Update Oak revision.

oak_containers_sdk and InstanceAttester have been removed; InstanceSessionBinder can be used an a replacement. Change-Id: I41f1cb64903adb819dc5e68e121bc8cff19a6a41
google-parfait · Mar 3, 2025 · 7254e8c · 7254e8c
1 parent ee330cf
commit 7254e8c
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 27 deletions.
diff --git a/WORKSPACE b/WORKSPACE
@@ -84,9 +84,9 @@ rules_proto_toolchains()
 
 http_archive(
     name = "oak",
-    sha256 = "fc7f1600800495ac1227579395a66822402be61dd45d37664f379bab5dec4c26",
-    strip_prefix = "oak-e7c76de7f54ef58527bc7ee59ca7f2e8e32c22fb",
-    url = "https://github.com/project-oak/oak/archive/e7c76de7f54ef58527bc7ee59ca7f2e8e32c22fb.tar.gz",
+    sha256 = "5bb692898705ae3dcdb2e7a385e7afc681e3f18866120aee6b06d1615f5a4cf9",
+    strip_prefix = "oak-d889956d9503c0459b96579e75ba34583d0809ae",
+    url = "https://github.com/project-oak/oak/archive/d889956d9503c0459b96579e75ba34583d0809ae.tar.gz",
 )
 
 load("@oak//bazel:repositories.bzl", "oak_toolchain_repositories")

diff --git a/apps/atomic_counter/container/BUILD b/apps/atomic_counter/container/BUILD
@@ -24,7 +24,6 @@ rust_binary(
         "//apps/atomic_counter/service:tcp_atomic_counter_service",
         "//proto:tcp_proto",
         "//runtime:tcp_runtime",
-        "@oak//oak_containers_sdk",
         "@oak//oak_proto_rust",
         "@oak//oak_sdk/containers:oak_sdk_containers",
         "@oak_crates_index//:anyhow",

diff --git a/apps/atomic_counter/container/src/main.rs b/apps/atomic_counter/container/src/main.rs
@@ -13,14 +13,14 @@
 // limitations under the License.
 
 use anyhow::{anyhow, Context};
-use oak_containers_sdk::OrchestratorClient;
 use oak_proto_rust::oak::attestation::v1::{
     binary_reference_value, kernel_binary_reference_value, reference_values, text_reference_value,
     BinaryReferenceValue, ContainerLayerReferenceValues, InsecureReferenceValues,
     KernelBinaryReferenceValue, KernelLayerReferenceValues, OakContainersReferenceValues,
     ReferenceValues, RootLayerReferenceValues, SkipVerification, SystemLayerReferenceValues,
     TextReferenceValue,
 };
+use oak_sdk_containers::OrchestratorClient;
 use tcp_atomic_counter_service::actor::CounterActor;
 use tcp_proto::runtime::endpoint::endpoint_service_server::EndpointServiceServer;
 use tcp_runtime::service::TonicApplicationService;

diff --git a/runtime/BUILD b/runtime/BUILD
@@ -45,8 +45,8 @@ rust_library(
         "@raft_rs//:raft",
     ] + select({
         "@platforms//os:linux": [
-            "@oak//oak_containers_sdk",
             "@oak//oak_sdk/common:oak_sdk_common",
+            "@oak//oak_sdk/containers:oak_sdk_containers",
             "@oak_crates_index//:mockall",
             "@oak_crates_index//:slog-term",
             "@oak_crates_index//:tokio",

diff --git a/runtime/src/session.rs b/runtime/src/session.rs
@@ -101,26 +101,22 @@ impl OakSessionBinderFactory for DefaultOakSessionBinderFactory {
 // Default implementation of `OakSessionBinderFactory` for Oak Containers.
 #[cfg(feature = "std")]
 pub struct OakContainersSessionBinderFactory {
-    signer: oak_containers_sdk::crypto::InstanceSigner,
+    binder: oak_sdk_containers::InstanceSessionBinder,
 }
 
 #[cfg(feature = "std")]
 impl OakContainersSessionBinderFactory {
     pub fn new(channel: &tonic::transport::channel::Channel) -> Self {
         Self {
-            signer: oak_containers_sdk::crypto::InstanceSigner::create(channel),
+            binder: oak_sdk_containers::InstanceSessionBinder::create(channel),
         }
     }
 }
 
 #[cfg(feature = "std")]
 impl OakSessionBinderFactory for OakContainersSessionBinderFactory {
     fn get(&self) -> Result<Box<dyn SessionBinder>> {
-        let binder = oak_session::session_binding::SignatureBinderBuilder::default()
-            .signer(Box::new(self.signer.clone()))
-            .build()
-            .map_err(anyhow::Error::msg)?;
-        Ok(Box::new(binder))
+        Ok(Box::new(self.binder.clone()))
     }
 }
 
@@ -288,7 +284,7 @@ impl OakSession<SessionResponse, SessionRequest> for DefaultOakClientSession {
     }
 
     fn write(&mut self, plaintext: &[u8]) -> Result<()> {
-        self.inner.write(&PlaintextMessage {
+        self.inner.write(PlaintextMessage {
             plaintext: plaintext.to_vec(),
         })
     }
@@ -343,7 +339,7 @@ impl OakSession<SessionRequest, SessionResponse> for DefaultOakServerSession {
     }
 
     fn write(&mut self, plaintext: &[u8]) -> Result<()> {
-        self.inner.write(&PlaintextMessage {
+        self.inner.write(PlaintextMessage {
             plaintext: plaintext.to_vec(),
         })
     }
@@ -395,8 +391,8 @@ mod test {
                 nonce: None,
                 aad: None,
             };
-            let encrypted_payload = replica_1.encrypt(&payload).unwrap();
-            let plaintext = replica_2.decrypt(&encrypted_payload).unwrap().message;
+            let encrypted_payload = replica_1.encrypt(payload).unwrap();
+            let plaintext = replica_2.decrypt(encrypted_payload).unwrap().message;
             assert_eq!(message, &plaintext);
         }
     }
@@ -430,7 +426,7 @@ mod test {
         for i in 0..test_messages.len() {
             encrypted_payloads.push(
                 replica_1
-                    .encrypt(&Payload {
+                    .encrypt(Payload {
                         message: test_messages[i].to_vec(),
                         nonce: None,
                         aad: None,
@@ -443,64 +439,64 @@ mod test {
         assert_eq!(
             test_messages[3],
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[3]))
+                .decrypt(clone_payload(&encrypted_payloads[3]))
                 .unwrap()
                 .message
         );
         // Decrypting messages within the window should be ok.
         assert_eq!(
             test_messages[1],
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[1]))
+                .decrypt(clone_payload(&encrypted_payloads[1]))
                 .unwrap()
                 .message
         );
         assert_eq!(
             test_messages[2],
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[2]))
+                .decrypt(clone_payload(&encrypted_payloads[2]))
                 .unwrap()
                 .message
         );
         // Replaying message should fail.
         assert_eq!(
             true,
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[3]))
+                .decrypt(clone_payload(&encrypted_payloads[3]))
                 .is_err()
         );
         assert_eq!(
             true,
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[2]))
+                .decrypt(clone_payload(&encrypted_payloads[2]))
                 .is_err()
         );
         assert_eq!(
             true,
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[1]))
+                .decrypt(clone_payload(&encrypted_payloads[1]))
                 .is_err()
         );
         // Decrypting messages outside the window should fail.
         assert_eq!(
             true,
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[0]))
+                .decrypt(clone_payload(&encrypted_payloads[0]))
                 .is_err()
         );
 
         // Decrypt more messages in order.
         assert_eq!(
             test_messages[4],
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[4]))
+                .decrypt(clone_payload(&encrypted_payloads[4]))
                 .unwrap()
                 .message
         );
         assert_eq!(
             test_messages[5],
             replica_2
-                .decrypt(&clone_payload(&encrypted_payloads[5]))
+                .decrypt(clone_payload(&encrypted_payloads[5]))
                 .unwrap()
                 .message
         );