hardware key runners #1977

James-Pickett · 2024-12-04T23:16:52Z

adds secure enclave create key command to desktop user server, client, and root desktop runner
adds a "runner" style struct to handle initializing keys for both tpm and secure enclave that is added to the rungroup in main launcher command, this allows for initializing (and retrying failures) of tpm and secure enclave keys
signing with secure enclave will come in a follow on PR

ee/desktop/user/client/client.go

ee/secureenclaverunner/secureenclaverunner.go

ee/tpmrunner/tpmrunner.go

RebeccaMahany

I really like how all of this fits together with the runners!

ee/desktop/user/client/client.go

ee/secureenclaverunner/secureenclaverunner.go

ee/tpmrunner/tpmrunner_test.go

RebeccaMahany · 2024-12-06T15:09:30Z

ee/tpmrunner/tpmrunner.go

@@ -0,0 +1,241 @@
+package tpmrunner


Would you add a quick diagram/writeup in the docs/architecture folder for this? Since this work traverses both root and user launcher, and the implementation differs between darwin/other OSes (plus the keys are pretty important) I think it's worth documenting how the different pieces fit together. Doesn't have to be in this PR!

I'm a little curious about this as well. I understand why we need to move the secure enclave signing. But I'm much less sure what's happening with the TPM

@RebeccaMahany , I will write up some docs for this PR

@directionless there are 2 reasons I went ahead and made the tpm a "runner" style like secure enclave.

We do see errors pop up with TPM operations that I can't reproduce. I'm hoping that these have something to do with the TPM not being ready or unavailable for some reason, taking this route we'll keep trying in the background hoping it becomes available.

It felt cleaner to have both hardware signature mechanisms operate in the same way. Understanding that no kind of hardware signing can be expected to be available immediately after start up.

ee/tpmrunner/tpmrunner.go

ee/secureenclaverunner/secureenclaverunner.go

ee/agent/keys_darwin.go

directionless · 2024-12-06T15:47:42Z

ee/agent/keys_tpm.go

-	}
-
-	k, err := tpm.New(priData, pubData)
+// SetHardwareKeysRunner creates a tpm runner and sets it as the agent hardware key as it also implements the keyInt/cyrpto.Signer interface.


Naming question... If this returns a runner, why is it called Set?

The runner also implements keyInt & crypto.Signer and gets set as the hardware key, maybe CreateSetHardwareKeysRunner? Or possible different functions for create and set?

ee/secureenclaverunner/secureenclaverunner.go

directionless · 2024-12-06T16:44:07Z

ee/tpmrunner/tpmrunner.go

@@ -0,0 +1,241 @@
+package tpmrunner


I'm a little curious about this as well. I understand why we need to move the secure enclave signing. But I'm much less sure what's happening with the TPM

ee/tpmrunner/tpmrunner.go

RebeccaMahany

Just a couple small nitpicks, LGTM! Sorry for the delay on re-review this time around

ee/desktop/user/client/client.go

ee/secureenclaverunner/secureenclaverunner.go

ee/tpmrunner/tpmrunner.go

RebeccaMahany

Nice!!

rough draft

3f86421

James-Pickett changed the title ~~rough draft~~ hardware key runners Dec 4, 2024