// SPDX-FileCopyrightText: © 2024-2025 Phala Network <dstack@phala.network>
//
// SPDX-License-Identifier: Apache-2.0
syntax = "proto3";
import "google/protobuf/empty.proto";
package kms;
// Request message for KMS.GetAppKey.
//
// NOTE(review): the GetAppKey RPC is described as taking "the app id and tdx
// quote", but neither appears as a field here. Presumably the caller's
// attestation evidence is conveyed outside this message (e.g. by the
// transport) -- confirm against the server implementation.
message GetAppKeyRequest {
  // Request API version chosen by the caller.
  // NOTE(review): the accepted values are not defined in this file.
  uint32 api_version = 1;
  // VM configuration supplied by the caller, carried as a string.
  // NOTE(review): the encoding and how this value is bound to the attested
  // measurements are not visible here; it is caller-controlled input and
  // should be trusted only as far as attestation verifies it -- confirm.
  string vm_config = 2;
}
// Identifies an app. Used as the request message of
// KMS.GetAppEnvEncryptPubKey.
message AppId {
  // Raw app identifier bytes.
  // NOTE(review): no length is fixed by the schema; the signatures in
  // PublicKeyResponse concatenate app_id with other fields, so the server
  // presumably enforces a fixed length -- confirm.
  bytes app_id = 1;
}
// Response of KMS.GetAppEnvEncryptPubKey: the app's environment-encryption
// public key together with two signatures over it.
//
// The legacy `signature` does not cover a timestamp, so a previously issued
// response remains valid under it indefinitely; `signature_v1` additionally
// covers `timestamp`. Verifiers that want replay protection therefore need to
// check `signature_v1` and apply their own freshness bound to `timestamp`
// (no acceptance window is defined in this file).
message PublicKeyResponse {
  // Public key that clients use to encrypt secret environment variables.
  // NOTE(review): presumably the X25519 public half of
  // AppKeyResponse.env_crypt_key -- confirm.
  bytes public_key = 1;
  // Legacy signature without timestamp (for backward compatibility).
  // Signs: Keccak256("dstack-env-encrypt-pubkey" + ":" + app_id + public_key)
  // NOTE(review): app_id and public_key are concatenated without length
  // prefixes; the encoding is unambiguous only if both have fixed lengths --
  // confirm.
  bytes signature = 2;
  // Unix timestamp in seconds when the response was generated.
  uint64 timestamp = 3;
  // New signature with timestamp to prevent replay attacks.
  // Signs: Keccak256("dstack-env-encrypt-pubkey" + ":" + app_id + timestamp_be_bytes + public_key)
  // NOTE(review): the byte width of timestamp_be_bytes is not stated here
  // (presumably 8, matching uint64) -- confirm.
  bytes signature_v1 = 4;
}
// Response of KMS.GetAppKey: the key material provisioned to an app.
//
// Per the field descriptions below, fields 2-4 are secret keys (disk
// encryption, environment decryption, signing). The whole message should be
// handled as a secret: keep it off logs and traces, and send it only over a
// channel that is confidential and authenticated to the intended app.
message AppKeyResponse {
  // TLS CA certificate which is used as the trust anchor for all HTTPS RPCs in the system.
  string ca_cert = 1;
  // Disk encryption key used as the key phrase for the App's full disk encryption.
  bytes disk_crypt_key = 2;
  // X25519 key for decrypting secret environment variables.
  bytes env_crypt_key = 3;
  // ECDSA key for app's Ethereum-compatible signing operations.
  bytes k256_key = 4;
  // Signature of the k256 key signed by the root k256 key.
  // NOTE(review): the exact signed payload is not specified in this file.
  bytes k256_signature = 5;
  // Reverse proxy app ID from DstackKms contract. (Deprecated. For backward compatibility)
  // Superseded by gateway_app_id (field 7).
  string tproxy_app_id = 6;
  // Reverse proxy app ID from DstackKms contract.
  string gateway_app_id = 7;
  // OS Image hash
  // NOTE(review): the hash algorithm is not stated in this file.
  bytes os_image_hash = 8;
}
// Response of KMS.GetMeta, which the service describes as a probe and
// health check and which takes no request arguments.
//
// NOTE(review): nothing in this message is signed, so its authenticity
// depends on the channel it was fetched over; field meanings below are
// inferred from names unless stated otherwise -- confirm.
message GetMetaResponse {
  // CA certificate of this KMS (presumably the same trust anchor as
  // AppKeyResponse.ca_cert -- confirm).
  string ca_cert = 1;
  // Policy flag; presumably true when the KMS does not restrict app upgrades.
  // A client that reads this as a security posture signal should treat true
  // as the weaker setting -- confirm semantics with the server.
  bool allow_any_upgrade = 2;
  // k256 (secp256k1) public key of this KMS; presumably the root key that
  // produces AppKeyResponse.k256_signature -- confirm.
  bytes k256_pubkey = 3;
  // Public keys and attestation produced at bootstrap (see BootstrapResponse).
  BootstrapResponse bootstrap_info = 4;
  // Presumably true when the KMS runs in a development mode; such an instance
  // should not be relied on for production secrets -- confirm semantics.
  bool is_dev = 5;
  // Gateway (reverse proxy) app ID, when known.
  optional string gateway_app_id = 6;
  // Address of the KMS contract, when configured.
  optional string kms_contract_address = 7;
  // Chain ID the KMS contract lives on, when configured.
  optional uint64 chain_id = 8;
  // Identifier of the app-auth implementation in use, when configured.
  optional string app_auth_implementation = 9;
}
// Request message for KMS.GetKmsKey (KMS key handover).
//
// NOTE(review): the message carries no credential or attestation field, so
// the requesting KMS is presumably authenticated outside this message --
// confirm, since the response carries KMS key material.
message GetKmsKeyRequest {
  // VM configuration supplied by the caller, carried as a string.
  // NOTE(review): caller-controlled; confirm how it is validated.
  string vm_config = 1;
}
// One set of KMS keys, returned inside KmsKeyResponse during key handover.
//
// NOTE(review): the field names suggest these are private keys. If so, the
// enclosing response should travel only to an authenticated, attested peer
// over a confidential channel and should never be logged -- confirm.
message KmsKeys {
  // CA key, carried as a string (presumably PEM -- confirm).
  string ca_key = 1;
  // k256 (secp256k1) key as raw bytes.
  bytes k256_key = 2;
}
// Response of KMS.GetKmsKey (KMS key handover).
//
// Carries key material; handle as a secret end to end.
message KmsKeyResponse {
  // Key of the temporary CA, carried as a string (presumably PEM -- confirm).
  string temp_ca_key = 1;
  // Key sets handed over to the requesting KMS.
  // NOTE(review): why more than one set may be returned is not visible here.
  repeated KmsKeys keys = 2;
}
// Response of KMS.GetTempCaCert: the temporary CA certificate and its key,
// plus the KMS CA certificate.
//
// NOTE(review): the RPC takes google.protobuf.Empty, so this message (which
// includes a CA key) is returned without any request-level credential.
// Anything that trusts certificates issued under the temporary CA should
// account for that key being obtainable by any caller that can reach the
// RPC -- confirm what the temporary CA is trusted for.
message GetTempCaCertResponse {
  // Temporary CA certificate.
  string temp_ca_cert = 1;
  // Key of the temporary CA.
  string temp_ca_key = 2;
  // KMS CA certificate.
  string ca_cert = 3;
}
// Request message for KMS.SignCert.
message SignCertRequest {
  // Request API version chosen by the caller.
  // NOTE(review): the accepted values are not defined in this file.
  uint32 api_version = 1;
  // Certificate signing request to be signed.
  // NOTE(review): the encoding is not stated in this file; the CSR contents
  // are caller-controlled, so the server decides which requested subjects and
  // extensions it will honour -- confirm.
  bytes csr = 2;
  // Signature accompanying the CSR.
  // NOTE(review): presumably made over `csr` by the key the CSR certifies;
  // the signed payload and algorithm are not specified here -- confirm.
  bytes signature = 3;
  // VM configuration supplied by the caller, carried as a string.
  string vm_config = 4;
}
// Response of KMS.SignCert.
message SignCertResponse {
  // Issued certificate together with its chain, one certificate per element.
  // NOTE(review): element encoding (presumably PEM) and ordering (presumably
  // leaf first) are not stated in this file -- confirm.
  repeated string certificate_chain = 1;
}
// The kms public RPC service.
//
// Several responses carry secret key material (AppKeyResponse,
// KmsKeyResponse, GetTempCaCertResponse). None of the request messages
// includes an explicit credential except ClearImageCacheRequest.token, so
// caller authentication is presumably done outside the messages (transport
// or attestation) -- confirm per RPC.
service KMS {
  // Request the app key given the app id and tdx quote
  // NOTE(review): GetAppKeyRequest has no app id or quote field; see that
  // message.
  rpc GetAppKey(GetAppKeyRequest) returns (AppKeyResponse);
  // KMS key handover
  rpc GetKmsKey(GetKmsKeyRequest) returns (KmsKeyResponse);
  // Request the app environment encryption public key given the app id
  rpc GetAppEnvEncryptPubKey(AppId) returns (PublicKeyResponse);
  // Request the KMS instance metadata for use as a probe and health check.
  rpc GetMeta(google.protobuf.Empty) returns (GetMetaResponse);
  // Request the temporary CA certificate and key
  // Takes no arguments; the response includes the temporary CA key.
  rpc GetTempCaCert(google.protobuf.Empty) returns (GetTempCaCertResponse);
  // Sign a certificate
  rpc SignCert(SignCertRequest) returns (SignCertResponse);
  // Clear the image cache
  // The request carries a token, presumably used to authorize the operation.
  rpc ClearImageCache(ClearImageCacheRequest) returns (google.protobuf.Empty);
}
// Request message for KMS.ClearImageCache.
message ClearImageCacheRequest {
  // Token sent with the request.
  // NOTE(review): presumably an operator secret that authorizes the cache
  // clear; if so it is a bearer credential and should be kept out of logs and
  // compared without early exit on the server -- confirm.
  string token = 1;
  // Image hash selecting what to clear, as a string.
  // NOTE(review): encoding is presumably hex, whereas os_image_hash elsewhere
  // in this file is raw bytes; behaviour when empty is not visible here --
  // confirm.
  string image_hash = 2;
  // Config hash selecting what to clear, as a string.
  // NOTE(review): behaviour when empty is not visible here -- confirm.
  string config_hash = 3;
}
// Request message for Onboard.Bootstrap (bootstrap a new KMS).
message BootstrapRequest {
  // Domain for the new KMS.
  // NOTE(review): presumably the name placed in the KMS's certificates;
  // caller-supplied, and no validation rule is stated here -- confirm.
  string domain = 1;
}
// Response of Onboard.Bootstrap; also embedded in
// GetMetaResponse.bootstrap_info.
message BootstrapResponse {
  // Public key of the KMS CA.
  bytes ca_pubkey = 1;
  // k256 (secp256k1) public key of the KMS.
  bytes k256_pubkey = 2;
  // Attestation evidence.
  // NOTE(review): presumably binds the two public keys above to the KMS
  // execution environment; a verifier should check that the evidence actually
  // covers these keys rather than trusting the fields side by side. Format is
  // not specified in this file -- confirm.
  bytes attestation = 3;
}
// Request message for Onboard.Onboard (onboard from an existing KMS).
message OnboardRequest {
  // URL of the existing (source) KMS to onboard from.
  // NOTE(review): caller-supplied URL that the server presumably connects to
  // in order to receive key material. How the source is authenticated (and
  // whether the URL scheme or host is restricted) is not visible here --
  // confirm.
  string source_url = 1;
  // Domain for the KMS being onboarded.
  // NOTE(review): presumably the same meaning as BootstrapRequest.domain --
  // confirm.
  string domain = 2;
}
// Response of Onboard.Onboard.
message OnboardResponse {
  // k256 public key (secp256k1) inherited from source KMS
  // Callers can compare it with the source KMS's known public key to check
  // that the expected key was inherited.
  bytes k256_pubkey = 1;
}
// Attestation info needed for on-chain KMS authorization.
//
// Response of Onboard.GetAttestationInfo.
// NOTE(review): the message itself carries no signature or quote, so the
// values are presumably informational for an operator and the authoritative
// check happens against real attestation evidence elsewhere -- confirm.
message AttestationInfoResponse {
  // Device ID (SHA256 of platform device identifier)
  bytes device_id = 1;
  // Aggregated measurement of the VM execution environment
  bytes mr_aggregated = 2;
  // OS image hash
  bytes os_image_hash = 3;
  // Attestation mode (e.g. "dstack-tdx", "dstack-gcp-tdx")
  string attestation_mode = 4;
  // Custom site name for display
  // Display-only, free-form text; escape it before rendering.
  string site_name = 5;
  // Ethereum RPC URL from auth API
  // NOTE(review): relayed from the auth API; whether it may embed credentials
  // (e.g. an API key in the URL) is not visible here -- confirm.
  string eth_rpc_url = 6;
  // KMS contract address from auth API
  string kms_contract_address = 7;
}
// The Onboard RPC service.
//
// Used to set up a KMS instance: either bootstrap a new one or onboard from
// an existing one, then finish.
// NOTE(review): none of the request messages carries a credential, and these
// RPCs decide which keys the KMS ends up with. The service is presumably
// reachable only by the operator and only until Finish is called -- confirm
// how exposure is limited.
service Onboard {
  // Bootstrap a new KMS
  rpc Bootstrap(BootstrapRequest) returns (BootstrapResponse);
  // Onboard from existing KMS
  rpc Onboard(OnboardRequest) returns (OnboardResponse);
  // Get attestation info for on-chain KMS authorization
  rpc GetAttestationInfo(google.protobuf.Empty) returns (AttestationInfoResponse);
  // Finish onboarding
  // Takes and returns no data.
  rpc Finish(google.protobuf.Empty) returns (google.protobuf.Empty);
}