Add initial eHSM-KMS support for signstore #1393
Conversation
syan10
force-pushed
the
main
branch
5 times, most recently
from
a78743f
to
0d68e4d
Compare
eHSM-KMS is an End-to-End Distributed and Scalable Cloud KMS built on top of Intel SGX enclave-based HSM(Hardware Security Module), aka eHSM. More details, please refer to: https://github.com/intel/ehsm Signed-off-by: Yan, Shaopu <shaopu.yan@intel.com>
|
hi cpanato, bobcallaway, would you help to review this PR, which is to provide another alternative cloud KMS eHSM-KMS. eHSM-KMS is An End-to-End Distributed and Scalable Cloud KMS built on top of Intel SGX enclave-based HSM(Hardware Security Module), aka eHSM, that cloud KMS could be attested by the user to make sure it's actually runs in the TEE(Trusty Execution Environment). More details, please refer to: |
|
Hey @lukehinds @cpanato , what should be done to get this PR merged? |
|
sorry for the delay, I will need a bit more time to review and have others to review as well |
Thanks. Any comments for this PR? |
|
Hi @syan10 First off sorry for the late reply and thank you for your contribution. A few considerations that come to mind (correct me if wrong on any of these):
Please let me know and this can help guide our decisions. Many Thanks, Luke |
Thanks Luke. Yes, eHSM requires a SGX-capable machine for testing. Compared to the commercial Cloud KMS offered by CSPs, eHSM-KMS is a more convenient option for private cloud usage, offering enhanced security compared to Hashicorp Vault for users who prefer not to rely on CSPs. Anyway, we can hold off on merging this patch for now and consider it when you receive similar requests. Thanks |
eHSM-KMS is An End-to-End Distributed and Scalable Cloud KMS built on top of Intel SGX enclave-based HSM(Hardware Security Module), aka eHSM.
More details, please refer to:
https://github.com/intel/ehsm