Fragment COSE Sign1 support. #1575
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
helsaawy
reviewed
Nov 29, 2022
|
The PR title is too long for one line. Can you please format it so the title is a short description, and the PR body has a more detailed description. |
hgarvison
reviewed
Nov 30, 2022
hgarvison
reviewed
Nov 30, 2022
hgarvison
reviewed
Nov 30, 2022
hgarvison
reviewed
Nov 30, 2022
hgarvison
reviewed
Nov 30, 2022
anmaxvl
reviewed
Dec 1, 2022
KenGordon
changed the title
|
Test cases are not useful when you want to know why your encrypted UVM does not start.
WPA is not at all nice and it is hard/impossible to find the entries and always impossible to grep them. I did try that ahead of all the various logging hacking I have done on this project. In the end the most effective way is to set the initial vsockexec to target an entirely different port and run a listener on that. I guess you all take the startup of the UVM for granted so don't really understand how fiddly that part is.
@@ -178,7 +178,7 @@ func main() {
uint(kmsg.Warning),
"Log all kmsg entries with a priority less than or equal to the supplied level.")
logFile := flag.String("logfile",
- "",
+ "/tmp/gcs.log",
wpa using the ContainerPlatform.wprp file in our package should do it, as will TV++ using the adjacent ContainerPlatform.tvpp file
You can also create test cases in test/functional or test/gcs and run those, since they should output to stdout by default
|
hgarvison
reviewed
Dec 8, 2022
hgarvison
reviewed
Dec 8, 2022
anmaxvl
reviewed
Dec 12, 2022
anmaxvl
reviewed
Jan 4, 2023
helsaawy
approved these changes
Jan 19, 2023
| }, | ||
| cli.StringFlag{ | ||
| Name: "salt", | ||
| Usage: "salt type [rand|zero] (default: rand)", |
There was a problem hiding this comment.
Nit: we should probably add error checking for the salt and policy flags in a future PR, to make sure the values provided are valid.
|
|
||
| When adding an option here which must match some security policy by default, make sure that the correct default (ie matches | ||
| a default security policy) is applied in handleSecurityPolicy. Inadvertantly adding an "option" which defaults to false but MUST be | ||
| true for a default security policy to work will force the annotation to have be set by the team that owns the box. That will |
There was a problem hiding this comment.
nit: tab instead of space
to be checked for a good cert chain and a valid issuer DID that matches the certs and so the signature. Includes DID and COSE Sign1 packages and tooling. Support extracting a DID directly from a COSE Sign1 document and also support single cert COSE Sign document checking, but not DID generation. `signutil` is a debug tool that allows generating valid DID given a COSE Sign1 document and provides other utility functions like printing cert chain, leaf certs, displaying COSE Sign1 document content etc. Signed-off-by: Ken Gordon <ken.gordon@microsoft.com>
takuro-sato
pushed a commit
to takuro-sato/hcsshim
that referenced
this pull request
Apr 25, 2023
…ost (microsoft#1575) to be checked for a good cert chain and a valid issuer DID that matches the certs and so the signature. Includes DID and COSE Sign1 packages and tooling. Support extracting a DID directly from a COSE Sign1 document and also support single cert COSE Sign document checking, but not DID generation. `signutil` is a debug tool that allows generating valid DID given a COSE Sign1 document and provides other utility functions like printing cert chain, leaf certs, displaying COSE Sign1 document content etc. Signed-off-by: Ken Gordon <ken.gordon@microsoft.com>
takuro-sato
pushed a commit
to takuro-sato/hcsshim
that referenced
this pull request
Apr 25, 2023
…ost (microsoft#1575) to be checked for a good cert chain and a valid issuer DID that matches the certs and so the signature. Includes DID and COSE Sign1 packages and tooling. Support extracting a DID directly from a COSE Sign1 document and also support single cert COSE Sign document checking, but not DID generation. `signutil` is a debug tool that allows generating valid DID given a COSE Sign1 document and provides other utility functions like printing cert chain, leaf certs, displaying COSE Sign1 document content etc. Signed-off-by: Ken Gordon <ken.gordon@microsoft.com>
princepereira
pushed a commit
to princepereira/hcsshim
that referenced
this pull request
Aug 29, 2024
…ost (microsoft#1575) to be checked for a good cert chain and a valid issuer DID that matches the certs and so the signature. Includes DID and COSE Sign1 packages and tooling. Support extracting a DID directly from a COSE Sign1 document and also support single cert COSE Sign document checking, but not DID generation. `signutil` is a debug tool that allows generating valid DID given a COSE Sign1 document and provides other utility functions like printing cert chain, leaf certs, displaying COSE Sign1 document content etc. Signed-off-by: Ken Gordon <ken.gordon@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fragment COSE Sign1 support. Allows for a fragment presented by the host to be checked for a good cert chain and a valid issuer DID that matches the certs and so the signature. Includes DID and COSE Sign1 packages and tooling.
Signed-off-by: Ken Gordon ken.gordon@microsoft.com