Skip to content

Add support for loading and verifying signed Wasm modules.#147

Merged
PiotrSikora merged 9 commits intoproxy-wasm:masterfrom
PiotrSikora:wasmsign
May 15, 2021
Merged

Add support for loading and verifying signed Wasm modules.#147
PiotrSikora merged 9 commits intoproxy-wasm:masterfrom
PiotrSikora:wasmsign

Conversation

@PiotrSikora
Copy link
Member

@PiotrSikora PiotrSikora commented Apr 6, 2021

Signed-off-by: Piotr Sikora piotrsikora@google.com

@PiotrSikora PiotrSikora requested a review from mathetake as a code owner April 6, 2021 00:57
@PiotrSikora
Copy link
Member Author

PiotrSikora commented Apr 6, 2021

cc @asraa

@mathetake
Copy link
Contributor

mathetake commented Apr 6, 2021
edited
Loading

can this be runtime-agnostic, or is there any V8-specific stuff here?

mathetake
mathetake reviewed Apr 6, 2021
View reviewed changes
Copy link
Contributor

@mathetake mathetake left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would add openssl dependency on proxy-wasm-cpp-host and I see that the logc can be runtime-agnostic by only using getCustomSection, so I would suggest that we move this logic to Envoy side. WDYT?

@mathetake
Copy link
Contributor

mathetake commented Apr 6, 2021

at least I would like to have tests for this feature here.

@PiotrSikora
Copy link
Member Author

PiotrSikora commented Apr 6, 2021

This would add openssl dependency on proxy-wasm-cpp-host

We already have that dependency (in exports, for WASI random).

I see that the logc can be runtime-agnostic by only using getCustomSection

This is indeed runtime-agnostic, and it shoudn't be here.

Unfortunately, we have a lot of code duplication and runtime-agnostic code in runtime-specific implementations. At the very least, all bytecode parsing (getCustomSection, getStrippedSource, buildFunctionNameIndex), logic around precompiled modules and now this signature verification should be extracted to common utils.

Filled: #148

so I would suggest that we move this logic to Envoy side. WDYT?

There is absolutely no reason for this code to live in Envoy, which doesn't operate on the Wasm bytecode.

at least I would like to have tests for this feature here.

Agreed.

Note that this is mostly me "throwing the code over the wall", so that @asraa can use it as a base to implement this feature end-to-end in Envoy (including trusted public key configuration over xDS vs embedded in the binary at build-time as in this PR), so it's not expected to stay this way.

We can also wait until #148 is fixed before merging this.

@mathetake
Copy link
Contributor

mathetake commented Apr 6, 2021

Right. Thanks for clarifying!

asraa
asraa reviewed Apr 9, 2021
View reviewed changes
@asraa asraa mentioned this pull request Apr 9, 2021
Closed
@asraa asraa mentioned this pull request Apr 22, 2021
Open
@PiotrSikora
Add support for loading and verifying signed Wasm modules.
6b830b0 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
Copy link
Member Author

PiotrSikora commented May 12, 2021

can this be runtime-agnostic, or is there any V8-specific stuff here?

Done, PTAL.

@PiotrSikora PiotrSikora requested a review from mathetake May 12, 2021 10:02
@mathetake
Copy link
Contributor

mathetake commented May 13, 2021

Do you mind adding tests? 🙏

@PiotrSikora
Copy link
Member Author

PiotrSikora commented May 13, 2021

Do you mind adding tests? 🙏

I've made tests, but they require a new Rust tool for generating signatures, so I had to split Rust updates into #163, otherwise the PR was dominated by unrelated changes. Once that PR is merged, I'm going to push tests.

@mathetake
Copy link
Contributor

mathetake commented May 13, 2021

Makes sense, thanks! let me have a look at 163.

@mathetake
Copy link
Contributor

mathetake commented May 13, 2021

just merged #163 :)

@PiotrSikora
Merge remote-tracking branch 'origin/master' into PiotrSikora/wasmsign
2ae1229 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
review: add wasmsign tool.
e1ba0f5 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
review: add tests.
3e8a8a7 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
review: change error message.
3f2676d 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
review: use FAIL().
aee99d0 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
Copy link
Member Author

PiotrSikora commented May 14, 2021

@mathetake tests added and passed, PTAL.

@PiotrSikora
review: inline xxd instead of hardcoding the value.
4c997b5 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
mathetake
mathetake reviewed May 15, 2021
View reviewed changes
mathetake
mathetake approved these changes May 15, 2021
View reviewed changes
Copy link
Contributor

@mathetake mathetake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

@PiotrSikora
review: provide an alias for "cargo_bin_wasmsign".
7791594 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
review: use wildcard version.
b7f79bd 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora PiotrSikora merged commit e4042ae into proxy-wasm:master May 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@asraa asraa asraa left review comments

@mathetake mathetake mathetake approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@PiotrSikora @mathetake @asraa