[RFC] Generic Key Broker Service (KBS) & Attestation Service high level architecture proposal #119
Comments
hdxia
changed the title
|
This is awesome |
|
This is a really high quality overview. Thanks for posting. Like I said in the meeting, I think this is on the right track. My main questions are about the best way to engineer a solution that is robust and well-integrated. I also have some thoughts about policies. In the diagrams above you are evaluating policies in two different locations. First, there is the policy engine in the KBS that determines whether a key should be released. A simple example here would be to release a key if the attestation service approves the evidence. There is also policy evaluation in the attestation service, which is used to determine whether the evidence is valid. For example, the attestation service might only approve evidence that includes a particular launch measurement. The question is whether it makes sense to separate these two things. What if I want to deploy a workload only to pods that have a particular configuration of the Kata Agent? The agent config file is part of the launch measurement, so this could be evaluated by a policy in the Attestation Service, but really we want this to be taken into account by the key policy of the KBS. In some ways I think splitting the policy evaluation in two is wise. The policy of the attestation service is platform specific and it might be tough to map platform-specific characteristics directly to keys. On the other hand this might limit some of the policies we can enforce. Maybe a compromise would be to have the AS policy return more than just I am also curious about plans for signature support, which isn't really described here. In some ways the public keys for signature validation are just like any other secret. On the other hand, we've talked about having the signature policy file be dynamically generated by the KBS. Where would something like that fit in? Finally, we have often overlooked what happens when the guest owner provisions images. While it isn't too complex, it might be nice to add some information about how and when keys are populated. It also might good to have a tool that the guest owner can use as a keyprovider when they encrypt their images, which would automatically populate the KBS. Currently it looks like setup would involve uploading keys to a KMS, policies to the KBS, and AS, and some configuration to tie everything together. How can we make this easy to use? |
The reason to separate the evaluating policies in two different locations is the KBS and AS will be two separate services/modules. We expected they will have two separate repos.
For this scenario, the AS's policy engine can evaluate the launch measurement firstly, then AS can response a
This is the reason why we choose the OPA as policy engine because it supports load policy files dynamically. It can select different |
|
Good questions @fitzthum and I think @liangzhou121 addressed most. I just want to add two points.
|
|
Thank you @liangzhou121, @jiazhang0, and @hdxia for your presentation. You presented some very solid arguments and resources. For the majority of the higher-level discussion, I am in agreement; especially in regard to using OPA. However, I have a number of questions/reservations around adopting ISecL and verdictd. A few of these include:
|
|
Thanks @larrydewey for the comments
the idea of the generic attestation service is to have modules to support different HW technologies. in case it is missing there, we would expect the community to develop there. before that, current demo and test framework for SEV should not change. KBS is HW independent.
Programming language is debatable. My personal opinion is the node components have rust, but services outside of the node should be not constrained. We can start with what we have to streamline the process. however, there is no constraint to create another repo in rust if there is a need later on.
the details on roadmap and long term can be discussed in their respective repo. for KBS, I think we can fork, and maintain it here from long term perspective. |
|
Thanks @larrydewey @hdxia comments, and I have some other comments from Attestation Service's side.
As haidong mentioned, the Attestation Service supported HW-TEEs can be extended conveniently by its modularization design. And we also have plan to add the SEV(-ES, -SNP) supporting to the general AS after TDX and SGX related development finished.
From AS side, it won't introduce lots of external dependencies. We plan to donate the the inclavared-container's
From AS side, as we plan donate verdictd to CC entirely and will use it as the master branch, so we will keep development in this repo to support potential new types of HW-TEE and fix bugs. |
The idea of having a HW agnostic, generic attestation services definitely makes the most sense. However, it would be good to discuss a path forward for make the required changes to our existing examples to have the Generic KBS work. So I think additional research here is definitely warranted.
I don't know that I agree the language should be debatable. There are more implications to consider than resource consumption, though that is an important point, too. Making a new repository may be easy, correct, but the refactoring of an entire project is not a small undertaking.
If the suggestion here is that CC should retain full ownership and maintenance of a fork (or forks), wouldn't that place a significant maintenance load on the community? |
Where there is already support for SEV and SEV-ES in the repository, this proposal would be missing support for an already supported architecture, this is what I mean by breaking the existing functionality and test cases. It introduces multiple hard regressions.
From the Attestation Service side of things, yes, verdictd is written in Rust, but the rest of ISecL is not. This in particular was what I was referring to by introducing a large number of external dependencies.
I would echo my question from my last response: If the suggestion here is that CC should retain full ownership and maintenance of a fork (or forks), wouldn't that place a significant maintenance load on the community? |
|
Agree with @fitzthum here, further discussion is needed here. |
|
btw can you clarify the relationship between verdictd and rats-tls? Is rats-tls part of this proposal? |
rats-tls is not part of this general AS. The general AS will employ a new subsystem with so-called verifier drivers to support various TEEs. |
Please let me clarify this. I think Liang's meaning is the general AS as part of CC's project is inspired from verdictd. Verdictd and general AS will be separate. Verdictd is designed as a combination of KBS and AS, and it is connected to AA through EAA KBC. This is the initial implementation for CCv0. So no external dependency and fork efforts are maintained by CC community. |
Do you mean the support for SEV and SEV-ES occurs in rats-tls repo?
I think we could leave this question to @hdxia . I think this problem doesn't affect the progress of general AS right? |
|
Hi @sphrasavath , Thank you for your comments.
The Attesattion Service can be run in anywhere. It's a HW-TEE environment independent service but it needs to recognize different types HW-TEE's Evidence.
From Attestation Service side, as @jiazhang0 mentioned, it's inspired from the existing verdictd project.
This role is defined by RATS reference architecture that used to verify the HW-TEE evidence's identity. Such as the Intel PCS service.
These are design details and It's better to discuss them in the Attestation Service's dedicated proposal. But I think it shouldn't impact the progress of Attestation Service. |
I think there may be misunderstanding of KBS vs ISecL. ISecL itself supports many use cases and has many components. KBS is one of the components as a solution that ISecL provides. so KBS != ISecL. for CC project, we propose to only move or fork KBS component from ISecL to CC, and we will remove other dependencies to ISecL. So KBS itself will be standalone in CC. |
|
I think the most important question is about the nature of the KBS fork. If we fork the KBS, will there still be a KBS in the ISecL repo? Are we going to try to keep them in sync? Do you expect any developers from ISecL to contribute to the fork? |
@fitzthum I am sure developers from ISecL will contribute and help maintain/sync the KBS in CC. the 1st step is to fork KBS from ISecL and make it self-contained, and contribute to CC, and we will maintain it. |
|
This image shows that Attester talks to Verifier and similarly Relying Party / KBS also talks to Verifier, does that also imply that Attester and Relying Party / KBS never communicate? If they don't communicate directly then this diagram shows that Attester directly communicates with the Relying Party / KBS. What is really going on? So which one is accurate?
|
|
Hi @surajssd ,
And Attestation Service's design chooses the background model. |
|
@liangzhou121 thanks for the clarification! |
|
Are you still planning to use the ISecL KBS? We're starting to make progress on the AS thanks to @liangzhou121 but I haven't seen much happening with the KBS. @hdxia @jiazhang0 |
|
@hdxia is this issue still relevant or can be closed? |
Authors
Liang Zhou
Jia Zhang
Haidong Xia
Motivation
CC enables container confidential computing with image at-rest protection using encryption and signing, and runtime protection with hardware-based trust execution environment (TEE).
One of the important tasks in the CC architecture is for the attestation agent to fetch image decryption key (DEK) from a key broker service (KBS) to decrypt the container image. It is also expected that the KBS only releases the DEK to the attestation agent after the attestation of the workload execution environment. Therefore, key broker service and attestation service are fundamental to the end to end (E2E) flow of CC. However, both components are not part of CC yet.
The CC's Attestation-Agent has implemented the modular KBC design that is compatible with any vendor-specific attestation service. Generally, a vendor can implement a completely customized attestation service according to their special requirements. But the CC community still lacks a complete reference design of the attestation system that includes all the RATS defined roles of the Attester, Verifier, and Relaying Party presently. The lack of reference design causes confusion and the inconvenience for potential CC users to use this confidential container solution.
The Attestation-Agent has already implemented the role of Attester, so this proposal focuses on Verifier and Relaying Party high level architecture design, per RATs architecture specification.
Background - RATS Architecture
IETF has defined RATS architecture defining different entities involved in attestation and use of the attestation result. It is best to understand it first to avoid any confusion and misuse of terminologies.
The following is the reference architecture from RATS[1, Architectural Overview]:
The definition of each entity are as follows, in the context of CC.
Goal
The goal of this proposal is to
High Level Architecture of KBS & Attestation Service
Per RATs architecture specification, we propose to have a KBS and attestation service. KBS implements the Relying Party, and Attestation Service implements the Verifier in RATs architecture. They are decoupled as two separate services/modules to make KBS a hardware agnostic component for key policy and key management. The whole architecture aligns with RATS Background-Check Model[1, Topological Patterns].
The interaction procedures should be:
TODO: A separate proposal to introduce these interaction message format in details.
KBS (Relying Party)
KBS is hardware agnostically and it includes the following features:
A reference architecture and implementation of KBS is illustrated in figure below. Detailed discussion of KBS design will be in its own key broker service repo.
TODO: A separate proposal to discuss the KBS architecture in details.
Attestation Service (Verifier)
Attestation Service includes the following features:
A high architecture of Attestation service is illustrated in the Figure below. Note the detailed design discussion of attestation service will be in its repo.
TODO: A separate proposal to discuss the Attestation Service architecture in details.
References
The text was updated successfully, but these errors were encountered: