[WIP] AMD SNP: add derived-key endpoint#885
Conversation
|
Update: SGX has similar API. |
| } | ||
|
|
||
| service AttestationAgentService { | ||
| rpc GetDerivedKey(GetDerivedKeyRequest) returns (GetDerivedKeyResponse) {}; |
There was a problem hiding this comment.
Could we add some documents or notes about the RPC, like
what is it for?
what does it require from the underlying TEE?
what attributes of the key would/would not have?
There was a problem hiding this comment.
This seems rather intrusive change (given the API impact) to enable an SNP specific feature. Might be easier to just make /dev/sev_guest available to the workload and have the ioctl logic implemented there.
There was a problem hiding this comment.
I am not sure whether the interface that Lele wants to add is to use the TEE hardware features as a trusted cryptographic seed source to derive keys for other cryptographic operations. If so, SGX/TPM have similar interfaces to derive key, and I think it can be further designed as a high-level interface, using different hardware features at the bottom layer.
There was a problem hiding this comment.
Right, it would be good to understand (CoCo) use-case first.
There was a problem hiding this comment.
one twist is that I'm not sure configfs supports this stuff
4 participants
Add custom feature for AMD SNP to get a
derived-keyvia a dedicated REST API endpoint.