-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added two security enhancements to AA #273
Conversation
0838b2c
to
879935e
Compare
184fff8
to
e26aa2c
Compare
We should not use the same pair of RSA keys for a long time, as this will bring forward security issues. This commit alleviates this issue by updating the TEE key every time the attestation is redone. Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
7bdcf20
to
a663da6
Compare
@mythi Now this PR is rebased, you can try to test it. We are trying to get this PR merged :-) |
Add parameters for setting customized KBS Root certificate when creating HTTP client, so that TLS communication can be enabled in various deployment scenarios. Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
@Xynnn007 Updated :-) |
@jialez0 how did you test this with the kbs client tool? My app gets an error
besides that error, another weird part is it uses openssl even if I'm asking |
I think the dependency issue will be fixed by this commit 24e2b57#diff-8a5ee983a9fbee31b805469c7a7f54371823f89a8f9c7946bda449462bf6d188R41-R42 I have test locally. |
My binary gets host OpenSSL dependency regardless of this change. |
But that's not important right now. The real issue is: seanmonstar/reqwest#1260 |
So I got the functionality verified after I changed:
|
Update TEE key when generate evidence
We should not use the same pair of RSA keys for a long time, as this will bring forward security issues.
This change alleviates this issue by updating the TEE key every time the attestation is redone.
Allow setting custom KBS certificates to enable TLS
Add parameters for setting customized KBS Root certificate when creating HTTP client, so that TLS communication can be enabled in various deployment scenarios.