Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Key Provisioning #4442

Closed
ipetr0v opened this issue Nov 3, 2023 · 1 comment
Closed

Implement Key Provisioning #4442

ipetr0v opened this issue Nov 3, 2023 · 1 comment

Comments

@ipetr0v
Copy link
Contributor

ipetr0v commented Nov 3, 2023

We need to implement a Key Provisioning mechanism that allows enclaves to share secrets between each other.

Key provisioning enables clients to interact with the group of enclaves with knowledge of just the one shared public key provisioned to this group. In contrast, a group of enclaves without key provisioning would require peers to be aware of the unique keys of each member of the group.

Ref #3442
@ipetr0v
Copy link
Contributor Author

ipetr0v commented Nov 3, 2023

@pmcgrath17 @tiziano88

@ipetr0v ipetr0v mentioned this issue Nov 3, 2023
Merged
ipetr0v added a commit that referenced this issue Nov 3, 2023
@ipetr0v
Add Orchestrator Key Provisioning service definition (#4439)
ead5d9b 
This PR adds a Key Provisioning service definition for communication from the Hostlib to the Orchestrator.

Ref #4442
@ipetr0v ipetr0v mentioned this issue Nov 21, 2023
Merged
ipetr0v added a commit that referenced this issue Nov 23, 2023
@ipetr0v
Add Key Provisioning service definition (#4496)
134ab08 
This PR splits Key Provisioning gRPC services in 2:
- Orchestrator service that just accepts new encryption keys
- Key Provisioning service that can distribute encryption keys
  - This service will become a part of the Key Privisioning Service implementation

Ref #4442
@ipetr0v ipetr0v mentioned this issue Nov 23, 2023
Merged
ipetr0v added a commit that referenced this issue Nov 28, 2023
@ipetr0v
Implement Orchestrator crypto service (#4506)
91d857c 
This PR creates a separate Orchestrator service for generating session keys. But it doesn't replace the old service yet - we'll replace it once all enclave apps use the new service.

Ref #4442
This was referenced Nov 28, 2023
Closed
Merged
Merged
ipetr0v added a commit that referenced this issue Dec 5, 2023
@ipetr0v
Forward host to Orchestrator port (#4528)
d54be86 
This PR creates port forwarding from host to the VM in order to access the Orchestrator Key Provisioning service.

Ref #4442
ipetr0v added a commit that referenced this issue Dec 6, 2023
@ipetr0v
Add Hostlib method for requesting group keys (#4530)
39341c7 
This PR adds a Hostlib method for requesting the group keys by the Orchestrator.
This method is currently not called by the Orchestrator, because we first need to provide it internally.

Ref #4442
@ipetr0v ipetr0v mentioned this issue Dec 7, 2023
Merged
@ipetr0v ipetr0v mentioned this issue Jan 4, 2024
Merged
ipetr0v added a commit that referenced this issue Jan 4, 2024
@ipetr0v
Add Key Provisioning logic for requesting group keys from Hostlib (#4543
eb646bb 
)

This PR adds the Orchestrator logic for requesting the Hostlib with:
- Key Provisioning role request (whether it's a Leader or a Dependant)
- Requesting group keys for a Dependant role

Ref #4442
ipetr0v added a commit that referenced this issue Jan 8, 2024
@ipetr0v
Add Oak Containers SDK for encryption (#4602)
00d7268 
This PR adds a `oak_containers_sdk` crate for implementing enclave applications.

It also adds an SDK implementation for encryption: the new gRPC client connects to the Orchestrator Crypto service.

Ref #4490
Ref #4442
@ipetr0v ipetr0v mentioned this issue Jan 26, 2024
Merged
ipetr0v added a commit that referenced this issue Feb 1, 2024
@ipetr0v
Implement GetGroupKeys for Key Provisioning (#4722)
2ae5e53 
This PR implements the `GetGroupKeys` which verifies the incoming endorsed evidence and encrypts group keys in the response.

Ref #4442
This was referenced Mar 26, 2024
Merged
Merged
ipetr0v added a commit that referenced this issue Mar 27, 2024
@ipetr0v
Add GroupEncryptionKeyHandle to C++ Containers SDK (#4964)
57a8f73 
Ref #4442
ipetr0v added a commit that referenced this issue Mar 27, 2024
@ipetr0v
Sign group keys as part of Key Provisioning (#4961)
121a6b0 
This PR adds the ability to sign group keys in the attestation evidence as part of Key Provisioning.

Ref #4442
copybara-service bot pushed a commit that referenced this issue Apr 9, 2024
@jblebrun
Update ack branch to main so builds continue succeeding.
f24e62e 
Squashed commit of the following:

commit 1b24ec1
Author: Tiziano Santoro <[email protected]>
Date:   Thu Apr 4 00:50:26 2024 +0100

    Update nix deps (#4979)

    Among other things, this update xz to v. 5.4.6

commit f68df2b
Author: Tiziano Santoro <[email protected]>
Date:   Thu Apr 4 00:46:45 2024 +0100

    Align with internal linter (#4978)

    b/332740854

commit 8bdd773
Author: jblebrun <[email protected]>
Date:   Wed Apr 3 21:43:20 2024 +0000

    Update h2 to resolve vulnerability discovered by deny (#4977)

    https://rustsec.org/advisories/RUSTSEC-2024-0332

commit 5bc91be
Author: jul-sh <[email protected]>
Date:   Wed Apr 3 16:05:06 2024 -0400

    Directly issue kernel provenance for attestation measurements (#4976)

    * Directly issue kernel provenance attestation measurements

    Previously the provenance created by the SLSA builder was just for the bzImage. Not the artifact that would be measured in the attestation. With this PR the provenance subjects should include binaries measured in the attestation.

    Change-Id: I16e3234d0d65e3790319294c416c378cd7611681

    * fix typo

    Change-Id: I3d078256d085ef05171e5997743d7497fc530ad0

commit 2ae6255
Author: Andri Saar <[email protected]>
Date:   Tue Apr 2 20:55:51 2024 +0000

    Do a page state change operation before invoking `PVALIDATE`

commit 8452885
Author: conradgrobler <[email protected]>
Date:   Wed Apr 3 17:54:04 2024 +0100

    Ensure CPUID triggered the #VC exception (#4974)

    We want to make sure that the instruction pointer in a #VC exception really pointed to a CPUID instruction since it is the only #VC exception type we support.

commit 4ad534f
Author: thmsbinder <[email protected]>
Date:   Wed Apr 3 18:09:46 2024 +0200

    Add and verify endorsement field for text reference value (#4973)

    The kernel command line reference value now follows the pattern from other reference values: skip, TR endorsement, or direct verification. When using TR endorsements in conjunction with the kernel command line the regex feature needs to be enabled.

commit fa50670
Author: Patrick McGrath <[email protected]>
Date:   Tue Apr 2 10:43:22 2024 -0700

    Unary gRPC transport template class (#4970)

    Implement unary transport class template for future Oak clients that use the unary interface.

commit 65f6b46
Author: k-naliuka <[email protected]>
Date:   Fri Mar 29 00:33:37 2024 +0100

    Add go and java options to the TcbVersion proto (#4969)

commit cefb3c3
Author: Andri Saar <[email protected]>
Date:   Thu Mar 28 15:46:31 2024 +0000

    Collect, and print out, some `PVALIDATE` stats in stage0

commit 579e92c
Author: k-naliuka <[email protected]>
Date:   Wed Mar 27 20:49:53 2024 +0100

    Refactor text reference values matching  (#4965)

    Allow literal string comparison and  make regex optional

commit 121a6b0
Author: Ivan Petrov <[email protected]>
Date:   Wed Mar 27 19:13:14 2024 +0000

    Sign group keys as part of Key Provisioning (#4961)

    This PR adds the ability to sign group keys in the attestation evidence as part of Key Provisioning.

    Ref #4442

commit 2a57cd6
Author: jul-sh <[email protected]>
Date:   Wed Mar 27 12:10:56 2024 -0400

    Revert "Increase the size of the certificate in Stage0 DICE data (#4946)" (#4966)

    This reverts commit c869644, as it introduced a breaking change that broke imports.

commit 57a8f73
Author: Ivan Petrov <[email protected]>
Date:   Wed Mar 27 15:29:07 2024 +0000

    Add GroupEncryptionKeyHandle to C++ Containers SDK (#4964)

    Ref #4442

commit 863ee00
Author: k-naliuka <[email protected]>
Date:   Wed Mar 27 14:15:48 2024 +0100

    Include regex in Bazel oak_crates_index (#4960)

commit 83d881d
Author: Tiziano Santoro <[email protected]>
Date:   Wed Mar 27 09:53:32 2024 +0000

    Fix username and host when building kernel (#4963)

    b/330744888

Change-Id: Iac4a71c2d14238ccaca13c3997f47aa265a789ba
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tiziano88 @ipetr0v