Add Key Provisioning service definition (#4496)

This PR splits Key Provisioning gRPC services in 2:
- Orchestrator service that just accepts new encryption keys
- Key Provisioning service that can distribute encryption keys
  - This service will become a part of the Key Privisioning Service implementation

Ref #4442

oak_containers/proto/interfaces.proto

@@ -41,19 +41,7 @@ message SendAttestationEvidenceRequest {
   oak.attestation.v1.Evidence dice_evidence = 2;
 }
 
-message GetProvisionSecretsRequest {
-  // Endorsed evidence of the enclave that requests a new encryption key using Key Provisioning.
-  // TODO(#4074): Replace with `oak.attestation.v1.EndorsedEvidence` once DICE is implemented.
-  oak.session.v1.AttestationBundle endorsed_evidence = 1;
-}
-
-message GetProvisionSecretsResponse {
-  // Encryption private key that was encrypted with HPKE using the encryption public key provided
-  // in the endorsed evidence.
-  oak.crypto.v1.EncryptedRequest encrypted_encryption_key = 1;
-}
-
-message SendProvisionSecretsRequest {
+message SendGroupKeysRequest {
   // Enclave group encryption private key that was encrypted with HPKE using enclave's encryption
   // key.
   oak.crypto.v1.EncryptedRequest encrypted_encryption_key = 1;
@@ -96,12 +84,9 @@ service Launcher {
 }
 
 // Defines the service exposed by the orchestrator, that can be invoked by the application.
-service KeyProvisioning {
-  // Request provision secrets from for other enclaves as part of Key Provisioning.
-  rpc GetProvisionSecrets(GetProvisionSecretsRequest) returns (GetProvisionSecretsResponse) {}
-
-  // Send provision secrets to the enclave as part of Key Provisioning.
-  rpc SendProvisionSecrets(SendProvisionSecretsRequest) returns (google.protobuf.Empty) {}
+service OrchestratorKeyProvisioning {
+  // Send enclave group keys to the enclave as part of Key Provisioning.
+  rpc SendGroupKeys(SendGroupKeysRequest) returns (google.protobuf.Empty) {}
 }
 
 // Defines the service exposed by the orchestrator, that can be invoked by the application.

oak_containers_orchestrator/build.rs

@@ -16,10 +16,13 @@
 use oak_grpc_utils::{generate_grpc_code, CodegenOptions};
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    // Generate gRPC code for connecting to the launcher.
+    // Generate gRPC code for Orchestrator services.
     generate_grpc_code(
         "../",
-        &["oak_containers/proto/interfaces.proto"],
+        &[
+            "oak_containers/proto/interfaces.proto",
+            "proto/key_provisioning/key_provisioning.proto",
+        ],
         CodegenOptions {
             build_server: true,
             ..Default::default()

oak_containers_orchestrator/src/key_provisioning.rs

@@ -13,29 +13,40 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use crate::proto::oak::containers::{
-    key_provisioning_server::KeyProvisioning, GetProvisionSecretsRequest,
-    GetProvisionSecretsResponse, SendProvisionSecretsRequest,
+use crate::proto::oak::{
+    containers::{
+        orchestrator_key_provisioning_server::OrchestratorKeyProvisioning, SendGroupKeysRequest,
+    },
+    key_provisioning::v1::{
+        key_provisioning_server::KeyProvisioning, GetGroupKeysRequest, GetGroupKeysResponse,
+    },
 };
 use tonic::{Request, Response};
 
 struct KeyProvisioningService {}
 
 #[tonic::async_trait]
-impl KeyProvisioning for KeyProvisioningService {
-    async fn get_provision_secrets(
+impl OrchestratorKeyProvisioning for KeyProvisioningService {
+    async fn send_group_keys(
         &self,
-        _request: Request<GetProvisionSecretsRequest>,
-    ) -> Result<Response<GetProvisionSecretsResponse>, tonic::Status> {
-        Ok(tonic::Response::new(GetProvisionSecretsResponse {
-            encrypted_encryption_key: None,
-        }))
+        _request: Request<SendGroupKeysRequest>,
+    ) -> Result<Response<()>, tonic::Status> {
+        // TODO(#4442): Implement replacing group encryption key.
+        Err(tonic::Status::unimplemented(
+            "Key Provisioning is not implemented",
+        ))
     }
+}
 
-    async fn send_provision_secrets(
+#[tonic::async_trait]
+impl KeyProvisioning for KeyProvisioningService {
+    async fn get_group_keys(
         &self,
-        _request: Request<SendProvisionSecretsRequest>,
-    ) -> Result<Response<()>, tonic::Status> {
-        Ok(tonic::Response::new(()))
+        _request: Request<GetGroupKeysRequest>,
+    ) -> Result<Response<GetGroupKeysResponse>, tonic::Status> {
+        // TODO(#4442): Implement generating group encryption key.
+        Err(tonic::Status::unimplemented(
+            "Key Provisioning is not implemented",
+        ))
     }
 }

oak_containers_orchestrator/src/lib.rs

@@ -21,6 +21,12 @@ mod proto {
         }
         pub use oak_crypto::proto::oak::crypto;
         pub use oak_remote_attestation::proto::oak::{attestation, session};
+        pub mod key_provisioning {
+            pub mod v1 {
+                #![allow(clippy::return_self_not_must_use)]
+                tonic::include_proto!("oak.key_provisioning.v1");
+            }
+        }
     }
 }
 

oak_remote_attestation/build.rs

@@ -23,6 +23,10 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             ),
             &format!("{}proto/attestation/dice.proto", env!("WORKSPACE_ROOT")),
             &format!("{}proto/attestation/evidence.proto", env!("WORKSPACE_ROOT")),
+            &format!(
+                "{}proto/attestation/endorsement.proto",
+                env!("WORKSPACE_ROOT")
+            ),
         ],
         &[env!("WORKSPACE_ROOT")],
         Default::default(),

proto/key_provisioning/BUILD

@@ -0,0 +1,40 @@
+#
+# Copyright 2023 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load("@bazel_skylib//rules:build_test.bzl", "build_test")
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
+package(
+    default_visibility = ["//visibility:public"],
+    licenses = ["notice"],
+)
+
+proto_library(
+    name = "key_provisioning_proto",
+    srcs = ["key_provisioning.proto"],
+    deps = [
+        "//oak_crypto/proto/v1:crypto_proto",
+        "//proto/attestation:endorsement_proto",
+        "//proto/attestation:evidence_proto",
+    ],
+)
+
+build_test(
+    name = "build_test",
+    targets = [
+        ":key_provisioning_proto",
+    ],
+)

proto/key_provisioning/key_provisioning.proto

@@ -0,0 +1,40 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.key_provisioning.v1;
+
+import "oak_crypto/proto/v1/crypto.proto";
+import "proto/attestation/evidence.proto";
+import "proto/attestation/endorsement.proto";
+
+message GetGroupKeysRequest {
+  oak.attestation.v1.Evidence evidence = 1;
+  oak.attestation.v1.Endorsements endorsements = 2;
+}
+
+message GetGroupKeysResponse {
+  // Encryption private key that was encrypted with HPKE using the encryption public key provided
+  // in the endorsed evidence.
+  oak.crypto.v1.EncryptedRequest encrypted_encryption_key = 1;
+}
+
+// Defines the Key Provisioning Service that distributes keys between enclaves.
+service KeyProvisioning {
+  // Request enclave group keys from for other enclaves as part of Key Provisioning.
+  rpc GetGroupKeys(GetGroupKeysRequest) returns (GetGroupKeysResponse) {}
+}