverrideEnvType, cel.OverrideArgType, + cel.MemoryMonitorType, cel.LaunchSeparatorType, }, launchSpec: spec.LaunchSpec{ @@ -605,7 +602,6 @@ func TestMeasureCELEvents(t *testing.T) { cel.MemoryMonitorType, cel.LaunchSeparatorType, }, - launchSpec: spec.LaunchSpec{Experiments: experiments.Experiments{EnableMeasureMemoryMonitor: true}}, }, } diff --git a/launcher/internal/experiments/experiments.go b/launcher/internal/experiments/experiments.go index cef84e849..6547b0f50 100644 --- a/launcher/internal/experiments/experiments.go +++ b/launcher/internal/experiments/experiments.go @@ -11,10 +11,8 @@ import ( // Failure to unmarshal the experiment JSON data will result in an empty object being returned // to treat experiment flags as their default value. The error should still be checked. type Experiments struct { - EnableTestFeatureForImage bool - EnableSignedContainerCache bool - EnableMeasureMemoryMonitor bool - EnableTempFSMount bool + EnableTestFeatureForImage bool + EnableTempFSMount bool } // New takes a filepath, opens the file, and calls ReadJsonInput with the contents
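Review bot: After this change the two TestMeasureCELEvents entries visible in the @@ -586 and @@ -605 hunks expect event lists with the same tail (`cel.MemoryMonitorType, cel.LaunchSeparatorType`), and the second entry has lost the launchSpec that distinguished it; if the experiment flag was its only difference, the second case is now redundant and should be removed or renamed to state what it still covers. The case names and the rest of the table lie outside these hunks, so this is inferred from the visible lines.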