
Comments (6)

bitboom commented on August 22, 2024 3

First, thanks to all of you involved with remote attestation! 😄


History

From March, HQ have prepared Islet SDK to collaborate with certifier for the demonstration at Confidential Computing Summit.
Certifier required the attestation features, getting the report and verifying it, running on x86_64 as simulated version.
When I started to develop the features, there was no linux-rsi. So, I made them with the hard-coded report and parsed it using minicbor.

After linux-rsi was merged into Islet, I used it to run Islet SDK running on FVP. Recently I removed the duplication of token parsing in #224.

About rust-rsi

What we're proposing is to check what SDK needs from rust-rsi

Islet SDK needs below running on both x86_64 and aarch64:

  • Getting Attestation Token
    • hard-coded report would be returned but realm challenge could be replaced before verifying it.
  • Verifying Attestation Token
  • Parsing Attestation Token

What I am proposing is

  1. SRPOL team: Use rust-rsi regardless of current islet components
  2. SRPOL team: Done remote attestation porting
  3. HQ team: Use rust-rsi to sdk & remove duplicated component in Islet.
  4. HQ team: If additional features needed, make the PR to rust-rsi

we can put it under Samsung space even, if needed.

In my human opinion, rust-rsi should be put to samsung space.
If you want to make rust-rsi a separate repo, not islet, you have to proceed with the opensource process.

Managing repositories

Follow-up

Another point in this topic, is - whether we should really keep some of these modules - rust-rsi, realm-verifier, ratls, etc. as parts within one git repo

I think the best way is to create our GitHub organization like gramine, veracruz.

  • islet-project/islet
  • islet-project/rust-rsi
  • islet-project/realm-verifier
  • ...

AFAIK, there have been no cases of making our own GitHub org in Samsung. I will check whether it is possible after this year's goal is achieved.

from islet.

TomaszSwierczek commented on August 22, 2024 2

@bitboom, thanks a lot for fast response!

Regarding the steps:

SRPOL team: Use rust-rsi regardless of current islet components
SRPOL team: Done remote attestation porting
HQ team: Use rust-rsi to sdk & remove duplicated component in Islet.
HQ team: If additional features needed, make the PR to rust-rsi

@Havner, I think it's okay this way, isn't it?

In my human opinion, rust-rsi should be put to samsung space.
If you want to make rust-rsi a separate repo, not islet, you have to proceed with the [opensource process](https://opensource.sec.samsung.net/view/process).

We're not attached that much to having @Havner's own upstream project, we did it simply because the code was pushed in Islet repo so it was in public domain already and we needed a shared one for our projects, that's all. Since I expect Islet will be our main working repo for CC, I think what we can do is to find a place somewhere under Samsung space to put it - and here we go with...

I think the best way is to create our GitHub organization like (...)

islet-project/islet
islet-project/rust-rsi
islet-project/realm-verifier
...

That's precisely what would be the best way IMHO. Can we do this instead of keeping every dependency in a single repo? Are there any obstacles - since this will require creating a new entity on GitHub and, inside of it, some new repos?

And most importantly for our current work - do we need/want to continue putting these elements (incl. rust-rsi) into Islet current repo right now (continuing with the steps I've quoted in beginning of my comment) just to finish adding the remote attestation bits as fast as possible, or can we 1st create proper organization?

I see this as a long-term project, so I'd be more inclined towards the 2nd approach with creating organization 1st, but I am not fully sure the paperwork & waiting is what we can afford right now. Can someone tell?


p-sawicki2 commented on August 22, 2024 2

The idea with the separate samsung/islet-ra repo seems to be fine. So if creating the new repository is going to take a few weeks, the process can be started as soon as possible.

The rest of the plan also looks OK:

  1. SRPOL team: Use rust-rsi regardless of current islet components
  2. SRPOL team: Done remote attestation porting
  3. HQ team: Use rust-rsi to sdk & remove duplicated component in Islet.
  4. HQ team: If additional features needed, make the PR to rust-rsi

On Monday, I'm going to prepare a more detailed plan.


bitboom commented on August 22, 2024 1

So if creating the new repository is going to take a few weeks, the process can be started as soon as possible.

I just started the process to create Islet RA repository.


bitboom commented on August 22, 2024 1

https://github.com/Samsung/islet-ra is created!


bitboom commented on August 22, 2024

HQ team discussed this offline. It seems too hard to create our own organization right now.
(Because of our deadline & we are currently joining CCC with samsung/islet repo)

An alternative

How about creating another repository in Samsung space?

  • samsung/islet: Core components for on-device CC f/w
    • rmm
    • sdk
    • hes
    • scripts/fvp-cca
    • examples/veraison
  • samsung/islet-asset
  • (new) samsung/islet-ra (or islet-remote-attestation) : Core modules/libs for remote attestation
    • ratls
    • rust-rsi
    • realm-verifier
    • ...

Creating one repo in samsung space takes about 1~2 weeks.

