openfl icon indicating copy to clipboard operation
openfl copied to clipboard

Published 20 hours ago verified publisher icon securefederatedai

WIP: Add ISV product ID and ISV SVN fields to manifest

Open DL8 opened this issue 3 years ago • 8 comments

ISV product ID and ISV SVN fields are defined and signed in SIGSTRUCT. In Gramine, they are defined in the manifest and then used on enclave signing in enclave build flow. Add the option to configure them in OpenFL manifest with new flags to the makefile: SGX_ISVPRODID and SGX_ISVSVN. Their default values are 0, to maintain backwards compatibility.

Currently ISV SVN is configurable in build time, but this is not necessarily the desired behavior. Required behavior is open for discussion and should be updated once a decision is made.

Related issue: #501

DL8 avatar Sep 08 '22 13:09 DL8

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

github-actions[bot] avatar Sep 08 '22 13:09 github-actions[bot]

I have read the CLA Document and I hereby sign the CLA

DL8 avatar Sep 08 '22 13:09 DL8

recheck

DL8 avatar Sep 08 '22 13:09 DL8

Thank you for your contribution! I must note that no example in https://github.com/gramineproject/examples feature these fields in manifests and the related section in Gramine docs is rather humble. Thus it is unclear how developers can come up with relevant product ID numbers and automate manifest versioning.

igor-davidyuk avatar Sep 18 '22 08:09 igor-davidyuk

Thank you for your contribution! I must note that no example in https://github.com/gramineproject/examples feature these fields in manifests and the related section in Gramine docs is rather humble. Thus it is unclear how developers can come up with relevant product ID numbers and automate manifest versioning.

I guess the ISV product ID and SVN are not an important detail in Gramine examples, so zero is used implicitly. They are mentioned in the samples of Intel's SGX SDK, but I looked at some of them and they used zeroes.

More information about those fields can be found here. Quote (emphasis is mine):

Each enclave is associated with a SIGSTRUCT structure, which is signed by its author and contains the enclave measure, signer public key, version number (ISV, reflecting the security level) and product identifier (ISVPRODID, to distinguish between enclaves from the same author). It allows to ensure that the enclave hasn't been modified and then re-signed with a different key.

As I understand it, product ID convention is up to enclave developer. Assigning each enclave with a different number (e.g. 1 for server and 2 for client) is a good approach. Once chosen, I don't see any reason to change it. I don't understand what is manifest versioning. Do you mean ISVSVN? This is not manifest version, but enclave security version. It should start with zero and increment when a security vulnerability is fixed (not 100% automatic).

DL8 avatar Sep 18 '22 10:09 DL8

Thank you for the detailed explanation, @DL8 We can start incrementing ISVSVN on our side. Another idea is to bind this number to the OpenFL version, as it is the main application running inside our enclave, do you think it is a good idea?

igor-davidyuk avatar Sep 19 '22 11:09 igor-davidyuk

@igor-davidyuk you shouldn't increment ISVSVN with every version, but only in case the new version includes security vulnerability fixes. Also, if the SVN was incremented, it should be mentioned in the release notes

DL8 avatar Sep 20 '22 08:09 DL8

Ok then, seems like there is nothing to add to this PR. Are you going to remove WIP?

igor-davidyuk avatar Sep 20 '22 12:09 igor-davidyuk

If you believe this is the right way to implement this, I will remove the WIP

DL8 avatar Sep 28 '22 10:09 DL8