Present attestation architecture of keybroker

[tylerfanelli]

I recently spoke at the latest CCC TAC meeting on how we're building confidential computing support in existing container projects:

https://youtu.be/hSQC9GWvK-M?list=PLmfkUJc39uMjaB_I1dYW72I44kr9QzG_B&t=3355

In that presentation, I spoke a bit about the remote attestation server we built to support this work, known as keybroker. keybroker is still in its infancy, but I'd like to present its architecture to the Attestation SIG if given the opportunity. keybroker will become an official VirTEE-supported project at some point.

https://github.com/tylerfanelli/keybroker

In the meantime, I will add some documentation to the keybroker repository showing its architecture; and specifically, what it does different than existing attestation server implementations.

[tylerfanelli]

@thomas-fossati I'm not a contributor to this repository, so I'm unable to add the labels open source software and attestation architectures.

[thomas-fossati]

@thomas-fossati I'm not a contributor to this repository, so I'm unable to add the labels open source software and attestation architectures.

Done!

A couple of points on the logistics:

• I have pencilled you in on the 7th of May, if that doesn't work for any reason let us know.
• How much time do you need (including Q&A)?

Thanks for an excellent proposal!

[tylerfanelli]

• I have pencilled you in on the 7th of May, if that doesn't work for any reason let us know.

Thanks, will do.

• How much time do you need (including Q&A)?

Probably about 30-45 min?

[muhammad-usama-sardar]

keybroker is still in its infancy, but I'd like to present its architecture to the Attestation SIG if given the opportunity.

Sounds very interesting. We have a very recently accepted project within the CCC Attestation SIG to work on the formalization of the CoCo KBS protocol. Related to that, what I would like to be emphasized in the talk is the following:

• Motivation: Given a well-known CoCo KBS attestation protocol, why is there a need for VirTEE keybroker? or in other words, what exactly is missing in CoCo KBS attestation protocol that VirTEE would help in improving the ecosystem? or maybe what is the limitation of CoCo KBS attestation protocol that you are trying to address via VirTEE?
• Attestation Protocol: How is the secure channel established in VirTEE? Does it use pre-handshake attestation/post-handshake attestation/intra-handshake attestation? or by infancy, did you mean that it is only the architecture that you would like to present?

[tylerfanelli]

• Motivation: Given a well-known CoCo KBS attestation protocol, why is there a need for VirTEE keybroker? or in other words, what exactly is missing in CoCo KBS attestation protocol that VirTEE would help in improving the ecosystem? or maybe what is the limitation of CoCo KBS attestation protocol that you are trying to address via VirTEE?

keybroker follows the KBS protocol. Most of its differences lie in reference value handling and registration. I'm actually experimenting with porting keybroker as a backend for coco-kbs (a replacement of attestation-service for our needs).

• Attestation Protocol: How is the secure channel established in VirTEE? Does it use pre-handshake attestation/post-handshake attestation/intra-handshake attestation? or by infancy, did you mean that it is only the architecture that you would like to present?

I'm not sure what you mean when you refer to VirTEE in this scenario. VirTEE is simply an organization to host open source TEE projects. If you're referring to keybroker, since it uses the KBS protocol, the secure channel establishment follows the method of coco-kbs.

[gkostal]

@tylerfanelli - thank you so much for presenting on 6/18/24. Can you possibly share your slides from the presentation so they can be added to the meeting materials in this repo? You can either submit a PR to this repo, or you can share the slides with me, and I can create a PR on your behalf.

[tylerfanelli]

@gkostal Thanks for allowing me to present! I can create a PR with the slides.