C-WCOW: Unify data structures and reuse for C-LCOW and C-WCOW

Signed-off-by: Mahati Chamarthy <[email protected]>

Author: MahatiC

internal/gcs-sidecar/handlers.go

@@ -599,7 +599,7 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			log.G(ctx).Tracef("hcsschema.MappedDirectory { %v }", settings)
 
 		case guestresource.ResourceTypeSecurityPolicy:
-			securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWConfidentialOptions)
+			securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.ConfidentialOptions)
 			log.G(ctx).Tracef("WCOWConfidentialOptions: { %v}", securityPolicyRequest)
 			err := b.hostState.SetWCOWConfidentialUVMOptions(req.ctx, securityPolicyRequest, b.logWriter)
 			if err != nil {
@@ -616,10 +616,9 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			}
 			return nil
 		case guestresource.ResourceTypePolicyFragment:
-			//Note: Reusing the same type LCOWSecurityPolicyFragment for CWCOW.
-			r, ok := modifyGuestSettingsRequest.Settings.(*guestresource.LCOWSecurityPolicyFragment)
+			r, ok := modifyGuestSettingsRequest.Settings.(*guestresource.SecurityPolicyFragment)
 			if !ok {
-				return errors.New("the request settings are not of type LCOWSecurityPolicyFragment")
+				return errors.New("the request settings are not of type SecurityPolicyFragment")
 			}
 			return b.hostState.InjectFragment(ctx, r)
 		case guestresource.ResourceTypeWCOWBlockCims:
@@ -635,7 +634,6 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			// The block device takes some time to show up. Wait for a few seconds.
 			time.Sleep(2 * time.Second)
 
-			//TODO(Mahati) : test and verify CIM hashes
 			var layerCIMs []*cimfs.BlockCIM
 			layerHashes := make([]string, len(wcowBlockCimMounts.BlockCIMs))
 			layerDigests := make([][]byte, len(wcowBlockCimMounts.BlockCIMs))

internal/gcs-sidecar/host.go

@@ -73,7 +73,7 @@ func NewHost(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Host {
 // (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
 // 3 - Check that this issuer/feed match the requirement of the user provided
 // security policy (done in the regoby LoadFragment)
-func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error) {
+func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
 	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment")
 
 	raw, err := base64.StdEncoding.DecodeString(fragment.Fragment)
@@ -133,7 +133,7 @@ func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWS
 	return nil
 }
 
-func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicyRequest *guestresource.WCOWConfidentialOptions, logWriter io.Writer) error {
+func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicyRequest *guestresource.ConfidentialOptions, logWriter io.Writer) error {
 	h.policyMutex.Lock()
 	defer h.policyMutex.Unlock()
 

internal/gcs-sidecar/uvm.go

@@ -92,7 +92,7 @@ func unmarshalContainerModifySettings(req *request) (_ *prot.ContainerModifySett
 			modifyGuestSettingsRequest.Settings = settings
 
 		case guestresource.ResourceTypeSecurityPolicy:
-			securityPolicyRequest := &guestresource.WCOWConfidentialOptions{}
+			securityPolicyRequest := &guestresource.ConfidentialOptions{}
 			if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, securityPolicyRequest); err != nil {
 				return nil, fmt.Errorf("invalid ResourceTypeSecurityPolicy request: %w", err)
 			}

internal/guest/prot/protocol.go

@@ -583,15 +583,15 @@ func UnmarshalContainerModifySettings(b []byte) (*containerModifySettings, error
 		}
 		msr.Settings = cc
 	case guestresource.ResourceTypeSecurityPolicy:
-		enforcer := &guestresource.LCOWConfidentialOptions{}
+		enforcer := &guestresource.ConfidentialOptions{}
 		if err := commonutils.UnmarshalJSONWithHresult(msrRawSettings, enforcer); err != nil {
-			return &request, errors.Wrap(err, "failed to unmarshal settings as LCOWConfidentialOptions")
+			return &request, errors.Wrap(err, "failed to unmarshal settings as ConfidentialOptions")
 		}
 		msr.Settings = enforcer
 	case guestresource.ResourceTypePolicyFragment:
-		fragment := &guestresource.LCOWSecurityPolicyFragment{}
+		fragment := &guestresource.SecurityPolicyFragment{}
 		if err := commonutils.UnmarshalJSONWithHresult(msrRawSettings, fragment); err != nil {
-			return &request, errors.Wrap(err, "failed to unmarshal settings as LCOWSecurityPolicyFragment")
+			return &request, errors.Wrap(err, "failed to unmarshal settings as SecurityPolicyFragment")
 		}
 		msr.Settings = fragment
 	default:

internal/guest/runtime/hcsv2/uvm.go

@@ -96,13 +96,13 @@ func NewHost(rtime runtime.Runtime, vsock transport.Transport, initialEnforcer s
 	}
 }
 
-// SetConfidentialUVMOptions takes guestresource.LCOWConfidentialOptions
+// SetConfidentialUVMOptions takes guestresource.ConfidentialOptions
 // to set up our internal data structures we use to store and enforce
 // security policy. The options can contain security policy enforcer type,
 // encoded security policy and signed UVM reference information The security
 // policy and uvm reference information can be further presented to workload
 // containers for validation and attestation purposes.
-func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 	h.policyMutex.Lock()
 	defer h.policyMutex.Unlock()
 	if h.securityPolicyEnforcerSet {
@@ -164,7 +164,7 @@ func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.L
 // (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
 // 3 - Check that this issuer/feed match the requirement of the user provided
 // security policy (done in the regoby LoadFragment)
-func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error) {
+func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
 	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment")
 
 	raw, err := base64.StdEncoding.DecodeString(fragment.Fragment)
@@ -638,15 +638,15 @@ func (h *Host) modifyHostSettings(ctx context.Context, containerID string, req *
 		}
 		return c.modifyContainerConstraints(ctx, req.RequestType, req.Settings.(*guestresource.LCOWContainerConstraints))
 	case guestresource.ResourceTypeSecurityPolicy:
-		r, ok := req.Settings.(*guestresource.LCOWConfidentialOptions)
+		r, ok := req.Settings.(*guestresource.ConfidentialOptions)
 		if !ok {
-			return errors.New("the request's settings are not of type LCOWConfidentialOptions")
+			return errors.New("the request's settings are not of type ConfidentialOptions")
 		}
 		return h.SetConfidentialUVMOptions(ctx, r)
 	case guestresource.ResourceTypePolicyFragment:
-		r, ok := req.Settings.(*guestresource.LCOWSecurityPolicyFragment)
+		r, ok := req.Settings.(*guestresource.SecurityPolicyFragment)
 		if !ok {
-			return errors.New("the request settings are not of type LCOWSecurityPolicyFragment")
+			return errors.New("the request settings are not of type SecurityPolicyFragment")
 		}
 		return h.InjectFragment(ctx, r)
 	default:

internal/protocol/guestresource/resources.go

@@ -229,20 +229,14 @@ type SignalProcessOptionsWCOW struct {
 	Signal guestrequest.SignalValueWCOW `json:",omitempty"`
 }
 
-// LCOWConfidentialOptions is used to set various confidential container specific
+// ConfidentialOptions is used to set various confidential container specific
 // options.
-type LCOWConfidentialOptions struct {
+type ConfidentialOptions struct {
 	EnforcerType          string `json:"EnforcerType,omitempty"`
 	EncodedSecurityPolicy string `json:"EncodedSecurityPolicy,omitempty"`
 	EncodedUVMReference   string `json:"EncodedUVMReference,omitempty"`
 }
 
-type LCOWSecurityPolicyFragment struct {
+type SecurityPolicyFragment struct {
 	Fragment string `json:"Fragment,omitempty"`
 }
-
-type WCOWConfidentialOptions struct {
-	EnforcerType          string `json:"EnforcerType,omitempty"`
-	EncodedSecurityPolicy string `json:"EncodedSecurityPolicy,omitempty"`
-	EncodedUVMReference   string `json:"EncodedUVMReference,omitempty"`
-}

internal/uvm/security_policy.go

@@ -16,87 +16,24 @@ import (
 	"github.com/Microsoft/hcsshim/pkg/ctrdtaskapi"
 )
 
-type ConfidentialUVMOpt func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error
+type ConfidentialUVMOpt func(ctx context.Context, r *guestresource.ConfidentialOptions) error
 
 // WithSecurityPolicy sets the desired security policy for the resource.
 func WithSecurityPolicy(policy string) ConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+	return func(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 		r.EncodedSecurityPolicy = policy
 		return nil
 	}
 }
 
 // WithSecurityPolicyEnforcer sets the desired enforcer type for the resource.
 func WithSecurityPolicyEnforcer(enforcer string) ConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+	return func(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 		r.EnforcerType = enforcer
 		return nil
 	}
 }
 
-// TODO (Mahati): Move this block out later
-type WCOWConfidentialUVMOpt func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error
-
-// WithSecurityPolicy sets the desired security policy for the resource.
-func WithWCOWSecurityPolicy(policy string) WCOWConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
-		r.EncodedSecurityPolicy = policy
-		return nil
-	}
-}
-
-// WithSecurityPolicyEnforcer sets the desired enforcer type for the resource.
-func WithWCOWSecurityPolicyEnforcer(enforcer string) WCOWConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
-		r.EnforcerType = enforcer
-		return nil
-	}
-}
-
-// WithUVMReferenceInfo reads UVM reference info file and base64 encodes the
-// content before setting it for the resource. This is no-op if the
-// path is empty or the file doesn't exist.
-func WithWCOWUVMReferenceInfo(path string) WCOWConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
-		encoded, err := base64EncodeFileContents(path)
-		if err != nil {
-			if os.IsNotExist(err) {
-				log.G(ctx).WithField("filePath", path).Debug("UVM reference info file not found")
-				return nil
-			}
-			return fmt.Errorf("failed to read UVM reference info file: %w", err)
-		}
-		r.EncodedUVMReference = encoded
-		return nil
-	}
-}
-
-func (uvm *UtilityVM) SetWCOWConfidentialUVMOptions(ctx context.Context, opts ...WCOWConfidentialUVMOpt) error {
-	if uvm.operatingSystem != "windows" {
-		return errNotSupported
-	}
-	uvm.m.Lock()
-	defer uvm.m.Unlock()
-	confOpts := &guestresource.WCOWConfidentialOptions{}
-	for _, o := range opts {
-		if err := o(ctx, confOpts); err != nil {
-			return err
-		}
-	}
-	modification := &hcsschema.ModifySettingRequest{
-		RequestType: guestrequest.RequestTypeAdd,
-		GuestRequest: guestrequest.ModificationRequest{
-			ResourceType: guestresource.ResourceTypeSecurityPolicy,
-			RequestType:  guestrequest.RequestTypeAdd,
-			Settings:     *confOpts,
-		},
-	}
-	if err := uvm.modify(ctx, modification); err != nil {
-		return fmt.Errorf("uvm::Policy: failed to modify utility VM configuration: %w", err)
-	}
-	return nil
-}
-
 func base64EncodeFileContents(filePath string) (string, error) {
 	if filePath == "" {
 		return "", nil
@@ -112,7 +49,7 @@ func base64EncodeFileContents(filePath string) (string, error) {
 // content before setting it for the resource. This is no-op if the
 // `referenceName` is empty or the file doesn't exist.
 func WithUVMReferenceInfo(referenceRoot string, referenceName string) ConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+	return func(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 		if referenceName == "" {
 			return nil
 		}
@@ -137,14 +74,10 @@ func WithUVMReferenceInfo(referenceRoot string, referenceName string) Confidenti
 // This has to happen before we start mounting things or generally changing
 // the state of the UVM after is has been measured at startup
 func (uvm *UtilityVM) SetConfidentialUVMOptions(ctx context.Context, opts ...ConfidentialUVMOpt) error {
-	if uvm.operatingSystem != "linux" {
-		return errNotSupported
-	}
-
 	uvm.m.Lock()
 	defer uvm.m.Unlock()
 
-	confOpts := &guestresource.LCOWConfidentialOptions{}
+	confOpts := &guestresource.ConfidentialOptions{}
 	for _, o := range opts {
 		if err := o(ctx, confOpts); err != nil {
 			return err
@@ -174,7 +107,7 @@ func (uvm *UtilityVM) InjectPolicyFragment(ctx context.Context, fragment *ctrdta
 		GuestRequest: guestrequest.ModificationRequest{
 			ResourceType: guestresource.ResourceTypePolicyFragment,
 			RequestType:  guestrequest.RequestTypeAdd,
-			Settings: guestresource.LCOWSecurityPolicyFragment{
+			Settings: guestresource.SecurityPolicyFragment{
 				Fragment: fragment.Fragment,
 			},
 		},

internal/uvm/start.go

@@ -326,28 +326,29 @@ func (uvm *UtilityVM) Start(ctx context.Context) (err error) {
 	}
 	uvm.SCSIManager = mgr
 
-	if uvm.confidentialUVMOptions != nil && uvm.OS() == "linux" {
+	var policy, enforcer, referenceInfoFileRoot, referenceInfoFilePath string
+
+	if uvm.confidentialUVMOptions != nil || uvm.HasConfidentialPolicy() {
+		if uvm.confidentialUVMOptions != nil && uvm.OS() == "linux" {
+			policy = uvm.confidentialUVMOptions.SecurityPolicy
+			enforcer = uvm.confidentialUVMOptions.SecurityPolicyEnforcer
+			referenceInfoFilePath = uvm.confidentialUVMOptions.UVMReferenceInfoFile
+			referenceInfoFileRoot = defaultLCOWOSBootFilesPath()
+		} else if uvm.HasConfidentialPolicy() && uvm.OS() == "windows" {
+			policy = uvm.createOpts.(*OptionsWCOW).SecurityPolicy
+			enforcer = uvm.createOpts.(*OptionsWCOW).SecurityPolicyEnforcer
+			referenceInfoFilePath = uvm.createOpts.(*OptionsWCOW).UVMReferenceInfoFile
+		}
 		copts := []ConfidentialUVMOpt{
-			WithSecurityPolicy(uvm.confidentialUVMOptions.SecurityPolicy),
-			WithSecurityPolicyEnforcer(uvm.confidentialUVMOptions.SecurityPolicyEnforcer),
-			WithUVMReferenceInfo(defaultLCOWOSBootFilesPath(), uvm.confidentialUVMOptions.UVMReferenceInfoFile),
+			WithSecurityPolicy(policy),
+			WithSecurityPolicyEnforcer(enforcer),
+			WithUVMReferenceInfo(referenceInfoFileRoot, referenceInfoFilePath),
 		}
 		if err := uvm.SetConfidentialUVMOptions(ctx, copts...); err != nil {
 			return err
 		}
 	}
 
-	if uvm.HasConfidentialPolicy() && uvm.OS() == "windows" {
-		copts := []WCOWConfidentialUVMOpt{
-			WithWCOWSecurityPolicy(uvm.createOpts.(*OptionsWCOW).SecurityPolicy),
-			WithWCOWSecurityPolicyEnforcer(uvm.createOpts.(*OptionsWCOW).SecurityPolicyEnforcer),
-			WithWCOWUVMReferenceInfo(uvm.createOpts.(*OptionsWCOW).UVMReferenceInfoFile),
-		}
-		if err := uvm.SetWCOWConfidentialUVMOptions(ctx, copts...); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }
 

test/gcs/main_test.go

@@ -169,7 +169,7 @@ func getHostErr(rt runtime.Runtime, tp transport.Transport) (*hcsv2.Host, error)
 	h := hcsv2.NewHost(rt, tp, &securitypolicy.OpenDoorSecurityPolicyEnforcer{}, os.Stdout)
 	if err := h.SetConfidentialUVMOptions(
 		context.Background(),
-		&guestresource.LCOWConfidentialOptions{},
+		&guestresource.ConfidentialOptions{},
 	); err != nil {
 		return nil, fmt.Errorf("could not set host security policy: %w", err)
 	}