incubator-teaclave-sgx-sdk icon indicating copy to clipboard operation
incubator-teaclave-sgx-sdk copied to clipboard

Published 20 hours ago verified publisher icon apache

support kvdb for enclave?

Open bradyjoestar opened this issue 5 years ago • 11 comments

I want to support memdb for rust-sgx-sdk and at the same time writing a sample which works in the following ways:

  • If we start the encalve, it will initialize a memdb.
  • when we call set function, it will write the data into the memdb
  • when we call get function, it will read the data from memdb.

Is this feasible in theory? If true, I'd like to be reviewed and merged. :smile:

bradyjoestar avatar May 11 '19 06:05 bradyjoestar

Really good idea!

I think it's a pretty good start of a protected db. The sample code will be a fantastic proof-of-concept.

To use it in production, one needs to consider about authentication and authorization.

dingelish avatar May 12 '19 21:05 dingelish

yeah!it's may be more useful if we consider the persistence of protected db.:beers:

bradyjoestar avatar May 13 '19 05:05 bradyjoestar

Maybe we could directly try to support kvdb in enclave? It includes kvdb-memdb and kvdb-rocksdb which from paritytech/parity-commons. At the same time we would provide two examples:

memdb

This is used to show how to save some data which we want to be reused for a long time, such as the tls keypair.

rocksdb

This is used to show how to use rocksdb as protected db, we may need to solve the following problems:

  • encryption at rest
  • authentication and authorization.

bradyjoestar avatar May 14 '19 02:05 bradyjoestar

@bradyjoestar @dingelish for the persistent (e.g. rocksdb) backend, one additional problem would be freshness -- one could overwrite the db state with an old authentic and encrypted state. As this is for "cloud" web apps (https://github.com/baidu/rust-sgx-sdk/issues/110 ) Intel ME functionality (like monotonic counters) that could help may not be available.

tomtau avatar May 20 '19 07:05 tomtau

I guess a more "cloud-friendly" alternative for persistent db freshness would be some fault-tolerant enclave kvdb replication?

tomtau avatar May 20 '19 07:05 tomtau

https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-matetic.pdf

tomtau avatar May 20 '19 07:05 tomtau

Just noticed that parity’s kvdb-memorydb is under GPLv3. Do we really need to depend on this?

dingelish avatar May 20 '19 16:05 dingelish

I think I need to fork parity-common to another repo instead of place them in this repo.

dingelish avatar May 20 '19 16:05 dingelish

  • [ ] fork and port elastic-array to elastic-array-sgx
  • [ ] fork and port parity-common to parity-common-sgx
  • [ ] remove parity-common from third_party directory
  • [ ] fix the sample code kvdb-memdb

Assigned to myself.

dingelish avatar May 20 '19 17:05 dingelish

Sure!

bradyjoestar avatar May 21 '19 01:05 bradyjoestar

I guess a more "cloud-friendly" alternative for persistent db freshness would be some fault-tolerant enclave kvdb replication?

@tomtau I'm not proficient in database so give me some time to learn :smile: Thanks to your suggestion and I will read the paper carefully.

bradyjoestar avatar May 21 '19 01:05 bradyjoestar