aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0
123 stars 80 forks source link

Signing enclave images with HSM/KSM #204

Open yoavj1 opened 3 years ago

yoavj1 commented 3 years ago

Currently the only option to sign an enclave image is to pass the private key and the certificate to build-enclave command. However, it prevents storing the key in a secure storage like HSM or KSM, and using it only for signing without retrieving the key itself. One solution is to allow to add the signature after the enclave was created, so the signature can be produced independently from the enclave creation.

petreeftime commented 3 years ago

Thank you for the feature request. There are two topics here:

  1. Signing with an AWS KMS asymmetric key (and/or maybe a key from an HSM or Nitro Enclave :) ).
  2. Attaching/replacing a signature to an already created image.
gal-fordefi commented 2 years ago

@petreeftime I guess that now, that you merged https://github.com/awslabs/aws-nitro-enclaves-cose/issues/5, it's possible to add the requested functionality to the CLI.

petreeftime commented 2 years ago

Yes, it should be possible to add support for this.