Skip to content

Enable encrypted local fs kbs backend of RPM and image #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jialez0 merged 2 commits into from
Feb 3, 2026
Merged

Enable encrypted local fs kbs backend of RPM and image #152

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2bc4390
Enable encrypted local fs kbs backend of RPM and image
jialez0 Feb 3, 2026
b882c04
Update RPM spec to v1.8.1
jialez0 Feb 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion Dockerfile.kbs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ ARG ARCH=x86_64
ARG HTTPS_CRYPTO=rustls
ARG ALIYUN=true
ARG TPM_PCA_PLUGIN=true
ARG ENCRYPTED_LOCAL_FS=true

WORKDIR /usr/src/kbs
COPY . .
Expand All @@ -29,7 +30,7 @@ RUN if [ -n "$CARGO_JOBS" ]; then \
fi

# Build and Install KBS
RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} TPM_PCA_PLUGIN=${TPM_PCA_PLUGIN} && \
RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} TPM_PCA_PLUGIN=${TPM_PCA_PLUGIN} ENCRYPTED_LOCAL_FS=${ENCRYPTED_LOCAL_FS} && \
make install-kbs

FROM ${BASE_IMAGE}
Expand Down
2 changes: 1 addition & 1 deletion dist/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ build:
cd ../trustee-gateway && \
CGO_ENABLED=1 GOOS=linux go build -mod vendor -a -installsuffix cgo -ldflags="-s -w" -o gateway cmd/server/main.go && \
cd ..
cargo build -p kbs --locked --release --no-default-features --features coco-as-grpc,aliyun,tpm-pca
cargo build -p kbs --locked --release --no-default-features --features coco-as-grpc,aliyun,tpm-pca,encrypted-local-fs
cargo build --bin restful-as --release --features restful-bin --locked
cargo build --bin grpc-as --release --features grpc-bin --locked
cargo build --bin rvps --release
Expand Down
2 changes: 1 addition & 1 deletion kbs/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ AS_TYPE ?= coco-as
ALIYUN ?= false
NEBULA_CA_PLUGIN ?= false
TPM_PCA_PLUGIN ?= false
ENCRYPTED_LOCAL_FS ?= false
ENCRYPTED_LOCAL_FS ?= true

BUILD_ARCH := $(shell uname -m)
ARCH ?= $(shell uname -m)
Expand Down
7 changes: 6 additions & 1 deletion rpm/trustee.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
%global __brp_mangle_shebangs %{nil}

Name: trustee
Version: 1.8.0
Version: 1.8.1
Release: %{alinux_release}%{?dist}
Summary: Daemon services for attestation and secret distribution
Group: Applications/System
Expand Down Expand Up @@ -148,6 +148,11 @@ fi
/var/lib/attestation/token/ear/policies/opa/default.rego

%changelog
* Tue Feb 3 2026 Jiale Zhang <xinjian.zjl@alibaba-inc.com> -1.8.1-1
- KBS: add external KMS resource backend with dynamic .so provider loading
- KBS: enable encrypted local fs backend by default in build options
- Docs: update resource backend configuration for ExternalKms

* Mon Jan 26 2026 Jiale Zhang <xinjian.zjl@alibaba-inc.com> -1.8.0-1
- Add OIDC token support for attestation-service by @jinzihao
- trustee-gateway: add eas_pod_name to audit structure by @jialez0
Expand Down
Loading