Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Random key generation #385

Merged
merged 1 commit into from
Dec 22, 2023
Merged

Conversation

piotrpalcz
Copy link
Contributor

This PR is realted to Shim/rune PR confidential-containers/enclave-cc#256 and enclave-cc PR confidential-containers/enclave-cc#265

Creates a randomly generated key to use in unionFS that is then stored in file and passed to be mounted and read by boot enclave to use that unionFS

@arronwy
Copy link
Member

arronwy commented Nov 3, 2023

As described in: https://rust-random.github.io/book/guide-rngs.html#not-a-crypto-library
"It should be emphasised that this is not a cryptography library"
"It is therefore recommended to use specialized libraries where possible,
for example openssl, ring and the RustCrypto libraries."

image-rs also have two features encryption-openssl and encryption-ring for them.

@piotrpalcz
Copy link
Contributor Author

As described in: https://rust-random.github.io/book/guide-rngs.html#not-a-crypto-library "It should be emphasised that this is not a cryptography library" "It is therefore recommended to use specialized libraries where possible, for example openssl, ring and the RustCrypto libraries."

image-rs also have two features encryption-openssl and encryption-ring for them.

Updated, but I need to explain :
In issues regarding this matter ( confidential-containers/enclave-cc#20 & confidential-containers/enclave-cc#149) there wasnt specified that this key needs to be cryptographically secure and generated with specific library. I just chose the easiest approach at the time.

Now I updated the branch using already existing in Ocicrypt-rs module rand_bytes function, which does exactly what I needed here and is already being drived by cfg feature with default value in its cfg. This though needed me to change it's access level from pub(crate) to pub.

@piotrpalcz piotrpalcz force-pushed the random_key_2 branch 4 times, most recently from 50d59ed to bd495aa Compare December 21, 2023 12:18
Copy link
Contributor

@mythi mythi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM and we have enclave-cc CI passing with this

@piotrpalcz piotrpalcz force-pushed the random_key_2 branch 4 times, most recently from 8b78aed to 4f58887 Compare December 21, 2023 12:50
image-rs/src/image.rs Outdated Show resolved Hide resolved
@mythi
Copy link
Contributor

mythi commented Dec 22, 2023

@arronwy does this look OK?

Copy link
Member

@arronwy arronwy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @piotrpalcz LGTM! Just a minor suggest.

let random_key = generate_random_key();
std::fs::write(PathBuf::from(&keys_mount_path.join("key.txt")), &random_key)?;
nix::mount::umount(keys_mount_path)?;

let options = format!(
"dir={},key={}",
Path::new("/images").join(cid).join("sefs/lower").display(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can also use key_mount_options here.·

@arronwy arronwy merged commit 5d4bb95 into confidential-containers:main Dec 22, 2023
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants