Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runtime/src/enclave_rpc: Verify RPC quotes with key manager quote policy #5092

Merged
merged 8 commits into from
Dec 12, 2022
Merged

runtime/src/enclave_rpc: Verify RPC quotes with key manager quote policy #5092

merged 8 commits into from
Dec 12, 2022

Conversation

peternose
Copy link
Contributor

@peternose peternose commented Dec 9, 2022
edited
Loading

Currently EnclaveRPC session establishment always uses the default quote verification policy to verify quotes. When the runtime is configured with a consensus layer trust root it could instead use the quote verification policy specified in the consensus layer for the key manager runtime.

How things work:

  • RPC remote client starts with empty enclaves, without key manager quote policy and waits for them to be set and regularly updated via local rpc calls.
  • Demux uses no enclaves (enclaves authorization is checked at the application level) and local RAK quote policy which might be empty until TEE attestation is finished. Note that compute runtimes use their own quote policy in the demux and not from the key manager, but that should be fine as they currently never use demux.

@peternose peternose force-pushed the peternose/feature/quote-policy branch 3 times, most recently from 3ac1830 to 28b322f Compare December 9, 2022 11:21
@peternose peternose marked this pull request as ready for review December 9, 2022 11:57
kostko
kostko reviewed Dec 9, 2022
View reviewed changes
go/runtime/registry/host.go Show resolved Hide resolved
go/runtime/host/protocol/types.go Outdated Show resolved Hide resolved
go/runtime/registry/host.go Outdated Show resolved Hide resolved
runtime/src/policy.rs Outdated Show resolved Hide resolved
keymanager/src/policy/cached.rs Outdated Show resolved Hide resolved
runtime/src/policy.rs Show resolved Hide resolved
runtime/src/policy.rs Outdated Show resolved Hide resolved
runtime/src/rak.rs Show resolved Hide resolved
@peternose peternose mentioned this pull request Dec 9, 2022
Merged
@peternose
keymanager/src/policy: Fix copy-pasted comment and logging
473b1ca
@peternose
runtime/src/rak: Fetch quote policy only once when doing attestations
961acd5 
Every deployment has its own quote policy which cannot change while
the runtime is running. Fetching the policy on every attestation
is time consuming and can be done only once, even before the protocol
is fully initialized.
@peternose
runtime/src/policy: Move SGX and quote policy verification to one place
55106f8
@peternose
keymanager/src/client/remote: Verify key manager policy
97bc6d6 
Verify that the policy belongs to the key manager and that it has been
published in the consensus layer.
@peternose
go/runtime/registry: Fix watching policy updates
0744f28 
When multiple key managers were running, the last known status of the
runtime's key manager was overwritten with each status update. On runtime
(re)starts, this resulted in the wrong policy being set.
@peternose
go/runtime/registry: Refactor watching policy updates
a67a159
@peternose
runtime/src/enclave_rpc: Verify RPC quotes with key manager quote policy
52536d2
@peternose peternose force-pushed the peternose/feature/quote-policy branch from 28b322f to 52abc7e Compare December 12, 2022 03:15
@codecov
Copy link

codecov bot commented Dec 12, 2022
edited
Loading

Codecov Report

Merging #5092 (d9ed76b) into master (12e7d6f) will increase coverage by 0.26%.
The diff coverage is 80.53%.

@@            Coverage Diff             @@
##           master    #5092      +/-   ##
==========================================
+ Coverage   67.18%   67.45%   +0.26%     
==========================================
  Files         501      501              
  Lines       53381    53459      +78     
==========================================
+ Hits        35864    36059     +195     
+ Misses      13163    13074      -89     
+ Partials     4354     4326      -28
Impacted Files Coverage Δ
go/runtime/host/multi/multi.go 75.00% <ø> (-2.21%) ⬇️
go/runtime/host/protocol/types.go 54.54% <ø> (ø)
go/registry/api/runtime.go 51.27% <50.00%> (-0.03%) ⬇️
go/runtime/registry/host.go 71.10% <81.13%> (+1.16%) ⬆️
go/common/namespace.go 80.64% <100.00%> (+0.64%) ⬆️
go/roothash/api/sanity_check.go 60.00% <0.00%> (-4.00%) ⬇️
go/governance/api/api.go 71.90% <0.00%> (-3.31%) ⬇️
go/oasis-node/cmd/ias/auth_registry.go 65.81% <0.00%> (-2.57%) ⬇️
go/runtime/host/protocol/connection.go 68.79% <0.00%> (-2.26%) ⬇️
... and 44 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

kostko
kostko approved these changes Dec 12, 2022
View reviewed changes
runtime/src/types.rs
@@ -321,6 +325,9 @@ pub struct Features {
/// Schedule control feature.
#[cbor(optional)]
pub schedule_control: Option<FeatureScheduleControl>,
/// A feature specifying that the runtime supports updating key manager's quote policy.
#[cbor(optional)]
pub key_manager_quote_policy_updates: bool,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably implement a custom Default that sets this to true.

peternose
peternose commented Dec 12, 2022
View reviewed changes
go/runtime/registry/host.go
stCh, stSub := n.consensus.KeyManager().WatchStatuses()
defer stSub.Close()

// Subscribe to runtime host events.
// Subscribe to epoch transitions (quote policy might change).
epoCh, sub, err := n.consensus.Beacon().WatchEpochs(ctx)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kostko As key managers have different upgrade procedure as compute runtimes, changing the quote policy on epoch transitions might not be ok as every key manager can run its own version (which might not be the active one, can be higher or lower). I see few options:

  • Keep the way it is and expect key manager upgrades to follow versioning.
  • Follow versions of key manager nodes and use the latest one.
  • Use quote policy of the key manager we are talking to (we would probably need to fetch the quote policy during session initialization, as we cannot know to which key manager the p2p stack will send the request).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm good point. I think using the active deployment for the quote policy makes the most sense.

@peternose peternose force-pushed the peternose/feature/quote-policy branch from 52abc7e to d9ed76b Compare December 12, 2022 10:26
@peternose peternose merged commit 5636945 into master Dec 12, 2022
@peternose peternose deleted the peternose/feature/quote-policy branch December 12, 2022 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kostko kostko kostko approved these changes

@Yawning Yawning Awaiting requested review from Yawning

@peterjgilbert peterjgilbert Awaiting requested review from peterjgilbert peterjgilbert is a code owner

@pro-wh pro-wh Awaiting requested review from pro-wh pro-wh is a code owner

@ptrus ptrus Awaiting requested review from ptrus ptrus is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@peternose @kostko