tools/orc: Add support for ephemeral signer key #2168

Merged
merged 1 commit into from
Mar 5, 2025

kostko
Member

@kostko kostko commented Mar 4, 2025

Fixes #2167

netlify bot commented Mar 4, 2025

Deploy Preview for oasisprotocol-oasis-sdk canceled.

Name Link
🔨 Latest commit e1bf113
🔍 Latest deploy log https://app.netlify.com/sites/oasisprotocol-oasis-sdk/deploys/67c6d75993e6b700082f80eb

//
// The code below is adopted from the Go standard library as it is otherwise not possible to
// customize the exponent.
func sgxGenerateKey(random io.Reader) (*rsa.PrivateKey, error) {
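Review bot: The comment above `sgxGenerateKey` says the code is "adopted from the Go standard library" but does not name the function or the Go release it was copied from. Naming both (and writing "adapted", since the exponent is changed) would let a later reader compare this copy against upstream `crypto/rsa` when key generation there changes.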
Contributor

Should we add some kind of test, e.g. to test that e == 3, bits == 3072, two primes, ...?
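
The properties listed in this comment (e == 3, a 3072-bit modulus, two primes) can be checked as follows. This is an added example, not code from the PR: `checkSGXSignerKey` and `newKey` are hypothetical names, and `newKey` is a constructed stand-in for the PR's `sgxGenerateKey`, whose body is not shown on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

var one, three = big.NewInt(1), big.NewInt(3)

// checkSGXSignerKey checks e == 3, a 3072-bit N, two primes, and that d inverts e.
func checkSGXSignerKey(k *rsa.PrivateKey) error {
	switch {
	case k.E != 3:
		return fmt.Errorf("public exponent is %d, want 3", k.E)
	case k.N.BitLen() != 3072:
		return fmt.Errorf("modulus is %d bits, want 3072", k.N.BitLen())
	case len(k.Primes) != 2:
		return fmt.Errorf("key has %d primes, want 2", len(k.Primes))
	case new(big.Int).Mul(k.Primes[0], k.Primes[1]).Cmp(k.N) != 0:
		return fmt.Errorf("modulus is not the product of the two primes")
	}
	for _, p := range k.Primes { // d*e must be 1 modulo each p-1
		de := new(big.Int).Mul(k.D, three)
		if de.Mod(de, new(big.Int).Sub(p, one)).Cmp(one) != 0 {
			return fmt.Errorf("private exponent does not invert e")
		}
	}
	return nil
}

// newKey is a constructed stand-in generator for this example, not the PR's sgxGenerateKey.
func newKey(bits int) *rsa.PrivateKey {
	var pq []*big.Int
	for len(pq) < 2 {
		p, err := rand.Prime(rand.Reader, bits/2)
		if err != nil {
			panic(err) // no usable randomness
		}
		if new(big.Int).Mod(p, three).Cmp(one) != 0 { // need gcd(3, p-1) == 1
			pq = append(pq, p)
		}
	}
	phi := new(big.Int).Mul(new(big.Int).Sub(pq[0], one), new(big.Int).Sub(pq[1], one))
	pub := rsa.PublicKey{N: new(big.Int).Mul(pq[0], pq[1]), E: 3}
	return &rsa.PrivateKey{PublicKey: pub, D: new(big.Int).ModInverse(three, phi), Primes: pq}
}

func main() { fmt.Println("check:", checkSGXSignerKey(newKey(3072))) }
```
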

@@ -531,6 +556,84 @@ func showTdxComponent(indent string, bnd *bundle.Bundle, comp *bundle.Component)
fmt.Printf("%s Memory: %d MiB\n", indent, comp.TDX.Resources.Memory)
}

// sgxGenerateKey generates a 3072-bit RSA key with public exponent 3 as required for SGX.
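Review bot: The doc comment on `sgxGenerateKey` gives the parameters (3072 bits, public exponent 3) but not the intended scope. Since exponent 3 is chosen only because it is "required for SGX", add a sentence stating that the result is meant solely as an enclave signer key and should not be reused for other RSA purposes.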
Contributor

I thought that small exponents should be avoided. But if they required 3, then what can you do? 🤷

Member Author

It doesn't really matter as MRSIGNER is not used anywhere in our system (we just compare against a reference value in the policy). So it doesn't really matter even if this key is compromised. Which is why we are adding these ephemeral keys here.

@kostko kostko merged commit fc4b55e into main Mar 5, 2025
26 checks passed
@kostko kostko deleted the kostko/feature/orc-sgx-setsig-rngkey branch March 5, 2025 10:14
github-actions bot added a commit that referenced this pull request Mar 5, 2025
github-actions bot added a commit that referenced this pull request Mar 5, 2025
github-actions bot added a commit to OasisUnofficial/oasis-sdk that referenced this pull request Mar 5, 2025
…sisprotocol/kostko/feature/orc-sgx-setsig-rngkey fc4b55e
github-actions bot added a commit to OasisUnofficial/oasis-sdk that referenced this pull request Mar 5, 2025
…oasisprotocol/kostko/feature/orc-sgx-setsig-rngkey fc4b55e