From c7f011f13842b4a9e0bdb1ff3c3c82de87ffd196 Mon Sep 17 00:00:00 2001 From: Joshua Krstic Date: Mon, 18 Aug 2025 14:07:19 -0700 Subject: [PATCH] No public description PiperOrigin-RevId: 796567999 --- .../scripts/common.sh | 24 +++-- .../create_workload_service_account.sh | 2 +- .../scripts/setup_primus_bank_resources.sh | 2 +- .../scripts/setup_secundus_bank_resources.sh | 2 +- .../src/uwear/workload.go | 2 +- server/gcpcredential/validate.go | 2 +- server/gcpcredential/validate_test.go | 2 +- server/proto/common/shared.proto | 11 +++ .../confidential_space/cs_platform_rims.proto | 39 ++++++++ .../confidential_space/image_database.proto | 93 +++++++++++++++++++ server/proto/intel/google_tdx_tcb.proto | 39 ++++++++ 11 files changed, 206 insertions(+), 12 deletions(-) create mode 100644 server/proto/common/shared.proto create mode 100644 server/proto/confidential_space/cs_platform_rims.proto create mode 100644 server/proto/confidential_space/image_database.proto create mode 100644 server/proto/intel/google_tdx_tcb.proto diff --git a/codelabs/bank_data_analysis_codelab/scripts/common.sh b/codelabs/bank_data_analysis_codelab/scripts/common.sh index a010ff5..923f074 100644 --- a/codelabs/bank_data_analysis_codelab/scripts/common.sh +++ b/codelabs/bank_data_analysis_codelab/scripts/common.sh @@ -154,16 +154,28 @@ destroy_kms_key() { # Name of the service-account ####################################### create_service_account() { - gcloud iam service-accounts describe ${1} | grep ${1} + local sa_name="$1" + local project_id="$2" # Accept the project ID as the second argument. + + # Construct the full, unique service account email address. + local sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com" + + # Check if the service account already exists IN THE SPECIFIED PROJECT. + # Note the addition of the --project flag. + gcloud iam service-accounts describe "${sa_email}" --project="${project_id}" >/dev/null 2>&1 + if [[ $? -eq 0 ]]; then - echo "Service-account ${1} already exists. Skipping the create of new service-account ..." + echo "Service-account ${sa_email} already exists in project ${project_id}. Skipping creation." else - echo "Creating service-account ${1} ..." - gcloud iam service-accounts create ${1} + echo "Creating service-account ${sa_name} in project ${project_id}..." + # Create the service account IN THE SPECIFIED PROJECT. + gcloud iam service-accounts create "${sa_name}" --display-name="${sa_name}" --project="${project_id}" + if [[ $? -eq 0 ]]; then - echo "Service-account ${1} is created successfully." + echo "Service-account ${sa_email} is created successfully." else - err "Failed to create service-account ${1}." + echo "Error: Failed to create service-account ${sa_name} in project ${project_id}." >&2 + return 1 fi fi } diff --git a/codelabs/bank_data_analysis_codelab/scripts/create_workload_service_account.sh b/codelabs/bank_data_analysis_codelab/scripts/create_workload_service_account.sh index 95342e1..42a27cd 100755 --- a/codelabs/bank_data_analysis_codelab/scripts/create_workload_service_account.sh +++ b/codelabs/bank_data_analysis_codelab/scripts/create_workload_service_account.sh @@ -8,7 +8,7 @@ source common.sh set_gcp_project ${SECUNDUS_PROJECT_ID} echo "Creating workload service-account ${WORKLOAD_SERVICE_ACCOUNT} under project ${SECUNDUS_PROJECT_ID}..." -create_service_account ${WORKLOAD_SERVICE_ACCOUNT} +create_service_account ${WORKLOAD_SERVICE_ACCOUNT} ${SECUNDUS_PROJECT_ID} echo "Granting roles/iam.serviceAccountUser role to workload operator ..." if ! gcloud iam service-accounts add-iam-policy-binding ${WORKLOAD_SERVICE_ACCOUNT}@${SECUNDUS_PROJECT_ID}.iam.gserviceaccount.com \ diff --git a/codelabs/bank_data_analysis_codelab/scripts/setup_primus_bank_resources.sh b/codelabs/bank_data_analysis_codelab/scripts/setup_primus_bank_resources.sh index f05b9c8..9104a46 100755 --- a/codelabs/bank_data_analysis_codelab/scripts/setup_primus_bank_resources.sh +++ b/codelabs/bank_data_analysis_codelab/scripts/setup_primus_bank_resources.sh @@ -34,7 +34,7 @@ echo "Uploading the encrypted file to storage bucket ${PRIMUS_INPUT_STORAGE_BUCK gsutil cp ${PARENT_DIR}/artifacts/primus_enc_customer_list.csv gs://${PRIMUS_INPUT_STORAGE_BUCKET}/primus_enc_customer_list.csv echo "Creating service-account ${PRIMUS_SERVICE_ACCOUNT} for Primus Bank." -create_service_account ${PRIMUS_SERVICE_ACCOUNT} +create_service_account ${PRIMUS_SERVICE_ACCOUNT} ${PRIMUS_PROJECT_ID} echo "Granting KMS decryptor role to the service-account ${PRIMUS_SERVICE_ACCOUNT} ..." gcloud kms keys add-iam-policy-binding \ diff --git a/codelabs/bank_data_analysis_codelab/scripts/setup_secundus_bank_resources.sh b/codelabs/bank_data_analysis_codelab/scripts/setup_secundus_bank_resources.sh index 4bb6035..153499f 100755 --- a/codelabs/bank_data_analysis_codelab/scripts/setup_secundus_bank_resources.sh +++ b/codelabs/bank_data_analysis_codelab/scripts/setup_secundus_bank_resources.sh @@ -38,7 +38,7 @@ echo "Uploading the encrypted file to storage bucket ${SECUNDUS_INPUT_STORAGE_BU gsutil cp ${PARENT_DIR}/artifacts/secundus_enc_customer_list.csv gs://${SECUNDUS_INPUT_STORAGE_BUCKET}/secundus_enc_customer_list.csv echo "Creating service-account ${SECUNDUS_SERVICE_ACCOUNT} for secundus bank ..." -create_service_account ${SECUNDUS_SERVICE_ACCOUNT} +create_service_account ${SECUNDUS_SERVICE_ACCOUNT} ${SECUNDUS_PROJECT_ID} echo "Granting KMS decryptor role to the service-account ${SECUNDUS_SERVICE_ACCOUNT}" gcloud kms keys add-iam-policy-binding \ diff --git a/codelabs/health_data_analysis_codelab/src/uwear/workload.go b/codelabs/health_data_analysis_codelab/src/uwear/workload.go index db13bbe..7058e12 100644 --- a/codelabs/health_data_analysis_codelab/src/uwear/workload.go +++ b/codelabs/health_data_analysis_codelab/src/uwear/workload.go @@ -18,7 +18,7 @@ import ( "os" "time" - "github.com/golang-jwt/jwt/v5" + "google3/third_party/golang/github_com/golang_jwt/jwt/v/v4/jwt" "github.com/gorilla/websocket" diff --git a/server/gcpcredential/validate.go b/server/gcpcredential/validate.go index 15c0179..885eba8 100644 --- a/server/gcpcredential/validate.go +++ b/server/gcpcredential/validate.go @@ -20,9 +20,9 @@ import ( + "google3/third_party/golang/github_com/golang_jwt/jwt/v/v4/jwt" "google.golang.org/api/idtoken" "google.golang.org/api/option" - "github.com/golang-jwt/jwt/v5" ) const googleCAURL = "https://pki.goog/roots.pem" diff --git a/server/gcpcredential/validate_test.go b/server/gcpcredential/validate_test.go index 2d7ef48..aaea2c7 100644 --- a/server/gcpcredential/validate_test.go +++ b/server/gcpcredential/validate_test.go @@ -16,8 +16,8 @@ import ( "time" "github.com/google/go-cmp/cmp" + "google3/third_party/golang/github_com/golang_jwt/jwt/v/v4/jwt" "google.golang.org/api/idtoken" - jwt "github.com/golang-jwt/jwt/v5" ) const testAudience = "testaud" diff --git a/server/proto/common/shared.proto b/server/proto/common/shared.proto new file mode 100644 index 0000000..30f63ea --- /dev/null +++ b/server/proto/common/shared.proto @@ -0,0 +1,11 @@ +syntax = "proto3"; + +package common; + +option go_package = "github.com/GoogleCloudPlatform/confidential-space/proto/gen/common"; + +// Enum for specifying the signature algorithm. +enum SignatureAlgorithm { + SIGNATURE_ALGORITHM_UNSPECIFIED = 0; + ECDSA_P256_SHA256 = 1; +} diff --git a/server/proto/confidential_space/cs_platform_rims.proto b/server/proto/confidential_space/cs_platform_rims.proto new file mode 100644 index 0000000..e9ead9f --- /dev/null +++ b/server/proto/confidential_space/cs_platform_rims.proto @@ -0,0 +1,39 @@ +syntax = "proto3"; + +package confidential_space; + +import "google/protobuf/timestamp.proto"; +import "third_party/confidential_space/server/proto/common/shared.proto"; +import "third_party/confidential_space/server/proto/confidential_space/image_database.proto"; + +option go_package = "github.com/GoogleCloudPlatform/confidential-space/proto/gen/confidential_space_platform_rims"; + +message CSImageGoldenMeasurement { + // Serialized ConfidentialSpacePlatformRims proto. + bytes confidential_space_platform_rims = 1; + + // Signature of image + bytes signature = 2; + + // Signature algorithm used to generate the signature + common.SignatureAlgorithm signature_algorithm = 3; +} + +message ConfidentialSpacePlatformRims { + // Serialized ImageDatabase Proto + image_database.ImageDatabase image_database = 1; + + // Time the RIM was published. + google.protobuf.Timestamp timestamp = 2; + + // Time after which the RIM should no longer be used. + google.protobuf.Timestamp exp = 3; + + // DER format certificate of the key that signed this document. + bytes cert = 4; + + reserved 5; // Reserve 5, make ca_bundle item 6 to match endorsement proto + + // PEM certificates of keys in least intermediate…root order. + bytes ca_bundle = 6; +} diff --git a/server/proto/confidential_space/image_database.proto b/server/proto/confidential_space/image_database.proto new file mode 100644 index 0000000..a6f7e4a --- /dev/null +++ b/server/proto/confidential_space/image_database.proto @@ -0,0 +1,93 @@ +edition = "2023"; + +package image_database; + +import "google/protobuf/timestamp.proto"; +import "social/boq/protoconf/proto/protoconf.proto"; +import "storage/datapol/annotations/proto/semantic_annotations.proto"; +import "third_party/golang/tpm_tools/proto/attest.proto"; + +// Attestation Verifier image database. +// See go/vegas-attestation-database for definitions. +message ImageDatabase { + extend .social.boq.proto.protoconf.ProtoConf { + ImageDatabase protoconf_ext = 498038836; + } + + enum AttributeLabel { + NIL = 0; + TEST = 1; // test images + USABLE = 2; + STABLE = 3; + LATEST = 4; + EXPERIMENTAL = 5; // external images that contain experimental features + } + + // Represents values associated with a Confidential Space Image + message ImageGoldenEntry { + // The public facing image release name. + string image_release_name = 1; + bool is_hardened = 2; + uint32 image_base_version = 5; + uint32 swversion = 6; + repeated AttributeLabel attribute_labels = 9; + // Explicitly marks the CS Image as retired. If this field is true, + // attestation validations for the corresponding CS image should fail. + bool obsoleted = 7; + + reserved 3, 4; + reserved grub_digests, efi_digests; + } + + enum CCKnownCertificates { + UNSPECIFIED_CERT = 0; + CONF_SPACE_SELF_SIGNED_DB_CA = 1; + COS_DB_V10 = 2; + COS_DB_V20250203 = 3; + } + + message CCDatabase { + repeated CCKnownCertificates known_certificates = 1 + [features.repeated_field_encoding = EXPANDED]; + + repeated string digests = 2; + } + + message ImageBaseEntry { + CCDatabase db = 1; + CCDatabase dbx = 2; + CCDatabase authority = 3; + } + + // This encodes minimum requirements for general attestations received by the + // verifier. + message ServiceBasePolicy { + google.protobuf.Timestamp earliest_cert_issue_time = 1; + reserved 2; + reserved firmware_policy; + } + + message ConfidentialSpaceBasePolicy { + attest.Policy firmware_policy = 1; + } + + // Map of kernel command line to other image golden values. + map golden_values = 1; + + // Map of image base version to image base values. + map image_base_values = 2; + + // Attestation Verifier appraisal policy for verifying all attestations. + // The service will validate this policy before use case specific + // attestations, like Confidential Space. + ServiceBasePolicy service_base_policy = 5 + [(datapol.semantic_type) = ST_NOT_REQUIRED]; + + // Attestation Verifier appraisal policy for verifying Confidential Space + // attestations. + ConfidentialSpaceBasePolicy cs_base_policy = 6 + [(datapol.semantic_type) = ST_NOT_REQUIRED]; + + reserved 3, 4; + reserved firmware_policy, earliest_cert_issue_time; +} diff --git a/server/proto/intel/google_tdx_tcb.proto b/server/proto/intel/google_tdx_tcb.proto new file mode 100644 index 0000000..4eb6568 --- /dev/null +++ b/server/proto/intel/google_tdx_tcb.proto @@ -0,0 +1,39 @@ +edition = "2023"; + +package third_party_confidential_space_server_proto_intel; + +import "google/protobuf/timestamp.proto"; +import "third_party/confidential_space/server/proto/common/shared.proto"; + +option go_package = "github.com/GoogleCloudPlatform/confidential-space/proto/gen/google_tdx_tcb"; + +message TDXTCBInfo { + // Serialized TCB info proto. + bytes gcp_tcb_info = 1; + + // Signature of gcp_tcb_info + bytes signature = 2; + + // Signature algorithm used to generate the signature. + common.SignatureAlgorithm signature_algorithm = 3; +} + +// IntelRim proto wrapper to allow for schema changes +message IntelRim { + // Serialized TdxTcb JSON. Raw response from the Intel PCS service. + bytes tdx_tcb = 1; + + // Time the RIM was published. + google.protobuf.Timestamp timestamp = 2; + + // Time after which the RIM should no longer be used. + google.protobuf.Timestamp exp = 3; + + // DER format certificate of the key that signed this document. + bytes cert = 4; + + reserved 5; // Reserve 5, make ca_bundle item 6 to match endorsement proto + + // PEM certificates of keys in least intermediate…root order. + bytes ca_bundle = 6; +}