Confidential-Datahub API definition and Sealed Secrets #288

Merged
merged 5 commits into from
Jul 28, 2023

@Xynnn007 Xynnn007 commented Jul 20, 2023

This PR:

  1. defines the API of CDH
  2. defines the format of sealed secret and model code

Also, currently sev has online/offline-sev-kbc. I think these two can be refactored into CDH's resource clients. cc @fitzthum @stevenhorsman I can help with this in future PRs.

arronwy commented Jul 20, 2023

cc @sameo @fitzthum @stevenhorsman @fidencio @mythi @mkulke

@Xynnn007 Xynnn007 force-pushed the feat-cdh branch 2 times, most recently from 51be376 to 71a7636 Compare July 25, 2023 15:30

@fitzthum fitzthum left a comment

A few comments. Code looks fine so far.

@Xynnn007 Xynnn007 marked this pull request as ready for review July 26, 2023 13:04
@Xynnn007 Xynnn007 requested a review from fitzthum July 26, 2023 23:56
@Xynnn007 Xynnn007 force-pushed the feat-cdh branch 2 times, most recently from bdda230 to 9c12746 Compare July 27, 2023 02:38
and the unsealing occurs only if the remote attestation process passes,
which means the TEE environment is as expected. Also, Sealed Secret can
leverage commercial KMS/Secret Manager(Vault) productions in the unsealing
process.
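Review bot: in the last sentence of this paragraph, "productions" should read "products", and "Secret Manager(Vault)" needs a space before the parenthesis. The sentence would also be easier to act on if it named which step of unsealing is delegated to the KMS or Secret Manager, since the text only says the product is "leveraged".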
Member

@Xynnn007 any reference on how sealed secret can use, say, HashiCorp Vault?

Member Author

Not yet. However, after merging this we will make a PR that defines the trait of a KMS and a Vault. Semantically there will be two main APIs:

```rust
async fn decrypt(&mut self, ciphertext: &[u8], keyid: &str) -> Result<Vec<u8>>;
async fn get_secret(&mut self, name: &str) -> Result<Vec<u8>>;
```

Thus, the code of Sealed Secret will just call the trait function to get the secret directly or unseal the wrapped secret. In this way we do not need to care much about the concrete vault/KMS underneath.

I glanced at the API of HashiCorp Vault and found it matches the definition of get_secret(), so it can support Vault type sealed secret. I'm not sure whether a decrypt-like API is supported by HashiCorp Vault. If so, KMS (or we say Envelope) type Sealed Secret can be supported.
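Added example, not part of this PR or the project's code: a sketch of the dispatch the comment above describes, where unsealing calls only the trait and an unknown key id or secret name fails instead of returning data. It assumes a synchronous trait (the comment's signatures are async); `SecretProvider`, `SealedSecret`, `MockBackend`, `demo_backend` and all sample values are hypothetical names constructed for the illustration.

```rust
use std::collections::HashMap;

// Synchronous counterpart of the two calls sketched in the comment.
trait SecretProvider {
    fn decrypt(&mut self, ciphertext: &[u8], keyid: &str) -> Result<Vec<u8>, String>;
    fn get_secret(&mut self, name: &str) -> Result<Vec<u8>, String>;
}

// Hypothetical shapes for the two sealed secret types named in the comment.
enum SealedSecret {
    Vault { name: String },
    Envelope { keyid: String, wrapped: Vec<u8> },
}

// Unsealing talks only to the trait, never to a concrete KMS or vault.
fn unseal(p: &mut dyn SecretProvider, s: &SealedSecret) -> Result<Vec<u8>, String> {
    match s {
        SealedSecret::Vault { name } => p.get_secret(name),
        SealedSecret::Envelope { keyid, wrapped } => p.decrypt(wrapped, keyid),
    }
}

// Constructed in-memory backend; XOR stands in for a real KMS unwrap (no security).
struct MockBackend { secrets: HashMap<String, Vec<u8>>, keys: HashMap<String, u8> }

impl SecretProvider for MockBackend {
    fn decrypt(&mut self, ciphertext: &[u8], keyid: &str) -> Result<Vec<u8>, String> {
        let k = *self.keys.get(keyid).ok_or_else(|| format!("unknown key id: {keyid}"))?;
        Ok(ciphertext.iter().map(|b| b ^ k).collect())
    }
    fn get_secret(&mut self, name: &str) -> Result<Vec<u8>, String> {
        self.secrets.get(name).cloned().ok_or_else(|| format!("no such secret: {name}"))
    }
}

fn demo_backend() -> MockBackend {
    MockBackend {
        secrets: HashMap::from([("db-password".to_string(), b"hunter2".to_vec())]),
        keys: HashMap::from([("kek-1".to_string(), 0x5a)]),
    }
}

fn main() {
    let mut b = demo_backend();
    let wrapped = b"hunter2".iter().map(|x| x ^ 0x5a_u8).collect();
    for s in [SealedSecret::Vault { name: "db-password".into() },
              SealedSecret::Envelope { keyid: "kek-1".into(), wrapped }] {
        println!("{:?}", unseal(&mut b, &s));
    }
}
```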

@fitzthum fitzthum left a comment

LGTM

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This commit defines the basic API for confidential datahub and the basic
error handling.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Serialize & Deserialize are for Serialization.
PartialEq & Debug are for assert_eq! in unit tests

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This PR only has definition for sealed secrets.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007 Xynnn007 merged commit d8b8bd7 into confidential-containers:main Jul 28, 2023
6 checks passed
@Xynnn007 Xynnn007 deleted the feat-cdh branch July 28, 2023 13:04