envoy
contrib: add SGX private key provider
Intel® Software Guard Extensions (Intel® SGX) offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels.
SGX Private Key Provider extension supports the PKCS#11 v2.40 standard and uses Intel® SGX as the hardware security module (HSM) to protect private keys used in Envoy. With this feature all private keys used in the Envoy data plane are stored in Intel® SGX enclaves. SGX Private Key Provider will perform the cryptographic operations of the TLS handshake inside Intel® SGX enclaves, so that all these operations are protected from being hacked throughout their lifecycle.
Additional Description:
SGX Private Key Provider leverages Crypto API Toolkit for Intel(R) SGX (CTK) to protect private keys. CTK aims at enhancing the security of data and key protection applications by exposing interfaces that run the key generation and cryptographic operations securely inside an Intel(R) Software Guard Extensions (SGX) enclave. The operations are exposed and supported via PKCS11 interfaces (http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html) for Linux.
The build output of CTK (libp11sgx.so) should be viewed as a standard PKCS#11 module (shared library), so the build process of CTK is outside Envoy. Public/private key pairs can be safely created or imported into the SGX enclave through CTK PKCS#11 interfaces. SGX Private Key Provider will use dlopen to load this shared library (libp11sgx.so) and perform the TLS private-key operations (signing/decryption) inside the SGX enclave through CTK PKCS#11 interfaces.
The following three header files used in SGX Private Key Provider are copied from the PKCS #11 v2.40 standard with minor changes (aligned with Envoy code style):
pkcs11.h
pkcs11f.h
pkcs11t.h
The support for Intel® SGX is mature in the mainline Linux kernel and in Kubernetes device plugins (to expose the SGX device files to containers).
The feature can be used standalone (will be separately documented) or with a control plane like Istio (currently under development). For the latter case, the feature can support both mutual TLS private key protection (used in communication between Envoy sidecars) and gateway TLS private key protection (used in communication between the user and the Envoy ingress gateway).
The implementation has been simplified compared with the previous design document. We now leverage the Intel SGX sealing mechanism to safely retrieve private keys (not actually getting them) and abandoned the SGX Bootstrap extension in the design.
CMCC (China Mobile Communications Corporation) will be our sponsor for this contrib extension, check details here.
Risk Level: Low (contrib extension, crypto-related code)
Testing: Adding unit tests
Docs Changes: Protobuf comments
Release Notes: N/A
Platform Specific Features: Intel® processor with SGX
Fix: #19217
Signed-off-by: Huang Xin [email protected]
Signed-off-by: Liu, Qiming [email protected]
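To make the description concrete, here is an added example (not code from this PR, from Envoy, or from Crypto API Toolkit) of the PKCS#11 flow a private key provider performs against a module such as libp11sgx.so: dlopen the shared library, obtain its function list via C_GetFunctionList, open a session, locate a private key by label, and sign with the resulting object handle. The private key itself is never read out of the token; only a handle and the signature cross the boundary. The module path, key label, PIN and mechanism are caller-supplied assumptions, and the CK_FUNCTION_LIST layout is reproduced from the PKCS#11 v2.40 pkcs11f.h ordering so its offsets can be sanity-checked before any call is made.

```python
# Added example, not code from the Envoy PR or from Crypto API Toolkit (CTK): a minimal
# PKCS#11 v2.40 signing client in ctypes, doing what a private key provider does against a
# module such as CTK's libp11sgx.so. Module path, key label, PIN and mechanism are assumed,
# caller-supplied values; the private key never leaves the token, only an object handle does.
import ctypes
from ctypes import (CFUNCTYPE, POINTER, Structure, addressof, byref, c_char_p, c_ubyte,
                    c_ulong, c_void_p, sizeof)

CK_ULONG = c_ulong                        # CK_RV, handles and slot ids are all CK_ULONG
POINTER_SIZE = sizeof(c_void_p)
CKR_OK, CKF_SERIAL_SESSION, CKU_USER, CKA_CLASS, CKA_LABEL, CKO_PRIVATE_KEY = 0x0, 0x4, 0x1, 0x0, 0x3, 0x3
CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_ECDSA = 0x1, 0x40, 0x1041
class CK_ATTRIBUTE(Structure): _fields_ = [("type", CK_ULONG), ("pValue", c_void_p), ("ulValueLen", CK_ULONG)]
class CK_MECHANISM(Structure): _fields_ = [("mechanism", CK_ULONG), ("pParameter", c_void_p), ("ulParameterLen", CK_ULONG)]
# Entry points in the order pkcs11f.h declares them: that order is the binary ABI.
PKCS11_FUNCTIONS = """C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList
C_GetSlotInfo C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo C_InitToken C_InitPIN
C_SetPIN C_OpenSession C_CloseSession C_CloseAllSessions C_GetSessionInfo C_GetOperationState
C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject C_GetObjectSize
C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit C_FindObjects C_FindObjectsFinal
C_EncryptInit C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit C_Decrypt C_DecryptUpdate
C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate C_DigestKey C_DigestFinal C_SignInit C_Sign
C_SignUpdate C_SignFinal C_SignRecoverInit C_SignRecover C_VerifyInit C_Verify C_VerifyUpdate
C_VerifyFinal C_VerifyRecoverInit C_VerifyRecover C_DigestEncryptUpdate C_DecryptDigestUpdate
C_SignEncryptUpdate C_DecryptVerifyUpdate C_GenerateKey C_GenerateKeyPair C_WrapKey C_UnwrapKey
C_DeriveKey C_SeedRandom C_GenerateRandom C_GetFunctionStatus C_CancelFunction
C_WaitForSlotEvent""".split()

class CK_FUNCTION_LIST(Structure):
    # CK_VERSION is two bytes (major, minor); the first pointer follows at pointer alignment.
    _fields_ = [("version", c_ubyte * 2)] + [(n, c_void_p) for n in PKCS11_FUNCTIONS]

# Argument types of the entry points a signing client needs; every one returns CK_RV.
PROTOTYPES = {
    "C_Initialize": (c_void_p,), "C_Finalize": (c_void_p,),
    "C_GetSlotList": (c_ubyte, POINTER(CK_ULONG), POINTER(CK_ULONG)),
    "C_OpenSession": (CK_ULONG, CK_ULONG, c_void_p, c_void_p, POINTER(CK_ULONG)),
    "C_Login": (CK_ULONG, CK_ULONG, c_char_p, CK_ULONG),
    "C_Logout": (CK_ULONG,), "C_CloseSession": (CK_ULONG,), "C_FindObjectsFinal": (CK_ULONG,),
    "C_FindObjectsInit": (CK_ULONG, POINTER(CK_ATTRIBUTE), CK_ULONG),
    "C_FindObjects": (CK_ULONG, POINTER(CK_ULONG), CK_ULONG, POINTER(CK_ULONG)),
    "C_SignInit": (CK_ULONG, POINTER(CK_MECHANISM), CK_ULONG),
    "C_Sign": (CK_ULONG, c_char_p, CK_ULONG, c_char_p, POINTER(CK_ULONG)),
}

class Pkcs11Error(RuntimeError): pass

def check(rv, what):
    if rv != CKR_OK: raise Pkcs11Error(f"{what} failed: CKR 0x{rv:08x}")

class Pkcs11Module:
    """dlopen() a PKCS#11 module and wrap the entry points found in its function list."""
    def __init__(self, path):
        try:
            lib = ctypes.CDLL(path)
        except OSError as e:
            raise Pkcs11Error(f"cannot load PKCS#11 module {path!r}: {e}") from e
        get_list = lib.C_GetFunctionList
        get_list.restype, get_list.argtypes = CK_ULONG, [POINTER(POINTER(CK_FUNCTION_LIST))]
        fl = POINTER(CK_FUNCTION_LIST)()
        check(get_list(byref(fl)), "C_GetFunctionList")
        self.fn = {}
        for name, argtypes in PROTOTYPES.items():
            addr = getattr(fl.contents, name)            # NULL: the module lacks this entry point
            if not addr: raise Pkcs11Error(f"module does not implement {name}")
            self.fn[name] = CFUNCTYPE(CK_ULONG, *argtypes)(addr)

    def call(self, name, *args):
        check(self.fn[name](*args), name)   # non-CKR_OK return codes become exceptions

def sign_with_token(module_path, key_label, pin, mechanism, data):
    """Sign `data` with the token's private key labelled `key_label`; returns the signature."""
    m = Pkcs11Module(module_path)
    m.call("C_Initialize", None)
    try:
        slots, count = (CK_ULONG * 8)(), CK_ULONG(8)   # tokenPresent=1: only populated slots
        m.call("C_GetSlotList", 1, slots, byref(count))
        if count.value == 0: raise Pkcs11Error("no token present")
        session = CK_ULONG(0)
        m.call("C_OpenSession", slots[0], CKF_SERIAL_SESSION, None, None, byref(session))
        try:
            pin_b = pin.encode()
            m.call("C_Login", session, CKU_USER, pin_b, len(pin_b))
            # Search template: CKA_CLASS == CKO_PRIVATE_KEY and CKA_LABEL == key_label.
            cls, label = CK_ULONG(CKO_PRIVATE_KEY), ctypes.create_string_buffer(key_label.encode())
            tmpl = (CK_ATTRIBUTE * 2)(CK_ATTRIBUTE(CKA_CLASS, addressof(cls), sizeof(cls)),
                                      CK_ATTRIBUTE(CKA_LABEL, addressof(label), len(label) - 1))
            handle, found = CK_ULONG(0), CK_ULONG(0)
            m.call("C_FindObjectsInit", session, tmpl, 2)
            m.call("C_FindObjects", session, byref(handle), 1, byref(found))
            m.call("C_FindObjectsFinal", session)
            if found.value == 0: raise Pkcs11Error(f"no private key labelled {key_label!r}")
            m.call("C_SignInit", session, byref(CK_MECHANISM(mechanism, None, 0)), handle)
            sig_len = CK_ULONG(0)                      # first C_Sign call only queries the size
            m.call("C_Sign", session, data, len(data), None, byref(sig_len))
            sig = ctypes.create_string_buffer(sig_len.value)
            m.call("C_Sign", session, data, len(data), sig, byref(sig_len))
            return sig.raw[:sig_len.value]
        finally:        # cleanup; return codes ignored so they do not mask the real error
            m.fn["C_Logout"](session); m.fn["C_CloseSession"](session)
    finally:
        m.fn["C_Finalize"](None)
```

Usage is `sign_with_token("/path/to/libp11sgx.so", "my-key", "1234", CKM_ECDSA, digest)`; with CKM_ECDSA (and CKM_RSA_PKCS) the token expects an already-hashed input, while CKM_SHA256_RSA_PKCS hashes inside the module. Two details matter in practice: the two-step C_Sign call is the standard size-query pattern, and the cleanup path deliberately ignores return codes so that a failed C_Login does not hide the error that actually occurred. Checking offsets in CK_FUNCTION_LIST (C_Initialize at one pointer, C_Sign at 44 pointers) is the cheap way to catch a mismatched header or packing before any call is dispatched through the table.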
Hi @qiming-007, welcome and thank you for your contribution.
We will try to review your Pull Request as quickly as possible.
In the meantime, please take a look at the contribution guidelines if you have not done so already.
/retest
Retrying Azure Pipelines: Retried failed jobs in: envoy-presubmit
/retest
Retrying Azure Pipelines: Retried failed jobs in: envoy-presubmit
/retest
Retrying Azure Pipelines: Retried failed jobs in: envoy-presubmit
/assign-from @envoyproxy/first-pass-reviewers
@envoyproxy/first-pass-reviewers assignee is @daixiang0
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @RyanTheOptimist
/retest
Retrying Azure Pipelines: Check envoy-presubmit didn't fail.
/lgtm deps
why close this?
Sorry by mistake, reopened
@RyanTheOptimist are you also going to review this as a maintainer or should I assign someone else?
Oh, sorry. I wasn't planning to do a maintainer review since I was only added as a DEPS reviewer, so I'd be happy for it to be assigned elsewhere, as I'm swimming in reviews at the moment. But let me know if I should give it a maintainer review.
Hi @jmarantz and @RyanTheOptimist, any update for review maintainer of this PR?
@envoyproxy/envoy-maintainers Can you help review this?
/assign @wbpcode
@wbpcode can you do a maintainer review of this code?
Who is the end user that will be using this? Please have them actually use this extension and then report back and we can talk about inclusion at that time. Thank you.
/wait
@mattklein123 CMCC will be our end-user sponsor, check https://github.com/envoyproxy/envoy/issues/19217#issuecomment-1206311374.
Yes. I'm sure CMCC can compile this extension. Let's let them vet it a bit to make sure it works and they are actually going to deploy it. Once that is done we can consider upstreaming it. Feel free to email me if you want to discuss further. Thank you!
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
We are still working on this. Thanks.
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
Still working on this.
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
The feature (SGX private key provider) will be hosted, tested and improved at intel/envoy repo. Close the PR.