chore: greater protection for release mode

[rjzak]

• Self-signed certificate not permitted in release mode
• Generating a certificate is not permitted in release mode

References #49

Signed-off-by: Richard Zak [email protected]

[rvolosatovs]

I don't think that solution to "having too much code" can be adding more code.

Why don't we just remove the testing code from our critical production service instead?

If we need this functionality for unit tests, then let's define clear boundaries in our internal API such that testing would be possible without modifying the implementation and be fully self-contained within the test module?

In any case, tests utilizing testing code don't test anything, those paths will never be taken in production setting, since those pieces of code will never be compiled in release mode. Note, that a mistake here could be very costly, while also being pretty easy to make. Tests must rely on "real" implementations we run in production as much as possible.

[rvolosatovs]

bool is Copy and small enough that & does not bring any benefits

[rjzak]

I did that to address complaints about use of a moved value.

[haraldh]

strange, it just compiles fine without it

[rjzak]

I think my IDE was having problems. I reverted back to bool and it's fine.

[rvolosatovs]

Especially looking at the env var name, this parameter does not seem relevant to the Steward at it's present form

[rjzak]

It's used to generate keys, which we wouldn't do in a production environment.

[rjzak]

Additionally, some tests were disabled for release mode (since Nix seems to test in release mode) due to this discovered bug #73

[rjzak]

I don't think that solution to "having too much code" can be adding more code.

I don't think I added that much code. I disabled code when compiling for release.

Why don't we just remove the testing code from our critical production service instead?

We need to have some testing (debug mode) to ensure things work in the future, since not everyone has SGX or SNP machines. The very reason for the nil and kvm backends in Enarx.

If we need this functionality for unit tests, then let's define clear boundaries in our internal API such that testing would be possible without modifying the implementation and be fully self-contained within the test module?

Sure, I can move the logic for generate() to the test side. But I still think having some debug functionally as a stand-alone executable beyond unit tests is helpful. The only part would be to ensure not using self-signed certs when compiled for release.

In any case, tests utilizing testing code don't test anything, those paths will never be taken in production setting, since those pieces of code will never be compiled in release mode. Note, that a mistake here could be very costly, while also being pretty easy to make. Tests must rely on "real" implementations we run in production as much as possible.

Again, the tests ensure the debug parts work, when utilized for actual testing. Better attestation reports and public keys can be serialized to ensure better testing #73 to fully exercise the release code.

[rvolosatovs]

As discussed a few times already, deferring review to @npmccallum
I personally think that we should just remove KVM attestation and use real, captured SGX and SEV reports in tests.
If we really want to have KVM attestation available, then that should be guarded by insecure feature (as is already done) and --insecure runtime flag. Still, I am not happy by how much the implementation is changed to account for this. I find that the prevalent cfg attributes make the code harder to reason about and maintain. What's worse, it introduces plethora of new code paths, that actual, real, production service will never take and results in "real" code that should be tested to not get tested.

If we really want to have KVM attestation available, then I think we need to restructure the code in such a way that this feature would not be as intrusive and such that the unit tests would still test "real" code paths and not code paths, which would never be taken in production.

[rvolosatovs]

Suggested change

	return Err(anyhow!("steward not in debug mode"));
	bail!("steward not in insecure mode")

[rjzak]

Captured SEV & SGX reports added yesterday.