From 5efef0509289bcad920c548733a247a604ab704d Mon Sep 17 00:00:00 2001
From: Miroslav Shubernetskiy
Date: Mon, 4 Nov 2024 16:15:39 -0500
Subject: [PATCH] fix: split attestation bits from metsys plugin

currently metsys plugin was reporting global metadata keys such as chalk run time as well as generating attestation bits such as artifact signature. this meant that disabling metsys plugin to avoid assigning metadata id, etc would also not report global keys such as chalk run time
this was happening for docker push when pushing non-chalked image
---
 src/collect.nim | 7 ++++---
 src/configs/base_plugins.c4m | 19 +++++++++++++++----
 src/docker/push.nim | 4 ++--
 src/plugins/system.nim | 14 ++++++++------
 4 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/src/collect.nim b/src/collect.nim
index d8044643..433724db 100644
--- a/src/collect.nim
+++ b/src/collect.nim
@@ -10,7 +10,7 @@ import "./docker"/[scan]
 import "."/[config, plugin_api]
 
 proc isSystem*(p: Plugin): bool =
- return p.name in ["system", "metsys"]
+ return p.name in ["system", "attestation", "metsys"]
 
 proc hasSubscribedKey(p: Plugin, keys: seq[string], dict: ChalkDict): bool =
 # Decides whether to run a given plugin... does it export any key we
@@ -45,9 +45,10 @@ proc canWrite(plugin: Plugin, key: string, decls: seq[string]): bool =
 if not attrGet[bool](section & ".system"):
 return true
 
- case plugin.name
- of "system", "metsys":
+ if plugin.isSystem():
 return true
+
+ case plugin.name
 of "conffile":
 if attrGet[bool](section & ".conf_as_system"):
 return true
diff --git a/src/configs/base_plugins.c4m b/src/configs/base_plugins.c4m
index c3df931b..1bea1f1f 100644
--- a/src/configs/base_plugins.c4m
+++ b/src/configs/base_plugins.c4m
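Review bot: `isSystem` now decides which plugins skip the `.system` write check in `canWrite` (second hunk of this file), yet the rule is undocumented and the plugin names are bare string literals that must agree with `suspendChalkCollectionFor("attestation")` in src/docker/push.nim and the `newPlugin("attestation", ...)` registration in src/plugins/system.nim. A doc comment would make the privilege explicit: `## Built-in plugins whose keys are non-overridable; canWrite lets them write keys marked system.` Declaring the three names once as a `const` and referencing it from all four places would keep a misspelled name from silently falling outside the system set.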
@@ -57,18 +57,29 @@ are not overridable via other plugins.
 #
 # The priority field is set to high(int64).
-plugin metsys {
+plugin attestation {
 ~enabled: true
 pre_chalk_keys: ["METADATA_HASH", "ERR_INFO", "FAILED_KEYS", "METADATA_ID", "SIGNING", "SIGNATURE", "INJECTOR_PUBLIC_KEY"]
 post_chalk_keys: ["_SIGNATURES"]
+ ~priority: high() - 1
+ doc: """
+Like the `system` module, this module is non-overridable keys added by
+Chalk. It's just the ones that need to be computed at the very end of
+chalk-time data collection phase, so integrity / signing and audit.
+"""
+}
+
+plugin metsys {
+ ~enabled: true
 post_run_keys: ["_OP_ERRORS", "_OP_FAILED_KEYS", "_CHALK_EXTERNAL_ACTION_AUDIT", "_CHALK_RUN_TIME", "_OP_EXIT_CODE"]
 ~priority: high()
 doc: """
 Like the `system` module, this module is non-overridable keys added by
 Chalk. It's just the ones that need to be computed at the very end of
-a data collection phase, so integrity / signing and audit.
+a run-time collection phase about the whole operation
+such as the overall chalk run time.
 """
 }
@@ -312,7 +323,7 @@ plugin conffile {
 pre_chalk_keys: ["*"] # Chalk-only keys are evaluated here.
 post_chalk_keys: ["*"] # Non-chalkable artifact keys here.
 post_run_keys: ["*"] # Post-run keys here.
- priority: high() - 1
+ priority: high() - 2
 doc: """
 This plugin is responsible for collecting any values explicitly set in the configuration file by the user. The user can set values statically
@@ -391,7 +402,7 @@ plugin elf_last_resort {
 codec: true
 pre_chalk_keys: ["ARTIFACT_TYPE"]
 post_chalk_keys: ["_CURRENT_HASH", "_OP_ARTIFACT_TYPE"]
- ~priority: high() - 1
+ ~priority: high() - 3
 doc: """
 This codec is only used for operating on chalk marks for oddball hand-written elf-files. It works by leveraging the fact that appending
diff --git a/src/docker/push.nim b/src/docker/push.nim
index 38dada97..35a969e9 100644
--- a/src/docker/push.nim
+++ b/src/docker/push.nim
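Review bot: The priority shuffle changes the relative order of `conffile` and `elf_last_resort`, which previously shared `high() - 1` and now sit at `high() - 2` and `high() - 3` (the hunks at old lines 312 and 391), and the commit description does not mention this; if priority determines evaluation order, either keep the tie (both at `high() - 2`) or call the new ordering out as intended. The new `attestation` block also reuses the old `metsys` doc text verbatim, so nothing in the config explains why it is a separate plugin. A sentence in its `doc` such as `Kept separate from metsys so that suspending attestation (e.g. docker push of an unchalked image) does not also suppress the run-level keys metsys reports.` would capture the intent from the commit message.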
@@ -17,7 +17,7 @@ proc dockerPush*(ctx: DockerInvocation): int =
 if chalkOpt.isNone():
 error("docker: " & ctx.foundImage & " is not found. pushing without chalk")
- return ctx.runMungedDockerInvocation()
+ return setExitCode(ctx.runMungedDockerInvocation())
 # force DOCKER_PLATFORM to be included in chalk normalization
 # which is required to compute unique METADATA_* keys
@@ -30,7 +30,7 @@ proc dockerPush*(ctx: DockerInvocation): int =
 # so they create things like CHALK_ID, METADATA_ID
 # but we just want to report keys about the artifact
 # without "creating" new chalkmark so we chalk-time collection
- suspendChalkCollectionFor("metsys")
+ suspendChalkCollectionFor("attestation")
 suspendChalkCollectionFor("docker")
 initCollection()
diff --git a/src/plugins/system.nim b/src/plugins/system.nim
index 6586b636..a3f60dd4 100644
--- a/src/plugins/system.nim
+++ b/src/plugins/system.nim
@@ -276,8 +276,8 @@ proc sysGetChalkTimeHostInfo*(self: Plugin): ChalkDict {.cdecl.} =
 let selfIdOpt = selfID
 if selfIdOpt.isSome():
 result["INJECTOR_CHALK_ID"] = pack(selfIdOpt.get())
 
-proc metsysGetChalkTimeArtifactInfo*(self: Plugin, obj: ChalkObj):
- ChalkDict {.cdecl.} =
+proc attestationGetChalkTimeArtifactInfo*(self: Plugin, obj: ChalkObj):
+ ChalkDict {.cdecl.} =
 result = ChalkDict()
 # We add these directly into collectedData so that it can get
@@ -300,8 +300,8 @@ proc metsysGetChalkTimeArtifactInfo*(self: Plugin, obj: ChalkObj):
 except:
 error("Cannot sign " & obj.name & ": " & getCurrentExceptionMsg())
 
-proc metsysGetRunTimeArtifactInfo(self: Plugin, obj: ChalkObj, insert: bool):
- ChalkDict {.cdecl.} =
+proc attestationGetRunTimeArtifactInfo(self: Plugin, obj: ChalkObj, insert: bool):
+ ChalkDict {.cdecl.} =
 result = ChalkDict()
 if insert and obj.willSignBySigStore():
 try:
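Review bot: Wrapping the early-return value in `setExitCode(...)` is a behaviour change the commit description does not mention; presumably it records the exit status so that `_OP_EXIT_CODE`, which the c4m hunk leaves in `metsys`'s `post_run_keys`, is still reported when an unchalked image is pushed, but that should be stated next to the line, e.g. `# record the exit code so metsys can still report _OP_EXIT_CODE for an unchalked push`. The second hunk swaps the suspended plugin to "attestation" while the comment above it still reads "so we chalk-time collection"; finishing that sentence (`# so we suspend chalk-time collection for the attestation and docker plugins`) would make the reason for the suspension readable. `dockerPush` begins before the first hunk and continues after the second.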
@@ -333,7 +333,9 @@ proc loadSystem*() =
 rtArtCallback = RunTimeArtifactCb(sysGetRunTimeArtifactInfo),
 rtHostCallback = RunTimeHostCb(sysGetRunTimeHostInfo))
 
+ newPlugin("attestation",
+ ctArtCallback = ChalkTimeArtifactCb(attestationGetChalkTimeArtifactInfo),
+ rtArtCallback = RunTimeArtifactCb(attestationGetRunTimeArtifactInfo))
+
 newPlugin("metsys",
- ctArtCallback = ChalkTimeArtifactCb(metsysGetChalkTimeArtifactInfo),
- rtArtCallback = RunTimeArtifactCb(metsysGetRunTimeArtifactInfo),
 rtHostCallback = RunTimeHostCb(metsysGetRunTimeHostInfo))
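Review bot: The new `newPlugin("attestation", ...)` registration carries no comment explaining why the signing callbacks were moved out of `metsys`, so a reader of `loadSystem` now sees two system-like plugins with no stated reason. A two-line comment above it would do: `# Signing/attestation keys live in their own plugin so that suspending them` / `# (docker push of an unchalked image) does not also drop metsys's run-level keys.` The callbacks line up with the c4m declaration (attestation gets chalk-time and run-time artifact callbacks, metsys keeps only the run-time host callback), which is consistent; `loadSystem`'s body starts before this hunk.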