Updated on 2025-07-25 GMT+08:00

Workflow

Roles

The typical usage of a QingTian Enclave instance involves the following roles:

  • Data security administrator: has control permissions for the confidential data and Huawei Cloud KMS keys. A data security administrator owns a Huawei Cloud account and has the highest permissions. For example, a data security administrator can create IAM users and grant them the minimum permissions, such as creating encryption keys and encrypting sensitive data. In this example, we suppose that the data security administrator is also responsible for building the QingTian Enclave image file. This party obtains the expected measurements PCR0 and PCR8 and uses these values as condition keys in IAM policies.
  • Parent instance administrator: is authorized by the data security administrator and has permission to access the parent instance and manage the lifecycle of QingTian Enclave instances. This party launches a QingTian Enclave instance using the QingTian Enclave image file built by the data security administrator.
  • QingTian Enclave application developer: develops applications running in the QingTian Enclave instances. In this example, the application needs to obtain the ciphertext object from OBS bucket Bucket1, call the kms-decrypt API to decrypt the ciphertext, process the data, and write the results to Bucket2.

    In a directory of your choice (/home in the commands below), download the huawei-qingtian-enclave source code.

    cd /home
    git clone https://gitee.com/HuaweiCloudDeveloper/huawei-qingtian.git

Data and Environment Preparation

The following gives an overview of the data encryption process, attestation settings, and QingTian Enclave instance creation.

  1. The data security administrator creates keys in KMS (a sub-service of DEW). For details, see Creating a Key.
  2. The data security administrator uses KMS keys to encrypt a piece of sensitive data, for example, bank card information. For details, see Example 1: Encrypting or Decrypting Small Volumes of Data.
  3. The data security administrator uses the command line tool obsutil to upload the encrypted ciphertext to a Huawei Cloud OBS bucket. For details, see Uploading an Object.
  4. The data security administrator compiles and packages the QingTian Enclave application by creating a Docker image and using the qt CLI to convert the Docker image into a QingTian Enclave image file. For details, see descriptions about how to build a QingTian Enclave image file. The data security administrator records PCR0 and PCR8 generated when the QingTian Enclave image file is built.
  5. The data security administrator sets PCR0 and PCR8 as condition keys of the IAM access control policies (controlling the kms-decrypt API).

    On the IAM console, use an account with administrator permissions to create a custom identity policy. For details, see Creating a Custom Policy.

    The following is an example custom identity policy:

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms::generateRandom",
            "kms:cmk:createDataKey",
            "kms:cmk:decryptData",
            "kms:cmk:decryptDataKey"
          ],
          "Condition": {
            "StringEqualsIgnoreCase": {
              "kms:RecipientAttestation/PCR0": [
                "8f2cbfb3930e59c6de5c4caff0a3f4c0457e8956bfb4556a7ca1f5f4614a741eeee39ae10447eb5baee48d49e6c1cb6c",
                "ff7ba807a385b49fc1c3346bb47215aef503dee6df22d32f733e22b90a9bc4b22424ca7de1a3537ac9608d7ebe461d67",
                "a28e765550d6ad1188860d30167b1fdb9e29c8da825543861bc76ef1e8427fac6b444ec6a1847fc2c22deae8170c2e67"
              ],
              "kms:RecipientAttestation/PCR8": [
                "a9add94b0ecbbd992baded2176370ecf3bfed2cb39b2ec547512b5174279799f2036fa0b8577bdaf503836178bd11ee2"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:cmk:encryptData",
            "kms:cmk:encryptDataKey"
          ]
        }
      ]
    }

    In the example identity policy, the parameters are described as follows:

    • kms::generateRandom: Generate a random number.
    • kms:cmk:createDataKey: Create data keys.
    • kms:cmk:decryptData: Decrypt data.
    • kms:cmk:decryptDataKey: Decrypt data keys.
    • kms:cmk:encryptDataKey: Encrypt data keys.
    • kms:cmk:encryptData: Encrypt data.

    kms:RecipientAttestation/PCR0 and kms:RecipientAttestation/PCR8 are condition keys whose expected values are the PCR measurements recorded when the QingTian Enclave image file is built. Each condition key accepts multiple values, so more than one image measurement can be allowed by a single policy.

  6. The parent instance administrator boots the parent instance, starts the qt-proxy service to forward the QingTian Enclave KMS network requests, and then boots the QingTian Enclave instance using the QingTian Enclave image file.

    You can obtain the KMS endpoints in different regions by referring to Regions and Endpoints.
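    The following Go program is an added example, not code from the Huawei Cloud documentation or from the huawei-qingtian project. It embeds the example identity policy from this page and evaluates requests the way the kms-decrypt access control check is described: an action is allowed only if an Allow statement lists it and the StringEqualsIgnoreCase condition on kms:RecipientAttestation/PCR0 and PCR8 is satisfied by the PCRs taken from the caller's attestation document. The Policy, Statement and Attestation types, the Allowed function and the simplification that StringEqualsIgnoreCase is the only condition operator are this example's own assumptions; the PCR values are the ones from the policy above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy and Statement mirror the fields used by the example policy on this page.
// They are defined for this example and are not the real IAM policy schema.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

type Statement struct {
	Effect    string                         `json:"Effect"`
	Action    []string                       `json:"Action"`
	Condition map[string]map[string][]string `json:"Condition,omitempty"` // operator -> key -> values
}

// Attestation holds the PCR values KMS extracts from a verified attestation document,
// keyed by register name ("PCR0", "PCR8"). A nil Attestation means "no attestation document".
type Attestation map[string]string

// policyJSON is the example policy from this page, embedded so the example runs offline.
const policyJSON = `{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms::generateRandom", "kms:cmk:createDataKey", "kms:cmk:decryptData", "kms:cmk:decryptDataKey"],
     "Condition": {"StringEqualsIgnoreCase": {
       "kms:RecipientAttestation/PCR0": [
         "8f2cbfb3930e59c6de5c4caff0a3f4c0457e8956bfb4556a7ca1f5f4614a741eeee39ae10447eb5baee48d49e6c1cb6c",
         "ff7ba807a385b49fc1c3346bb47215aef503dee6df22d32f733e22b90a9bc4b22424ca7de1a3537ac9608d7ebe461d67"],
       "kms:RecipientAttestation/PCR8": [
         "a9add94b0ecbbd992baded2176370ecf3bfed2cb39b2ec547512b5174279799f2036fa0b8577bdaf503836178bd11ee2"]}}},
    {"Effect": "Allow", "Action": ["kms:cmk:encryptData", "kms:cmk:encryptDataKey"]}
  ]
}`

// LoadPolicy parses a policy document.
func LoadPolicy(raw string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

// conditionMatches evaluates a statement's Condition block against the attestation.
// Only StringEqualsIgnoreCase on kms:RecipientAttestation/* keys is modelled; any other
// operator fails closed. A statement without a Condition always matches.
func conditionMatches(cond map[string]map[string][]string, att Attestation) bool {
	for operator, keys := range cond {
		if operator != "StringEqualsIgnoreCase" {
			return false
		}
		for key, allowed := range keys {
			pcr := strings.TrimPrefix(key, "kms:RecipientAttestation/")
			got, present := att[pcr]
			if !present {
				return false // a request without the required PCR (no attestation) is denied
			}
			matched := false
			for _, v := range allowed {
				if strings.EqualFold(v, got) { // case-insensitive, as the operator name says
					matched = true
					break
				}
			}
			if !matched {
				return false
			}
		}
	}
	return true
}

// Allowed reports whether action is permitted for a caller presenting att: there must be
// an Allow statement that lists the action and whose Condition (if any) is satisfied.
func Allowed(p Policy, action string, att Attestation) bool {
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			if a == action && conditionMatches(st.Condition, att) {
				return true
			}
		}
	}
	return false
}

func main() {
	p, err := LoadPolicy(policyJSON)
	if err != nil {
		panic(err)
	}
	// Constructed requests: an enclave whose measurements are in the policy, one whose
	// PCR8 differs (for example a modified image), and a caller with no attestation.
	trusted := Attestation{"PCR0": "ff7ba807a385b49fc1c3346bb47215aef503dee6df22d32f733e22b90a9bc4b22424ca7de1a3537ac9608d7ebe461d67",
		"PCR8": "a9add94b0ecbbd992baded2176370ecf3bfed2cb39b2ec547512b5174279799f2036fa0b8577bdaf503836178bd11ee2"}
	modified := Attestation{"PCR0": trusted["PCR0"], "PCR8": "0000"}
	fmt.Println("trusted decryptData:", Allowed(p, "kms:cmk:decryptData", trusted))    // true
	fmt.Println("modified decryptData:", Allowed(p, "kms:cmk:decryptData", modified))  // false
	fmt.Println("unattested encryptData:", Allowed(p, "kms:cmk:encryptData", nil))     // true
	fmt.Println("unattested decryptData:", Allowed(p, "kms:cmk:decryptData", nil))     // false
}
```

    Note that the decrypt actions are denied both when a PCR differs and when no attestation document is presented at all, while the second statement (encrypt actions) carries no condition and is therefore usable by any principal the policy is attached to.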

Remote Attestation and Data Decryption

The following describes the execution process of a QingTian Enclave application.

  1. With the qproxy service, the QingTian Enclave application downloads the ciphertext from the Huawei Cloud OBS bucket to the QingTian Enclave instance.
  2. The QingTian Enclave application generates an RSA key pair (pubKey and priKey) for end-to-end encryption of the data exchanged with KMS; this protection does not depend on HTTPS. The application then uses the QingTian Enclave SDK to call the KMS kms-decrypt API, which accepts an attestation document as an input parameter. The attestation document includes the PCRs of the QingTian Enclave instance and the encrypted pubKey generated by the application.
  3. Huawei Cloud KMS receives the request and verifies that the attestation document is signed by the QingTian Attestation PKI. During the access control check of the kms-decrypt API, the PCRs in the attestation document are compared with those in the IAM policies: if they match, the API call is allowed; if they do not, access is denied.
  4. KMS first decrypts the data, then encrypts the result with the pubKey carried in the attestation document and returns it to the QingTian Enclave application, which uses priKey to decrypt the received ciphertext.

    For details about the sample code, see https://gitee.com/HuaweiCloudDeveloper/huawei-qingtian/tree/master/enclave/qtsm-sdk-c/samples.
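    The following Go program is an added example that simulates both sides of the exchange described in steps 2 to 4 above; it is not the sample code from the huawei-qingtian repository (which uses the QingTian Enclave SDK), and it does not talk to a real KMS or enclave. Its assumptions are this example's own: the attestation document is modelled as a JSON body with pcrs and pubkey fields, signed by a locally generated ECDSA key that stands in for the QingTian Attestation PKI (on a real instance the platform produces this signature, not the application); the KMS key is modelled as an AES-GCM key; KMS wraps the decrypted data for the enclave with RSA-OAEP; and the names AttestationDoc, KMS, Decrypt and RunFlow are invented here. The PCR values checked are the first PCR0 value and the PCR8 value from the policy on this page, and the sensitive data is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"strings"
)

// PCR values the IAM policy on this page allows (first PCR0 value and PCR8), plus constructed sample data.
const (
	allowedPCR0   = "8f2cbfb3930e59c6de5c4caff0a3f4c0457e8956bfb4556a7ca1f5f4614a741eeee39ae10447eb5baee48d49e6c1cb6c"
	allowedPCR8   = "a9add94b0ecbbd992baded2176370ecf3bfed2cb39b2ec547512b5174279799f2036fa0b8577bdaf503836178bd11ee2"
	sensitiveData = "card=6222-0000-0000-0000 (constructed sample)"
)

// AttestationDoc is a simplified stand-in for the document the enclave presents to KMS:
// the instance's PCRs plus the public key (PKIX DER) that KMS must encrypt its reply to.
type AttestationDoc struct {
	PCRs   map[string]string `json:"pcrs"`
	PubKey []byte            `json:"pubkey"`
}

// KMS simulates the service side: a symmetric CMK, the attestation PKI's public key and the PCRs the IAM policy permits.
type KMS struct {
	cmk     cipher.AEAD
	pkiPub  *ecdsa.PublicKey
	allowed map[string]string
}

// Decrypt is the kms-decrypt step (steps 3 and 4): verify the attestation signature,
// enforce the PCR condition, decrypt with the CMK, then encrypt the plaintext to pubKey.
func (k *KMS) Decrypt(ciphertext, body, sig []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(k.pkiPub, h[:], sig) {
		return nil, fmt.Errorf("attestation document not signed by the attestation PKI")
	}
	var doc AttestationDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	for pcr, want := range k.allowed {
		if !strings.EqualFold(want, doc.PCRs[pcr]) { // missing or different PCR: deny
			return nil, fmt.Errorf("access denied: %s does not match the IAM policy", pcr)
		}
	}
	ns := k.cmk.NonceSize()
	plain, err := k.cmk.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
	if err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(doc.PubKey)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("attestation public key is missing or not RSA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, plain, nil)
}

// RunFlow runs the exchange end to end for an enclave reporting enclavePCRs and returns the
// plaintext the enclave recovers. PKI key, CMK and the "uploaded" object are generated locally (constructed).
func RunFlow(enclavePCRs map[string]string) (string, error) {
	// Setup: attestation PKI key, CMK, and the CMK-encrypted object the administrator uploaded to OBS.
	pki, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	cmkRaw, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(cmkRaw) // crypto/rand.Read does not return an error on supported Go versions
	rand.Read(nonce)
	block, _ := aes.NewCipher(cmkRaw) // a 32-byte key cannot fail
	cmk, _ := cipher.NewGCM(block)
	uploaded := cmk.Seal(nonce, nonce, []byte(sensitiveData), nil) // nonce || ciphertext
	kms := &KMS{cmk: cmk, pkiPub: &pki.PublicKey,
		allowed: map[string]string{"PCR0": allowedPCR0, "PCR8": allowedPCR8}}
	// Step 2 (enclave): RSA key pair; the attestation document carries the PCRs and pubKey.
	priKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&priKey.PublicKey) // cannot fail for *rsa.PublicKey
	body, _ := json.Marshal(AttestationDoc{PCRs: enclavePCRs, PubKey: pubDER})
	h := sha256.Sum256(body) // signed by the platform's attestation PKI, simulated locally
	sig, err := ecdsa.SignASN1(rand.Reader, pki, h[:])
	if err != nil {
		return "", err
	}
	// Steps 3 and 4 (KMS), then the enclave decrypts the reply with priKey.
	wrapped, err := kms.Decrypt(uploaded, body, sig)
	if err != nil {
		return "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priKey, wrapped, nil)
	return string(plain), err
}
```

    Calling RunFlow with PCR0 and PCR8 equal to the policy values returns the sample plaintext; calling it with a different PCR0 (or with PCR8 absent) returns an access-denied error before any decryption happens, and a reply produced by KMS can only be opened with the priKey that never left the enclave.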