Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Versioning of the Nitro Secure Module? #48

Open
robotal opened this issue May 18, 2023 · 1 comment
Open

Versioning of the Nitro Secure Module? #48

robotal opened this issue May 18, 2023 · 1 comment

Comments

@robotal
Copy link

robotal commented May 18, 2023
edited
Loading

I couldn't find any documentation of how to interpret the results of DescribeNSM response

From src/api/mod.rs:

pub enum Request {
...
  DescribeNSM
...
}

pub enum Response {
...
  DescribeNSM {
          /// Breaking API changes are denoted by `major_version`
          version_major: u16,
          /// Minor API changes are denoted by `minor_version`. Minor versions should be backwards compatible.
          version_minor: u16,
          /// Patch version. These are security and stability updates and do not affect API.
          version_patch: u16,
          /// `module_id` is an identifier for a singular NitroSecureModule
          module_id: String,
          /// The maximum number of PCRs exposed by the NitroSecureModule.
          max_pcrs: u16,
          /// The PCRs that are read-only.
          locked_pcrs: BTreeSet<u16>,
          /// The digest of the PCR Bank
          digest: Digest,
      },
...

}

Other than trying out different nitro enclaves and seeing what values it returns, is there some sort of guidance on how to interpret the versions returned here? Would that potentially affect the API used to send requests to the nsm device API in src/driver/mod.rs? Is that something my enclave application should worry about checking?
@petreeftime
Copy link
Contributor

petreeftime commented May 22, 2023
edited
Loading

The enclave application shouldn't really care about the version exposed in this field, except maybe for debugging reasons, or for libraries to be able to provide backwards compatibility.

For example, if we replace a method or field in version 2.0, a library might be able to run a compatibility layer than transforms the input from it's API to work with either version 1.0 or version 2.0.

Another reason to check might be if a feature is added, it might take some time until it propagates everywhere, so a library might want to check and emit a useful error message if the required functionality is not yet available, or fall back on an already existing API.

In practice, the API will be either backwards compatible (ie. version 1.x.y), or if there is a breaking change, it will require opt-in as an additional enclave feature (ie. nitro-cli run-enclave --nsm-version 2), such that users will not be impacted by changes without their express consent.

Today, the reported version is static, so it should always be 1.0.y (but obviously won't be the same forever).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@robotal @petreeftime