create rootfs_key dynamically and seal it #149

mythi · 2023-05-11T06:02:17Z

We have been waiting for #20 but in the mean time, let's work on something simpler to get rid of the static rootfs_key.

The proposal is to create rootfs_key dynamically and seal with with MRSIGNER key from Occlum's getkey ioctl().

Steps:

update boot-instance Occlum to 0.29.7 #126
improve payload image creation v2 #114
update image-rs Occlum snapshotter to make the key available under the containerd_id path
update runtime boot to get the key from containerd_id path

The text was updated successfully, but these errors were encountered:

dcmiddle · 2023-05-15T13:04:40Z

Xynnn007 · 2023-05-25T06:10:55Z

Let me try to understand this:

Enclave-agent generates a key randomly, seal the key and then put the encrypted key to /run/enclave-cc/<containerd_id>
runtime boot get the key from /run/enclave-cc/<containerd_id> and unseal it

This implies that the enclave-agent and runtime boot are signed by the same signer, right?

mythi · 2023-05-25T06:25:32Z

@Xynnn007 yes your summary is correct

ariel-adam · 2023-07-05T12:41:20Z

@mythi will this converge for release 0.7.0 (feature freeze 12th of July) or should we move this to 0.8.0?

mythi added this to CoCo Releases Jun 12, 2023

mythi moved this to 🏗 In progress in CoCo Releases Jun 16, 2023

ariel-adam assigned mythi Jul 5, 2023

mythi mentioned this issue Oct 12, 2023

RFC: enclave-cc improvement ideas #235

Open

piotrpalcz mentioned this issue Nov 9, 2023

Random key generation confidential-containers/guest-components#385

Merged

mythi moved this from 🏗 In progress to 👀 In review in CoCo Releases Dec 18, 2023

mythi mentioned this issue Dec 22, 2023

Runtime boot using a randomly generated key from image-rs passed inside enclave sefs #312

Merged

mythi closed this as completed in #312 Jan 4, 2024

github-project-automation bot moved this from 👀 In review to ✅ Done in CoCo Releases Jan 4, 2024

Provide feedback