Skip to content

Add new Attestation Protocol "None" - phase 2 #1425

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 38 commits into from
Jan 24, 2022
Merged

Add new Attestation Protocol "None" - phase 2 #1425

merged 38 commits into from
Jan 24, 2022

Conversation

@johnnypham
Copy link
Contributor

@johnnypham johnnypham commented Dec 8, 2021
edited
Loading

Summary of feature
Currently, VBS enclaves are supported on-prem and SGX enclaves on Azure VMs. VBS support for Azure is in the works but strong attestation is not possible on Azure VMs due to restrictions against accessing the host machine's Trusted Platform Module (TPM).
A new attestation protocol called "None" will be allowed in the connection string, allowing users to forgo enclave attestation when using VBS enclaves: Attestation Protocol = None

Phase 2 changes

  • Attestation Protocol = None can now be added to the connection string. When this is set, the Enclave Attestation Url property is optional (it's required if Attestation Protocol is HGS or AAS).
  • Attestation Protocol = None only works when the server returns an enclave type of VBS. An exception is thrown for any other enclave type.
  • When using Attestation Protocol = None, the NoneAttestationEnclaveProvider will be used to set up an enclave session. This provider does not perform attestation and only derives the shared secret required to set up a secure enclave session.
  • Building the driver with -p:BuildSimulator=true will still work, the driver will simply use NoneAttestationEnclaveProvider. When working with SQL Server in simulator mode, the attestation protocol should now be specified as None and not SIM.
  • Tests: all of the current enclave manual tests will be run with an additional connection string using Attestation Protocol = None. Example run

lcheunglci and others added 28 commits October 25, 2021 11:21
@lcheunglci
Add test coverage to SqlCollation for FirstSupportedCollationVersion …
b1d3720 
…and to verify out of range for LocaleId
@lcheunglci
Merge branch 'main' into Test-CodeCoverage
92897eb
@lcheunglci
Add tests to SqlConnectionStringBuilder to all properties that throws…
02a65c6 
… an exception
@lcheunglci
Add a test cases for SqlClientLogger for code coverage
16c0a64
@lcheunglci
Add code coverage for SqlClientFactory covering CreateDataSourceEnume…
60172e4 
…rator and GetService for netfx and CreateCommandBuilder for both
@lcheunglci
Add tests to SqlParameterCollection for code coverage
296049b
@lcheunglci
Add missing code coverage to SqlCommandSet
2d57ffe
@lcheunglci
Merge branch 'main' into Test-CodeCoverage-part1
dfd6457
remove unnecessary asserts
8b5ee21
Update Microsoft.Data.SqlClient.csproj
b0ba491
Merge remote-tracking branch 'upstream/main'
7bce454
Merge remote-tracking branch 'upstream/main'
cd4aea7
Merge remote-tracking branch 'upstream/main'
2c09672
Merge remote-tracking branch 'upstream/main'
965ce94
Merge remote-tracking branch 'upstream/main'
7179deb
rename simulator enclave provider
5fcaab3
Update EnclaveDelegate.Crypto.cs
a39aa88
Update EnclaveDelegate.Crypto.cs
7d95c36
use Array.Empty<byte>()
a4d148a
docs
0be73d5
use enum for protocol id fields
b4fc190
Merge branch 'rename-sim' into none-attest
b22043f
netcore
d0e204d
tests
7860792
Update SqlDbManager.cs
89e4932
netfx changes
b91f065
Update SqlDbManager.cs
b269df6
Update ExceptionTest.cs
8ef2990
@DavoudEshtehari
Copy link
Contributor

/azp run

@azure-pipelines
Copy link

You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list.

@johnnypham
Copy link
Contributor Author

johnnypham commented Jan 5, 2022
edited
Loading

The main purpose of having ENCLAVE_SIMULATOR directive comes from SqlConnectionAttestationProtocol.SIM which is now updated with NONE and available as a public API. I believe we can get rid of it.

#if ENCLAVE_SIMULATOR is still needed. SQL Server can run in simulator mode wherein the server will send an enclave type of SIMULATOR. When this happens, we still need the code inside those directives. For example, we still need the simulator if you want to simulate attestation with SGX enclaves, since "None" attestation won't work for SGX.

@johnnypham johnnypham added this to the 4.1.0 milestone Jan 10, 2022
@johnnypham johnnypham added the Public API 🆕 Issues/PRs that introduce new APIs to the driver. label Jan 10, 2022
Kaur-Parminder
Kaur-Parminder reviewed Jan 17, 2022
View reviewed changes
DavoudEshtehari
DavoudEshtehari reviewed Jan 21, 2022
View reviewed changes
@DavoudEshtehari
Update src/Microsoft.Data.SqlClient/tests/FunctionalTests/AlwaysEncry…
f226666 
…ptedTests/ConnectionStringBuilderShould.cs

Co-authored-by: DavoudEshtehari <[email protected]>
@JRahnama JRahnama merged commit 3b945ee into dotnet:main Jan 24, 2022
DavoudEshtehari added a commit to DavoudEshtehari/SqlClient that referenced this pull request Jan 27, 2022
@DavoudEshtehari
Add new Attestation Protocol "None" - phase 2 (dotnet#1425)
e5ace6a 
# Conflicts:
#	src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsEnums.cs
@DavoudEshtehari DavoudEshtehari mentioned this pull request Jan 27, 2022
Merged
DavoudEshtehari added a commit to DavoudEshtehari/SqlClient that referenced this pull request Jan 27, 2022
@DavoudEshtehari
Add new Attestation Protocol "None" - phase 2 (dotnet#1425)
9ac11d3 
# Conflicts:
#	src/Microsoft.Data.SqlClient/netfx/src/Microsoft/Data/SqlClient/TdsEnums.cs
@johnnypham johnnypham deleted the none-attest branch January 27, 2022 18:10
@DavoudEshtehari DavoudEshtehari modified the milestones: 4.1.0, 5.0.0-preview1 Jan 27, 2022
@DavoudEshtehari DavoudEshtehari mentioned this pull request Jan 27, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@David-Engel David-Engel David-Engel approved these changes

+3 more reviewers

@JRahnama JRahnama JRahnama approved these changes

@DavoudEshtehari DavoudEshtehari DavoudEshtehari approved these changes

@Kaur-Parminder Kaur-Parminder Kaur-Parminder approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Public API 🆕 Issues/PRs that introduce new APIs to the driver.

Projects

None yet

Milestone

5.0.0-preview1

Development

Successfully merging this pull request may close these issues.

6 participants

@johnnypham @DavoudEshtehari @David-Engel @JRahnama @Kaur-Parminder @lcheunglci