[Pal/Linux-SGX] Add MAA to RA-TLS and SecretProv libs #652
ra_tls_verify_lib = dlopen("libra_tls_verify_maa.so", RTLD_LAZY); | ||
if (!ra_tls_verify_lib) { | ||
mbedtls_printf("%s\n", dlerror()); | ||
mbedtls_printf("User requested RA-TLS verification with MAA but cannot find lib\n"); |
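Review bot: `RTLD_LAZY` on the `dlopen("libra_tls_verify_maa.so", ...)` call defers function symbol resolution to first use, so an incomplete or mismatched helper library passes the `!ra_tls_verify_lib` check and only fails later, outside the error path shown here. Suggest `RTLD_NOW` so that unresolved symbols are reported by the existing `dlerror()` branch.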
Could be more specific in this context.
For example: `"User requested RA-TLS verification with MAA but cannot find helper libra_tls_verify_maa.so lib.\n"`
return 1; | ||
} | ||
|
||
ra_tls_verify_lib = dlopen("libra_tls_verify_maa.so", RTLD_LAZY); |
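Review bot: the `dlopen` call passes a bare file name, so which `libra_tls_verify_maa.so` is loaded depends on the dynamic loader's search path (including `LD_LIBRARY_PATH`) in the client's environment, and this is the library that decides whether attestation passes. Suggest stating the expected install location in the example's README, or loading the library by absolute path.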
Suggest using a `const char*` to hold the name of this external library for reuse in message if possible.
Reviewable status: 0 of 22 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @bigdata-memory)
CI-Examples/ra-tls-mbedtls/src/client.c line 212 at r1 (raw file):
Previously, bigdata-memory (Gordon King) wrote…
> Suggest using a `const char*` to hold the name of this external library for reuse in message if possible.

Don't see a need.

CI-Examples/ra-tls-mbedtls/src/client.c line 215 at r1 (raw file):
Previously, bigdata-memory (Gordon King) wrote…
> Could be more specific in this context.
> For example: `"User requested RA-TLS verification with MAA but cannot find helper libra_tls_verify_maa.so lib.\n"`

Done.
Microsoft Azure Attestation (MAA) is a new attestation scheme available in the MS Azure public cloud. It uses the classic DCAP SGX quotes but replaces the DCAP/EPID quote-verification software infrastructure with the new MAA attestation provider infrastructure. In particular, the remote user is supposed to send the SGX quote in the HTTPS REST attestation request to the MAA attestation provider and receive back the JSON Web Token (JWT) that contains claims about the attesting SGX enclave. This commit introduces new `_maa` versions of the RA-TLS and Secret Provisioning verification libraries. MAA attestation should be enabled via `sgx.remote_attestation = "maa"` (`RA_TYPE=maa` in Makefiles). The documentation and the `ra-tls-mbedtls` and `ra-tls-secret-prov` examples are updated. Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
a discussion (no related file):
FYI: Tested again using:
- Busybox (just checking `/dev/attestation`)
- Python (using `sgx-quote.py`)
- ra-tls-mbedtls: `RA_TYPE="maa" RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_MAA_PROVIDER_URL="https://sharedcus.cus.attest.azure.net" make check_maa`
- ra-tls-mbedtls failure: `RA_TYPE="maa" RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_MAA_PROVIDER_URL="https://sharedcus.cus.attest.azure.net" make check_maa_fail`
- ra-tls-secret-prov: `RA_TYPE="maa" RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_MAA_PROVIDER_URL="https://sharedcus.cus.attest.azure.net" make check_maa`

Everything works fine. I also GDB'd just to make sure the correct flows are being executed.
Hi @dimakuv, I want to know when will this PR be merged and before it's merged, if we can and how we can do MAA in Gramine?
Hard to say, but in upcoming 1-2 months I think. It depends on the review process. Which is a good opportunity to ping @mkow :)
You can use this PR (this branch) to test MAA with Gramine. There is documentation included in this PR. Or maybe you meant something else?
@dimakuv
> Which is a good opportunity to ping @mkow :)

ITL is still waiting to get an Azure instance from either Intel or MS, otherwise we can't even test this PR. Also, what about CI? ;)
@mkow I can give you access to my Azure VM with Ubuntu 20.04 for testing. Do you want that?
Regarding CI: I don't have a good idea. I also don't have a good idea how MAA can be split as some kind of "plugin" from the rest of RA-TLS code...
Hi @dimakuv, any latest updates about this PR?
@RodgerZhu Short answer is that this PR is pending on #1114. I.e., Gramine first needs to have a proper plugin architecture for external attestation schemes (like MAA), and then I'll refactor this PR to become a plugin. The timeline is uncertain for this feature...
Description of the changes
Microsoft Azure Attestation (MAA) is a new attestation scheme available in the MS Azure public cloud. It uses the classic DCAP SGX quotes but replaces the DCAP/EPID quote-verification software infrastructure with the new MAA attestation provider infrastructure. In particular, the remote user is supposed to send the SGX quote in the HTTPS REST attestation request to the MAA attestation provider and receive back the JSON Web Token (JWT) that contains claims about the attesting SGX enclave.
This commit introduces new `_maa` versions of the RA-TLS and Secret Provisioning verification libraries. The documentation and the `ra-tls-mbedtls` and `ra-tls-secret-prov` examples are updated.

For design, see #626.

This PR does not depend on any other PRs, but as part of this work I detected and fixed some attestation-related issues:
- `sgx.remote_attestation = "[none|epid|dcap]"` #638
- `SECRET_PROVISION_SET_KEY` envvar in attestation #643

How to test this PR?

Manually verified on a MS Azure CC VM, with the `https://sharedcus.cus.attest.azure.net` default attestation provider. See the READMEs of `ra-tls-mbedtls` and `ra-tls-secret-prov` examples.
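
The claim check that follows the MAA round trip described above, as an added example that is not part of this PR or of Gramine's code. It assumes the JWT signature has already been verified against the provider's signing keys and uses the SGX claim names Microsoft documents for MAA tokens; `allow_debug` plays the role of `RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE`, and the helper names, the `min_svn` policy key and all sample values are constructed.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample in compact JWT form (placeholder signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), _b64url(b"placeholder")])

def parse_token(token: str):
    """Decode header and claims; signature verification is assumed done elsewhere."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_unb64url(parts[0])), json.loads(_unb64url(parts[1]))

def check_claims(token, policy, allow_debug=False, now=None):
    """Return a list of violations; an empty list means the enclave is acceptable."""
    header, claims = parse_token(token)
    now = time.time() if now is None else now
    errors = []
    if header.get("alg") != "RS256":  # assumption: provider signs with RS256
        errors.append("unexpected alg")
    if claims.get("exp", 0) <= now:
        errors.append("expired")
    # A missing flag is treated as debuggable (fail closed).
    if claims.get("x-ms-sgx-is-debuggable", True) and not allow_debug:
        errors.append("debug enclave")
    for name in ("x-ms-sgx-mrenclave", "x-ms-sgx-mrsigner", "x-ms-sgx-product-id"):
        if name in policy and claims.get(name) != policy[name]:
            errors.append(name + " mismatch")
    svn = claims.get("x-ms-sgx-svn")
    if "min_svn" in policy and (not isinstance(svn, int) or svn < policy["min_svn"]):
        errors.append("svn too low")
    return errors

# Constructed values, not taken from the PR or from a real enclave.
SAMPLE_CLAIMS = {"exp": 2000000000, "x-ms-sgx-is-debuggable": True,
                 "x-ms-sgx-mrenclave": "aa" * 32, "x-ms-sgx-mrsigner": "bb" * 32,
                 "x-ms-sgx-product-id": 0, "x-ms-sgx-svn": 1}
POLICY = {"x-ms-sgx-mrenclave": "aa" * 32, "x-ms-sgx-mrsigner": "bb" * 32, "min_svn": 1}
```
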