Local sealing #6966

cjen1-msft · 2025-04-09T08:29:28Z

Add local sealing flow, to skip waiting for recovery shares when there is a previous sealed ledger secret.

This simply omits the submit_recovery_shares rpc, and still requires the transition_to_open proposal.

cjen1-msft · 2025-04-09T15:32:51Z

This currently has a test for when a single node is chosen to recover. (infra.network.recover)
However we should really test that all nodes can try and recover successfully.

src/node/node_state.h

include/ccf/node/startup_config.h

cjen1-msft · 2025-04-11T16:42:30Z

/azp run

azure-pipelines · 2025-04-11T16:42:37Z

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

maxtropets

lgtm

maxtropets · 2025-04-17T09:37:39Z

.github/workflows/ci.yml

@@ -182,7 +182,7 @@ jobs:
          ./tests.sh --output-on-failure -L unit -j$(nproc --all) -E indexing
          # Minimal end to end test that exercises SNP attestation verification
          # but works within the current 4 core budget
-          ./tests.sh --timeout 360 --output-on-failure -R code_update
+          ./tests.sh --timeout 360 --output-on-failure -R "schema_test_cft"


Don't forget to change it back?..

Yep just need a green CI run or 2 to be sure its actually working :/

…lure

cjen1-msft · 2025-04-17T17:51:25Z

If this fails I am officially confused (it is failing on my snp machine).
There is a test to validate that a key which is derived from a given TCB cannot decrypt a secret sealed with a different TCB.

But the seemingly the valid_key_different_machine.corrupt secret can always be decrypted without error.

cjen1-msft added 10 commits April 7, 2025 17:20

Check the integrity of decrypted ciphertext

a608b81

Refactor

fd8ffbf

Fmt

5d741cf

Add config options to startup_config for sealing

79f7a0a

Checkpoint for unsealing ledger

6f29ebf

Disable local sealing by default

a2010bc

revert accidental removal of previous_identity_file field

a2f014b

Add test and ensure it passes

665f04f

Reformat

edc8423

Run recovery test on 3 nodes

28c1eb7

eddyashton reviewed Apr 10, 2025

View reviewed changes

src/node/node_state.h Outdated Show resolved Hide resolved

src/node/node_state.h Outdated Show resolved Hide resolved

src/node/node_state.h Outdated Show resolved Hide resolved

include/ccf/node/startup_config.h Show resolved Hide resolved

cjen1-msft added 10 commits April 10, 2025 17:02

Horrible hacks to allow unsealing.

f3fedeb

Fix sealing on joined nodes

ef57b9d

Add test for rekey and refresh of recovery shares

4ded7a0

Ensure sealing key is set by platform not device

d79f52e

Expand testing to include all rekeying paths

9780bb6

Add config changes to cchost_config.json

56b361e

Throw error on unsealing fail. Disallow virtual unsealing

79f995f

Merge branch 'main' into local-sealing

5507b5f

Ensure that auto-dr is gated on an attested field (CLI args)

4684613

Reformat

cef27e4

cjen1-msft marked this pull request as ready for review April 11, 2025 16:42

cjen1-msft requested a review from a team as a code owner April 11, 2025 16:42

cjen1-msft added 2 commits April 14, 2025 11:23

Run schema_test_cft in 1ES pools

aed43a0

Fix typo

2f841f7

maxtropets approved these changes Apr 14, 2025

View reviewed changes

Ensure the TCB hasn't changed between sealing and unsealing

0af717b

cjen1-msft added 8 commits April 15, 2025 15:55

PR comments

59e406e

Roll back running e2e tests on snp c-aci

f614775

Add test for unsealing using corrupt ledgers

f212366

Ensure corruption test runs

c94d852

Format and propogate change of sealed_ledger_secret to jinja

8a808f0

Store tag

5f0703c

Fixup test

5a7d455

MUST_REVERT: Only run the local-sealing test

de1a6ee

cjen1-msft force-pushed the local-sealing branch from 4dd887b to de1a6ee Compare April 16, 2025 10:33

cjen1-msft added 6 commits April 16, 2025 12:42

Add golden file for a sealed ledger secret from another node

e8cf0d1

Make sealed_ledger_secret_location driven by enable_auto_dr

be650dd

Fmt

c351e6b

Pass enable_auto_dr through to node

c0fde7a

Add logging for sealing of secrets.

d9ba872

reformat

c89bca0

maxtropets reviewed Apr 17, 2025

View reviewed changes

cjen1-msft added 13 commits April 17, 2025 11:45

corrupted sealing should not have spaces

d3fa6d2

Ensure the TCB hasn't changed between sealing and unsealing

c404aad

Add test that tcb changes are reflected in different keys.

99f7c94

Trial remove bitfields

907acb3

Remove bitfields from guest_field_select and account for endianness

01b49fd

Use bitwise operators rather than bitfields

6010635

Merge branch 'bitfields-eol' into local-sealing

377b328

Fmt

f33ff23

Default initialise TcbVersions

746e25a

Merge branch 'bitfields-eol' into local-sealing

f3a1b4e

Change sealed key

82b74d8

Log tcb version when sealing

50f2079

Expand test to show that decrypting with a incorrect key causes a fai…

8f4888d

…lure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Local sealing #6966

Local sealing #6966

cjen1-msft commented Apr 9, 2025

cjen1-msft commented Apr 9, 2025

cjen1-msft commented Apr 11, 2025

azure-pipelines bot commented Apr 11, 2025

maxtropets left a comment

maxtropets Apr 17, 2025

cjen1-msft Apr 17, 2025

cjen1-msft commented Apr 17, 2025

Local sealing #6966

Are you sure you want to change the base?

Local sealing #6966

Conversation

cjen1-msft commented Apr 9, 2025

cjen1-msft commented Apr 9, 2025

cjen1-msft commented Apr 11, 2025

azure-pipelines bot commented Apr 11, 2025

maxtropets left a comment

Choose a reason for hiding this comment

maxtropets Apr 17, 2025

Choose a reason for hiding this comment

cjen1-msft Apr 17, 2025

Choose a reason for hiding this comment

cjen1-msft commented Apr 17, 2025