feat: Prepare PKCS#11/TPM KEK support in storage (#907)
Merged
2e72cc2 to 2d64361
2d64361 to 82a507f
Benchmark results

| Setting | Value |
|---|---|
| Branch | claude/raft-pkcs11-tpm-support-tc29i2 |
| Testbed | ubuntu-latest |

| Benchmark | Result (ns) | Δ% vs. baseline | Baseline (ns) | Upper boundary (ns) | Limit used (%) |
|---|---|---|---|---|---|
| Command_Serde/apply/remove | 130,570.00 | -56.46% | 299,875.94 | 1,712,790.26 | 7.62% |
| Command_Serde/apply/set | 142,090.00 | -43.64% | 252,112.19 | 1,028,781.94 | 13.81% |
| Command_Serde/pack/delete | 127.73 | +5.45% | 121.13 | 145.36 | 87.87% |
| Command_Serde/pack/delete_index | 111.72 | +1.67% | 109.89 | 131.44 | 85.00% |
| Command_Serde/pack/set | 219.26 | +12.72% | 194.52 | 236.54 | 92.70% |
| Command_Serde/pack/set_index | 111.55 | +1.68% | 109.71 | 130.88 | 85.23% |
| Command_Serde/unpack/delete | 193.18 | +0.30% | 192.59 | 235.33 | 82.09% |
| Command_Serde/unpack/delete_index | 170.70 | +6.73% | 159.93 | 198.56 | 85.97% |
| Command_Serde/unpack/set | 294.37 | +10.56% | 266.24 | 331.53 | 88.79% |
| Command_Serde/unpack/set_index | 166.83 | +4.76% | 159.25 | 196.77 | 84.78% |
| Payload_encryption/pack/remove_cmd | 122.54 | +5.99% | 115.62 | 139.80 | 87.65% |
| Payload_encryption/pack/set_cmd | 217.04 | +7.55% | 201.81 | 266.25 | 81.52% |
| Payload_encryption/unpack/remove_cmd | 213.07 | +4.15% | 204.57 | 253.19 | 84.15% |
| Payload_encryption/unpack/set_cmd | 304.11 | +9.01% | 278.96 | 349.98 | 86.89% |
| Raft_1Node_Latency/prefix/1node | 2,572,900.00 | -7.15% | 2,771,084.22 | 6,322,932.89 | 40.69% |
| Raft_1Node_Latency/read/1node | 43,431.00 | +153.32% | 17,144.78 | 64,689.22 | 67.14% |
| Raft_1Node_Latency/remove/1node | 389,760.00 | -31.61% | 569,913.59 | 2,316,710.74 | 16.82% |
| Raft_1Node_Latency/write/1node | 407,570.00 | -31.22% | 592,592.03 | 2,149,088.86 | 18.96% |
| build_snapshot/default | 120,530.00 | +10.34% | 109,230.97 | 162,891.27 | 73.99% |
| fernet token/project | 1,418.90 | +2.82% | 1,379.92 | 1,634.83 | 86.79% |
| get_data_keyspace | 0.31 | -0.68% | 0.31 | 0.37 | 85.10% |
| get_db | 0.31 | -0.40% | 0.31 | 0.37 | 85.41% |
| get_fernet_token_timestamp/project | 155.25 | +8.61% | 142.95 | 178.90 | 86.78% |
| get_keyspace | 4.43 | -8.24% | 4.83 | 9.76 | 45.43% |
ADR 0016-v2 §2.1 named "HSM / PKCS#11 / Cloud KMS" as the production KEK
source but never specified a mechanism, leaving the Pkcs11KekStub as a
reserved-but-unimplemented interface boundary. Adds §2.5, specifying the
PKCS#11 (CKM_AES_GCM against a non-extractable token key, same wire
format as EnvKek) and TPM 2.0 (TPM-resident non-duplicable key,
Encrypt-then-MAC since TPM2 has no native AES-GCM command) KEK
mechanisms, plus invariants 13-15 covering non-extractable key material,
file-only credential input, and authenticate-before-decrypt for non-AEAD
providers.
Adds the corresponding kek_provider configuration schema
(crates/config/src/distributed_storage.rs): an env/pkcs11/tpm selector
with per-provider sections, cross-field validation (env requires
dev_mode, pkcs11/tpm require their config section, TPM key reference is
exactly one of handle or context file), and file-based secret loading
for the PKCS#11 PIN and TPM auth value, wired into Config::load_all
alongside the existing TLS cert loading.
This lands the ADR and config groundwork only; the storage-crypto-pkcs11
and storage-crypto-tpm provider crates, SoftHSM-backed integration test,
and TPM sample are follow-up work.
Tracks the sequencing for ADR 0016-v2 §2.5 (added in the previous
commit): crate layout, TPM trust model, and test/credential-input
decisions taken with the requester, plus the step-by-step plan from ADR
addendum + config schema (done) through provider crates, wiring, SoftHSM
CI test, docs, and supply-chain updates (not started). Kept out of
doc/src/SUMMARY.md since it's a working tracking doc, not user-facing
documentation.
Assisted-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
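The commit message above describes the cross-field rules of the new kek_provider schema (env only with dev_mode, pkcs11/tpm each require their section, a TPM key reference that is exactly one of handle or context file, and PIN / auth values read from files rather than given inline). The following is an added illustration of those rules in standard-library Rust; it is not the project's code from crates/config/src/distributed_storage.rs, and every field name, type and function (KekProviderConfig, Pkcs11Config, TpmConfig, validate, load_secret_file, load_kek_secrets) is an assumption made for the example.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Selector for the KEK provider (names taken from the commit message's
/// env/pkcs11/tpm selector; the Rust shapes below are assumed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KekProviderKind { Env, Pkcs11, Tpm }

/// Assumed [kek_provider.pkcs11] section. The PIN is never stored here:
/// only a path to a file holding it.
#[derive(Debug, Clone, Default)]
pub struct Pkcs11Config {
    pub module_path: PathBuf,  // assumed: PKCS#11 module to load
    pub slot: u64,             // assumed: token slot
    pub key_label: String,     // assumed: label of the non-extractable token key
    pub pin_file: PathBuf,     // file-only credential input
}

/// Assumed [kek_provider.tpm] section. The key is referenced by a persistent
/// handle or by a saved context file, never both, never neither.
#[derive(Debug, Clone, Default)]
pub struct TpmConfig {
    pub key_handle: Option<u32>,
    pub key_context_file: Option<PathBuf>,
    pub auth_file: Option<PathBuf>,  // optional auth value, file-only
}

#[derive(Debug, Clone)]
pub struct KekProviderConfig {
    pub provider: KekProviderKind,
    pub dev_mode: bool,
    pub pkcs11: Option<Pkcs11Config>,
    pub tpm: Option<TpmConfig>,
}

impl KekProviderConfig {
    /// Cross-field validation, run before any secret is read from disk so a
    /// misconfiguration fails fast without touching credential files.
    pub fn validate(&self) -> Result<(), String> {
        match self.provider {
            KekProviderKind::Env => {
                if !self.dev_mode {
                    return Err("kek_provider = env is only allowed with dev_mode = true".into());
                }
            }
            KekProviderKind::Pkcs11 => {
                let c = self.pkcs11.as_ref()
                    .ok_or("kek_provider = pkcs11 requires a [kek_provider.pkcs11] section")?;
                if c.key_label.is_empty() {
                    return Err("pkcs11.key_label must not be empty".into());
                }
            }
            KekProviderKind::Tpm => {
                let c = self.tpm.as_ref()
                    .ok_or("kek_provider = tpm requires a [kek_provider.tpm] section")?;
                match (c.key_handle, &c.key_context_file) {
                    (Some(_), None) | (None, Some(_)) => {}
                    (None, None) => return Err("tpm: set exactly one of key_handle or key_context_file (none set)".into()),
                    (Some(_), Some(_)) => return Err("tpm: set exactly one of key_handle or key_context_file (both set)".into()),
                }
            }
        }
        Ok(())
    }
}

/// Read a secret from a file and strip the trailing newline editors add.
/// Taking a path instead of a value keeps the PIN / auth value out of the
/// config file, the command line and the environment.
pub fn load_secret_file(path: &Path) -> io::Result<String> {
    let raw = fs::read_to_string(path)?;
    let secret = raw.trim_end_matches(|c| c == '\r' || c == '\n').to_string();
    if secret.is_empty() {
        return Err(io::Error::new(io::ErrorKind::InvalidData,
            format!("secret file {} is empty", path.display())));
    }
    Ok(secret)
}

/// Secrets resolved for the selected provider (assumed type).
#[derive(Debug, Default)]
pub struct LoadedKekSecrets { pub pkcs11_pin: Option<String>, pub tpm_auth: Option<String> }

/// Validate, then load only the secrets the chosen provider needs.
pub fn load_kek_secrets(cfg: &KekProviderConfig) -> Result<LoadedKekSecrets, String> {
    cfg.validate()?;
    let mut out = LoadedKekSecrets::default();
    match cfg.provider {
        KekProviderKind::Pkcs11 => {
            let c = cfg.pkcs11.as_ref().expect("validated above");
            out.pkcs11_pin = Some(load_secret_file(&c.pin_file).map_err(|e| e.to_string())?);
        }
        KekProviderKind::Tpm => {
            let c = cfg.tpm.as_ref().expect("validated above");
            if let Some(p) = &c.auth_file {
                out.tpm_auth = Some(load_secret_file(p).map_err(|e| e.to_string())?);
            }
        }
        KekProviderKind::Env => {}
    }
    Ok(out)
}

fn main() {
    // Constructed sample: a PIN file in the temp dir and a pkcs11 config pointing at it.
    let pin_path = std::env::temp_dir().join(format!("example-pin-{}.txt", std::process::id()));
    fs::write(&pin_path, "1234\n").expect("write sample pin");
    let cfg = KekProviderConfig {
        provider: KekProviderKind::Pkcs11, dev_mode: false, tpm: None,
        pkcs11: Some(Pkcs11Config { key_label: "storage-kek".into(), pin_file: pin_path.clone(), ..Default::default() }),
    };
    println!("{:?}", load_kek_secrets(&cfg).map(|s| s.pkcs11_pin.is_some()));
    let _ = fs::remove_file(&pin_path);
}
```

Validation runs before any file is opened, so a rejected config never causes a credential file to be read, and the loader only touches the file belonging to the selected provider.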