Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CDH: add en/decrypt support for eHSM-KMS #359

Merged
merged 1 commit into from
Dec 4, 2023
Merged

CDH: add en/decrypt support for eHSM-KMS #359

merged 1 commit into from
Dec 4, 2023

Conversation

1570005763
Copy link
Contributor

Add eHSM-KMS client to support en/decrypt operation.

eHSM-KMS related tasks mentioned in #353 will be further developed based on it.

@1570005763 1570005763 requested a review from sameo as a code owner September 15, 2023 03:14
@fitzthum
Copy link
Member

Cool, I will check this out once we are done with the release.

let key_spec = "EH_AES_GCM_256";
let provider_settings = json!({
"app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233",
"endpoint": "https://172.16.1.1:9002",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a real instance running somewhere? Is it guaranteed to be running?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! it is an eHSM-KMS service that I have deployed on my local machine. And all tests pass successfully.
AA31A454-D5A6-463D-AC06-3864653EF76D

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By the way, it's hard to run these tests on CoCo CI, since eHSM-KMS service relies on SGX. But I add a readme file about how to set up eHSM-KMS service locally. So that anyone can test eHSM-KMS Client on a device with SGX capabilities.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. I guess that's why these tests are marked as ignore. You might want to replace your IP with a phony one.

Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @1570005763 pretty good code! Some nits

#[case(b"this is a test plaintext")]
#[ignore]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change upon this file seems not related to the PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, it was my mistake. I will open another PR about this change.

confidential-data-hub/kms/src/plugins/ehsm/client.rs Outdated Show resolved Hide resolved

let credential_path = format!(
"{EHSM_IN_GUEST_DEFAULT_KEY_PATH}/credential_{}.json",
provider_settings.app_id
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

About the way to read credential. Currently we follow the steps:

  1. CDH get credential from the KBS
  2. CDH put the credential under /run/..
  3. CDH reads the credential under /run/..

@fitzthum once mentioned that this will expose the plaintext of credentials to the guest and suggest that the credentials be kept in the memory of the CDH. I think it is a good way, and the steps could be

  1. CDH get credential from the KBS
  2. CDH sets its own process's env the credential with specific keys
  3. Concrete KMS plugin reads the credential from the env

Which I'd like to put another PR and let's talk more about that then.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Glad to hear that. eHSM-KMS itself supports reading the credential from environment variables, which will make the transition easy to implement.

let key_spec = "EH_AES_GCM_256";
let provider_settings = json!({
"app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233",
"endpoint": "https://172.16.1.1:9002",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as mentioned

@@ -14,6 +14,9 @@ pub mod aliyun;

pub mod kbs;

#[cfg(feature = "ehsm")]
pub mod ehsm;

#[derive(AsRefStr, EnumString)]
pub enum DecryptorProvider {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might also need to add eHSM-KMS to new_decryptor

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do.

@1570005763
Copy link
Contributor Author

1570005763 commented Sep 18, 2023

Modifications to the Aliyun KMS client have been removed. @Xynnn007

@@ -13,6 +13,7 @@ bincode = { workspace = true, optional = true }
chrono = { workspace = true, optional = true }
const_format.workspace = true
crypto = { path = "../../attestation-agent/deps/crypto", optional = true }
ehsm_client = {git = "https://github.com/intel/ehsm", optional = true }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is good to have a rev here to fix the version of the upstream version, which is helpful to avoid breaking caused by api changes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's helpful. Thanks!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

: ) Could you help to squash the commits into one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure thing. : )

Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm.


EHSM-KMS is a SGX-based Key Managment Service (KMS) that provides the near-equivalent hardware protection level of cryptographic functionalities including key generation, management inside the SGX enclave. More information about EHSM-KMS can be found [here](https://github.com/intel/ehsm).

In CDH, we provide the EHSM-KMS Client to interact with the EHSM-KMS Server.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
In CDH, we provide the EHSM-KMS Client to interact with the EHSM-KMS Server.
In CDH, we provide the EHSM-KMS client to interact with the EHSM-KMS Server.

@1570005763 1570005763 closed this by deleting the head repository Nov 16, 2023
@1570005763 1570005763 reopened this Nov 16, 2023
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of nits, but I think this is generally ready. It's unfortunate we don't have a better way to test. We might want to revisit the CI for this feature if it becomes widely used.


For EHSM-KMS client to run, you need to set up an EHSM-KMS service in advance. The following method is only a quick start, and you can find more deployment methods (e.g. with Kubernetes) at webpage of EHSM-KMS.

> Prerequest: a sgx capable machine
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: prerequest -> prerequisite

@@ -0,0 +1,116 @@
# EHSM-KMS
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: should the E be lowercase?

let key_spec = "EH_AES_GCM_256";
let provider_settings = json!({
"app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233",
"endpoint": "https://172.16.1.1:9002",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. I guess that's why these tests are marked as ignore. You might want to replace your IP with a phony one.

@1570005763
Copy link
Contributor Author

@fitzthum I have fixed these issues, thanks for your review!

@Xynnn007 Xynnn007 merged commit 20ef805 into confidential-containers:main Dec 4, 2023
4 checks passed
@1570005763 1570005763 deleted the feat-cdh-kms-ehsm branch December 4, 2023 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants