Bug fixes and Docs update

cli/medperf/commands/cc/dataset_update_cc_policy.py

@@ -44,6 +44,8 @@ def get_permitted_workloads(dataset: Dataset):
         model_assocs = config.comms.get_benchmark_models_associations(benchmark_id)
         for model_assoc in model_assocs:
             model = Model.get(model_assoc["model"])
+            if not model.requires_cc():
+                continue
             asset = model.asset_obj
             workload_info = CCWorkloadID(
                 data_hash=dataset.generated_uid,

docs/concepts/confidential_computing.md

@@ -0,0 +1,70 @@
+# Configuring confidential Computing
+
+## Overview
+
+You are a data owner. You already have a registered, prepared, operational dataset. You already associated your dataset with the benchmark that contains a model that requires confidential computing.
+This guide helps you configure the MedPerf client to run a confidential computing model on your dataset in the google cloud environment.
+
+## Start the web UI and login
+
+Make sure you have MedPerf installed.
+
+Run the command `medperf_webui` on your terminal to start the local web user interface.
+
+In the web UI, login by clicking on the `login` button and follow the required steps.
+
+## Get a certificate
+
+1. Navigate to the `settings` page
+2. Scroll down to the `Certificate Settings` section.
+3. If you already have a certificate, skip this step. Otherwise, click the button and follow the required steps to get a certificate.
+
+Note: you may see a status `to be uploaded`. No need to upload your certificate for this usecase.
+
+## Configure your cloud environment information in MedPerf
+
+Ask your cloud administrator for the following information:
+
+- Project ID
+- Project Number
+- Bucket
+- Keyring Name
+- Key Name
+- Key Location
+- Workload Identity Pool
+- Workload Identity Provider
+- Service Account Name
+- VM Zone
+- VM Name
+
+You will use this information to configure your Medperf client.
+
+### Set up google cloud CLI
+
+Note: This step should be done in a terminal.
+
+1. Install the gcloud CLI (<https://docs.cloud.google.com/sdk/docs/install-sdk#latest-version>). Follow only the two sections about installing the CLI and initializing google cloud.
+2. Run `gcloud auth list` and make sure your account is active (an asterisk should be next to your account email)
+3. Set the project ID by running the command `gcloud config set project PROJECT_ID` where `PROJECT_ID` is the project ID you got from your cloud admin.
+4. Run the following command `gcloud auth application-default login` and follow the required steps.
+
+### Configure Medperf with your confidential VM settings
+
+1. Navigate to the `settings` page in the web UI
+2. Scroll down to the `Confidential Computing Operator Settings`
+3. Check the box `Configure confidential Computing`
+4. Fill in the required information.
+5. Click `Apply Changes`.
+
+### Configure Medperf with your Dataset cloud resources settings
+
+1. Navigate to your dataset dashboard (Click on the `Datasets` tab, then find your dataset. You can click `mine_only` to view only your datasets.)
+2. Scroll down to the section `Confidential Computing Preferences`.
+3. Check the box `Configure dataset for Confidential Computing`
+4. Fill in the required information.
+5. Click `Apply Changes`.
+6. After step 5, a new button will appear. Click on the new button `Sync CC policy`.
+
+## What's next?
+
+You can now run the model that required confidential computing, by clicking the button `Run` near the model of interest. After execution finishes, submit the results by clicking the `Submit` button that will later appear.

examples/cc/admin_scripts/README.md

@@ -2,25 +2,38 @@
 
 ## For GCP Project Admin
 
+Context: The user will use the MedPerf client on the local machine where the data resides. You (IT/cloud admin) will be creating required resources for the data user in order to allow them to use MedPerf to run inference on their dataset in a confidential virtual machine on google cloud. Here is what will happen behind the scenes when the user uses MedPerf to run a confidential computing workload; this will help understand the reason behind the resources and user roles being asked for.
+
+Medperf will:
+
+1. Encrypt the dataset using a locally generated key.
+2. Encrypt the key using cloud KMS
+3. Upload the encrypted dataset and the encrypted key to the cloud bucket.
+4. Update the workload identity pool OIDC provider with relevant attribute conditions and configure it to bind certain attestation claims to identities.
+5. Update the IAM policy of the bucket and of the KMS to only allow a confidential computing workload with certain attestation claims to get the encrypted data and to use the KMS to decrypt.
+6. Update the provisioned virtual machine with relevant metadata (e.g., docker container)
+7. Start the virtual machine, which will at the end write results to the bucket
+8. Stream logs from the virtual machine serial port.
+9. Download results from the bucket to the local machine.
+
 ### Quotas
 
 You will be creating:
 
-- bucket
+- a bucket
 - a KMS HSM key
-- a workload identity pool
+- a workload identity pool and an OIDC provider.
 - a service account
 - a GPU-based confidential VM (machine type: a3-highgpu-1g). To view zones where this machine type is available, visit <https://docs.cloud.google.com/compute/docs/regions-zones/gpu-regions-zones> and look for availability of "A3 High".
 
-You will need to make sure you have enough quota for nvidia h100 GPUs:
-
-- visit <https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance-with-gpu#request-preemptible-quota> and read sections "Request preemptible quota" and "Request global quota"; make sure you have these quotas. only 1 GPU is needed.
+You will need to make sure you have enough quota for the resources mentioned above.
+Additionally, `a3-highgpu-1g` machines use Nvidia H100 GPUs. Visit <https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance-with-gpu#request-preemptible-quota> and read sections "Request preemptible quota" and "Request global quota" to make sure you have enough quota. Only 1 GPU is needed.
 
 ### Creating resources
 
-Note: a script `admin.sh` can be found in this folder. You can configure the constants (e.g., project id, names of the resources to be created, etc...), run the script in cloud shell, and you are done. It will print at the end the information needed to be passed to the user.
+Note: a script `admin.sh` can be found in this folder. You can configure the constants (e.g., project id, names of the resources to be created, etc...), run the script in cloud shell, and you are done. It will print at the end the information needed to be passed to the user. You can also export the constants and then run the commands one by one.
 
-If you want to create resources manually, follow the instructions below.
+If you want to create resources manually using the google cloud console, follow the instructions below. Note however that there are some steps that can't be done using the console and should be run as commands using the gcloud CLI.
 
 #### Resources for Hosting the dataset and managing access
 
@@ -63,9 +76,3 @@ If you want to create resources manually, follow the instructions below.
 - Create a VM
   - You should use the command given in the `admin.sh` script to create the VM. Run it in the cloud shell.
   - grant the user "roles/compute.instanceAdmin.v1" role on the VM.
-
-## For users
-
-login
-set project
-run `gcloud auth application-default login`

examples/cc/admin_scripts/admin.sh

@@ -4,32 +4,32 @@ set -eo pipefail
 ####################################################
 
 # Project ID
-export PROJECT_ID="medperf-330914"
+export PROJECT_ID="project_id"
 
 # User email
-export USER="hasan.gcptest@gmail.com"
+export USER_EMAIL="user@example.com"
 
 # New service account name to create
-export SERVICE_ACCOUNT_NAME="medperf-cc-sa"
+export SERVICE_ACCOUNT_NAME="sa_name"
 
 # New KMS info to create
-export KEYRING_NAME="medperf-keyring"
-export KEY_NAME="medperf-key"
-export KEY_LOCATION="global"
+export KEYRING_NAME="keyring_name"
+export KEY_NAME="key_name"
+export KEY_LOCATION="key_location"  # e.g., us-central1, europe-west3, ...
 
 # New Workload identity pool and OIDC provider info to create
-export WIP_ID="medperf-wip"
-export WIP_PROVIDER_ID="medperf-wippro"
+export WIP_ID="wip_name"
+export WIP_PROVIDER_ID="attestation-verifier"
 
 # New bucket info to create
-export BUCKET_NAME="medperf-bucket"
-export BUCKET_LOCATION="us-central1"
+export BUCKET_NAME="bucket_name"  # bucket names are globally unique, please use a unique name
+export BUCKET_LOCATION="bucket_location"  # e.g., us-central1, europe-west3, ...
 
 # New virtual machine info to create
-export VM_NAME="gputest"
-export BOOT_DISK_SIZE="500GB"
-export VM_ZONE="us-central1-a"
-export VM_NETWORK="medperf-brats-network"  # default is usually "default"
+export VM_NAME="vm_name"
+export BOOT_DISK_SIZE="500GB"  # adjust as needed, depends on the data size
+export VM_ZONE="vm_zone" # e.g., us-central1-a, europe-west4-c, ...
+export VM_NETWORK="default"  # Usually the default network name is "default", but adjust if you have a custom network setup
 
 ####################################################
 #################### End Config ####################
@@ -49,6 +49,9 @@ gcloud services enable \
     confidentialcomputing.googleapis.com \
     iamcredentials.googleapis.com
 
+echo "********************************************************************************************"
+echo "************************************* Services enabled *************************************"
+echo "********************************************************************************************"
 ####################################################
 #################### KMS ###########################
 ####################################################
@@ -58,30 +61,46 @@ gcloud services enable \
 gcloud kms keyrings create "$KEYRING_NAME" \
     --location="$KEY_LOCATION"
 
+echo "********************************************************************************************"
+echo "************************************* KMS Keyring created **********************************"
+echo "********************************************************************************************"
+
 # Create Key
 gcloud kms keys create "$KEY_NAME" \
     --location="$KEY_LOCATION" \
     --keyring="$KEYRING_NAME" \
     --purpose=encryption \
     --protection-level=hsm
 
+echo "********************************************************************************************"
+echo "************************************* KMS Key created **************************************"
+echo "********************************************************************************************"
+
 # allow user to encrypt with the key
 gcloud kms keys add-iam-policy-binding "$FULL_KEY_NAME" \
-    --member=user:"$USER" \
+    --member=user:"$USER_EMAIL" \
     --role="roles/cloudkms.cryptoKeyEncrypter"
 
 # allow user to manage iam policy of the key
 gcloud kms keys add-iam-policy-binding "$FULL_KEY_NAME" \
-    --member=user:"$USER" \
+    --member=user:"$USER_EMAIL" \
     --role="roles/cloudkms.admin"
 
+echo "********************************************************************************************"
+echo "************************************* KMS permissions granted ******************************"
+echo "********************************************************************************************"
+
 ####################################################
 #################### WIP ###########################
 ####################################################
 
 # Create Workload Identity Pool
 gcloud iam workload-identity-pools create "$WIP_ID" --location=global
 
+echo "********************************************************************************************"
+echo "************************************* WIP created ******************************************"
+echo "********************************************************************************************"
+
 # Create OIDC provider for WIP
 gcloud iam workload-identity-pools providers create-oidc "$WIP_PROVIDER_ID" \
     --location=global \
@@ -94,14 +113,24 @@ gcloud iam workload-identity-pools providers create-oidc "$WIP_PROVIDER_ID" \
 ::\"+assertion.submods.gce.instance_id" \
     --attribute-condition="assertion.swname == 'CONFIDENTIAL_SPACE'"
 
+
+echo "********************************************************************************************"
+echo "************************************* WIP provider created *********************************"
+echo "********************************************************************************************"
+
 # Allow user to manage WIP
 gcloud iam workload-identity-pools add-iam-policy-binding "$WIP_ID" \
   --location=global \
   --project="$PROJECT_ID" \
-  --member=user:"$USER" \
+  --member=user:"$USER_EMAIL" \
   --role="roles/iam.workloadIdentityPoolAdmin"
 
 
+echo "********************************************************************************************"
+echo "************************************* WIP permissions granted ******************************"
+echo "********************************************************************************************"
+
+
 ####################################################
 #################### Bucket ########################
 ####################################################
@@ -111,22 +140,35 @@ gcloud storage buckets create "gs://$BUCKET_NAME" \
     --location="$BUCKET_LOCATION" \
     --uniform-bucket-level-access
 
+
+echo "********************************************************************************************"
+echo "************************************* Bucket created ***************************************"
+echo "********************************************************************************************"
+
 # Allow user to manage the bucket
 gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \
-    --member=user:"$USER" \
+    --member=user:"$USER_EMAIL" \
     --role="roles/storage.admin"
 
+echo "********************************************************************************************"
+echo "************************************* Bucket permissions granted ***************************"
+echo "********************************************************************************************"
+
 ####################################################
 #################### Service Account ###############
 ####################################################
 
 # create service account
 gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"
 
+echo "********************************************************************************************"
+echo "************************************* Service Account created ******************************"
+echo "********************************************************************************************"
+
 # allow user to use the service account
 gcloud iam service-accounts add-iam-policy-binding \
     "$SERVICE_ACCOUNT_EMAIL" \
-    --member=user:"$USER" \
+    --member=user:"$USER_EMAIL" \
     --role="roles/iam.serviceAccountUser"
 
 # give the service account cc workload user role
@@ -144,6 +186,10 @@ gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \
     --member=serviceAccount:"$SERVICE_ACCOUNT_EMAIL" \
     --role="roles/storage.objectAdmin"
 
+echo "********************************************************************************************"
+echo "********************** Service account permissions granted *********************************"
+echo "********************************************************************************************"
+
 ####################################################
 #################### Virtual Machine ###############
 ####################################################
@@ -184,15 +230,27 @@ gcloud compute instances create "$VM_NAME" \
     --instance-termination-action=STOP \
     --discard-local-ssds-at-termination-timestamp=true
 
+echo "********************************************************************************************"
+echo "************************************* VM created *******************************************"
+echo "********************************************************************************************"
+
 # Stop the VM
-gcloud compute instances stop "$VM_NAME" --zone="$VM_ZONE" --project="$PROJECT_ID"
+gcloud compute instances stop "$VM_NAME" --zone="$VM_ZONE" --project="$PROJECT_ID" --discard-local-ssd=false
+
+echo "********************************************************************************************"
+echo "************************************* VM stopped *******************************************"
+echo "********************************************************************************************"
 
 # allow user to edit the VM metadata and to start it
 gcloud compute instances add-iam-policy-binding "$VM_NAME" \
     --zone="$VM_ZONE" \
-    --member=user:"$USER" \
+    --member=user:"$USER_EMAIL" \
     --role="roles/compute.instanceAdmin.v1"
 
+echo "********************************************************************************************"
+echo "************************************* VM permissions granted *******************************"
+echo "********************************************************************************************"
+
 # Give the user the following information
 
 PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")

examples/cc/rano/implementation/benchmark/inference/entrypoint.sh

@@ -1 +1,2 @@
+export LD_LIBRARY_PATH=/usr/local/nvidia/lib64:$LD_LIBRARY_PATH
 python /project/benchmark/inference/infer.py $@

mkdocs.yml

@@ -30,6 +30,7 @@ nav:
   - Transferring to another Machine: concepts/import_export_data.md
   - Encrypted Models: concepts/encrypted_models.md
   - Certificates: concepts/certificates.md
+  - Confidential Computing: concepts/confidential_computing.md
   #  - Benchmark Associations: concepts/associations.md
   #  - Model Priority: concepts/priorities.md
   #  - Running Specific Models: concepts/single_run.md