
pkcs11 plugin can no longer provide KBS resources #1158

@berrange

Describe the bug

In #735 (CC @tylerfanelli) the pkcs11 resource backend was turned into a standalone plugin, in order to provide new functionality for wrapping/unwrapping data with a protected key, in parallel with the existing resource data storage facility.

The PR description indicates backwards compatibility was intended:

The resource storage backend functionality is preserved, storing and retrieving secrets were originally done by setting the storage backend in the resource plugin to be PKCS11. With this plugin, the original resource URL to store/fetch secrets:

/kbs/v0/resource/{REPOSITORY}/{TYPE}/{TAG}

can be replaced by:

/kbs/v0/pkcs11/resource/{REPOSITORY}/{TYPE}/{TAG}

and the behavior will remain the same.

but I'm not seeing how backwards compatibility is actually achieved in practice, because this requires every trustee client to be modified to know to use a different URL path, and that has not been done.

The 'trustee-attestor' binary, for example, only knows how to handle /kbs/v0/resource paths:

https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbs_protocol/src/client/rcar_client.rs

        let mut remote_url = format!(
            "{}/{KBS_PREFIX}/resource/{}/{}/{}",
            self.kbs_host_url, resource_uri.repository, resource_uri.r#type, resource_uri.tag
        );

While it would be possible to modify the client code to support choice of the different /kbs/v0/pkcs11/resource prefix, this feels undesirable. The choice of resource storage backend used by the KBS ought to be kept completely opaque to the guest OS, so the owner of the KBS can change it at will, without any effect on guest attestation.

IOW, while the idea of supporting key wrapping via PKCS11 is fine, it feels like the existing PKCS11 resource data storage backend should have been left untouched, and a new PKCS11 plugin added solely for the key wrapping features.

How to reproduce

  • Configure the KBS with the pkcs11 plugin
  • Attempt to use it with trustee-attestor to acquire data

CoCo version information

0.13.0 or later

What TEE are you seeing the problem on

None

Failing command and relevant log output

Labels: bug
