-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wasm module signature label #1274
Comments
What if we need the data to be processed by two nodes A and B, signed by the same party? What would the label look like if we will not use exact module hashes? If it will look like |
I think the label should also include the name of the module: message WebAssemblyModuleSignature {
string name = 1;
bytes public_key = 2;
} |
That should be the same as having only one module signed by that party? I don't think there is an intuitive meaning of "needs to be declassified by two arbitrary modules signed by google.com, but really not just one, there must be exactly two of them"? |
It could be just two different modules that serve different purpose. |
I initially thought that too, but now I think it's simpler to just assume that whoever is doing the signing, would just derive separate signing keys for different names, via a key derivation function from a master key, or by generating distinct keys for distinct "names". |
if they serve different purposes, probably they have different "names", right? in which case, either:
|
Is |
yes it would be the name, of course we are just using an informal, made-up textual representation of actual protobuf objects in this discussion, but the two should be isomorphic. |
Also, since we will probably use |
Based on the following discussion https://project-oak.slack.com/archives/CHE9E13C3/p1596545541005600?thread_ts=1596538417.497200&cid=CHE9E13C3 Parties involved: developer, maintainer, CA and client. The workflow could look like this:
|
Possible workflow from the point of view of the maintainer (organization/person who runs already written and packed Oak applications): The maintainer:
The disadvantage of this approach is that the maintainer will need to know which modules are in the |
In order to clearer understand how it is better to implement signature checking and specification, here is a life cycle overview of an Oak application: from development to deployment. Platforms used in Oak life cycle:
In reality the Application store and the Review platform could be merged into a single platform for convenience. The parties involved are:
The life cycle:
cc @project-oak/core |
Thanks, I think this looks much more realistic! A few notes:
|
This change adds: - Wasm module ed25519 signature labels using `minisign` - Adds the ability to add ed25519 signatures and public keys to `oak_loader` via a Toml config file - Adds a `sign_module` script Fixes #1274
One of the ways that Oak allows for delegation is in the choice of declassification modules.
Currently it is possible to label data with a label referring to the hash of an individual Wasm module with the following:
oak/oak/proto/label.proto
Lines 58 to 65 in 1b3b4b2
But in many cases it is not possible or desirable to enumerate the list of allowed Wasm modules upfront at label creation time. Oak should provide a way of specifying a family of Wasm modules.
This proposal is to allow cryptographic signatures of Wasm module to be used as labels.
A possible implementation would add a tag such as:
in which the public key may be a
minisign
key: https://jedisct1.github.io/minisign/ or some other public key suitable for signing arbitrary data.Any Wasm module signed with the provided key would be granted the privilege to declassify tags referring to that key.
Key distribution and discovery is a separate problem, i.e. it needs to happen out-of-band. How keys are published and obtained (and also revoked) is out of scope for this issue, but should probably be investigated more closely in a separate issue at some point once we have a better idea.
The text was updated successfully, but these errors were encountered: