Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple enclave keys support #78

Merged
merged 31 commits into from
Jul 19, 2023
Merged

Multiple enclave keys support #78

merged 31 commits into from
Jul 19, 2023

Conversation

bluele
Copy link
Member

@bluele bluele commented Jul 19, 2023
edited
Loading

Core

  • introduce a new Enclave Key Manager that uses SQLite
    • It was chosen because it is desirable that there can be multiple writer processes and be able to use flexible query
  • use sgx_tseal as sealing library
    • Because of the change from file to DB management

Relayer

  • relayer now checks the expiry date of the keys it uses
  • also fetches a list of available keys from the LCP service and selects the appropriate one
  • add key_expiration field to config

CLI

  • removed the following commands
    • enclave init-key
    • enclave show-avr
  • instead, added the following
    • enclave generate-key: generate a new enclave key
    • enclave list-keys: show available keys
    • enclave prune-keys: prune expired keys

bluele added 30 commits June 30, 2023 17:15
@bluele
crypto: use sgx_tseal instead of sgx_tprotected_fs as sealing Enclave…
709fb85 
… Key

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
ecall-commands: rename CommandParams with CommandContext
cce6ec4 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
introduce keymanager crate and add ek signer option to commands
dd6adda 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
implement EnclaveKeyManager
2da89de 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
refactor enclave key management
3125a60 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
move persisting key and avr process to enclave api
0de3c39 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
fix lint errors
5ccb353 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
proto: add query service for Enclave Key
ee94562 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
Merge branch 'main' into sealing
6477097
@bluele
service: implement query service for enclave keys
4aa0377 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
relay: implement enclave key updater
73486c1 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
Merge remote-tracking branch 'origin/main' into go-sealing
a1c1820
@bluele
crypto: implement as_address method for EnclavePublicKey
69545bc 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
Merge remote-tracking branch 'origin/main' into go-sealing
d50b7c1
@bluele
print an address of generated enclave key
8b57707 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
remove unused dependencies
b4351e5 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
go: fix misc
27b2440 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
tests: fix deprecated commands
39c46e7 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
runtime: improve error log
d4c98fb 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
crypto: fix hex error handling
45785d4 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
enclave-api: improve log
680a1bf 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
split execution and query dispatcher
b2f37b3 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
ecall-commands: clarify error msgs
775b29a 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
go/relay: set enclave key address
74d2017 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
implement sqlite-backend keymanager
4d1a979 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
use lcp_types::Mrenclave instead
15854df 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
go/relay: add mrenclave parameter to query request
58c34b6 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
go/relay: check if attestation info matches the allowed status from c…
aabe562 
…onfig

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
bump up chrono version
dbedd47 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele
keymanager: improve test
ca325fd 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele bluele changed the title Multiple enclave key support Multiple enclave keys support Jul 19, 2023
@bluele
go/relay: make key_expiration configurable
b21d83a 
Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>
@bluele bluele merged commit 8efd38f into main Jul 19, 2023
3 checks passed
@bluele bluele deleted the multiple-ek branch July 19, 2023 09:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@bluele