feat: add a keybroker client implementation #8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…mand line argument Signed-off-by: Arnaud de Grandmaison <[email protected]>
…to from its FQDN. Signed-off-by: Arnaud de Grandmaison <[email protected]>
Signed-off-by: Arnaud de Grandmaison <[email protected]>
The verbose flag is generally useful for debug purpose obviously, but also for new comers to the code base who want to understand the flow of operations. Signed-off-by: Arnaud de Grandmaison <[email protected]>
as well as to optionnally provide a mock challenge, reusing the CCA example token nonce. This can be useful during system bring-up for example. Signed-off-by: Arnaud de Grandmaison <[email protected]>
Arnaud-de-Grandmaison-ARM
force-pushed
the
keybroker-client
branch
from
a0b0f96
to
2072cb5
Compare
paulhowardarm
requested changes
Sep 20, 2024
There was a problem hiding this comment.
Great stuff - I just have one minor request to simplify the client configuration with a single endpoint string rather than separate address and port. Other comments are just observations and things we might change in the future. Otherwise happy for this to be merged.
Arnaud-de-Grandmaison-ARM
force-pushed
the
keybroker-client
branch
from
2072cb5
to
55bc8fb
Compare
Arnaud-de-Grandmaison-ARM
force-pushed
the
keybroker-client
branch
2 times, most recently
from
8b10f98
to
139962a
Compare
Arnaud-de-Grandmaison-ARM
force-pushed
the
keybroker-client
branch
from
139962a
to
7fd90e2
Compare
The core of the functionality is provided as a library, with 2 main routines: - get_wrapped_key: is the core routine to get a key, with the crypto related to the ephemeral wrapping key left to the caller. - get_key: is a convenience routine which calls get_wrapped_key and handle the crypto when there is no specific requirement. The demo application illustrates how to use the client library to connect to the keybroker server and get an attestation. This enables running a demo of the 2 API calls needed to request the key, supply the evidence and RSA-decrypt the result. Co-authored-by: Paul Howard <[email protected]> Signed-off-by: Arnaud de Grandmaison <[email protected]>
Arnaud-de-Grandmaison-ARM
force-pushed
the
keybroker-client
branch
from
7fd90e2
to
0de4028
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This series of patches adds support for a keybroker client.
The first 5 patches relate to the
keybroker-server, either adding features or fixes in order to prepare the landing of the client.The client itself is in the last (chunky) patch. The client is divided in 2 parts: a client library and a demo application that makes use of the client library.
CI tests from
veraison/keybroker-demoare passing.keybroker-apphas been succesfully used in a realm running on an FVP, connecting to akeybroker-serverrunning elsewhere (that did communicate with a veraison instance), achieving the first end-to-end attestation with an FVP.