20. September 2022

[dimakuv]

Agenda

(please write your proposed agenda items in comments under this discussion)

• Sankar: Encryption with Azure KeyVault HSM

Sankar: Enclave signing with Azure KeyVault HSM

We want to have a two-step signing process, where the second step is "take the enclave info, send it HSM as input, HSM signs with the private signing key and returns back the signed enclave info". This is needed to protect the private signing key.

An example of such HSM is the Azure KeyVault HSM. We can have an integration script (like a reference script).

This HSM integration is required for Curated Applications. Manual signing with a plaintext key on some machine/VM is considered bad practice. So we need an additional option, other than manual signing, -- a hook into Curated Apps script (and also into GSC scripts) that signs using HSM.

Sankar: File Encryption with Azure KeyVault HSM

Typically users would want to keep the symmetric encryption key in some HSM. And users want to use different kinds of keys. Users don't want to restrict themselves to some specific format/length of keys (as is currently done in Protected Files format in Gramine).

Also, users don't want to use some ad-hoc format to encrypt their files. Protected Files feature requires Gramine-specific tools to encrypt/decrypt tools, as well as a specific format of the PF key (128-bit key). Also, the format forces to put files in specific absolute/relative paths, which may be confusing and annoying (and users may not care about this particular no-file-swaps-possible guarantee).

Michal: we provide a tool that encrypts/decrypts the file. Mona: but imagine an ML model provider who wants to encrypt the model once, and then they can deploy it not only with Gramine but with other frameworks as well. So we're talking about some kind of standardization.

Michal: First: PF format is guaranteed to work. Second: There is no standard way to encrypt files.

Mona: we could add an intermediate tool to Curated Apps, that would take some-format-encrypted input from the client and the tool will generate the corresponding Gramine-format-encrypted file (to be fed to Gramine as input). Sankar: yes, could be done, but there is a problem of the key mismatch (Gramine's PF uses 128-bit keys, and some-format may use a different length of the key). And if the client wants the output files encrypted in their some-format, then Curated Apps need to run this intermediate tool on the way back.

Woju: the client encrypts the data. How is the app supposed to decrypt it? We should standardize Protected Files format as a solution to put encrypted files into SGX enclaves.

Michal and Woju: there is NO standard tool that would fit our use case (read-only file, with integrity and confidentiality guarantees). There is NOTHING we can take as a basis and use it as a de-facto standard. So, for now our ad-hoc Protected Files format is actually the best we can have.

Mona: Is this problem ("no standard format to encrypt read-only files") something that could be brought to the CCC TAC meeting? Question to Eric Voit. Eric: this was not talked about yet, nobody tried yet to find common encryption formats.

Sankar: there is a libmhsm_ssr.so library provided by Microsoft (see https://github.com/deislabs/mystikos/tree/main/samples/confidential_ml). Maybe there is open source somewhere, and we could use it in Gramine, for simpler integration with Azure KeyVault, rather than writing our own code. Could we bring it up to Microsoft?