Worker key refresh policy implementation #671

manju956 · 2020-09-01T10:42:59Z

This feature initiates refresh of worker encryption key pair based on
number of work orders processed in case of Singleton worker or number of
pre-processed work orders in case of KME worker.
A new pair of encryption key is generated in the enclave and the updated
enclave signup details are stored in the KvStorage in workers table.

Worker encryption key signature is re-computed when encryption key gets refreshed.

When a worker key gets refreshed during the work order submission,
a specific error code is returned to client to indicate worker key refresh.
On receiving this error code, client retrieves the updated worker details and
does work order submission again.

Signed-off-by: manju956 [email protected]

lgtm-com · 2020-09-01T10:47:12Z

This pull request introduces 5 alerts when merging 1df89b3 into ed424e7 - view on LGTM.com

new alerts:

4 for Unused import
1 for Syntax error

lgtm-com · 2020-09-01T12:09:09Z

This pull request introduces 1 alert when merging 48318d2 into ed424e7 - view on LGTM.com

new alerts:

1 for Unused import

danintel

Approved after minor changes and questions.

danintel · 2020-09-01T15:52:37Z

common/cpp/tcf_error.h

@@ -42,7 +42,9 @@ typedef enum {
    TCF_ERR_SYSTEM_BUSY = -10,
    TCF_ERR_CRYPTO = -11,
    /** Invalid workload ID */
-    TCF_ERR_INVALID_WORKLOAD = -12
+    TCF_ERR_INVALID_WORKLOAD = -12,
+    /* Enclave key refresh error */


Make this comment Doxygen-friendly. Change
/* Enclave key refresh error */
to
/** Enclave key refresh error */

danintel · 2020-09-01T16:42:37Z

enclave_manager/avalon_enclave_manager/worker_key_refresh.py

+            worker_info = EnclaveManager.create_json_worker(
+                self._enclave_info, self._config)
+            logger.info(
+                "Persiting updated worker details after key refresh - %s",


Change Persiting to Persisting.

danintel · 2020-09-01T16:44:10Z

tc/sgx/trusted_worker_manager/enclave/work_order_processor.cpp

@@ -349,12 +375,13 @@ namespace tcf {
        }
        // Calculate final hash
        std::string final_hash_string = ByteArrayToString(hash_1);
-        if(!hash_in_data_str.empty()) {
+
+        //if(!hash_in_data_str.empty()) {


Is there a reason this is commented out and not deleted?

Its irrelevant change. Deleted it

danintel · 2020-09-01T16:44:27Z

tc/sgx/trusted_worker_manager/enclave/work_order_processor.cpp

-        }
-        if(!hash_out_data_str.empty()) {
+        //}
+        //if(!hash_out_data_str.empty()) {


Same here--why not delete it?

Its irrelevant change. Deleted it

danintel

Looks like there are some LGTM warnings that were added (4 new unused imports, 1 new syntax error)

This feature initiates refresh of worker encryption key pair based on number of work orders processed in case of Singleton worker or number of pre-processed work orders in case of KME worker. A new pair of encryption key is generated in the enclave and the updated enclave signup details are stored in the KvStorage in workers table. Worker encryption key signature is re-computed when encryption key gets refreshed. When a worker key gets refreshed during the work order submission, a specific error code is returned to client to indicate worker key refresh. On receiving this error code, client retrieves the updated worker details and does work order submission again. Signed-off-by: manju956 <[email protected]>

manju956 added the enhancement New feature or request label Sep 1, 2020

manju956 requested review from danintel, dcmiddle, EugeneYYY, karthikamurthy, manojgop, pankajgoyal2, Ram-srini, rranjan3, SriharshaSubbakrishna and TomBarnes as code owners September 1, 2020 10:43

manju956 self-assigned this Sep 1, 2020

manju956 force-pushed the worker_key_refresh branch from 1df89b3 to 48318d2 Compare September 1, 2020 12:01

manju956 force-pushed the worker_key_refresh branch from 48318d2 to 730cab4 Compare September 1, 2020 12:12

danintel changed the title ~~Worker key refresh policy implemenation~~ Worker key refresh policy implementation Sep 1, 2020

danintel approved these changes Sep 1, 2020

View reviewed changes

danintel reviewed Sep 1, 2020

View reviewed changes

manju956 force-pushed the worker_key_refresh branch from 730cab4 to f34c32a Compare September 2, 2020 07:17

manju956 force-pushed the worker_key_refresh branch from f34c32a to 8869f61 Compare September 2, 2020 16:47

manju956 mentioned this pull request Nov 9, 2020

Implementation of Enclave Key Refresh #358

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Worker key refresh policy implementation #671

Worker key refresh policy implementation #671

manju956 commented Sep 1, 2020

lgtm-com bot commented Sep 1, 2020

lgtm-com bot commented Sep 1, 2020

danintel left a comment

danintel Sep 1, 2020

manju956 Sep 2, 2020

danintel Sep 1, 2020

manju956 Sep 2, 2020

danintel Sep 1, 2020

manju956 Sep 2, 2020

danintel Sep 1, 2020

manju956 Sep 2, 2020

danintel left a comment

Worker key refresh policy implementation #671

Are you sure you want to change the base?

Worker key refresh policy implementation #671

Conversation

manju956 commented Sep 1, 2020

lgtm-com bot commented Sep 1, 2020

lgtm-com bot commented Sep 1, 2020

danintel left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

danintel left a comment

Choose a reason for hiding this comment