Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 18 additions & 6 deletions codelabs/bank_data_analysis_codelab/scripts/common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -154,16 +154,28 @@ destroy_kms_key() {
# Name of the service-account
#######################################
create_service_account() {
gcloud iam service-accounts describe ${1} | grep ${1}
local sa_name="$1"
local project_id="$2" # Accept the project ID as the second argument.

# Construct the full, unique service account email address.
local sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com"

# Check if the service account already exists IN THE SPECIFIED PROJECT.
# Note the addition of the --project flag.
gcloud iam service-accounts describe "${sa_email}" --project="${project_id}" >/dev/null 2>&1

if [[ $? -eq 0 ]]; then
echo "Service-account ${1} already exists. Skipping the create of new service-account ..."
echo "Service-account ${sa_email} already exists in project ${project_id}. Skipping creation."
else
echo "Creating service-account ${1} ..."
gcloud iam service-accounts create ${1}
echo "Creating service-account ${sa_name} in project ${project_id}..."
# Create the service account IN THE SPECIFIED PROJECT.
gcloud iam service-accounts create "${sa_name}" --display-name="${sa_name}" --project="${project_id}"

if [[ $? -eq 0 ]]; then
echo "Service-account ${1} is created successfully."
echo "Service-account ${sa_email} is created successfully."
else
err "Failed to create service-account ${1}."
echo "Error: Failed to create service-account ${sa_name} in project ${project_id}." >&2
return 1
fi
fi
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ source common.sh
set_gcp_project ${SECUNDUS_PROJECT_ID}

echo "Creating workload service-account ${WORKLOAD_SERVICE_ACCOUNT} under project ${SECUNDUS_PROJECT_ID}..."
create_service_account ${WORKLOAD_SERVICE_ACCOUNT}
create_service_account ${WORKLOAD_SERVICE_ACCOUNT} ${SECUNDUS_PROJECT_ID}

echo "Granting roles/iam.serviceAccountUser role to workload operator ..."
if ! gcloud iam service-accounts add-iam-policy-binding ${WORKLOAD_SERVICE_ACCOUNT}@${SECUNDUS_PROJECT_ID}.iam.gserviceaccount.com \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ echo "Uploading the encrypted file to storage bucket ${PRIMUS_INPUT_STORAGE_BUCK
gsutil cp ${PARENT_DIR}/artifacts/primus_enc_customer_list.csv gs://${PRIMUS_INPUT_STORAGE_BUCKET}/primus_enc_customer_list.csv

echo "Creating service-account ${PRIMUS_SERVICE_ACCOUNT} for Primus Bank."
create_service_account ${PRIMUS_SERVICE_ACCOUNT}
create_service_account ${PRIMUS_SERVICE_ACCOUNT} ${PRIMUS_PROJECT_ID}

echo "Granting KMS decryptor role to the service-account ${PRIMUS_SERVICE_ACCOUNT} ..."
gcloud kms keys add-iam-policy-binding \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ echo "Uploading the encrypted file to storage bucket ${SECUNDUS_INPUT_STORAGE_BU
gsutil cp ${PARENT_DIR}/artifacts/secundus_enc_customer_list.csv gs://${SECUNDUS_INPUT_STORAGE_BUCKET}/secundus_enc_customer_list.csv

echo "Creating service-account ${SECUNDUS_SERVICE_ACCOUNT} for secundus bank ..."
create_service_account ${SECUNDUS_SERVICE_ACCOUNT}
create_service_account ${SECUNDUS_SERVICE_ACCOUNT} ${SECUNDUS_PROJECT_ID}

echo "Granting KMS decryptor role to the service-account ${SECUNDUS_SERVICE_ACCOUNT}"
gcloud kms keys add-iam-policy-binding \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ import (
"os"
"time"

"github.com/golang-jwt/jwt/v5"
"google3/third_party/golang/github_com/golang_jwt/jwt/v/v4/jwt"

"github.com/gorilla/websocket"

Expand Down
2 changes: 1 addition & 1 deletion server/gcpcredential/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ import (



"google3/third_party/golang/github_com/golang_jwt/jwt/v/v4/jwt"
"google.golang.org/api/idtoken"
"google.golang.org/api/option"
"github.com/golang-jwt/jwt/v5"
)

const googleCAURL = "https://pki.goog/roots.pem"
Expand Down
2 changes: 1 addition & 1 deletion server/gcpcredential/validate_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@ import (
"time"

"github.com/google/go-cmp/cmp"
"google3/third_party/golang/github_com/golang_jwt/jwt/v/v4/jwt"
"google.golang.org/api/idtoken"
jwt "github.com/golang-jwt/jwt/v5"
)

const testAudience = "testaud"
Expand Down
11 changes: 11 additions & 0 deletions server/proto/common/shared.proto
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
syntax = "proto3";

package common;

option go_package = "github.com/GoogleCloudPlatform/confidential-space/proto/gen/common";

// Enum for specifying the signature algorithm.
enum SignatureAlgorithm {
SIGNATURE_ALGORITHM_UNSPECIFIED = 0;
ECDSA_P256_SHA256 = 1;
}
39 changes: 39 additions & 0 deletions server/proto/confidential_space/cs_platform_rims.proto
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
syntax = "proto3";

package confidential_space;

import "google/protobuf/timestamp.proto";
import "third_party/confidential_space/server/proto/common/shared.proto";
import "third_party/confidential_space/server/proto/confidential_space/image_database.proto";

option go_package = "github.com/GoogleCloudPlatform/confidential-space/proto/gen/confidential_space_platform_rims";

message CSImageGoldenMeasurement {
// Serialized ConfidentialSpacePlatformRims proto.
bytes confidential_space_platform_rims = 1;

// Signature of image
bytes signature = 2;

// Signature algorithm used to generate the signature
common.SignatureAlgorithm signature_algorithm = 3;
}

message ConfidentialSpacePlatformRims {
// Serialized ImageDatabase Proto
image_database.ImageDatabase image_database = 1;

// Time the RIM was published.
google.protobuf.Timestamp timestamp = 2;

// Time after which the RIM should no longer be used.
google.protobuf.Timestamp exp = 3;

// DER format certificate of the key that signed this document.
bytes cert = 4;

reserved 5; // Reserve 5, make ca_bundle item 6 to match endorsement proto

// PEM certificates of keys in least intermediate…root order.
bytes ca_bundle = 6;
}
93 changes: 93 additions & 0 deletions server/proto/confidential_space/image_database.proto
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
edition = "2023";

package image_database;

import "google/protobuf/timestamp.proto";
import "social/boq/protoconf/proto/protoconf.proto";
import "storage/datapol/annotations/proto/semantic_annotations.proto";
import "third_party/golang/tpm_tools/proto/attest.proto";

// Attestation Verifier image database.
// See go/vegas-attestation-database for definitions.
message ImageDatabase {
extend .social.boq.proto.protoconf.ProtoConf {
ImageDatabase protoconf_ext = 498038836;
}

enum AttributeLabel {
NIL = 0;
TEST = 1; // test images
USABLE = 2;
STABLE = 3;
LATEST = 4;
EXPERIMENTAL = 5; // external images that contain experimental features
}

// Represents values associated with a Confidential Space Image
message ImageGoldenEntry {
// The public facing image release name.
string image_release_name = 1;
bool is_hardened = 2;
uint32 image_base_version = 5;
uint32 swversion = 6;
repeated AttributeLabel attribute_labels = 9;
// Explicitly marks the CS Image as retired. If this field is true,
// attestation validations for the corresponding CS image should fail.
bool obsoleted = 7;

reserved 3, 4;
reserved grub_digests, efi_digests;
}

enum CCKnownCertificates {
UNSPECIFIED_CERT = 0;
CONF_SPACE_SELF_SIGNED_DB_CA = 1;
COS_DB_V10 = 2;
COS_DB_V20250203 = 3;
}

message CCDatabase {
repeated CCKnownCertificates known_certificates = 1
[features.repeated_field_encoding = EXPANDED];

repeated string digests = 2;
}

message ImageBaseEntry {
CCDatabase db = 1;
CCDatabase dbx = 2;
CCDatabase authority = 3;
}

// This encodes minimum requirements for general attestations received by the
// verifier.
message ServiceBasePolicy {
google.protobuf.Timestamp earliest_cert_issue_time = 1;
reserved 2;
reserved firmware_policy;
}

message ConfidentialSpaceBasePolicy {
attest.Policy firmware_policy = 1;
}

// Map of kernel command line to other image golden values.
map<string, ImageGoldenEntry> golden_values = 1;

// Map of image base version to image base values.
map<uint32, ImageBaseEntry> image_base_values = 2;

// Attestation Verifier appraisal policy for verifying all attestations.
// The service will validate this policy before use case specific
// attestations, like Confidential Space.
ServiceBasePolicy service_base_policy = 5
[(datapol.semantic_type) = ST_NOT_REQUIRED];

// Attestation Verifier appraisal policy for verifying Confidential Space
// attestations.
ConfidentialSpaceBasePolicy cs_base_policy = 6
[(datapol.semantic_type) = ST_NOT_REQUIRED];

reserved 3, 4;
reserved firmware_policy, earliest_cert_issue_time;
}
39 changes: 39 additions & 0 deletions server/proto/intel/google_tdx_tcb.proto
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
edition = "2023";

package third_party_confidential_space_server_proto_intel;

import "google/protobuf/timestamp.proto";
import "third_party/confidential_space/server/proto/common/shared.proto";

option go_package = "github.com/GoogleCloudPlatform/confidential-space/proto/gen/google_tdx_tcb";

message TDXTCBInfo {
// Serialized TCB info proto.
bytes gcp_tcb_info = 1;

// Signature of gcp_tcb_info
bytes signature = 2;

// Signature algorithm used to generate the signature.
common.SignatureAlgorithm signature_algorithm = 3;
}

// IntelRim proto wrapper to allow for schema changes
message IntelRim {
// Serialized TdxTcb JSON. Raw response from the Intel PCS service.
bytes tdx_tcb = 1;

// Time the RIM was published.
google.protobuf.Timestamp timestamp = 2;

// Time after which the RIM should no longer be used.
google.protobuf.Timestamp exp = 3;

// DER format certificate of the key that signed this document.
bytes cert = 4;

reserved 5; // Reserve 5, make ca_bundle item 6 to match endorsement proto

// PEM certificates of keys in least intermediate…root order.
bytes ca_bundle = 6;
}
Loading