
feat: Prepare PKCS#11/TPM KEK support in storage#907

Status: Merged. gtema merged 1 commit into main from claude/raft-pkcs11-tpm-support-tc29i2 on Jul 3, 2026.

Conversation

gtema (Collaborator) commented Jul 3, 2026

ADR 0016-v2 §2.1 named "HSM / PKCS#11 / Cloud KMS" as the production KEK
source but never specified a mechanism, leaving the Pkcs11KekStub as a
reserved-but-unimplemented interface boundary. Adds §2.5, specifying the
PKCS#11 (CKM_AES_GCM against a non-extractable token key, same wire
format as EnvKek) and TPM 2.0 (TPM-resident non-duplicable key,
Encrypt-then-MAC since TPM2 has no native AES-GCM command) KEK
mechanisms, plus invariants 13-15 covering non-extractable key material,
file-only credential input, and authenticate-before-decrypt for non-AEAD
providers.

Adds the corresponding kek_provider configuration schema
(crates/config/src/distributed_storage.rs): an env/pkcs11/tpm selector
with per-provider sections, cross-field validation (env requires
dev_mode, pkcs11/tpm require their config section, TPM key reference is
exactly one of handle or context file), and file-based secret loading
for the PKCS#11 PIN and TPM auth value, wired into Config::load_all
alongside the existing TLS cert loading.

This lands the ADR and config groundwork only; the storage-crypto-pkcs11
and storage-crypto-tpm provider crates, SoftHSM-backed integration test,
and TPM sample are follow-up work.

Tracks the sequencing for ADR 0016-v2 §2.5 (added in the previous
commit): crate layout, TPM trust model, and test/credential-input
decisions taken with the requester, plus the step-by-step plan from ADR
addendum + config schema (done) through provider crates, wiring, SoftHSM
CI test, docs, and supply-chain updates (not started). Kept out of
doc/src/SUMMARY.md since it's a working tracking doc, not user-facing
documentation.

Assisted-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
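As an added illustration of the cross-field validation and file-based secret loading the description lists (example code, not the project's distributed_storage.rs; the struct and field names such as key_handle, key_context_file and pin_file are assumptions):

```rust
// Added example, not the project's code: a minimal model of the kek_provider
// cross-field rules described in the PR. Field names are assumptions.
use std::fs;
use std::path::Path;
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum KekProvider { Env, Pkcs11, Tpm }
pub struct Pkcs11Config { pub module_path: String, pub key_label: String, pub pin_file: String }
pub struct TpmConfig {
    pub key_handle: Option<u32>,          // persistent handle of the TPM-resident key
    pub key_context_file: Option<String>, // or a saved key context file, never both
    pub auth_value_file: Option<String>,  // auth value is file-only, never inline
}
pub struct KekConfig {
    pub provider: KekProvider,
    pub dev_mode: bool,
    pub pkcs11: Option<Pkcs11Config>,
    pub tpm: Option<TpmConfig>,
}
/// Cross-field validation: env only in dev_mode, pkcs11/tpm need their section,
/// and a TPM key is referenced by exactly one of handle or context file.
pub fn validate(cfg: &KekConfig) -> Result<(), String> {
    match cfg.provider {
        KekProvider::Env if !cfg.dev_mode => Err("kek_provider = env requires dev_mode = true".into()),
        KekProvider::Env => Ok(()),
        KekProvider::Pkcs11 => match &cfg.pkcs11 {
            None => Err("kek_provider = pkcs11 requires a pkcs11 section".into()),
            Some(p) if p.pin_file.is_empty() => Err("pkcs11.pin_file is required (PIN is read from a file)".into()),
            Some(_) => Ok(()),
        },
        KekProvider::Tpm => {
            let t = cfg.tpm.as_ref().ok_or("kek_provider = tpm requires a tpm section")?;
            match (t.key_handle, &t.key_context_file) {
                (Some(_), None) | (None, Some(_)) => Ok(()),
                _ => Err("tpm key reference must be exactly one of key_handle or key_context_file".into()),
            }
        }
    }
}
/// File-based secret loading (PKCS#11 PIN, TPM auth value): read the file and strip the
/// trailing newline most editors add; an empty file is rejected rather than used as "".
pub fn load_secret_file(path: &Path) -> Result<String, String> {
    let raw = fs::read_to_string(path).map_err(|e| format!("{}: {}", path.display(), e))?;
    let secret = raw.trim_end_matches(|c| c == '\r' || c == '\n').to_string();
    if secret.is_empty() { return Err(format!("{}: empty secret file", path.display())); }
    Ok(secret)
}
```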

github-actions Bot commented Jul 3, 2026

🦢 Load Test Results

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 26-07-03 11:15:40 26-07-03 11:15:58 00:00:18 0 → 30
Maintaining 26-07-03 11:15:58 26-07-03 11:16:28 00:00:30 30
Decreasing 26-07-03 11:16:28 26-07-03 11:16:28 00:00:00 0 ← 30

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
DELETE DELETE /v3/auth/tokens 506 0 108.12 10 170 16.87 0.00
DELETE DELETE /v3/projects/:id (teardown) 2 0 42.50 30 55 0.07 0.00
DELETE DELETE /v3/users/:id (teardown) 3 0 43.33 31 52 0.10 0.00
GET 4618 0 101.81 73 200 153.93 0.00
GET GET /v3/auth/tokens (validate new) 504 0 108.41 43 146 16.80 0.00
GET GET /v3/projects/:id 723 0 82.94 72 110 24.10 0.00
GET GET /v3/projects/:id (catalog) 718 0 83.17 72 120 23.93 0.00
GET GET /v3/users/:id 1006 0 89.47 78 124 33.53 0.00
GET GET /v3/users/:id (catalog) 791 0 89.09 80 119 26.37 0.00
POST POST /v3/auth/tokens 502 0 81.64 72 111 16.73 0.00
Aggregated 9373 0 96.11 10 200 312.43 0.00

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
DELETE DELETE /v3/auth/tokens 110 110 110 110 120 120 130 170
DELETE DELETE /v3/projects/:id (teardown) 30 30 30 55 55 55 55 55
DELETE DELETE /v3/users/:id (teardown) 47 47 47 47 52 52 52 52
GET 94 98 100 110 160 160 170 200
GET GET /v3/auth/tokens (validate new) 110 110 110 110 120 120 130 146
GET GET /v3/projects/:id 82 83 85 86 89 91 100 110
GET GET /v3/projects/:id (catalog) 83 84 85 87 89 92 100 120
GET GET /v3/users/:id 89 90 91 93 95 98 110 120
GET GET /v3/users/:id (catalog) 88 89 90 92 95 97 110 119
POST POST /v3/auth/tokens 81 82 83 85 87 89 99 110
Aggregated 89 93 99 110 110 160 170 200

Status Code Metrics

Method Name Status Codes
DELETE DELETE /v3/auth/tokens 506 [204]
DELETE DELETE /v3/projects/:id (teardown) 2 [204]
DELETE DELETE /v3/users/:id (teardown) 3 [204]
GET 4,618 [200]
GET GET /v3/auth/tokens (validate new) 504 [200]
GET GET /v3/projects/:id 723 [200]
GET GET /v3/projects/:id (catalog) 718 [200]
GET GET /v3/users/:id 1,006 [200]
GET GET /v3/users/:id (catalog) 791 [200]
POST POST /v3/auth/tokens 502 [200]
Aggregated 8,862 [200], 511 [204]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
ReadHeavy
0.0 1 0 27.00 27 27 0.03 0.00
0.1 784 0 101.17 89 136 26.13 0.00
0.2 784 0 84.10 74 112 26.13 0.00
0.3 782 0 82.95 73 111 26.07 0.00
TokenLifecycle
1.0 0 0 0.00 0 0 0.00 0.00
1.1 506 0 299.26 135 348 16.87 0.00
ValidateToken
2.0 0 0 0.00 0 0 0.00 0.00
2.1 761 0 158.05 144 200 25.37 0.00
UserCRUD
3.0 0 0 0.00 0 0 0.00 0.00
3.1 0 0 0.00 0 0 0.00 0.00
3.2 1006 0 89.52 78 124 33.53 0.00
3.3 3 0 43.33 31 52 0.10 0.00
ProjectCRUD
4.0 0 0 0.00 0 0 0.00 0.00
4.1 0 0 0.00 0 0 0.00 0.00
4.2 723 0 82.99 72 111 24.10 0.00
4.3 2 0 42.50 30 55 0.07 0.00
UserRead
5.0 0 0 0.00 0 0 0.00 0.00
5.1 791 0 100.62 81 132 26.37 0.00
5.2 791 0 89.15 80 120 26.37 0.00
ProjectRead
6.0 0 0 0.00 0 0 0.00 0.00
6.1 716 0 84.28 74 111 23.87 0.00
6.2 718 0 83.21 72 120 23.93 0.00
Aggregated 8368 0 107.65 27 348 278.93 0.00

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
ReadHeavy 7 781 269.22 250 315 26.03 111.57
TokenLifecycle 5 501 299.71 278 348 16.70 100.20
ValidateToken 4 757 158.03 144 200 25.23 189.25
UserCRUD 3 1003 89.50 78 124 33.43 334.33
ProjectCRUD 2 721 82.99 72 111 24.03 360.50
UserRead 5 790 190.26 175 233 26.33 158.00
ProjectRead 4 715 167.96 155 204 23.83 178.75
Aggregated 30 5268 170.85 72 348 175.60 1432.60


gtema force-pushed the claude/raft-pkcs11-tpm-support-tc29i2 branch 3 times, most recently from 2e72cc2 to 2d64361 on July 3, 2026 10:22
gtema force-pushed the claude/raft-pkcs11-tpm-support-tc29i2 branch from 2d64361 to 82a507f on July 3, 2026 10:44

github-actions Bot commented Jul 3, 2026

🐰 Bencher Report

Branch: claude/raft-pkcs11-tpm-support-tc29i2
Testbed: ubuntu-latest

Benchmark Latency (ns) Δ% vs baseline Baseline (ns) Upper boundary (ns) Limit %
Command_Serde/apply/remove 130,570.00 -56.46% 299,875.94 1,712,790.26 7.62%
Command_Serde/apply/set 142,090.00 -43.64% 252,112.19 1,028,781.94 13.81%
Command_Serde/pack/delete 127.73 +5.45% 121.13 145.36 87.87%
Command_Serde/pack/delete_index 111.72 +1.67% 109.89 131.44 85.00%
Command_Serde/pack/set 219.26 +12.72% 194.52 236.54 92.70%
Command_Serde/pack/set_index 111.55 +1.68% 109.71 130.88 85.23%
Command_Serde/unpack/delete 193.18 +0.30% 192.59 235.33 82.09%
Command_Serde/unpack/delete_index 170.70 +6.73% 159.93 198.56 85.97%
Command_Serde/unpack/set 294.37 +10.56% 266.24 331.53 88.79%
Command_Serde/unpack/set_index 166.83 +4.76% 159.25 196.77 84.78%
Payload_encryption/pack/remove_cmd 122.54 +5.99% 115.62 139.80 87.65%
Payload_encryption/pack/set_cmd 217.04 +7.55% 201.81 266.25 81.52%
Payload_encryption/unpack/remove_cmd 213.07 +4.15% 204.57 253.19 84.15%
Payload_encryption/unpack/set_cmd 304.11 +9.01% 278.96 349.98 86.89%
Raft_1Node_Latency/prefix/1node 2,572,900.00 -7.15% 2,771,084.22 6,322,932.89 40.69%
Raft_1Node_Latency/read/1node 43,431.00 +153.32% 17,144.78 64,689.22 67.14%
Raft_1Node_Latency/remove/1node 389,760.00 -31.61% 569,913.59 2,316,710.74 16.82%
Raft_1Node_Latency/write/1node 407,570.00 -31.22% 592,592.03 2,149,088.86 18.96%
build_snapshot/default 120,530.00 +10.34% 109,230.97 162,891.27 73.99%
fernet token/project 1,418.90 +2.82% 1,379.92 1,634.83 86.79%
get_data_keyspace 0.31 -0.68% 0.31 0.37 85.10%
get_db 0.31 -0.40% 0.31 0.37 85.41%
get_fernet_token_timestamp/project 155.25 +8.61% 142.95 178.90 86.78%
get_keyspace 4.43 -8.24% 4.83 9.76 45.43%

gtema merged commit 8bd7be3 into main on Jul 3, 2026
32 checks passed