Secrets required to bootstrap a node

[TheBankster]

I tried and failed to find the code that allows a newly bootstrapped node to obtain the "root" signing and encryption keys it needs in order to participate in the consortium and to decrypt its confidential tables.
In particular, ability to seal/unseal keys to/from the platform it is not part of the newly created PAL. At any rate, that probably wouldn't work anyways because the workload in a public datacenter cannot be assumed to be pinned to a particular piece of hardware.
If nodes are expected to fetch secrets from their peer nodes contingent on attestation, that still leaves the question of how the very first node is bootstrapped (or, equivalently, how can a system recover from a power failure or a total shutdown).
Can anyone point me at what I need to know?
Thank you.

[achamayou]

The different keys CCF uses are documented under https://microsoft.github.io/CCF/main/architecture/cryptography.html

Network bootstrapping is covered under https://microsoft.github.io/CCF/main/operations/start_network.html for the operational part, and https://microsoft.github.io/CCF/main/governance/open_network.html for the governance part.

Similarly, DR operation: https://microsoft.github.io/CCF/main/operations/recovery.html and governance: https://microsoft.github.io/CCF/main/governance/accept_recovery.html

CCF does not use SGX key sealing, precisely for the reason you point out. Instead a wrapper key is created, used the encrypt the ledger secrets, and split among members (see the first link for details).

The endpoint that's called by a new node joining is /node/join, you can find the logic under https://github.com/microsoft/CCF/blob/main/src/node/rpc/node_frontend.h#L614. That is called and then polled, once the node has transitioned to trusted (see governance for details), the ledger and network secrets are returned here: https://github.com/microsoft/CCF/blob/main/src/node/rpc/node_frontend.h#L535