refactoring to move CVM specific code from DiskUtil to CVMDiskUtil #1907
Open
pankajosh wants to merge 3 commits into pankajjoshi/KEKrotationCVM from
Conversation
canfikret
requested changes
Apr 10, 2024
| if attestation_url: | ||
| cmd = "{0} -a {1} -k {2} -s {3}".format(skr_app,attestation_url,kek_url,protector_base64) | ||
| else: | ||
| cmd = "{0} -k {1} -s {2}".format(skr_app,kek_url,protector_base64) |
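Review bot: in both branches the command is assembled as one formatted string with attestation_url, kek_url and protector_base64 inserted unquoted, so if that string is later handed to a shell any metacharacter in those values alters the command; build an argument list instead, e.g. `cmd = [skr_app, "-k", kek_url, "-s", protector_base64]` and prepend `["-a", attestation_url]` only when it is set, which also removes the duplicated format strings.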
Member
if no attestation url is specified, how is one constructed? (mapping VM location to known list?)
Member
in that case, the IMDS result file can store that for future use.
cat imds_stored_results.ini
[imds_stored_results]
securitytype = ConfidentialVM
...
| msg = process_comm.stdout.strip() | ||
| else: | ||
| pass | ||
| self.logger.log("secure_key_release_operation {0} unsuccessful.".format(operation)) |
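Review bot: the `else: pass` branch is empty and the failure log that follows records only the operation name, so a failed release leaves neither the process exit code nor its stderr in the extension log; drop the empty branch and include the return code and stripped stderr of the process in the message so the failure can be diagnosed from the log alone.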
Member
When SKR is not successful, we should set SKR_TRACE_ON=1 and re-run the command to get more traces into the extension log file. That's what we're doing in the Windows ADE.
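As an added example (not code from this PR or from the extension itself), the re-run-with-trace behaviour suggested in the comment above, sketched in Python: the skr command is built as an argument list using the -a/-k/-s flags shown in the diff, a failing run is repeated with SKR_TRACE_ON=1 in the environment, and the log line redacts the -s protector value so key material never reaches the log. The `run_skr`/`build_skr_argv` names, the `SkrResult` type and the two fake skr commands (stand-ins built from the Python interpreter so the block runs offline) are constructed for this example; the real extension's wrapper and its logger are not shown on the page.

```python
import os
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class SkrResult:
    """Outcome of a secure key release attempt (constructed type for this example)."""
    returncode: int
    stdout: str
    stderr: str
    traced: bool  # True when the result comes from the SKR_TRACE_ON=1 re-run


def build_skr_argv(skr_app, kek_url, protector_base64, attestation_url=None):
    """Build the skr command as an argv list (no shell string), using the
    -a/-k/-s flags from the diff; -a is only added when an attestation URL is given.
    skr_app may be a path or a list prefix (used here to plug in a fake command)."""
    argv = list(skr_app) if isinstance(skr_app, (list, tuple)) else [skr_app]
    if attestation_url:
        argv += ["-a", attestation_url]
    argv += ["-k", kek_url, "-s", protector_base64]
    return argv


def redact_argv(argv):
    """Copy of argv with the value following -s (the wrapped protector) masked."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg == "-s":
            out[i + 1] = "<redacted>"
    return out


def run_skr(argv, log=print, timeout=60):
    """Run the skr command; on failure log the error and re-run once with
    SKR_TRACE_ON=1 so the verbose trace lands in the extension log."""
    first = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    if first.returncode == 0:
        return SkrResult(0, first.stdout.strip(), first.stderr.strip(), False)
    log("secure key release failed (rc={}) for {}: {}".format(
        first.returncode, " ".join(redact_argv(argv)), first.stderr.strip()))
    env = dict(os.environ, SKR_TRACE_ON="1")
    second = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, env=env)
    log("SKR_TRACE_ON=1 re-run rc={} stderr:\n{}".format(
        second.returncode, second.stderr.strip()))
    return SkrResult(second.returncode, second.stdout.strip(),
                     second.stderr.strip(), True)


# Constructed stand-ins for the skr binary so the example runs offline:
# one always fails but prints a trace line only when SKR_TRACE_ON=1,
# the other succeeds and prints a placeholder release result.
FAKE_SKR_FAIL = [
    sys.executable, "-c",
    "import os, sys; "
    "traced = os.environ.get('SKR_TRACE_ON') == '1'; "
    "sys.stderr.write('trace: attestation handshake detail\\n' if traced "
    "else 'error: key release denied\\n'); "
    "sys.exit(1)",
]
FAKE_SKR_OK = [
    sys.executable, "-c",
    "import sys; sys.stdout.write('released-key-material\\n'); sys.exit(0)",
]


if __name__ == "__main__":
    argv = build_skr_argv(FAKE_SKR_FAIL, "https://<vault_name>.vault.azure.net/keys/kek",
                          "QUFBQQ==", attestation_url="https://<attestation_host>")
    result = run_skr(argv)
    print(result)
```

The redaction matters because the protector value is the wrapped volume key; logging the raw argv on failure, which is the natural thing to do when adding traces, would otherwise copy it into the extension log.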
| "KeyEncryptionKeyURL": "<kek_url>", | ||
| "KeyVaultResourceId": "<kv_res_id>", | ||
| "KeyVaultURL": "https://<vault_name>.vault.azure.net/", | ||
| "AttestationURL": null, |
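Review bot: the sample configuration sets "AttestationURL" to null while the code above branches on attestation_url and silently omits the -a argument when it is empty; if the value is required for a confidential VM, document that it must be set and what the extension does when it is missing, rather than showing null as the example value.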
Member
Nit: AttestationURL might/should not be null.
| "KekVaultResourceId": "<kek_res_id>", | ||
| "KeyEncryptionKeyURL": "<kek_url>", | ||
| "KeyVaultResourceId": "<kv_res_id>", | ||
| "KeyVaultURL": "https://<vault_name>.vault.azure.net/", |
Member
or https://<mhsm_name>.managedhsm.azure.net
Please review.