-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC] Add SGX KSS (Key Separation and Sharing feature) support on Occlum #589
Comments
Should we use Base64 in the ConfigID file? Because most of the time, Occlum launcher get the ID from network. |
The problem of Base64 is it may generate longer (bytes) result data compared to the original data. The current way uses the raw data from the CONFIG ID FILE, it is up to the user to decide which kind of data that want to fill in.
|
Discussed with Zongmin, file is not a proper way in cloud native env to pass information. |
My fundamental concern about PR is whether it really explores the real value of the KSS feature. This RFC propose simply exposes Intel SGX SDK's KSS feature to the Occlum users. What if we choose an alternative approach where we leverage KSS in Occlum itself and provide high-level features that enabled by KSS to the end users? Let me quote from a blog named Upcoming Intel SGX features explained.
Wow. This could be very useful to Occlum. We can build and distribute a single pre-signed Occlum enclave binary and let the end users to attach their Occlum.json and Occlum FS image to their enclaves at runtime. This will accelerate the
Wow again. This configuration SVN can enable a newer version of Occlum binary that is upgraded with security patches or bug fixes to read the encrypted FS data generated by an older version of Occlum binary. This could save the day for some customers that uses Occlum in production. The bottom line is that a RFC that proposes adding KSS support must give more intelligent advices on how to really use KSS and investigate all possible options that KSS may be integrated into Occlum, rather than simply exposing KSS to the end users. |
I realized that the KSS feature would impact the RA quote struct. So if Occlum use any of them, then Occlum need to document what is the meaning of the value and how to check it. When Occlum has any update, the RA checker needs to update the validation logic. It would be a big effort for end-user. So I think we should leave all those KSS IDs to end-user. Occlum do get benefit from the KSS feature, when we give the user some demos. For example, . But Occlum should not use KSS by default. On the other hand, KSS is SGX V2 specific feature. Occlum should not depend on this feature by default before dropping the SGX V1 supporting. |
Summary
Starting from SGX2, there is a new Key Separation and Sharing feature which current Occlum doesn't support . This RFC gives a design proposal about supporting KSS on Occlum.
Motivation
The new Key Separation and Sharing feature gives user a chance to fill in some meaningful information to the enclave either in the signing or running stage.
Signning stage:
Running stage:
All above information could be aquired from the DCAP generated quote in enclave.
Details can be found on the SGX_Developer_Reference
Thus with these user provided information binded with the enclave quote, different attestation and qualification solution can be implemented.
Guide-level explanation
To support the new KSS feature in Occlum, below changes are expected.
Reference-level explanation
After
occlum new
, below Occlum.json may be generated.User can do the changes before
occlum build
.The occlum tries to parse the string as 64bits hex integer.
For example, enable KSS and set demo IDs as below hex integer.
It is expected that the user pass a base64 encoded result string for the CONFIG ID.
Before creating SGX enclave in PAL, the base64 encoded string is decoded.
If the decoded length is not bigger than 64, copy the decoded bytes to CONFIG ID field (64 bytes, padding the rest as 0 if the decoded length is smaller than 64). Otherwise, return error, not valid Occlum Config ID Base64 String.
For example, there is a 64 bytes binary file 64.bin.
Use below command to run.
Unresolved questions
How to best utilize this new KSS feature in a practical and valuable scenario.
The text was updated successfully, but these errors were encountered: