Skip to content

[WIP] AMD SNP: add derived-key endpoint #885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 147 commits into
base: main
Choose a base branch
from
Open

[WIP] AMD SNP: add derived-key endpoint #885

wants to merge 147 commits into from

Conversation

eldios
Copy link

@eldios eldios commented Jan 22, 2025

Add custom feature for AMD SNP to get a derived-key via a dedicated REST API endpoint.

@eldios eldios requested a review from a team as a code owner January 22, 2025 04:15
eldios added 14 commits January 22, 2025 15:08
eldios added 16 commits February 6, 2025 00:41
@eldios
derive_key: change key id to be correctly used confidential-containers#9
c15fb9c
@eldios
derived_key: fix function
5a15efc
@eldios
derived_key: fix function (typo)
9ce8c4d
@eldios
derived_key: fix function confidential-containers#2
cb1d791
@eldios
derived_key: fix function confidential-containers#3
28f514f
@eldios
derived_key: remove grpc from default features
e07cc69
@eldios
derived_key: add docs about GuestFieldSelect + change to guest Policy
99e124f
@eldios
devired_key: cleaning pass confidential-containers#1
6916687
@eldios
devired_key: cleaning pass confidential-containers#2
8db5333
@eldios
devired_key: cleaning pass confidential-containers#3
7142a72
@eldios
devired_key: cleaning pass confidential-containers#4
b335ba2
@eldios
devired_key: cleaning pass confidential-containers#5
fc7a925
@eldios
devired_key: cleaning pass confidential-containers#6
9e5cdd4
@eldios
devired_key: cleaning pass confidential-containers#7
2ccc9ee
@eldios
devired_key: cleaning pass confidential-containers#8
1cf7a9c
@eldios
derived-key: change fieldSelect to be measurement
ec11a2f
@Xynnn007
Copy link
Member

Xynnn007 commented Feb 6, 2025

Update: SGX has similar API.

Xynnn007
Xynnn007 reviewed May 14, 2025
View reviewed changes
Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @eldios , could you help to squash the commits with some commit messages? It would help review

attestation-agent/protos/attestation-agent.proto
}

service AttestationAgentService {
rpc GetDerivedKey(GetDerivedKeyRequest) returns (GetDerivedKeyResponse) {};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add some documents or notes about the RPC, like
what is it for?
what does it require from the underlying TEE?
what attributes of the key would/would not have?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems rather intrusive change (given the API impact) to enable an SNP specific feature. Might be easier to just make /dev/sev_guest available to the workload and have the ioctl logic implemented there.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure whether the interface that Lele wants to add is to use the TEE hardware features as a trusted cryptographic seed source to derive keys for other cryptographic operations. If so, SGX/TPM have similar interfaces to derive key, and I think it can be further designed as a high-level interface, using different hardware features at the bottom layer.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, it would be good to understand (CoCo) use-case first.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one twist is that I'm not sure configfs supports this stuff

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fitzthum fitzthum fitzthum left review comments

@Xynnn007 Xynnn007 Xynnn007 left review comments

+1 more reviewer

@mythi mythi mythi left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@eldios @Xynnn007 @fitzthum @mythi