containers / ocicrypt

Encryption libraries for Encrypted OCI Container images
Apache License 2.0

pkcs11: Bring pkcs11 module out of experimental stage #36

Closed stefanberger closed 3 years ago

stefanberger commented 3 years ago

Bring the pkcs11 module out of the experimental stage. This will mean that any previously pkcs11-encrypted images will no longer be accessible.

Signed-off-by: Stefan Berger stefanb@linux.ibm.com

lumjjb commented 3 years ago

I'm a bit worried about how this will work on other systems with different HSMs, etc. I am a bit hesitant because of the amount of testing and different consumers that this could have that we don't have coverage for. I am worried about someone using this and having issues with their HSM.

I personally think that until we have an ask from someone that wants to use this in production, we can consider promoting it, if not there is very little incentive that comes with this risk to take it out of experimental.

stefanberger commented 3 years ago

What does 'experimental' here actually mean? So far it really only means that images encrypted as experimental will not decrypt once it is not experimental anymore, which is a pain for everyone. So maybe we should merge this patch and have a print statement in this code to still declare it experimental, which users who use it hopefully see.

Similarly one may argue that there is no actual implementation of a keyprovider so that one could show that it works in production.

lumjjb commented 3 years ago

My main concern is that we can't make any changes if we decide, for example, that the details of the annotation packet need to change, unless we incorporate versioning of it within the annotation packet itself. We will have to support backward compatibility going forward for what we have today.

Since you are more familiar with this, if you think we are fairly certain that it will not need any changes in the annotation packet then I agree with doing what you proposed - i.e. removing experimental from the protocol and putting it into the feature description.

> Similarly one may argue that there is no actual implementation of a keyprovider so that one could show that it works in production.

Intel has an implementation of this that they are using that ties into the ISecL Keybroker. They will use this instead of the current fork of crio today.

stefanberger commented 3 years ago

We could today assume that if no version is given in the annotation it's version '0'.
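One way to implement the backward-compatible versioning discussed in this thread, as an added example that is not ocicrypt's own code: a hypothetical annotation packet layout (the struct, field names and `CurrentVersion` are assumptions, not the real ocicrypt format) where a missing version field is treated as version 0, as proposed above, and a version newer than the reader understands is rejected rather than guessed at.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical annotation packet (not ocicrypt's real format): a JSON object
// carrying wrapped key material for a pkcs11 recipient. "version" is optional
// so packets written before versioning existed still parse.
type AnnotationPacket struct {
	Version    *int   `json:"version,omitempty"` // nil when absent -> treated as 0
	KeyID      string `json:"keyid"`
	WrappedKey []byte `json:"wrappedkey"` // base64 in JSON
}

// CurrentVersion is the newest packet layout this reader understands (assumed).
const CurrentVersion = 1

// ParsePacket decodes an annotation packet and returns its effective version.
// A missing version field means version 0 (the pre-versioning layout). A
// version newer than CurrentVersion is an error: a future layout change must
// not be silently misinterpreted as the layout this code knows about.
func ParsePacket(raw []byte) (AnnotationPacket, int, error) {
	var p AnnotationPacket
	if err := json.Unmarshal(raw, &p); err != nil {
		return p, 0, fmt.Errorf("malformed annotation packet: %w", err)
	}
	v := 0
	if p.Version != nil {
		v = *p.Version
	}
	if v < 0 || v > CurrentVersion {
		return p, v, fmt.Errorf("unsupported annotation packet version %d (max %d)", v, CurrentVersion)
	}
	if p.KeyID == "" || len(p.WrappedKey) == 0 {
		return p, v, fmt.Errorf("annotation packet version %d is missing keyid or wrappedkey", v)
	}
	return p, v, nil
}

func main() {
	// Constructed sample packets: a legacy one with no version, an explicit v1, and a future v2.
	for _, raw := range []string{
		`{"keyid":"pkcs11:object=img-key","wrappedkey":"AQID"}`,
		`{"version":1,"keyid":"pkcs11:object=img-key","wrappedkey":"AQID"}`,
		`{"version":2,"keyid":"pkcs11:object=img-key","wrappedkey":"AQID"}`,
	} {
		_, v, err := ParsePacket([]byte(raw))
		fmt.Printf("version=%d err=%v\n", v, err)
	}
}
```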