
Multi-Container: Implement the registration protocol

Open eddyashton opened this issue 3 years ago • 1 comments

It should be possible to separate registration from the rest of execution, so that registration can be done in a common sidecar and handed over to the 'real' executor.

The flow here is roughly:

  • A new executor creates a fresh public-private key-pair
  • The executor contacts CCF's /register_executor endpoint over (anonymous-client) TLS, presenting their attestation A and public key P
  • The CCF node checks the attestation A, and checks the contained code ID is trusted (#4154)
  • The CCF node stores the public key P as accepted for its executor auth policy, and responds with an OK
  • The executor uses the private key (possibly transmitted from the sidecar to the 'real' executor) to establish a TLS connection with CCF
  • That TLS connection authorises access to the API defined in #4153

eddyashton avatar Aug 19 '22 14:08 eddyashton
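The node-side checks in the flow above, sketched as an added example (not CCF code and not part of the original issue). Assumptions: an HMAC under a constructed key stands in for the hardware attestation signature, the key pair is represented by constructed bytes, and the attestation is assumed to carry a hash of P so that a valid attestation cannot be re-presented with a different key; the names `Node`, `make_attestation` and `authorise_connection` are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-ins: a real node verifies a hardware-signed attestation report.
HW_ROOT_KEY = b"constructed-hardware-root-key"
TRUSTED_CODE_IDS = {"constructed-code-id-1"}  # stands in for the trusted code IDs of #4154


def _sign(code_id, report_data):
    body = f"{code_id}|{report_data}".encode()
    return hmac.new(HW_ROOT_KEY, body, hashlib.sha256).hexdigest()


def make_attestation(code_id, public_key):
    """Executor side: attestation A carrying the code ID and (assumed) a hash of P."""
    report_data = hashlib.sha256(public_key).hexdigest()
    return {"code_id": code_id, "report_data": report_data,
            "sig": _sign(code_id, report_data)}


class Node:
    def __init__(self):
        self.accepted_keys = set()  # key fingerprints accepted by the executor auth policy

    def register_executor(self, attestation, public_key):
        expected = _sign(attestation["code_id"], attestation["report_data"])
        if not hmac.compare_digest(expected, attestation["sig"]):
            return "REJECT: attestation signature invalid"
        if attestation["code_id"] not in TRUSTED_CODE_IDS:
            return "REJECT: code ID not trusted"
        fingerprint = hashlib.sha256(public_key).hexdigest()
        # Assumed binding check: P must be the key the attested code committed to.
        if not hmac.compare_digest(fingerprint, attestation["report_data"]):
            return "REJECT: key not bound to attestation"
        self.accepted_keys.add(fingerprint)
        return "OK"

    def authorise_connection(self, peer_public_key):
        # In real TLS the handshake proves possession of the matching private key;
        # here only the lookup against registered keys is modelled.
        return hashlib.sha256(peer_public_key).hexdigest() in self.accepted_keys
```
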

Revisit:

  • [ ] Explore if we need certificate endorsements for Executors
  • [ ] Explore if we need to use attested TLS

MahatiC avatar Sep 14 '22 12:09 MahatiC

@MahatiC @eddyashton Is this complete? Is this only missing an end-to-end test using ACI + attestation container?

achamayou avatar Jan 31 '23 19:01 achamayou

@achamayou Yes, an end-to-end test will complete this -- that's already being tracked here https://github.com/microsoft/CCF/issues/4799. So I'm closing this.

MahatiC avatar Feb 01 '23 10:02 MahatiC