[tools/sgx] Improve public API of Secret Prov lib
Description of the changes
This is a breaking change that modifies the API of the Secret Prov lib as follows:
- secret_provision_start() allocates a context that should be supplied to all other Secret Prov APIs and must be closed afterwards.
- secret_provision_get() requires a context as the first argument, and extracts the secret that is associated with this context. Thus, it allows for several secrets being delivered in parallel from different remote parties (previously, the secret was a global variable).
- secret_provision_destroy() is removed. Instead, users should call secret_provision_close() that will both close the session and destroy the secret.
With these changes, the context ceases to be global, and the library becomes thread-safe. Also, leaks of mbedTLS resources are prevented.
As a small side fix, the library always returns normal POSIX error codes (previously, the library could return mbedTLS error codes).
Fixes #646. Supersedes #647.
How to test this PR?
CI should be enough. But also see the manual way in #647 to test resource/memory leaks.
After changing the API, the cross-language-framework solution can work well on this PR. https://github.com/intel/confidential-computing-zoo/tree/main/cczoo/cross_lang_framework
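The context-per-session design from the PR description, as an added example that is not part of the PR or of the Secret Prov library: a simplified model showing why binding the secret to a caller-owned context lets two sessions hold different secrets at once, and why closing one leaves the other intact. All `demo_*` names, the struct layout, the negative-errno return convention, the wipe-on-close step and the sample secrets are assumptions made for illustration; no TLS or attestation is performed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a per-session context: the secret lives here, not in a global. */
struct demo_ctx { uint8_t* secret; size_t size; };

/* Models "start": a real client would run the attested TLS handshake; sample_secret is constructed data. */
int demo_start(const char* sample_secret, struct demo_ctx* out_ctx) {
    if (!sample_secret || !out_ctx) return -EINVAL;
    size_t size = strlen(sample_secret) + 1;
    uint8_t* buf = malloc(size);
    if (!buf) return -ENOMEM;
    memcpy(buf, sample_secret, size);
    *out_ctx = (struct demo_ctx){ buf, size };
    return 0;
}

/* Models "get": hands back only the secret bound to this context. */
int demo_get(struct demo_ctx* ctx, uint8_t** out_secret, size_t* out_size) {
    if (!ctx || !out_secret || !out_size) return -EINVAL;
    if (!ctx->secret) return -ENOENT; /* never started, or already closed */
    *out_secret = ctx->secret;
    *out_size = ctx->size;
    return 0;
}

/* Models "close": ends the session and destroys the secret (wiping first is this example's choice). */
int demo_close(struct demo_ctx* ctx) {
    if (!ctx) return -EINVAL;
    volatile uint8_t* p = ctx->secret;
    for (size_t i = 0; p && i < ctx->size; i++) p[i] = 0;
    free(ctx->secret);
    *ctx = (struct demo_ctx){ NULL, 0 };
    return 0;
}

/* Two sessions to different parties; returns 0 if their secrets stay independent. */
int demo_two_parties(void) {
    struct demo_ctx a = {0}, b = {0};
    uint8_t *sa = NULL, *sb = NULL; size_t na = 0, nb = 0;
    if (demo_start("key-from-server-A", &a) || demo_start("key-from-server-B", &b)) { demo_close(&a); return -1; }
    if (demo_get(&a, &sa, &na) || demo_get(&b, &sb, &nb)) { demo_close(&a); demo_close(&b); return -1; }
    int ok = strcmp((char*)sa, "key-from-server-A") == 0 && strcmp((char*)sb, "key-from-server-B") == 0;
    demo_close(&a); /* closing A must not disturb B */
    ok = ok && demo_get(&a, &sa, &na) == -ENOENT && demo_get(&b, &sb, &nb) == 0;
    demo_close(&b);
    return ok ? 0 : -1;
}
```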