Skip to content

feat(cdh): add aliyun KMS attestation client to fetch resources by remote attestation#100

Open
jialez0 wants to merge 1 commit into
inclavare-containers:mainfrom
jialez0:feat/cdh-kms-trustee
Open

feat(cdh): add aliyun KMS attestation client to fetch resources by remote attestation#100
jialez0 wants to merge 1 commit into
inclavare-containers:mainfrom
jialez0:feat/cdh-kms-trustee

Conversation

@jialez0

@jialez0 jialez0 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

What this PR does

Adds a new attestation client type to the aliyun KMS plugin in
confidential-data-hub. It lets a confidential guest fetch confidential
resources (KMS secrets) from an Aliyun KMS instance that has the Trustee
Attestation Service integrated, authorized by TEE remote attestation
instead of a pre-provisioned client key or any long-term credential.

Background

Besides serving secrets over the RCAR protocol from a standalone Trustee KBS,
the Trustee Attestation Service can now be integrated inside an Aliyun KMS
instance. In that model the KMS itself verifies the TEE evidence and returns
the secret encrypted to a public key that is bound into the evidence, so the
plaintext is only recoverable inside the attested TEE. This client implements
the guest side of that flow.

How it works

All requests are RPC-style POST / form bodies signed with the Aliyun POP
HMAC-SHA1 scheme, sent to the dedicated instance endpoint
({instance}.cryptoservice.kms.aliyuncs.com) over its private CA.

  1. Fetch a temporary STS credential from the ECS RAM role via IMDS — no
    long-term secret is stored in the TEE.
  2. GetChallenge{ Nonce, ChallengeToken }.
  3. Generate an ephemeral RSA-2048 key pair, build the structured runtime
    data { challenge_token, nonce, tee-pubkey }, hash it canonically with
    SHA-384 (via canon-json, matching the AS), and let the attestation-agent
    embed the hash into the TEE evidence report data.
  4. GetSecretValue with a Trustee Recipient carrying the evidence; the KMS
    verifies it and returns CiphertextForRecipient = RSAES-OAEP-SHA256(secret).
  5. Decrypt CiphertextForRecipient with the ephemeral private key.

Integration

The client plugs into the existing vault sealed-secret Getter path, so no
routing change is needed. A Vault secret whose provider is aliyun and whose
provider settings carry client_type: "attestation" is served by this client:

{
  "client_type": "attestation",
  "kms_instance_id": "kst-xxxxxxxx",
  "region_id": "cn-hangzhou",
  "ecs_ram_role_name": "your-ecs-ram-role"
}

The KMS instance private CA is read from
{ALIYUN_IN_GUEST_KEY_PATH}/PrivateKmsCA_{instance}.pem, mirroring the
existing client_key layout.

Testing

  • Unit tests: canonical-JSON hash is order independent, RSAES-OAEP-SHA256
    round-trip with the ephemeral key, exported public exponent is AQAB.
  • End-to-end on a real Intel TDX ECS instance against a KMS instance with the
    integrated attestation service: sealing a Vault secret and unsealing it
    returns the provisioned plaintext.

Note on the OAEP backend

The ephemeral key uses the rsa crate directly to guarantee OAEP with SHA-256
for both the digest and MGF1. The shared crypto crate's OpenSSL backend still
maps PaddingMode::OAEP to OpenSSL's default (SHA-1) OAEP, which would not
interoperate with the KMS RSAES_OAEP_SHA_256 wrapping.

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start

…mote attestation

Add a new `attestation` client type to the aliyun KMS plugin that fetches
confidential resources from a KMS instance with the Trustee Attestation
Service integrated, authorized by TEE remote attestation instead of a
pre-provisioned client key.

The client:
- fetches a temporary STS credential from the ECS RAM role via IMDS, so no
  long-term secret is stored in the TEE;
- calls GetChallenge, generates an ephemeral RSA-2048 key pair, and binds its
  public key into the TEE evidence through the canonical SHA-384 of the
  structured runtime data;
- retrieves the secret via GetSecretValue with a Trustee Recipient and
  decrypts the returned CiphertextForRecipient (RSAES-OAEP-SHA256) with the
  ephemeral private key.

It plugs into the existing vault sealed-secret Getter path, so no routing
change is needed: a Vault secret with provider "aliyun" and
`client_type: "attestation"` in its provider settings is served by this
client.

Verified end-to-end on a real Intel TDX ECS instance against a KMS instance
with the integrated attestation service: sealing a Vault secret and unsealing
it returns the provisioned plaintext.

Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
@jialez0
jialez0 force-pushed the feat/cdh-kms-trustee branch from f28ba4a to ec69627 Compare July 17, 2026 02:02
@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,您的请求已接收,请耐心等待结果。

@shankailun-aliyun

Copy link
Copy Markdown
Collaborator

@jialez0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start


/// `Recipient.KeyEncryptionAlgorithm` understood by the KMS Trustee integration.
/// The secret is wrapped with RSAES-OAEP using SHA-256 for both the hash and MGF1.
const KEY_ENCRYPTION_ALGORITHM: &str = "RSAES_OAEP_SHA_256";

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RSA算法是KMS那边要求的么? 可否考虑椭圆曲线系列的

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants