-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Leases #55
Conversation
bc77998
to
1abdda1
Compare
Doesn't currently work due to streams missing.
This makes it more consistent and allows us to use get_untrusted_host_time_v1. This function isn't static so we can't have our handlers be static either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! I think the implications of using the time of the untrusted host (there's no secure time in the enclave) should be spelled out somewhere. This effectively means that a malicious operator could revoke a lease early or extend an existing one (i.e. there's an attack vector every time the app uses get_time_s
). How bad is this? Should the API be extended for the client to pass in their current local time?
Yep the lack of secure timing is a bit of a nuisance. Since leases might typically be used for some sort of leader election I'd imagine that it could be a bit troublesome (constantly flipping leaders). I'm not sure if the clients that use the lease would be trusted enough to provide times either since they could maliciously give a time that invalidates other leases. Perhaps we could compromise, expose a way of clients also providing their current time in the request, and then comparing it to the local time from the OS. If they are not too different (within a configurable limit) then we know we can trust the timing somewhat. If they are too different just error out? Something to bear in mind and discuss going forwards. I'll make an issue. |
Fixes #21
Except #68