Base changes for SSL and TEE: build, HTTP client/server, options, green zone#668
#668: PeterFarber wants to merge 5 commits into edge from
Conversation
- rebar: OpenSSL CFLAGS/LDFLAGS on Linux; snp_nif port; OVMF copy to priv/ovmf; remove dev_snp_nif from cargo; add ssl_cert dep; relax NIF CFLAGS; hook tweaks
- hb_opts: http_follow_redirects, gun_max_redirects; ssl-cert@1.0 device
- Move OVMF-1.55.fd from test/ to root for TEE/measured boot
- erlang_ls: add _build default lib include dirs

- Client: scheme-aware HTTP/HTTPS (uri_string), TLS cacerts for Gun, follow redirects (gun + httpc, gun_max_redirects), route label in metrics
- Server: start_https_node/5, redirect-to-HTTPS, default constants and test cert paths; refactor startup and server hooks

- Rework init/3, join/3, key/3, become/3 with maybe and small helpers
- Add encrypt_data/2, decrypt_data/3 exports; drop is_trusted from device API
- Add type specs and doc updates for public and helper functions
src/dev_green_zone.erl
Outdated
| %% @param Opts Configuration options containing identities and wallet info | ||
| %% @returns Wallet to use for encryption operations | ||
| get_appropriate_wallet(Opts) -> | ||
| Identities = hb_opts:get(identities, #{}, Opts), |
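Review bot: `hb_opts:get(identities, #{}, Opts)` falls back to an empty map, so `get_appropriate_wallet/1` needs an explicit branch for "no identities configured" (return `{error, no_wallet}` or fall back to the node wallet) instead of letting a later lookup fail with a match error; the `@returns` doc should state which fallback applies.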
IIRC there are functions in hb_opts to handle this?
src/dev_green_zone.erl
Outdated
| build_key_response(EncryptedData, IV) -> | ||
| {ok, #{ | ||
| <<"status">> => 200, | ||
| <<"encrypted_key">> => base64:encode(EncryptedData), |
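Review bot: the IV that `build_key_response/2` receives is not visible in the response map beside `encrypted_key` in these lines; the peer cannot call `decrypt_data/3` without it, so include it (base64-encoded like the ciphertext) and, if the cipher is an AEAD mode, the authentication tag as well.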
All of the _s in this device are non-standard. Unless absolutely necessary we should normalize them as -.
src/dev_green_zone.erl
Outdated
| end, | ||
| % Extract and validate peer parameters | ||
| NodeLocation = | ||
| hb_opts:get(<<"green_zone_peer_location">>, undefined, Opts), |
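Review bot: the lookup defaults to `undefined`, so the "validate peer parameters" step needs an explicit `undefined` clause that returns an error before the location is used to build a request; the same applies to the other peer parameters read in this block.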
The binary->atom normalization of Opts should be handling key conversion, right? Any reason not to use the atom form? Atoms -> _s, binaries -> - always.
| GreenZoneWallet = {{KeyType, Priv, Pub}, {KeyType, Pub}}, | ||
| ok ?= update_node_identity(GreenZoneWallet, Opts), | ||
| % Mount encrypted volume and finalize | ||
| try_mount_encrypted_volume(GreenZoneWallet, Opts), |
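Review bot: the result of `try_mount_encrypted_volume/2` is discarded, so inside this `maybe` block a failed mount is silently ignored while `update_node_identity/2` is checked with `ok ?=`; either check it the same way or log the failure explicitly. Also, `GreenZoneWallet` carries `Priv` as a plain tuple element, so make sure neither helper prints it in debug or error output.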
Calling hooks would be a more generic solution here, then the on-join action could be determined by the setup of the zone. That would be much better than always just trying to mount disks. An example usage might be generating and loading SSL keys after a join, or publishing a new location record, etc.
Understood, will implement this in a separate PR.
src/dev_green_zone.erl
Outdated
| %% | ||
| %% @param InitOpts Initial configuration options | ||
| %% @returns {ok, Req} with prepared request, or {error, Reason} | ||
| default_zone_required_opts(_Opts) -> |
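Review bot: the docstring does not match the function below it: it documents `@param InitOpts` and `@returns {ok, Req} ... or {error, Reason}`, but the function is `default_zone_required_opts(_Opts)`, which ignores its argument and returns a set of default options. Rewrite the doc to describe the required-option defaults it actually returns.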
src/dev_green_zone.erl
Outdated
| %% @param Opts The options map to fetch replacement values from | ||
| %% @returns A new map with <<"self">> values replaced | ||
| replace_self_values(Config, Opts) -> | ||
| maps:map( |
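Review bot: `maps:map/2` walks only the top level of `Config`, so a `<<"self">>` placeholder inside a nested map or a list value is left untouched; if zone configs can nest, recurse into map and list values so every occurrence is replaced.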
100% sure there will never be any lazy links?
src/dev_green_zone.erl
Outdated
| % Generate random IV | ||
| IV = crypto:strong_rand_bytes(16), | ||
| % Convert data to binary if needed | ||
| DataBin = case is_binary(Data) of |
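Review bot: a 16-byte IV from `crypto:strong_rand_bytes/1` fits AES-CBC or AES-CTR, but if the mode is AES-GCM the standard nonce length is 12 bytes; state the cipher mode in a comment here and, for an AEAD mode, return the tag together with the IV and ciphertext so the decrypt path verifies integrity before decoding. The `is_binary(Data)` branch also needs a reversible framing, since `decrypt_data` cannot otherwise tell a raw binary from a `term_to_binary` payload.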
I don't think this can work? The encrypt_data and decrypt_data will not be reciprocal. You have essentially defined a new binary format codec using term_to_binary, but then you don't tag the output so the decoder cannot unwind it correctly as it cannot differentiate the form.
Why not just only support binaries, or allow the caller to specify a codec that has a binary to form and prepend the encrypted data with that? Ex:
encrypt_data(Msg, Opts) -> encrypt_data(Msg, ?DEFAULT_CODEC, Opts).
encrypt_data(Msg, Codec, Opts) ->
    Bin = hb_message:convert(Msg, #{ <<"codec-device">> => Codec, <<"encoding">> => <<"binary">> }, Opts),
    TypedBin = <<"~", Codec/binary, "/from&body=", Bin/binary>>. % Or something...
...then split on this in decrypt and reverse.
You would have to add the encoding support but it is a good idea anyway.
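The reviewer's sketch above, carried through as a working pair: an added example, not code from this PR or from the project. It prefixes the encoded body with its codec name so decrypt can unwind it, and uses AES-256-GCM so the codec tag is integrity-protected along with the body. The frame `~Codec/from&body=Body`, the two toy codec names, the `<<"key">>` entry in Opts, and the "tag appended to ciphertext" layout are constructed assumptions; the `hb_message:convert/3` call is replaced by a local `encode/2`.

```erlang
%% Added example (not code from the PR): encrypt_data/3 and decrypt_data/3
%% that are reciprocal because the plaintext is framed as
%% "~" Codec "/from&body=" Body before encryption. Frame, codec names and
%% the Opts key <<"key">> are constructed assumptions.
-module(tagged_encrypt_example).
-export([encrypt_data/3, decrypt_data/3, main/0]).

-define(DEFAULT_CODEC, <<"binary">>).
-define(TAG_LEN, 16).   % AES-GCM authentication tag length in bytes

%% Codec step: term -> binary and back. Two toy codecs only.
encode(<<"binary">>, Bin) when is_binary(Bin) -> Bin;
encode(<<"erlang">>, Term) -> term_to_binary(Term).

decode(<<"binary">>, Bin) -> {ok, Bin};
decode(<<"erlang">>, Bin) -> {ok, binary_to_term(Bin, [safe])};
decode(Codec, _Bin) -> {error, {unknown_codec, Codec}}.

%% Framing. The codec name travels inside the ciphertext, so the GCM tag
%% covers it and it cannot be swapped in transit. Codec names must not
%% contain "/".
frame(Codec, Body) ->
    <<"~", Codec/binary, "/from&body=", Body/binary>>.

unframe(<<"~", Rest/binary>>) ->
    case binary:split(Rest, <<"/from&body=">>) of
        [Codec, Body] -> {ok, Codec, Body};
        _ -> {error, bad_frame}
    end;
unframe(_Other) -> {error, bad_frame}.

%% encrypt_data/3: Opts carries a 32-byte key under <<"key">>. A fresh
%% 12-byte nonce is drawn per message; a nonce must never repeat under a key.
%% Output is IV plus ciphertext with the 16-byte tag appended.
encrypt_data(Term, Codec, #{<<"key">> := Key}) when byte_size(Key) =:= 32 ->
    IV = crypto:strong_rand_bytes(12),
    Plain = frame(Codec, encode(Codec, Term)),
    {Cipher, Tag} =
        crypto:crypto_one_time_aead(aes_256_gcm, Key, IV, Plain, <<>>, ?TAG_LEN, true),
    {ok, #{<<"iv">> => IV, <<"ciphertext">> => <<Cipher/binary, Tag/binary>>}}.

%% decrypt_data/3: verify the tag first, then parse the frame, then decode.
decrypt_data(Blob, _IV, _Opts) when byte_size(Blob) < ?TAG_LEN ->
    {error, too_short};
decrypt_data(Blob, IV, #{<<"key">> := Key}) when byte_size(Key) =:= 32 ->
    CLen = byte_size(Blob) - ?TAG_LEN,
    <<Cipher:CLen/binary, Tag:?TAG_LEN/binary>> = Blob,
    case crypto:crypto_one_time_aead(aes_256_gcm, Key, IV, Cipher, <<>>, Tag, false) of
        error -> {error, authentication_failed};
        Plain ->
            case unframe(Plain) of
                {ok, Codec, Body} -> decode(Codec, Body);
                Err -> Err
            end
    end.

%% Round-trip a map via the "erlang" codec and a raw binary via the default
%% codec, then show that a flipped bit is rejected before any decoding runs.
main() ->
    Opts = #{<<"key">> => crypto:strong_rand_bytes(32)},
    Msg = #{<<"role">> => <<"peer">>, <<"n">> => 7},   % constructed sample
    {ok, #{<<"iv">> := IV, <<"ciphertext">> := Blob}} =
        encrypt_data(Msg, <<"erlang">>, Opts),
    {ok, Msg} = decrypt_data(Blob, IV, Opts),
    {ok, #{<<"iv">> := IV2, <<"ciphertext">> := Blob2}} =
        encrypt_data(<<"raw bytes">>, ?DEFAULT_CODEC, Opts),
    {ok, <<"raw bytes">>} = decrypt_data(Blob2, IV2, Opts),
    <<B0, Rest/binary>> = Blob,
    {error, authentication_failed} =
        decrypt_data(<<(B0 bxor 1), Rest/binary>>, IV, Opts),
    io:format("round-trips ok, tamper detected~n").
```

Run with `erlc tagged_encrypt_example.erl && erl -noshell -s tagged_encrypt_example main -s init stop`. Because the codec name sits inside the authenticated plaintext rather than in a cleartext header, a peer cannot flip the tag to make the receiver run a different decoder on the same bytes; `binary_to_term/2` is called with `safe` so the "erlang" codec cannot create new atoms on the receiving node.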
src/hb_opts.erl
Outdated
| #{<<"name">> => <<"trie@1.0">>, <<"module">> => dev_trie}, | ||
| #{<<"name">> => <<"tx@1.0">>, <<"module">> => dev_codec_tx}, | ||
| #{<<"name">> => <<"volume@1.0">>, <<"module">> => dev_volume}, | ||
| #{<<"name">> => <<"ssl-cert@1.0">>, <<"module">> => dev_ssl_cert}, |
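Review bot: this entry registers `ssl-cert@1.0` -> `dev_ssl_cert` in the default device list, but the latest commit summary on this PR says ssl-cert was removed from preloaded_devices; confirm which list is meant to carry it so `hb_opts` defaults and the commit history agree.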
| {post, [ | ||
| {compile, {pc, compile}}, | ||
| {clean, {pc, clean}}, | ||
| {clean, {cargo, clean}} |
Why deliberately delete the build artifacts rather than this? Or perhaps the opposite: Is this even necessary anyway? Would be much nicer if we weren't wiping all of these build artifacts at all (including for WAMR) on node start every time. It is noisy and slow.
…e default zone opts; remove ssl-cert from preloaded_devices
Foundation for upcoming SSL (HTTPS, certs) and TEE (SNP) work. No new features enabled; prepares build, HTTP stack, and green zone for follow-up PRs.
- Build: snp_nif port; OVMF moved to root and copied to priv/ovmf; ssl_cert dep; NIF CFLAGS and hook tweaks.
- HTTP server: start_https_node/5, HTTP→HTTPS redirect, ssl-cert@1.0 device in defaults; startup/greeter refactors.
- Options: http_follow_redirects, gun_max_redirects; ssl-cert@1.0 in default devices.
- Green zone: maybe and helpers; add encrypt_data/decrypt_data exports; drop is_trusted from device API; specs and docs.
- erlang_ls: _build/default/lib include dirs.