-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CDH: add en/decrypt support for eHSM-KMS #359
CDH: add en/decrypt support for eHSM-KMS #359
Conversation
Cool, I will check this out once we are done with the release. |
let key_spec = "EH_AES_GCM_256"; | ||
let provider_settings = json!({ | ||
"app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", | ||
"endpoint": "https://172.16.1.1:9002", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a real instance running somewhere? Is it guaranteed to be running?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By the way, it's hard to run these tests on CoCo CI, since eHSM-KMS service relies on SGX. But I add a readme file about how to set up eHSM-KMS service locally. So that anyone can test eHSM-KMS Client on a device with SGX capabilities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. I guess that's why these tests are marked as ignore. You might want to replace your IP with a phony one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @1570005763 pretty good code! Some nits
#[case(b"this is a test plaintext")] | ||
#[ignore] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change upon this file seems not related to the PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, it was my mistake. I will open another PR about this change.
|
||
let credential_path = format!( | ||
"{EHSM_IN_GUEST_DEFAULT_KEY_PATH}/credential_{}.json", | ||
provider_settings.app_id |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
About the way to read credential. Currently we follow the steps:
- CDH get credential from the KBS
- CDH put the credential under
/run/..
- CDH reads the credential under
/run/..
@fitzthum once mentioned that this will expose the plaintext of credentials to the guest and suggest that the credentials be kept in the memory of the CDH. I think it is a good way, and the steps could be
- CDH get credential from the KBS
- CDH sets its own process's env the credential with specific keys
- Concrete KMS plugin reads the credential from the env
Which I'd like to put another PR and let's talk more about that then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Glad to hear that. eHSM-KMS itself supports reading the credential from environment variables, which will make the transition easy to implement.
let key_spec = "EH_AES_GCM_256"; | ||
let provider_settings = json!({ | ||
"app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", | ||
"endpoint": "https://172.16.1.1:9002", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as mentioned
@@ -14,6 +14,9 @@ pub mod aliyun; | |||
|
|||
pub mod kbs; | |||
|
|||
#[cfg(feature = "ehsm")] | |||
pub mod ehsm; | |||
|
|||
#[derive(AsRefStr, EnumString)] | |||
pub enum DecryptorProvider { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might also need to add eHSM-KMS
to new_decryptor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do.
Modifications to the Aliyun KMS client have been removed. @Xynnn007 |
confidential-data-hub/kms/Cargo.toml
Outdated
@@ -13,6 +13,7 @@ bincode = { workspace = true, optional = true } | |||
chrono = { workspace = true, optional = true } | |||
const_format.workspace = true | |||
crypto = { path = "../../attestation-agent/deps/crypto", optional = true } | |||
ehsm_client = {git = "https://github.com/intel/ehsm", optional = true } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is good to have a rev
here to fix the version of the upstream version, which is helpful to avoid breaking caused by api changes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's helpful. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
: ) Could you help to squash the commits into one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure thing. : )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm.
|
||
EHSM-KMS is a SGX-based Key Managment Service (KMS) that provides the near-equivalent hardware protection level of cryptographic functionalities including key generation, management inside the SGX enclave. More information about EHSM-KMS can be found [here](https://github.com/intel/ehsm). | ||
|
||
In CDH, we provide the EHSM-KMS Client to interact with the EHSM-KMS Server. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In CDH, we provide the EHSM-KMS Client to interact with the EHSM-KMS Server. | |
In CDH, we provide the EHSM-KMS client to interact with the EHSM-KMS Server. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of nits, but I think this is generally ready. It's unfortunate we don't have a better way to test. We might want to revisit the CI for this feature if it becomes widely used.
|
||
For EHSM-KMS client to run, you need to set up an EHSM-KMS service in advance. The following method is only a quick start, and you can find more deployment methods (e.g. with Kubernetes) at webpage of EHSM-KMS. | ||
|
||
> Prerequest: a sgx capable machine |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: prerequest
-> prerequisite
@@ -0,0 +1,116 @@ | |||
# EHSM-KMS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: should the E
be lowercase?
let key_spec = "EH_AES_GCM_256"; | ||
let provider_settings = json!({ | ||
"app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", | ||
"endpoint": "https://172.16.1.1:9002", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. I guess that's why these tests are marked as ignore. You might want to replace your IP with a phony one.
Signed-off-by: Daniel Duan <[email protected]>
@fitzthum I have fixed these issues, thanks for your review! |
Add eHSM-KMS client to support en/decrypt operation.
eHSM-KMS related tasks mentioned in #353 will be further developed based on it.