KME Replication at trusted layer #765
Conversation
rranjan3
requested review from
danintel,
dcmiddle,
EugeneYYY,
karthikamurthy,
manju956,
pankajgoyal2,
Ram-srini,
SriharshaSubbakrishna and
TomBarnes
as code owners
rranjan3
force-pushed
the
kme-replication
branch
from
7ea73df
to
0e70b37
Compare
| @@ -32,6 +32,14 @@ enum KmeRegistrationStatus { | |||
| ERR_UNIQUE_ID_NOT_MATCH = 7 /// WPE unique id didn't match | |||
| }; | |||
|
|
|||
| enum KmeReplicationReturnCode { /// KME Replication operation(state-uid, state-request, get-state, set-state) status | |||
There was a problem hiding this comment.
modify Replication operation to Replication operations
| * | ||
| * @param in_work_order_data - vector of work order indata. | ||
| * It consists of the unique_id and signing key | ||
| * @param out_work_order_data - vector of work order outdata |
There was a problem hiding this comment.
Add description about contents of out_work_order_data as well.
| // replica KME | ||
| ByteArray uid_ba = in_work_order_data[0].decrypted_data; | ||
| // Generate random bytes of size 16, | ||
| ByteArray nonce_bytes = tcf::crypto::RandomBitString(16); |
There was a problem hiding this comment.
Can we define numeric constant for nonce size? It makes easy to modify later.
| ByteArray uid_nonce_sig = in_work_order_data[3].decrypted_data; | ||
| // Extract replica KME pub signing key from in_data that comes in | ||
| // the request | ||
| ByteArray pub_sig_key_ba = in_work_order_data[4].decrypted_data; |
There was a problem hiding this comment.
does attestation_info not contain public signing key and encryption key of the replica KME? Or is it only the attestation report?
There was a problem hiding this comment.
Have not included the attestation_info as of now. Can do away with the public keys once it is added.
| } | ||
|
|
||
| //Cleanup in-memory state-uid | ||
| state_uid_hex = ""; |
There was a problem hiding this comment.
Better to clean state variables at the end to avoid failures post this step.
| serialized_str += ByteArrayToStr(it->first); | ||
| serialized_str += ":"; | ||
| serialized_str += ByteArrayToStr((it->second).serialize()); | ||
| serialized_str += "|"; |
There was a problem hiding this comment.
Why can't we use the same delimiter for serializing both encryrption and signature key maps.
There was a problem hiding this comment.
The WPEInfo causes the difference which also needs some delimiter.
| @@ -33,6 +33,26 @@ typedef struct WPEInfo { | |||
|
|
|||
| WPEInfo(); | |||
| WPEInfo(const ByteArray& _sk); | |||
| WPEInfo(const uint64_t _wo_c, const ByteArray& _sk); | |||
|
|
|||
| ByteArray serialize(){ | |||
|
|
||
| return StrToByteArray(serialized); | ||
| } | ||
| void deserialize(ByteArray ba){ |
| @@ -27,6 +27,7 @@ class BaseEnclaveInfo { | |||
| const std::string& persisted_sealed_data, | |||
| const int num_of_enclaves); | |||
| virtual ~BaseEnclaveInfo(); | |||
| void terminate_enclave(); | |||
There was a problem hiding this comment.
Good to have consistent function naming convention.
There was a problem hiding this comment.
We have followed the convention of naming the function like TerminateEnclave() in cpp code. Good to keep the convention aligned. I am sure there are some places this convention is not followed, needs to be fixed.
| @@ -79,7 +79,7 @@ EnclaveData::EnclaveData(const uint8_t* inSealedData) { | |||
| nullptr, 0, &decrypted_data[0], &decrypted_size); | |||
| tcf::error::ThrowSgxError(ret, "Failed to unseal data"); | |||
| std::string decrypted_data_string(reinterpret_cast<const char*>(&decrypted_data[0])); | |||
| DeserializeSealedData(decrypted_data_string); | |||
| DeserializePrivateData(decrypted_data_string); | |||
There was a problem hiding this comment.
Any reason to rename the function?
There was a problem hiding this comment.
Yes it is essentially deserializing only the private data.
rranjan3
force-pushed
the
kme-replication
branch
3 times, most recently
from
5ded7b8
to
c10a4b4
Compare
Implementation of workorder targetted for KME (primary/replica) - state-uid - state-request - get-state - set-state Signed-off-by: Rajeev Ranjan <[email protected]>
Signed-off-by: Rajeev Ranjan [email protected]