Add Quorum Key Resharding Service

.github/workflows/artifacts.yml → .github/workflows/stagex.yml

@@ -1,4 +1,4 @@
-name: artifacts-build
+name: stagex-build
 
 on:
   push:

.gitignore

@@ -22,6 +22,10 @@ target/
 !src/integration/mock/boot-e2e/all-personal-dir/user2-dir/*
 !src/integration/mock/boot-e2e/all-personal-dir/user3-dir/*
 !src/integration/mock/boot-e2e/genesis-dir/*
+!src/integration/mock/new-share-set-secrets/*
+!src/integration/mock/reshard/user1/qkey1/*
+!src/integration/mock/reshard/user2/qkey1/*
+!src/integration/mock/reshard/user3/qkey1/*
 src/integration/mock/pivot-build-fingerprints.txt
 src/integration/pivot_ok2_works
 src/integration/pivot_ok_works

CHANGELOG.MD

@@ -14,6 +14,15 @@ Removed: for now removed features.
 Fixed: for any bug fixes.
 Security: in case of vulnerabilities.
 
+## Unreleased
+
+### Added
+
+- BREAKING CHANGE: qos_core: quorum key resharding service, new state machine transitions, and new `ProtocolMsg` variants (#428)
+- qos_client: commands to run quorum key resharding and high level documentation (#428)
+- qos_crypto: function to generate n choose k variants (#428)
+- qos_hex: support more array sizes for serde deserialize
+
 ## [0.4.0] 2024.4.9
 
 ### Added

README.md

@@ -152,36 +152,8 @@ make toolchain-shell
 make toolchain-update
 ```
 
-
-### Release Process
-
- 0. Determine the release semver version by consulting the [changelog](./CHANGELOG.MD).
- 1. Create a branch for your release e.g.
-    `git checkout -b release/v1.0.0`
- 2. Run `make dist` as described in ["Release" section](#release)
- 3. Commit the new dist folder `git commit -m "Release v1.0.0" -- dist/`
- 4. Push up your branch to github, and make a pull request.
- 5. You may also create and push a signed `-rcX` git tag where the number after `rc` doesn't already exist.
-    `git tag -S v1.0.0-rc0 -m v1.0.0-rc0`
-    `git push origin v1.0.0-rc0`
- 6. Wait for others to replicate your build, see ["Verify" section](#verify)
- 7. Once the release has enough `git sig` signatures, make the final tag and merge the pull request.
-    `git tag -S v1.0.0 -m v1.0.0`
-    `git push origin v1.0.0`
-
-
 [gs]: https://codeberg.org/distrust/git-sig
 
-### LFS setup
-
-This repository externalises large files so that they do not bulk up the git repo itself.
-This is done through a tool called `git-lfs`, which must be installed for it to work.
-Additionally, we use a custom agent to store our LFS objects in S3 (rather than the default and more expensive Github LFS service).
-
-In order to setup our s3 based lfs:
-
-1) Install [tkinfra](https://github.com/tkhq/mono/tree/main/src/go/tkinfra)
-2) Run `./scripts/setup-lfs.sh`
 
 #### Troubleshooting
 

src/Makefile

@@ -48,7 +48,7 @@ local-host:
 	cargo run --bin qos_host \
 		-- \
 		--host-ip 127.0.0.1 \
-		--host-port 3000 \
+		--host-port 3001 \
 		--usock ./dev.sock
 
 .PHONY: vm-host

src/images/common/Containerfile

@@ -50,4 +50,4 @@ COPY --from=file . /
 COPY --from=gcc . /
 COPY --from=linux-nitro /bzImage .
 COPY --from=linux-nitro /nsm.ko .
-COPY --from=linux-nitro /linux.config .
+COPY --from=linux-nitro /linux.config .

src/integration/Cargo.toml

@@ -25,3 +25,4 @@ aws-nitro-enclaves-nsm-api = { version = "0.3", default-features = false }
 rand = "0.8"
 ureq = { version = "2.9", features = ["json"], default-features = false }
 serde = { version = "1", features = ["derive"] }
+serde_json = "1.0"

src/integration/mock/keys/new-share-set/quorum_threshold

@@ -0,0 +1 @@
+3

src/integration/mock/keys/new-share-set/reshard-1.pub

@@ -0,0 +1 @@
+040ee9045f3718bd1345dccf88693c993626d08448fdeba8ecaf1b867f4d0572d439852ef460963a9e8fab08864a55994c0779216b44a165b4eaced98722ed3778041646e59014eaec046b2636d3943f446282363c26cf995320d5944b8b4d7af0aa588c208c13ded5c86c3e9a31af687c4027d4636173f405503e7b1baeeee7eaa5

src/integration/mock/keys/new-share-set/reshard-2.pub

@@ -0,0 +1 @@
+04c82672b2f8c4d520c5c7cda207b4a05f433e4db7f0daed9bbde6f54d42814af5aeabec191d2dda32ba4cdc6616aa3fda0a6711affa0d42efbe11144043028622044810d6d24626abfe6c31e884e674c870a2197c9e9cd80786b2fd3a087e2c38cad8376d9b7086901915d261ecb92bde5a757d27bbf1a20904120ff079b8a8ef71

src/integration/mock/keys/new-share-set/reshard-3.pub

@@ -0,0 +1 @@
+049872acc56bca90eea07e1e1185e3015be3b7295b4ba484299702489bf4858b1374928b335d3405a16221ec240e80817fbfd783c7052446a31bd1821a9a10ff9c0469361a228e22e7cad34774a50f7cd8f97e7d6542f3903bf9d14647302691ef9195ae2c08ec62dcd0e845bc75e94ef8b9fa45925199a2f7d94d00981d6d2e0d85

src/integration/mock/keys/new-share-set/reshard-4.pub

@@ -0,0 +1 @@
+0442993076a3b8345cb58b860477bce9db21bb6caceae8df298860410594ea08d4fc2ffec944fd7623a893b57037e0f20c44ff8eee6eff03110717efb9269181ed04bb495296212027597e2eb93ffbba07f0c41ae3018409b9ad2177e87b53a2729806f52ad6d0f6399ca3d37edddc81a687cd2a0a9f8aab914d76be2930ff8f5bba

src/integration/mock/new-share-set-secrets/reshard-1.secret

@@ -0,0 +1 @@
+60dd1d44decfa12be68c49abdb47b02c7d03e63de8f6d61ac7d9c4a59e2bf381

src/integration/mock/new-share-set-secrets/reshard-2.secret

@@ -0,0 +1 @@
+1b28ba3a047709e4bac8f5911bd213dbeca7b7023a702ea5333837a80c2ed170

src/integration/mock/new-share-set-secrets/reshard-3.secret

@@ -0,0 +1 @@
+f37186894abb1f45ce0eb5b24b5184334d7d85278037d28af11423f50043d83b

src/integration/mock/new-share-set-secrets/reshard-4.secret

@@ -0,0 +1 @@
+ccb796f57e4a5f52f2ebd81af50a7c98d7576b5503b5dddc337e67b6217d1fa3

src/integration/mock/reshard/user1/qkey1/quorum_key.pub

@@ -0,0 +1 @@
+04c9434ba0a681ee7c21e17c7ce4f668360803686b198774c9362dac090f9995eeb68961319370969bd0d657167d9cfce13a7466ec47aba9845fbfc4fe9277866d04043daa777f57c1ebef21ff3eb71e00a681921da56186ac96b5d3b06b645c88c512fe8072d12971ce1f9592ef6bafd98b4982f8cf73cb6e80c8f6424294e54c71

src/integration/mock/reshard/user2/qkey1/quorum_key.pub

@@ -0,0 +1 @@
+04c9434ba0a681ee7c21e17c7ce4f668360803686b198774c9362dac090f9995eeb68961319370969bd0d657167d9cfce13a7466ec47aba9845fbfc4fe9277866d04043daa777f57c1ebef21ff3eb71e00a681921da56186ac96b5d3b06b645c88c512fe8072d12971ce1f9592ef6bafd98b4982f8cf73cb6e80c8f6424294e54c71

src/integration/mock/reshard/user3/qkey1/quorum_key.pub

@@ -0,0 +1 @@
+04c9434ba0a681ee7c21e17c7ce4f668360803686b198774c9362dac090f9995eeb68961319370969bd0d657167d9cfce13a7466ec47aba9845fbfc4fe9277866d04043daa777f57c1ebef21ff3eb71e00a681921da56186ac96b5d3b06b645c88c512fe8072d12971ce1f9592ef6bafd98b4982f8cf73cb6e80c8f6424294e54c71

src/integration/src/lib.rs

@@ -34,6 +34,8 @@ pub const LOCAL_HOST: &str = "127.0.0.1";
 pub const PCR3: &str = "78fce75db17cd4e0a3fb8dad3ad128ca5e77edbb2b2c7f75329dccd99aa5f6ef4fc1f1a452e315b9e98f9e312e6921e6";
 /// QOS dist directory.
 pub const QOS_DIST_DIR: &str = "./mock/dist";
+/// Mock pcr3 pre-image.
+pub const PCR3_PRE_IMAGE_PATH: &str = "./mock/namespaces/pcr3-preimage.txt";
 
 const MSG: &str = "msg";
 

src/integration/tests/boot.rs

@@ -7,7 +7,8 @@ use std::{
 
 use borsh::de::BorshDeserialize;
 use integration::{
-	LOCAL_HOST, PIVOT_OK2_PATH, PIVOT_OK2_SUCCESS_FILE, QOS_DIST_DIR,
+	LOCAL_HOST, PCR3_PRE_IMAGE_PATH, PIVOT_OK2_PATH, PIVOT_OK2_SUCCESS_FILE,
+	QOS_DIST_DIR,
 };
 use qos_core::protocol::{
 	services::{
@@ -51,7 +52,6 @@ async fn standard_boot_e2e() {
 	let namespace = "quit-coding-to-vape";
 
 	let personal_dir = |user: &str| format!("{all_personal_dir}/{user}-dir");
-
 	let user1 = "user1";
 	let user2 = "user2";
 	let user3 = "user3";
@@ -81,7 +81,7 @@ async fn standard_boot_e2e() {
 			"--qos-release-dir",
 			QOS_DIST_DIR,
 			"--pcr3-preimage-path",
-			"./mock/namespaces/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--manifest-path",
 			&cli_manifest_path,
 			"--pivot-args",
@@ -157,7 +157,7 @@ async fn standard_boot_e2e() {
 				"--manifest-approvals-dir",
 				&*boot_dir,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--pivot-hash-path",
 				PIVOT_HASH_PATH,
 				"--qos-release-dir",
@@ -306,7 +306,7 @@ async fn standard_boot_e2e() {
 			"--host-ip",
 			LOCAL_HOST,
 			"--pcr3-preimage-path",
-			"./mock/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--unsafe-skip-attestation",
 		])
 		.spawn()
@@ -361,7 +361,7 @@ async fn standard_boot_e2e() {
 				"--manifest-envelope-path",
 				&manifest_envelope_path,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--manifest-set-dir",
 				"./mock/keys/manifest-set",
 				"--alias",
@@ -400,9 +400,9 @@ async fn standard_boot_e2e() {
 		stdin.write_all("yes\n".as_bytes()).expect("Failed to write to stdin");
 
 		assert_eq!(
-				&stdout.next().unwrap().unwrap(),
-				"Does this AWS IAM role belong to the intended organization: arn:aws:iam::123456789012:role/Webserver? (yes/no)"
-			);
+			&stdout.next().unwrap().unwrap(),
+			"Does this AWS IAM role belong to the intended organization: arn:aws:iam::123456789012:role/Webserver? (yes/no)"
+		);
 		stdin.write_all("yes\n".as_bytes()).expect("Failed to write to stdin");
 
 		assert_eq!(

src/integration/tests/genesis.rs

@@ -6,7 +6,7 @@ use std::{
 };
 
 use borsh::de::BorshDeserialize;
-use integration::{LOCAL_HOST, QOS_DIST_DIR};
+use integration::{LOCAL_HOST, PCR3_PRE_IMAGE_PATH, QOS_DIST_DIR};
 use qos_core::protocol::services::genesis::GenesisOutput;
 use qos_crypto::{sha_512, shamir::shares_reconstruct};
 use qos_nsm::nitro::unsafe_attestation_doc_from_der;
@@ -153,7 +153,7 @@ async fn genesis_e2e() {
 			"--qos-release-dir",
 			QOS_DIST_DIR,
 			"--pcr3-preimage-path",
-			"./mock/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--dr-key-path",
 			DR_KEY_PUBLIC_PATH,
 			"--unsafe-skip-attestation"
@@ -225,7 +225,7 @@ async fn genesis_e2e() {
 				"--qos-release-dir",
 				QOS_DIST_DIR,
 				"--pcr3-preimage-path",
-				"./mock/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--unsafe-skip-attestation"
 			])
 			.spawn()

src/integration/tests/key.rs

@@ -1,6 +1,8 @@
 use std::{fs, process::Command};
 
-use integration::{LOCAL_HOST, PIVOT_LOOP_PATH, QOS_DIST_DIR};
+use integration::{
+	LOCAL_HOST, PCR3_PRE_IMAGE_PATH, PIVOT_LOOP_PATH, QOS_DIST_DIR,
+};
 use qos_crypto::sha_256;
 use qos_p256::{P256Pair, P256Public};
 use qos_test_primitives::{ChildWrapper, PathWrapper};
@@ -158,7 +160,7 @@ fn generate_manifest_envelope() {
 			"--restart-policy",
 			"always",
 			"--pcr3-preimage-path",
-			"./mock/namespaces/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--pivot-hash-path",
 			PIVOT_HASH_PATH,
 			"--qos-release-dir",
@@ -196,7 +198,7 @@ fn generate_manifest_envelope() {
 				"--manifest-approvals-dir",
 				BOOT_DIR,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--pivot-hash-path",
 				PIVOT_HASH_PATH,
 				"--qos-release-dir",
@@ -293,7 +295,7 @@ fn boot_old_enclave(old_host_port: u16) -> (ChildWrapper, ChildWrapper) {
 			"--host-ip",
 			LOCAL_HOST,
 			"--pcr3-preimage-path",
-			"./mock/namespaces/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--unsafe-skip-attestation",
 		])
 		.spawn()
@@ -343,7 +345,7 @@ fn boot_old_enclave(old_host_port: u16) -> (ChildWrapper, ChildWrapper) {
 				"--manifest-envelope-path",
 				MANIFEST_ENVELOPE_PATH,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--manifest-set-dir",
 				"./mock/keys/manifest-set",
 				"--alias",