Consolidate oak containers protos into one ergonomic file for customer teams, and add relevant build targets

oak_containers/proto/interfaces.proto

@@ -16,6 +16,11 @@
 
 syntax = "proto3";
 
+// TODO(#4392): Remove this file once the migration is complete.
+// This file is deprecated. The relevant functionality is available in
+// `proto/containers/application_interfaces.proto` & `proto/containers/launcher.proto`. DO NOT
+// MODIFY THIS FILE, DO NOT ADD NEW DEPENDENCIES ON IT.
+
 package oak.containers;
 
 import "google/protobuf/empty.proto";

oak_containers_launcher/build.rs

@@ -19,7 +19,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Generate gRPC code for connecting to the launcher.
     generate_grpc_code(
         &[
-            "../oak_containers/proto/interfaces.proto",
+            "../proto/containers/launcher.proto",
             "../oak_crypto/proto/v1/crypto.proto",
             "../proto/key_provisioning/key_provisioning.proto",
             "../proto/containers/hostlib_key_provisioning.proto",

oak_containers_launcher/src/lib.rs

@@ -16,8 +16,6 @@
 pub mod proto {
     pub mod oak {
         pub mod containers {
-            #![allow(clippy::return_self_not_must_use)]
-            tonic::include_proto!("oak.containers");
             pub mod v1 {
                 #![allow(clippy::return_self_not_must_use)]
                 tonic::include_proto!("oak.containers.v1");

oak_containers_launcher/src/server.rs

@@ -43,15 +43,11 @@ use tokio_stream::wrappers::TcpListenerStream;
 use tonic::{transport::Server, Request, Response, Status};
 
 use crate::proto::oak::{
-    containers::{
+    containers::v1::{
+        hostlib_key_provisioning_server::{HostlibKeyProvisioning, HostlibKeyProvisioningServer},
         launcher_server::{Launcher, LauncherServer},
-        v1::{
-            hostlib_key_provisioning_server::{
-                HostlibKeyProvisioning, HostlibKeyProvisioningServer,
-            },
-            GetGroupKeysResponse, GetKeyProvisioningRoleResponse, KeyProvisioningRole,
-        },
-        GetApplicationConfigResponse, GetImageResponse, SendAttestationEvidenceRequest,
+        GetApplicationConfigResponse, GetGroupKeysResponse, GetImageResponse,
+        GetKeyProvisioningRoleResponse, KeyProvisioningRole, SendAttestationEvidenceRequest,
     },
     session::v1::AttestationEvidence,
 };

oak_containers_orchestrator/build.rs

@@ -19,9 +19,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Generate gRPC code for Orchestrator services.
     generate_grpc_code(
         &[
-            "../oak_containers/proto/interfaces.proto",
             "../proto/key_provisioning/key_provisioning.proto",
-            "../proto/containers/orchestrator_crypto.proto",
+            "../proto/containers/application_interfaces.proto",
+            "../proto/containers/launcher.proto",
             "../proto/containers/hostlib_key_provisioning.proto",
             "../proto/session/messages.proto",
         ],

oak_containers_orchestrator/src/ipc_server.rs

@@ -24,9 +24,9 @@ use tonic::{transport::Server, Request, Response};
 use crate::{
     crypto::{CryptoService, KeyStore},
     launcher_client::LauncherClient,
-    proto::oak::containers::{
+    proto::oak::containers::v1::{
+        orchestrator_crypto_server::OrchestratorCryptoServer,
         orchestrator_server::{Orchestrator, OrchestratorServer},
-        v1::orchestrator_crypto_server::OrchestratorCryptoServer,
         GetApplicationConfigResponse,
     },
 };

oak_containers_orchestrator/src/launcher_client.rs

@@ -19,9 +19,9 @@ use tonic::transport::Channel;
 
 use crate::proto::oak::{
     attestation::v1::Evidence,
-    containers::{
-        launcher_client::LauncherClient as GrpcLauncherClient,
-        v1::{hostlib_key_provisioning_client::HostlibKeyProvisioningClient, KeyProvisioningRole},
+    containers::v1::{
+        hostlib_key_provisioning_client::HostlibKeyProvisioningClient,
+        launcher_client::LauncherClient as GrpcLauncherClient, KeyProvisioningRole,
         SendAttestationEvidenceRequest,
     },
     key_provisioning::v1::GroupKeys,

oak_containers_orchestrator/src/lib.rs

@@ -16,8 +16,6 @@
 pub mod proto {
     pub mod oak {
         pub mod containers {
-            #![allow(clippy::return_self_not_must_use)]
-            tonic::include_proto!("oak.containers");
             pub mod v1 {
                 #![allow(clippy::return_self_not_must_use)]
                 tonic::include_proto!("oak.containers.v1");

oak_containers_sdk/Cargo.toml

@@ -11,7 +11,6 @@ oak_grpc_utils = { workspace = true }
 [dependencies]
 anyhow = "*"
 async-trait = { version = "*", default-features = false }
-oak_attestation = { workspace = true }
 oak_crypto = { workspace = true }
 prost = "*"
 prost-types = "*"

oak_containers_sdk/build.rs

@@ -19,10 +19,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Generate gRPC code for connecting to the Orchestrator.
     generate_grpc_code(
         &[
-            "oak_containers/proto/interfaces.proto",
             "oak_crypto/proto/v1/crypto.proto",
             "proto/session/messages.proto",
-            "proto/containers/orchestrator_crypto.proto",
+            "proto/containers/application_interfaces.proto",
         ],
         "..",
         CodegenOptions {

oak_containers_sdk/src/lib.rs

@@ -16,13 +16,11 @@
 mod proto {
     pub mod oak {
         pub mod containers {
-            tonic::include_proto!("oak.containers");
             pub mod v1 {
                 #![allow(clippy::return_self_not_must_use)]
                 tonic::include_proto!("oak.containers.v1");
             }
         }
-        pub use oak_attestation::proto::oak::{attestation, session};
         pub use oak_crypto::proto::oak::crypto;
     }
 }

oak_containers_sdk/src/orchestrator_client.rs

@@ -17,7 +17,7 @@ use anyhow::{Context, Result};
 use tonic::transport::{Endpoint, Uri};
 use tower::service_fn;
 
-use crate::proto::oak::containers::orchestrator_client::OrchestratorClient as GrpcOrchestratorClient;
+use crate::proto::oak::containers::v1::orchestrator_client::OrchestratorClient as GrpcOrchestratorClient;
 
 // Unix Domain Sockets do not use URIs, hence this URI will never be used.
 // It is defined purely since in order to create a channel, since a URI has to

oak_containers_stage1/Cargo.toml

@@ -15,7 +15,6 @@ clap = { version = "*", features = ["derive"] }
 coset = { version = "*", features = ["std"] }
 futures-util = "*"
 oak_attestation = { workspace = true }
-oak_crypto = { workspace = true }
 oak_dice = { workspace = true }
 nix = { version = "*", features = ["mman"] }
 p256 = { version = "*" }

oak_containers_stage1/build.rs

@@ -20,9 +20,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Generate gRPC code for loading the system image.
     generate_grpc_code(
         &[
-            "../oak_containers/proto/interfaces.proto",
             "../oak_crypto/proto/v1/crypto.proto",
             "../proto/session/messages.proto",
+            "../proto/containers/launcher.proto",
         ],
         "..",
         CodegenOptions {

oak_containers_stage1/src/client.rs

@@ -17,14 +17,17 @@
 mod proto {
     pub mod oak {
         pub mod containers {
-            tonic::include_proto!("oak.containers");
+            pub mod v1 {
+                #![allow(clippy::return_self_not_must_use)]
+                tonic::include_proto!("oak.containers.v1");
+            }
         }
         pub use oak_attestation::proto::oak::{attestation, session};
     }
 }
 
 use anyhow::{Context, Result};
-use proto::oak::containers::launcher_client::LauncherClient as GrpcLauncherClient;
+use proto::oak::containers::v1::launcher_client::LauncherClient as GrpcLauncherClient;
 use tonic::transport::{Channel, Uri};
 
 pub struct LauncherClient {

oak_functions_containers_app/build.rs

@@ -38,7 +38,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
     generate_grpc_code(
         &[
-            "../oak_containers/proto/interfaces.proto",
+            "../oak_crypto/proto/v1/crypto.proto",
+            "../proto/containers/application_interfaces.proto",
             "../proto/session/messages.proto",
         ],
         "..",

oak_functions_containers_app/src/lib.rs

@@ -52,8 +52,10 @@ pub mod proto {
             tonic::include_proto!("oak.functions");
         }
         pub mod containers {
-            #![allow(clippy::return_self_not_must_use)]
-            tonic::include_proto!("oak.containers");
+            pub mod v1 {
+                #![allow(clippy::return_self_not_must_use)]
+                tonic::include_proto!("oak.containers.v1");
+            }
         }
         pub use oak_attestation::proto::oak::{attestation, session};
         pub use oak_crypto::proto::oak::crypto;

proto/containers/BUILD

@@ -15,6 +15,9 @@
 #
 
 load("@bazel_skylib//rules:build_test.bzl", "build_test")
+load("@com_github_grpc_grpc//bazel:cc_grpc_library.bzl", "cc_grpc_library")
+load("@com_github_grpc_grpc//bazel:python_rules.bzl", "py_grpc_library", "py_proto_library")
+load("@rules_cc//cc:defs.bzl", "cc_proto_library")
 load("@rules_proto//proto:defs.bzl", "proto_library")
 
 package(
@@ -23,10 +26,49 @@ package(
 )
 
 proto_library(
-    name = "orchestrator_crypto_proto",
-    srcs = ["orchestrator_crypto.proto"],
+    name = "common_proto",
+    srcs = ["common.proto"],
+)
+
+proto_library(
+    name = "application_interfaces_proto",
+    srcs = ["application_interfaces.proto"],
     deps = [
+        ":common_proto",
         "//oak_crypto/proto/v1:crypto_proto",
+        "//oak_remote_attestation/proto/v1:messages_proto",
+        "@com_google_protobuf//:empty_proto",
+    ],
+)
+
+cc_proto_library(
+    name = "application_interfaces_cc_proto",
+    deps = [":application_interfaces_proto"],
+)
+
+cc_grpc_library(
+    name = "application_interfaces_cc_grpc",
+    srcs = [":application_interfaces_proto"],
+    grpc_only = True,
+    deps = [":application_interfaces_proto"],
+)
+
+py_proto_library(
+    name = "application_interfaces_py_proto",
+    deps = [":application_interfaces_proto"],
+)
+
+py_grpc_library(
+    name = "application_interfaces_py_grpc",
+    srcs = [":application_interfaces_proto"],
+    deps = [":application_interfaces_py_proto"],
+)
+
+proto_library(
+    name = "launcher_proto",
+    srcs = ["launcher.proto"],
+    deps = [
+        ":common_proto",
     ],
 )
 
@@ -38,10 +80,20 @@ proto_library(
     ],
 )
 
+# TODO(#4392): Remove once the migration is complete.
+proto_library(
+    name = "orchestrator_crypto_proto",
+    srcs = ["orchestrator_crypto.proto"],
+    deps = [
+        "//oak_crypto/proto/v1:crypto_proto",
+    ],
+)
+
 build_test(
     name = "build_test",
     targets = [
         ":hostlib_key_provisioning_proto",
-        ":orchestrator_crypto_proto",
+        ":application_interfaces_proto",
+        ":launcher_proto",
     ],
 )

proto/containers/application_interfaces.proto

@@ -0,0 +1,75 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+// Interfaces that may be invoked by the application
+
+syntax = "proto3";
+
+package oak.containers.v1;
+
+import "oak_crypto/proto/v1/crypto.proto";
+import "google/protobuf/empty.proto";
+import "proto/containers/common.proto";
+
+// Defines the service exposed by the orchestrator, that can be invoked by the application.
+service Orchestrator {
+  // Exposes the previously loaded trusted application config to the application,
+  // which may choose to retrieve it.
+  rpc GetApplicationConfig(google.protobuf.Empty) returns (GetApplicationConfigResponse) {}
+
+  // Notifies the orchestrator that the trusted app is ready to serve requests and listening on the
+  // pre-arranged port (8080).
+  rpc NotifyAppReady(google.protobuf.Empty) returns (google.protobuf.Empty) {}
+}
+
+// Choice between a key generated by the enclave instance and the key distributed to the enclave
+// group with Key Provisioning.
+enum KeyOrigin {
+  KEY_ORIGIN_UNSPECIFIED = 0;
+  INSTANCE = 1;
+  GROUP = 2;
+}
+
+message DeriveSessionKeysRequest {
+  KeyOrigin key_origin = 1;
+  // Ephemeral Diffie-Hellman client public key that is needed to derive session keys.
+  bytes serialized_encapsulated_public_key = 2;
+}
+
+message DeriveSessionKeysResponse {
+  // Session keys for decrypting client requests and encrypting enclave responses.
+  oak.crypto.v1.SessionKeys session_keys = 1;
+}
+
+message SignRequest {
+  KeyOrigin key_origin = 1;
+  bytes message = 2;
+}
+
+message SignResponse {
+  oak.crypto.v1.Signature signature = 1;
+}
+
+// RPC service that is exposed to an enclave application and allows it to:
+// - Encrypt/decrypt messages
+// - Sign arbitrary data
+// TODO(#4504): Implement data signing.
+service OrchestratorCrypto {
+  // Derives session keys for decrypting client requests and encrypting enclave responses.
+  rpc DeriveSessionKeys(DeriveSessionKeysRequest) returns (DeriveSessionKeysResponse) {}
+  // Signs the provided message using the hardware rooted signing key.
+  rpc Sign(SignRequest) returns (SignResponse) {}
+}