sigstore icon indicating copy to clipboard operation
sigstore copied to clipboard
verified publisher icon sigstore

Add initial eHSM-KMS support for signstore

Open syan10 opened this issue 2 years ago • 6 comments

eHSM-KMS is An End-to-End Distributed and Scalable Cloud KMS built on top of Intel SGX enclave-based HSM(Hardware Security Module), aka eHSM.

More details, please refer to: https://github.com/intel/ehsm

syan10 avatar Sep 08 '23 08:09 syan10

hi cpanato, bobcallaway,

would you help to review this PR, which is to provide another alternative cloud KMS eHSM-KMS.

eHSM-KMS is An End-to-End Distributed and Scalable Cloud KMS built on top of Intel SGX enclave-based HSM(Hardware Security Module), aka eHSM, that cloud KMS could be attested by the user to make sure it's actually runs in the TEE(Trusty Execution Environment).

More details, please refer to: https://github.com/intel/ehsm

syan10 avatar Sep 14 '23 05:09 syan10

Hey @lukehinds @cpanato , what should be done to get this PR merged?

Xynnn007 avatar Sep 21 '23 01:09 Xynnn007

sorry for the delay, I will need a bit more time to review and have others to review as well

cc @haydentherapper

cpanato avatar Sep 21 '23 07:09 cpanato

sorry for the delay, I will need a bit more time to review and have others to review as well

cc @haydentherapper

Thanks. Any comments for this PR?

syan10 avatar Oct 17 '23 12:10 syan10

Hi @syan10

First off sorry for the late reply and thank you for your contribution.

A few considerations that come to mind (correct me if wrong on any of these):

  • To test this (functionally) it requires someone have in their possession an SGX capable machine. This is an issue as none of the sigstore/sigstore maintainers have such a device.

  • We generally only accept new KMS providers when there is significant community interest shown (for example there were a lot of requests to support the widely used KMS providers Amazon Web Services , Google Cloud Platform, Hashicorp Vault, Microsoft Azure). This is the only request we have so far for the eHSM.

Please let me know and this can help guide our decisions.

Many Thanks,

Luke

lukehinds avatar Oct 19 '23 20:10 lukehinds

Hi @syan10

First off sorry for the late reply and thank you for your contribution.

A few considerations that come to mind (correct me if wrong on any of these):

  • To test this (functionally) it requires someone have in their possession an SGX capable machine. This is an issue as none of the sigstore/sigstore maintainers have such a device.
  • We generally only accept new KMS providers when there is significant community interest shown (for example there were a lot of requests to support the widely used KMS providers Amazon Web Services , Google Cloud Platform, Hashicorp Vault, Microsoft Azure). This is the only request we have so far for the eHSM.

Please let me know and this can help guide our decisions.

Many Thanks,

Luke

Thanks Luke.

Yes, eHSM requires a SGX-capable machine for testing. Compared to the commercial Cloud KMS offered by CSPs, eHSM-KMS is a more convenient option for private cloud usage, offering enhanced security compared to Hashicorp Vault for users who prefer not to rely on CSPs. Anyway, we can hold off on merging this patch for now and consider it when you receive similar requests. Thanks

syan10 avatar Oct 23 '23 08:10 syan10