CDH: add en/decrypt support for eHSM-KMS #359
Conversation
|
Cool, I will check this out once we are done with the release. |
| let key_spec = "EH_AES_GCM_256"; | ||
| let provider_settings = json!({ | ||
| "app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", | ||
| "endpoint": "https://172.16.1.1:9002", |
There was a problem hiding this comment.
Is this a real instance running somewhere? Is it guaranteed to be running?
There was a problem hiding this comment.
Sure! it is an eHSM-KMS service that I have deployed on my local machine. And all tests pass successfully.
There was a problem hiding this comment.
By the way, it's hard to run these tests on CoCo CI, since eHSM-KMS service relies on SGX. But I add a readme file about how to set up eHSM-KMS service locally. So that anyone can test eHSM-KMS Client on a device with SGX capabilities.
There was a problem hiding this comment.
Ok. I guess that's why these tests are marked as ignore. You might want to replace your IP with a phony one.
| #[case(b"this is a test plaintext")] | ||
| #[ignore] |
There was a problem hiding this comment.
The change upon this file seems not related to the PR.
There was a problem hiding this comment.
Indeed, it was my mistake. I will open another PR about this change.
|
|
||
| let credential_path = format!( | ||
| "{EHSM_IN_GUEST_DEFAULT_KEY_PATH}/credential_{}.json", | ||
| provider_settings.app_id |
There was a problem hiding this comment.
About the way to read credential. Currently we follow the steps:
- CDH get credential from the KBS
- CDH put the credential under
/run/.. - CDH reads the credential under
/run/..
@fitzthum once mentioned that this will expose the plaintext of credentials to the guest and suggest that the credentials be kept in the memory of the CDH. I think it is a good way, and the steps could be
- CDH get credential from the KBS
- CDH sets its own process's env the credential with specific keys
- Concrete KMS plugin reads the credential from the env
Which I'd like to put another PR and let's talk more about that then.
There was a problem hiding this comment.
Glad to hear that. eHSM-KMS itself supports reading the credential from environment variables, which will make the transition easy to implement.
| let key_spec = "EH_AES_GCM_256"; | ||
| let provider_settings = json!({ | ||
| "app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", | ||
| "endpoint": "https://172.16.1.1:9002", |
| @@ -14,6 +14,9 @@ pub mod aliyun; | |||
|
|
|||
| pub mod kbs; | |||
|
|
|||
| #[cfg(feature = "ehsm")] | |||
| pub mod ehsm; | |||
|
|
|||
| #[derive(AsRefStr, EnumString)] | |||
| pub enum DecryptorProvider { | |||
There was a problem hiding this comment.
We might also need to add eHSM-KMS to new_decryptor
|
Modifications to the Aliyun KMS client have been removed. @Xynnn007 |
confidential-data-hub/kms/Cargo.toml
Outdated
| @@ -13,6 +13,7 @@ bincode = { workspace = true, optional = true } | |||
| chrono = { workspace = true, optional = true } | |||
| const_format.workspace = true | |||
| crypto = { path = "../../attestation-agent/deps/crypto", optional = true } | |||
| ehsm_client = {git = "https://github.com/intel/ehsm", optional = true } | |||
There was a problem hiding this comment.
It is good to have a rev here to fix the version of the upstream version, which is helpful to avoid breaking caused by api changes
There was a problem hiding this comment.
That's helpful. Thanks!
There was a problem hiding this comment.
: ) Could you help to squash the commits into one?
|
|
||
| EHSM-KMS is a SGX-based Key Managment Service (KMS) that provides the near-equivalent hardware protection level of cryptographic functionalities including key generation, management inside the SGX enclave. More information about EHSM-KMS can be found [here](https://github.com/intel/ehsm). | ||
|
|
||
| In CDH, we provide the EHSM-KMS Client to interact with the EHSM-KMS Server. |
There was a problem hiding this comment.
| In CDH, we provide the EHSM-KMS Client to interact with the EHSM-KMS Server. | |
| In CDH, we provide the EHSM-KMS client to interact with the EHSM-KMS Server. |
|
|
||
| For EHSM-KMS client to run, you need to set up an EHSM-KMS service in advance. The following method is only a quick start, and you can find more deployment methods (e.g. with Kubernetes) at webpage of EHSM-KMS. | ||
|
|
||
| > Prerequest: a sgx capable machine |
There was a problem hiding this comment.
nit: prerequest -> prerequisite
| @@ -0,0 +1,116 @@ | |||
| # EHSM-KMS | |||
There was a problem hiding this comment.
nit: should the E be lowercase?
| let key_spec = "EH_AES_GCM_256"; | ||
| let provider_settings = json!({ | ||
| "app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", | ||
| "endpoint": "https://172.16.1.1:9002", |
There was a problem hiding this comment.
Ok. I guess that's why these tests are marked as ignore. You might want to replace your IP with a phony one.
Signed-off-by: Daniel Duan <[email protected]>
|
@fitzthum I have fixed these issues, thanks for your review! |
Add eHSM-KMS client to support en/decrypt operation.
eHSM-KMS related tasks mentioned in #353 will be further developed based on it.