From da3a7983140277e06ee188d1f384c8f944087273 Mon Sep 17 00:00:00 2001 From: Carlos Segarra Date: Sun, 7 Dec 2025 23:41:51 +0000 Subject: [PATCH 1/5] [ci] B: Fix SNP Bare Metal Test --- .github/workflows/snp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snp.yml b/.github/workflows/snp.yml index 6050f9d..e126407 100644 --- a/.github/workflows/snp.yml +++ b/.github/workflows/snp.yml @@ -44,7 +44,7 @@ jobs: # Build SNP applications and embed the attestation service's certificate. - name: "Build SNP applications" - run: ./scripts/accli_wrapper.sh applications build --clean --as-cert-dir ./certs/cert.pem --in-cvm + run: ./scripts/accli_wrapper.sh applications build --clean --as-cert-dir ./certs --in-cvm - name: "Run supported SNP applications" run: | From 4860c10c7e5c9597ab22275b5b8e716d31281bd3 Mon Sep 17 00:00:00 2001 From: Carlos Segarra Date: Mon, 8 Dec 2025 10:18:29 +0000 Subject: [PATCH 2/5] [accli] B: Fix SCP-Logic In Apps --- accli/src/tasks/applications.rs | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/accli/src/tasks/applications.rs b/accli/src/tasks/applications.rs index a05bac7..0d1c14e 100644 --- a/accli/src/tasks/applications.rs +++ b/accli/src/tasks/applications.rs @@ -7,6 +7,7 @@ use clap::ValueEnum; use log::error; use std::{ fmt::{Display, Formatter, Result as FmtResult}, + fs, path::{Path, PathBuf}, str::FromStr, }; @@ -163,7 +164,17 @@ impl Applications { if let Some(host_cert_dir) = as_cert_dir { let guest_cert_dir = host_cert_dir_to_target_path(&host_cert_dir, &ApplicationBackend::Cvm)?; - scp_files.push((host_cert_dir, guest_cert_dir.clone())); + for entry in fs::read_dir(&host_cert_dir)? { + let entry = entry?; + let file_type = entry.file_type()?; + if !file_type.is_file() { + anyhow::bail!( + "certificate directory may only contain files (found: {})", + entry.path().display() + ); + } + scp_files.push((entry.path(), guest_cert_dir.join(entry.file_name()))); + } cmd.push("--as-cert-dir".to_string()); cmd.push(guest_cert_dir.display().to_string()); From 387351c3869c19cfdee0feba91165c6077e0d22c Mon Sep 17 00:00:00 2001 From: Carlos Segarra Date: Mon, 15 Dec 2025 09:39:54 +0000 Subject: [PATCH 3/5] [experiments] E: Few Tweaks --- accli/src/tasks/experiments/plot.rs | 53 ++-- accli/src/tasks/experiments/profile.rs | 77 +++++- experiments/README.md | 48 ++++ experiments/escrow-cost/plots/escrow-cost.svg | 2 +- .../policy-decryption/data/conjunction.csv | 240 +++++++++--------- .../data/disjunction-single-authority.csv | 121 +++++++++ .../policy-decryption/data/disjunction.csv | 240 +++++++++--------- .../plots/policy-decryption-decrypt.svg | 39 ++- .../plots/policy-decryption-encrypt.svg | 57 ++++- .../secret-release-breakdown/README.md | 33 +++ 10 files changed, 632 insertions(+), 278 deletions(-) create mode 100644 experiments/README.md create mode 100644 experiments/policy-decryption/data/disjunction-single-authority.csv create mode 100644 experiments/secret-release-breakdown/README.md diff --git a/accli/src/tasks/experiments/plot.rs b/accli/src/tasks/experiments/plot.rs index 53c4c63..b1fe1b2 100644 --- a/accli/src/tasks/experiments/plot.rs +++ b/accli/src/tasks/experiments/plot.rs @@ -11,7 +11,7 @@ use crate::{ use anyhow::Result; use csv::ReaderBuilder; use log::{debug, error, info}; -use plotters::prelude::*; +use plotters::{element::DashedPathElement, prelude::*}; use serde::Deserialize; use std::{ collections::BTreeMap, @@ -1378,7 +1378,7 @@ fn plot_escrow_cost() { )) .unwrap(); root.draw(&Text::new( - "# of users ", + "# of tenants", (120, 280), ("sans-serif", FONT_SIZE).into_font().color(&BLACK), )) @@ -1564,6 +1564,7 @@ fn plot_policy_decryption(data_files: &Vec) -> Result<()> { enum PolicyShape { Conjunction, Disjunction, + DisjunctionSingleAuthority, } impl PolicyShape { @@ -1572,6 +1573,7 @@ fn plot_policy_decryption(data_files: &Vec) -> Result<()> { match stem { "conjunction" => Some(Self::Conjunction), "disjunction" => Some(Self::Disjunction), + "disjunction-single-authority" => Some(Self::DisjunctionSingleAuthority), _ => None, } } @@ -1580,15 +1582,22 @@ fn plot_policy_decryption(data_files: &Vec) -> Result<()> { match self { Self::Conjunction => "all conjunction policy", Self::Disjunction => "all disjunction policy", + Self::DisjunctionSingleAuthority => "all disjunction policy (single authority)", } } fn color(&self) -> Result { match self { Self::Conjunction => get_color_from_label("dark-red"), - Self::Disjunction => get_color_from_label("dark-blue"), + Self::Disjunction | Self::DisjunctionSingleAuthority => { + get_color_from_label("dark-blue") + } } } + + fn is_dashed(&self) -> bool { + matches!(self, Self::DisjunctionSingleAuthority) + } } let mut agg: BTreeMap> = BTreeMap::new(); @@ -1695,23 +1704,31 @@ fn plot_policy_decryption(data_files: &Vec) -> Result<()> { ))?; for (shape, rows) in data { - let series = rows.iter().map(|(x, vals)| (*x as i32, selector(vals))); + let series: Vec<(i32, f64)> = rows + .iter() + .map(|(x, vals)| (*x as i32, selector(vals))) + .collect(); - // Draw line. - chart.draw_series(LineSeries::new( - series, - shape.color()?.stroke_width(STROKE_WIDTH), - ))?; + if shape.is_dashed() { + chart.draw_series(std::iter::once(DashedPathElement::new( + series.clone().into_iter(), + 5, + 5, + shape.color()?.stroke_width(STROKE_WIDTH), + )))?; + } else { + chart.draw_series(LineSeries::new( + series.clone(), + shape.color()?.stroke_width(STROKE_WIDTH), + ))?; + } - // Draw points on line. chart - .draw_series(rows.iter().map(|(x, vals)| { - Circle::new( - (*x as i32, selector(vals)), - 5, - shape.color().unwrap().filled(), - ) - })) + .draw_series( + series + .iter() + .map(|(x, y)| Circle::new((*x, *y), 5, shape.color().unwrap().filled())), + ) .unwrap(); } @@ -1731,7 +1748,7 @@ fn plot_policy_decryption(data_files: &Vec) -> Result<()> { )) .unwrap(); - // legend as color box + text. + // legend as colored box + text let x_pos = 100; let y_pos = 5; let square_side = 20; diff --git a/accli/src/tasks/experiments/profile.rs b/accli/src/tasks/experiments/profile.rs index 9b68093..23c8f6a 100644 --- a/accli/src/tasks/experiments/profile.rs +++ b/accli/src/tasks/experiments/profile.rs @@ -12,6 +12,7 @@ use clap::Args; use csv::Writer; use indicatif::{ProgressBar, ProgressStyle}; use log::{error, info}; +use rand::{seq::SliceRandom, thread_rng}; use std::{ fs::{self, File}, path::PathBuf, @@ -48,6 +49,21 @@ impl PolicyShape { } } +#[derive(Clone, Copy)] +enum AttributeFlavor { + AllAuthorities, + SingleAuthorityOnly, +} + +impl AttributeFlavor { + fn file_suffix(&self) -> &'static str { + match self { + AttributeFlavor::AllAuthorities => "", + AttributeFlavor::SingleAuthorityOnly => "-single-authority", + } + } +} + #[derive(serde::Serialize)] struct Record { #[serde(rename = "NumAuthorities")] @@ -64,12 +80,29 @@ fn build_authorities(num: usize) -> Vec { (0..num).map(|idx| format!("as{idx:02}")).collect() } -fn build_user_attributes(authorities: &[String]) -> Result> { +fn build_user_attributes( + authorities: &[String], + flavor: AttributeFlavor, +) -> Result> { let mut user_attrs = Vec::new(); - for auth in authorities { - user_attrs.push(UserAttribute::parse(&format!("{auth}.wf:{WORKFLOW_ID}"))?); - user_attrs.push(UserAttribute::parse(&format!("{auth}.node:{NODE_ID}"))?); - } + match flavor { + AttributeFlavor::AllAuthorities => { + for auth in authorities { + user_attrs.push(UserAttribute::parse(&format!("{auth}.wf:{WORKFLOW_ID}"))?); + user_attrs.push(UserAttribute::parse(&format!("{auth}.node:{NODE_ID}"))?); + } + } + AttributeFlavor::SingleAuthorityOnly => { + // Pick an attribute at random. + let mut rng = thread_rng(); + if let Some(auth) = authorities.choose(&mut rng) { + user_attrs.push(UserAttribute::parse(&format!("{auth}.wf:{WORKFLOW_ID}"))?); + user_attrs.push(UserAttribute::parse(&format!("{auth}.node:{NODE_ID}"))?); + } else { + anyhow::bail!("cannot build user attributes without authorities"); + }; + } + }; Ok(user_attrs) } @@ -119,12 +152,40 @@ fn measure_single_run( } fn run_shape(shape: PolicyShape, args: &ProfileRunArgs) -> Result<()> { + // Skip unsupported combinations. + if matches!(shape, PolicyShape::Conjunction) { + return run_shape_with_flavor(shape, AttributeFlavor::AllAuthorities, args); + } + run_shape_with_flavor(shape, AttributeFlavor::AllAuthorities, args)?; + run_shape_with_flavor(shape, AttributeFlavor::SingleAuthorityOnly, args) +} + +fn run_shape_with_flavor( + shape: PolicyShape, + flavor: AttributeFlavor, + args: &ProfileRunArgs, +) -> Result<()> { + if matches!( + (shape, flavor), + ( + PolicyShape::Conjunction, + AttributeFlavor::SingleAuthorityOnly + ) + ) { + info!("Skipping single-authority flavour for conjunction policy"); + return Ok(()); + } + let data_dir = ensure_data_dir()?; let mut csv_path = data_dir; - csv_path.push(format!("{}.csv", shape.file_stem())); + csv_path.push(format!("{}{}.csv", shape.file_stem(), flavor.file_suffix())); let mut writer = Writer::from_writer(File::create(csv_path)?); let total_iters = (POLICY_SIZES.len() as u64) * (args.num_warmup_runs + args.num_runs) as u64; - let pb = ProgressBar::new(total_iters).with_message(shape.file_stem()); + let pb = ProgressBar::new(total_iters).with_message(format!( + "{}{}", + shape.file_stem(), + flavor.file_suffix() + )); pb.set_style( ProgressStyle::with_template("{msg} [{bar:40.cyan/blue}] {pos}/{len}") .unwrap() @@ -133,7 +194,7 @@ fn run_shape(shape: PolicyShape, args: &ProfileRunArgs) -> Result<()> { for &num_auth in POLICY_SIZES { let authorities = build_authorities(num_auth); - let user_attrs = build_user_attributes(&authorities)?; + let user_attrs = build_user_attributes(&authorities, flavor)?; let auths_ref: Vec<&str> = authorities.iter().map(|s| s.as_str()).collect(); let mut rng = StdRng::seed_from_u64(1337 + num_auth as u64); diff --git a/experiments/README.md b/experiments/README.md new file mode 100644 index 0000000..c931cf3 --- /dev/null +++ b/experiments/README.md @@ -0,0 +1,48 @@ +# Accless Experiments + +Figure 5: +- 5.a: [Escrow Throughput-Latency](./escrow-xput/README.md) - FINISH ME +- 5.a: [Escrow Cost](./escrow-cost/README.md) - FINISH ME +Table 4: [Attribute Minting Latency Breakdown](./secret-release-breakdown/README.md) + +List of experiment claims -> Experiment that validates them: +C1. Accless is cheaper than centralized escrow -> E1 +C2. Accless has better throughput-latency than centralized escrow -> E1 +C3. Accless has better throughput-latency than single-authority CP-ABE -> E1 + FIXME: this is not true. what if we increase the size of the VM running the single-auth system? +C4. The size of the policy does not affect decryption time. +C5. The attribute minting protocol introduces negligible overhead compared to ?? +C6. The attribute minting protocol introduces negligible overhead compared to cold-start time. +C7. Accless introduces negligible overhead in the end-to-end execution of workflows. + +List of experiments: +E1. Throughput-latency of different access control mechanisms. +E2. Micro-benchmark of decryption time as we increase the number of attestation services. (also include encryption time and the corresponding CP-ABE operations like keygen) (needs I6) +E3. Access control breakdown (time to "decrypt" payload) +E4. Cold-start breakdown + +Big implementation tasks: +I1. Verify azure cVM reports -> Done +I2. Actually implement the user-side encryption of data from template graph +I3. Run SGX functions from accli +I4. Embed accless checks in S3 library +I5. Support running with multiple replicated attestation-services -> Done +I6. Implement CP-ABE hybrid scheme. + +Order: +- Escrow-xput: + - Use as opportunity to fix SNP HW mode + - Use as opportunity to try to run SNP bare-metal stuff from `accli`. + - Use as an opportunity to fix SNP in a para-virtualized VM + - If we could get rid of the annoyint azguestattestaion crate that would be perfect, and vendor in the code. +- Breakdown table: + - Compile to native and cross-compile to WASM + - Use as opportunity to fix SGX HW mode + - Use as opportunity to try to run WASM functions through Faasm in the `accli`. + - SNP breakdown could be run either para-virtualized or bare metal. +- Cold start CDF: + - Use as opportunity to close the loop in generating template graph and uploading encrypted dta +- Chaining ubench + - Use as opportunity to close the loop on the chainig protocol w/ CP-ABE +- Workflows + - Move workflows to `./applications` diff --git a/experiments/escrow-cost/plots/escrow-cost.svg b/experiments/escrow-cost/plots/escrow-cost.svg index 5e4034d..af87250 100644 --- a/experiments/escrow-cost/plots/escrow-cost.svg +++ b/experiments/escrow-cost/plots/escrow-cost.svg @@ -116,7 +116,7 @@ Latency [ms] -# of users +# of tenants Op. Cost [$/month] diff --git a/experiments/policy-decryption/data/conjunction.csv b/experiments/policy-decryption/data/conjunction.csv index 979dac2..0fea0e0 100644 --- a/experiments/policy-decryption/data/conjunction.csv +++ b/experiments/policy-decryption/data/conjunction.csv @@ -1,121 +1,121 @@ NumAuthorities,Run,EncryptMs,DecryptMs -1,0,10.295616,6.7347850000000005 -1,1,10.164797,6.723604 -1,2,10.219607,6.727094999999999 -1,3,10.135097,6.724614 -1,4,9.974817,6.718335 -1,5,10.168216000000001,6.729765 -1,6,10.210376,6.719385 -1,7,10.102896999999999,6.718484 -1,8,10.073628,6.720674000000001 -1,9,10.144457000000001,6.734095 -1,10,10.214766000000001,6.736605 -1,11,10.189496,6.726135 -1,12,10.090127,6.732424 -1,13,10.210637,6.730574 -1,14,10.049908,6.719044 -1,15,10.196467,6.748784 -1,16,10.194837,6.724795 -1,17,10.014437,6.715984000000001 -1,18,10.101617000000001,6.7329039999999996 -1,19,10.050127000000002,6.732405 -2,0,17.012681,8.060830999999999 -2,1,16.768901999999997,8.067431 -2,2,16.937262,8.070191000000001 -2,3,16.958541,8.061662 -2,4,16.629701999999998,8.078011 -2,5,16.808291999999998,8.082321 -2,6,16.779122,8.064122 -2,7,17.14685,8.085682 -2,8,16.986141,8.073311 -2,9,16.977601,8.067182 -2,10,16.711872,8.067301 -2,11,17.064201,8.070542 -2,12,17.002921,8.062871 -2,13,17.106890999999997,8.074512 -2,14,16.844071,8.063652 -2,15,17.25877,8.068901 -2,16,16.876242,8.058941 -2,17,16.925141,8.080752 -2,18,16.938702,8.058291 -2,19,16.751062,8.071010999999999 -4,0,30.063302,10.740235 -4,1,30.563779999999998,10.729235000000001 -4,2,30.063302,10.736615 -4,3,30.278831,10.732555 -4,4,30.003881,10.740125999999998 -4,5,30.038001,10.742455 -4,6,30.991149,10.738416 -4,7,29.942491,10.733456 -4,8,30.26421,10.749616 -4,9,29.884371,10.749405999999999 -4,10,30.092441,10.744355 -4,11,29.813622000000002,10.755125000000001 -4,12,30.541951,10.741795 -4,13,30.683259,10.749916 -4,14,30.60642,10.754395 -4,15,30.897619000000002,10.752085999999998 -4,16,30.916869,10.740744999999999 -4,17,30.541671,10.746085 -4,18,30.39506,10.744695 -4,19,30.102552000000003,10.743495000000001 -8,0,57.349059000000004,16.084803 -8,1,55.835522,16.090033000000002 -8,2,56.556981,16.087253 -8,3,57.605379,16.109563 -8,4,58.170276,16.100754 -8,5,58.112246,16.111003 -8,6,56.989079999999994,16.098153 -8,7,56.567240999999996,16.095733000000003 -8,8,57.244398000000004,16.082404 -8,9,57.385028,16.085603 -8,10,58.218477,16.099902999999998 -8,11,57.358939,16.081802999999997 -8,12,57.981887,16.077932999999998 -8,13,57.364329,16.089623 -8,14,57.14905,16.099982999999998 -8,15,57.045889,16.089524 -8,16,56.188382000000004,16.085573 -8,17,57.257509,16.087843 -8,18,57.191129000000004,16.080372999999998 -8,19,57.077859000000004,16.099373 -12,0,85.019285,21.420571 -12,1,83.844678,21.406221 -12,2,84.584496,21.405680999999998 -12,3,84.093408,21.432291 -12,4,85.42332499999999,21.425791 -12,5,84.366127,21.416091 -12,6,82.94523,21.436121 -12,7,84.488016,21.468811000000002 -12,8,83.888608,21.419561 -12,9,84.083397,21.554961000000002 -12,10,85.37246499999999,21.47578 -12,11,85.084586,21.42151 -12,12,83.43490000000001,21.40957 -12,13,84.089528,21.408390999999998 -12,14,84.456957,21.42384 -12,15,85.077486,21.4286 -12,16,85.079906,21.454280999999998 -12,17,84.176158,21.401361 -12,18,83.940058,21.412891 -12,19,85.795264,21.418150999999998 -16,0,111.963183,26.762009 -16,1,110.211848,26.794728 -16,2,112.726702,26.786238 -16,3,111.159606,26.765579000000002 -16,4,110.906176,26.752619 -16,5,111.33185499999999,26.758058000000002 -16,6,108.973571,26.768528 -16,7,111.128476,26.755019 -16,8,110.217647,26.753909 -16,9,113.126481,26.760879000000003 -16,10,111.072315,26.779819 -16,11,112.449912,26.772269 -16,12,112.391613,26.766629000000002 -16,13,111.935863,26.754809 -16,14,112.443962,26.766538999999998 -16,15,111.442855,26.783088 -16,16,110.621437,26.814989 -16,17,108.106912,26.760099 -16,18,110.449877,26.783538999999998 -16,19,111.696774,26.772288000000003 +1,0,10.197832,6.715923 +1,1,10.069333,6.707582 +1,2,10.121993,6.709372 +1,3,10.004483,6.711602 +1,4,9.867643000000001,6.728092 +1,5,10.079253,6.724992 +1,6,10.115443,6.7247319999999995 +1,7,9.996924,6.728212 +1,8,9.966483,6.7180219999999995 +1,9,10.049263,6.7164019999999995 +1,10,10.114793,6.719022 +1,11,10.103383000000001,6.709022 +1,12,10.004223,6.716522 +1,13,10.100263,6.713432 +1,14,9.958063,6.710462000000001 +1,15,10.083543,6.719212 +1,16,10.085433,6.715762 +1,17,9.920303,6.715522 +1,18,9.990433,6.712432 +1,19,9.956514,6.716461 +2,0,16.882344,8.064989 +2,1,16.631905,8.042818 +2,2,16.780756,8.056198 +2,3,16.752395,8.060808 +2,4,16.486666,8.065998 +2,5,16.676916,8.047728000000001 +2,6,16.661535,8.042608999999999 +2,7,17.034523999999998,8.043439 +2,8,16.844944,8.050939 +2,9,16.850265,8.048648 +2,10,16.585145,8.046609 +2,11,16.931624,8.048549 +2,12,16.993984,8.276788 +2,13,16.981834000000003,8.052359000000001 +2,14,16.732525000000003,8.045128 +2,15,17.101705,8.059368000000001 +2,16,16.710385000000002,8.043889 +2,17,16.799844,8.045299 +2,18,16.800115,8.051048 +2,19,16.486396,8.051067999999999 +4,0,29.84287,10.715311 +4,1,30.336828,10.712361999999999 +4,2,29.89524,10.730001 +4,3,30.076609,10.725021 +4,4,29.781981,10.74505 +4,5,29.794470999999998,10.726230999999999 +4,6,30.786067,10.727032 +4,7,29.731201,11.01517 +4,8,30.054188999999997,10.733472 +4,9,29.642519999999998,10.721432 +4,10,29.896631,10.736771000000001 +4,11,29.62784,10.713090999999999 +4,12,30.310139,10.719011 +4,13,30.490728,10.732092 +4,14,30.407968,10.725172 +4,15,30.217589,10.717762 +4,16,30.698327000000003,10.724822 +4,17,30.369937999999998,10.733830999999999 +4,18,30.165478999999998,10.725741000000001 +4,19,29.86131,10.722710999999999 +8,0,56.961667,16.324857 +8,1,55.83847,16.110547 +8,2,56.084878999999994,16.071728 +8,3,57.280047,16.084726 +8,4,57.805745,16.098027000000002 +8,5,57.587946,16.074837000000002 +8,6,56.516298,16.068956999999997 +8,7,56.183999,16.077107 +8,8,56.915568,16.109367 +8,9,57.016016,16.059587 +8,10,57.79707500000001,16.069967000000002 +8,11,56.954507,16.077547000000003 +8,12,57.597266,16.066567 +8,13,56.973377,16.069137 +8,14,56.845718000000005,16.105536 +8,15,56.634328,16.084616999999998 +8,16,55.799901,16.055736 +8,17,56.936718,16.076907000000002 +8,18,56.819317,16.073687 +8,19,56.677178000000005,16.074057 +12,0,84.218165,21.393662 +12,1,83.29507699999999,21.409232 +12,2,84.35160499999999,21.391732 +12,3,83.517596,21.402763 +12,4,84.845872,21.401543 +12,5,83.943815,21.439842000000002 +12,6,82.43826899999999,21.427453 +12,7,83.89972499999999,21.394582 +12,8,83.346177,21.418822000000002 +12,9,83.521447,21.428852000000003 +12,10,84.339014,21.414422 +12,11,84.52704399999999,21.402022 +12,12,83.067998,21.404202 +12,13,82.34809899999999,21.396593 +12,14,83.904555,21.404712999999997 +12,15,84.56900300000001,21.428613 +12,16,84.575104,21.405072 +12,17,83.540386,21.405343000000002 +12,18,83.396516,21.413483 +12,19,84.850142,21.400793 +16,0,111.280432,26.753698 +16,1,109.480987,26.733078 +16,2,112.261749,26.756698999999998 +16,3,110.48701299999999,26.740529 +16,4,110.141124,26.727949000000002 +16,5,110.597423,26.737618 +16,6,108.20401,26.736539 +16,7,110.435963,26.751449 +16,8,109.33527699999999,26.753428 +16,9,112.286649,27.030137999999997 +16,10,110.643664,26.725068 +16,11,111.674791,26.736598 +16,12,111.77167,26.787339 +16,13,111.199202,26.726198 +16,14,111.68169999999999,26.753389 +16,15,110.293574,26.756838000000002 +16,16,109.907086,26.751628 +16,17,107.605942,26.748738 +16,18,109.706206,26.735298 +16,19,111.00708300000001,26.759178000000002 diff --git a/experiments/policy-decryption/data/disjunction-single-authority.csv b/experiments/policy-decryption/data/disjunction-single-authority.csv new file mode 100644 index 0000000..a1b7c57 --- /dev/null +++ b/experiments/policy-decryption/data/disjunction-single-authority.csv @@ -0,0 +1,121 @@ +NumAuthorities,Run,EncryptMs,DecryptMs +1,0,10.190153,6.722842 +1,1,10.076823000000001,6.717712 +1,2,10.114133,6.720582 +1,3,10.002263000000001,6.725242000000001 +1,4,9.873593999999999,6.725262 +1,5,10.068152,6.738092 +1,6,10.123273000000001,6.7277819999999995 +1,7,10.001464,6.726962 +1,8,9.978903,6.716452 +1,9,10.089813,6.721371 +1,10,10.113183,6.7176919999999996 +1,11,10.129203,6.718542 +1,12,9.996944000000001,6.722742 +1,13,10.109511999999999,6.712442 +1,14,9.954673000000001,6.719773 +1,15,10.103081999999999,6.712633 +1,16,10.101602,6.716303 +1,17,9.941023,6.719392 +1,18,9.978114,6.720872 +1,19,9.956102999999999,6.724862 +2,0,16.684276,6.712162 +2,1,16.749745,6.718072 +2,2,17.125264,6.718921999999999 +2,3,16.911505000000002,6.718781 +2,4,16.769876,6.716881 +2,5,16.895995,6.715482 +2,6,17.058775,6.707562 +2,7,16.883433999999998,6.716142 +2,8,16.670316,6.718502 +2,9,16.627935,6.710362 +2,10,16.746085,6.724302 +2,11,16.710065,6.718052 +2,12,16.732656,6.716082 +2,13,16.663726,6.712491999999999 +2,14,16.785795,6.717932 +2,15,17.067324,6.716582 +2,16,16.726896,6.707381 +2,17,16.738965,6.7089929999999995 +2,18,16.794975,6.723922 +2,19,16.527975,6.721282 +4,0,30.02006,6.721732 +4,1,30.510658,6.732602 +4,2,30.357408,6.722733 +4,3,29.909129999999998,6.729431999999999 +4,4,30.546548,6.756372 +4,5,30.579048,6.730252 +4,6,29.76794,6.720961999999999 +4,7,30.10054,6.7296320000000005 +4,8,29.939899,6.723672 +4,9,29.841199999999997,6.726882 +4,10,30.434679,6.739152 +4,11,29.980279,6.7171330000000005 +4,12,30.165680000000002,6.726731 +4,13,29.93461,6.732842 +4,14,30.195329,6.737162 +4,15,29.74354,6.728972 +4,16,30.282659,6.727282000000001 +4,17,30.541608,6.735662 +4,18,30.316409,6.732272 +4,19,29.83687,6.726612 +8,0,57.324056999999996,6.748452 +8,1,56.476999,6.761031 +8,2,57.142827,6.742962 +8,3,57.184097,6.768622000000001 +8,4,57.616776,6.880081 +8,5,57.333636,6.744252 +8,6,55.97853,6.742112 +8,7,57.601576,6.747892 +8,8,56.47614900000001,6.745451 +8,9,56.388249,6.750062000000001 +8,10,56.569519,6.753922 +8,11,56.988026999999995,6.747091999999999 +8,12,56.807247,6.751742 +8,13,57.290597,6.754602 +8,14,56.940816999999996,6.745032 +8,15,56.278228999999996,6.742252 +8,16,55.767329999999994,6.751453 +8,17,57.758386,6.745492 +8,18,56.673258,6.748032 +8,19,57.735025,6.7462420000000005 +12,0,83.098017,6.762512 +12,1,83.412656,6.761132000000001 +12,2,84.563784,6.765701 +12,3,82.44501,6.7767219999999995 +12,4,81.723021,6.767991 +12,5,83.995045,6.759452 +12,6,83.702096,6.7572719999999995 +12,7,83.052347,6.7488019999999995 +12,8,84.17650499999999,6.766332 +12,9,82.605549,6.768072 +12,10,83.14191699999999,6.762982 +12,11,83.683196,6.765892 +12,12,84.52467299999999,6.769562 +12,13,83.872366,6.779541 +12,14,82.703589,6.790441 +12,15,84.35163499999999,6.758241 +12,16,82.967438,6.775992 +12,17,84.520054,6.756011 +12,18,84.09896499999999,6.755512 +12,19,81.798721,6.758032 +16,0,113.854215,6.784592 +16,1,109.576186,6.790942 +16,2,110.98543199999999,6.801142 +16,3,110.734664,6.778012 +16,4,109.634566,6.794292 +16,5,110.773813,6.774812 +16,6,110.677104,6.779342 +16,7,111.369962,6.767002000000001 +16,8,109.817755,6.781542 +16,9,110.65625399999999,6.775682 +16,10,111.68648,6.780712 +16,11,112.33999899999999,6.771222000000001 +16,12,111.664181,6.777512000000001 +16,13,111.325332,6.776601 +16,14,109.553017,6.790652000000001 +16,15,111.600641,6.766332 +16,16,110.361274,6.770402 +16,17,110.743573,6.977551999999999 +16,18,113.25827600000001,6.782462000000001 +16,19,111.96985,6.790782 diff --git a/experiments/policy-decryption/data/disjunction.csv b/experiments/policy-decryption/data/disjunction.csv index 32a369a..039b7d2 100644 --- a/experiments/policy-decryption/data/disjunction.csv +++ b/experiments/policy-decryption/data/disjunction.csv @@ -1,121 +1,121 @@ NumAuthorities,Run,EncryptMs,DecryptMs -1,0,10.272066,6.761035000000001 -1,1,10.173216,6.732545 -1,2,10.224046000000001,6.740925 -1,3,10.111397,6.727904 -1,4,9.961828,6.743544 -1,5,10.156777,6.7359849999999994 -1,6,10.231577,6.725175 -1,7,10.114896,6.720645 -1,8,10.081866999999999,6.728574 -1,9,10.145316999999999,6.726405000000001 -1,10,10.231297,6.718965000000001 -1,11,10.200167,6.714644 -1,12,10.107407,6.725835 -1,13,10.220246000000001,6.730725 -1,14,10.044987,6.734064 -1,15,10.221786999999999,6.720674000000001 -1,16,10.207177,6.727964 -1,17,10.006137,6.7972850000000005 -1,18,10.377636,6.731644999999999 -1,19,10.075327,6.724654 -2,0,16.947771,6.729905 -2,1,16.895421000000002,6.737324 -2,2,16.938181,6.744955 -2,3,16.964552,6.755204 -2,4,16.768852000000003,6.743863999999999 -2,5,16.905611,6.747665 -2,6,16.812141,6.730575 -2,7,17.082811,6.763344 -2,8,16.954832,6.755674 -2,9,16.966500999999997,6.730315 -2,10,16.715421000000003,6.727835 -2,11,17.033101,6.732394 -2,12,17.005080999999997,6.730185 -2,13,16.974571,6.728365 -2,14,16.910831,6.728235 -2,15,17.175079999999998,6.745064999999999 -2,16,16.878211,6.727365 -2,17,16.837090999999997,6.744114 -2,18,16.926552,6.735035 -2,19,16.665121000000003,6.737735 -4,0,30.074621,6.749034999999999 -4,1,30.740469,6.7470550000000005 -4,2,30.205111,6.7451550000000005 -4,3,30.582239,6.743435 -4,4,30.073560999999998,6.749683999999999 -4,5,30.047032,6.754215 -4,6,31.157909,6.746045 -4,7,29.864392,6.754194 -4,8,30.186831,6.749535 -4,9,29.851952,6.758084 -4,10,29.926610999999998,6.735125 -4,11,29.944521,6.752885 -4,12,30.449360000000002,6.749325 -4,13,30.51775,6.753534 -4,14,30.61776,6.749245 -4,15,30.51537,6.7523349999999995 -4,16,30.909948999999997,6.754524 -4,17,30.57205,6.749494 -4,18,30.382321,6.745225 -4,19,30.015941,6.754834000000001 -8,0,57.752048,6.771075 -8,1,55.492302,6.779925 -8,2,56.500911,6.774083999999999 -8,3,57.751257,6.771915 -8,4,58.011796999999994,6.780665 -8,5,57.896246999999995,6.766974 -8,6,56.87707,6.785254999999999 -8,7,56.457350000000005,6.7846649999999995 -8,8,57.363609000000004,6.770685 -8,9,57.310398,6.7757249999999996 -8,10,58.415766,6.788145 -8,11,57.201958,6.775565 -8,12,57.905837,6.791415000000001 -8,13,57.610488000000004,6.770594 -8,14,57.160548999999996,6.770255000000001 -8,15,57.625058,6.772254 -8,16,55.948892,6.771285 -8,17,57.434798,6.7702040000000006 -8,18,57.328299,6.775855 -8,19,56.793959,6.771115 -12,0,84.621156,6.790995000000001 -12,1,83.814168,6.806134 -12,2,85.275975,6.807834 -12,3,83.849609,6.796654 -12,4,85.472014,6.812734 -12,5,84.425627,6.801704000000001 -12,6,83.12306,6.798623999999999 -12,7,84.325307,6.808654 -12,8,84.062468,6.8044139999999995 -12,9,83.87920799999999,6.790845 -12,10,84.979475,6.811224999999999 -12,11,85.098884,6.804514999999999 -12,12,83.400199,6.801134 -12,13,82.868781,6.799434 -12,14,84.480826,6.803713999999999 -12,15,85.095956,6.809344 -12,16,85.147765,6.808565 -12,17,83.971338,6.805004 -12,18,83.782078,6.798645 -12,19,86.490712,6.806594 -16,0,111.825404,6.817944000000001 -16,1,110.613697,6.817474 -16,2,112.553892,6.832165000000001 -16,3,111.461404,6.828195 -16,4,110.50786699999999,6.807904 -16,5,111.670234,6.816095000000001 -16,6,109.276079,6.829934000000001 -16,7,110.983226,6.8558639999999995 -16,8,110.099458,6.812984999999999 -16,9,112.787292,6.817985 -16,10,111.06932599999999,6.828385 -16,11,112.452823,6.813164 -16,12,112.261763,6.816985 -16,13,111.834873,6.826944 -16,14,112.702302,6.832694 -16,15,110.987716,6.814065 -16,16,110.64552599999999,6.822005 -16,17,108.469752,6.829835 -16,18,110.779957,6.819214 -16,19,111.890463,6.839435 +1,0,10.203973,6.721452 +1,1,10.067302999999999,6.717122 +1,2,10.123813,6.726132 +1,3,10.015943,6.711382 +1,4,9.880103,6.713493 +1,5,10.076032,6.741533 +1,6,10.111302,6.732522 +1,7,9.991243,6.727671999999999 +1,8,9.971772999999999,6.723093 +1,9,10.051743,6.714262000000001 +1,10,10.123722,6.720362 +1,11,10.100382999999999,6.717792 +1,12,9.979743,6.717803 +1,13,10.123862,6.710452 +1,14,9.961944,6.713721 +1,15,10.096483,6.717052000000001 +1,16,10.091663,6.721062 +1,17,9.910093999999999,6.720682 +1,18,9.970903,6.709492 +1,19,9.987993000000001,6.718392 +2,0,16.799305,6.722271999999999 +2,1,16.708295000000003,6.717642000000001 +2,2,16.788475000000002,6.721342 +2,3,17.238224,6.938902000000001 +2,4,16.637945000000002,6.704542 +2,5,16.757975000000002,6.725072 +2,6,16.648765,6.720063 +2,7,16.978095,6.706142 +2,8,16.826225,6.703252 +2,9,16.819704,6.717233 +2,10,16.574645,6.7107019999999995 +2,11,16.882465,6.726412 +2,12,16.835695,6.714422 +2,13,16.824845,6.723912 +2,14,16.760665,6.712802 +2,15,17.056894999999997,6.7105619999999995 +2,16,16.731875,6.707961999999999 +2,17,16.715295,6.714391999999999 +2,18,16.805525000000003,6.719872 +2,19,16.528176,6.716672 +4,0,29.842489999999998,6.736602 +4,1,30.520757999999997,6.732672 +4,2,29.98696,6.730091 +4,3,30.217949,6.730912 +4,4,29.894730000000003,6.731492 +4,5,29.85738,6.730722 +4,6,30.923257,6.742312 +4,7,29.655860999999998,6.753851 +4,8,29.99152,6.741472 +4,9,29.586541,6.722982 +4,10,29.84441,6.727072 +4,11,29.71633,6.736322 +4,12,30.224569,6.730932 +4,13,30.300519,6.755510999999999 +4,14,30.404259,6.734132000000001 +4,15,30.293449,6.734782 +4,16,30.657317,6.728472 +4,17,30.313849,6.740272 +4,18,30.149549,6.718902 +4,19,29.77641,6.753952 +8,0,58.080824,6.764962000000001 +8,1,55.129892,6.7605319999999995 +8,2,56.07708,6.765132 +8,3,57.351267,6.763152 +8,4,57.725605,6.7660919999999996 +8,5,57.494526,6.783361 +8,6,56.438539000000006,6.771172 +8,7,56.093919,6.768022 +8,8,56.981098,6.7682020000000005 +8,9,56.975567,6.763732 +8,10,57.976144,6.760981999999999 +8,11,56.850148000000004,6.755442 +8,12,57.535555,6.770542 +8,13,57.204327,6.757772 +8,14,56.807497999999995,6.766472 +8,15,56.850897999999994,6.761452 +8,16,55.59093,6.777952 +8,17,57.077948000000006,6.759722 +8,18,56.951118,6.7545720000000005 +8,19,56.466998999999994,6.772132 +12,0,83.992235,6.788031 +12,1,83.25974699999999,6.786922 +12,2,84.37278400000001,6.790382 +12,3,83.27348699999999,6.780831999999999 +12,4,84.932383,6.785181000000001 +12,5,83.917485,6.7945519999999995 +12,6,82.495829,6.798152 +12,7,83.827965,6.796842 +12,8,83.51631599999999,6.797752 +12,9,83.313797,6.793041 +12,10,84.425984,6.790772 +12,11,84.58887299999999,6.798152 +12,12,82.955657,6.783822 +12,13,82.34587,6.789451000000001 +12,14,83.987745,6.790202000000001 +12,15,84.564713,6.789702 +12,16,84.80655300000001,6.810302 +12,17,83.45662700000001,6.797522000000001 +12,18,83.291216,6.795072 +12,19,84.796503,6.796322 +16,0,111.006193,6.816971 +16,1,109.855166,6.823922 +16,2,111.86488999999999,6.805172 +16,3,110.691133,6.813362 +16,4,109.868835,6.811342 +16,5,110.402574,6.805282 +16,6,108.632069,6.807282 +16,7,110.32370499999999,6.837532 +16,8,109.498307,6.802122 +16,9,112.01992,6.806781 +16,10,110.334935,6.814501 +16,11,111.709051,6.808592 +16,12,111.58059100000001,6.8164419999999994 +16,13,111.070582,6.799472 +16,14,111.681551,6.831671 +16,15,110.27191499999999,6.803542 +16,16,110.523763,6.802282 +16,17,107.69102099999999,6.810332 +16,18,110.14450500000001,6.810612 +16,19,111.201323,6.809912000000001 diff --git a/experiments/policy-decryption/plots/policy-decryption-decrypt.svg b/experiments/policy-decryption/plots/policy-decryption-decrypt.svg index 982f650..90d2881 100644 --- a/experiments/policy-decryption/plots/policy-decryption-decrypt.svg +++ b/experiments/policy-decryption/plots/policy-decryption-decrypt.svg @@ -41,11 +41,11 @@ - + - + @@ -98,6 +98,41 @@ Latency [ms] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/experiments/policy-decryption/plots/policy-decryption-encrypt.svg b/experiments/policy-decryption/plots/policy-decryption-encrypt.svg index c6b00d7..d320600 100644 --- a/experiments/policy-decryption/plots/policy-decryption-encrypt.svg +++ b/experiments/policy-decryption/plots/policy-decryption-encrypt.svg @@ -31,14 +31,14 @@ - + - + @@ -79,19 +79,58 @@ Latency [ms] # of attestation services - + - - - - + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/experiments/secret-release-breakdown/README.md b/experiments/secret-release-breakdown/README.md new file mode 100644 index 0000000..0231f7f --- /dev/null +++ b/experiments/secret-release-breakdown/README.md @@ -0,0 +1,33 @@ +# Attribute-Minting Latency Breakdown + +This experiment breaks down the overhead of each (client-side) operation +involved in the attribute-minting protocol. The results of this experiment are +included in Table 4. + +## SNP (Bare Metal) + +This part assumes you have access to a host with SNP enabled. In that case, +first set-up the cVM image (if you have not before): + +```bash +accli dev cvm setup [--clean] +``` + +then you may start the attestation service locally: + +```bash +accli attestation-service run --certs-dir ./config/attestation-service/certs --force-clean-certs +export AS_CERT_DIR="./config/attestation-service/certs" +``` + +now you can re-build the application inside the cVM, and run it with: + +```bash +accli applications build --clean --as-cert-dir ${AS_CERT_DIR} --in-cvm + +AS_URL=$(accli attestation-service health --url "https://0.0.0.0:8443" --cert-dir ${AS_CERT_DIR} 2>&1 \ + | grep "attestation service is healthy and reachable on:" | awk '{print $NF}') +accli applications run function escrow-xput --as-url ${AS_URL} --as-cert-dir ${AS_CERT_DIR} --in-cvm +``` + +you should see the breakdown results printed to the standard out. From e82dc60df482e1962f25b049f32ca414e638c11c Mon Sep 17 00:00:00 2001 From: Carlos Segarra Date: Mon, 15 Dec 2025 12:50:11 +0000 Subject: [PATCH 4/5] [ci] B: Install APT In Snp Wflow --- .github/workflows/snp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snp.yml b/.github/workflows/snp.yml index e126407..9fd5c6c 100644 --- a/.github/workflows/snp.yml +++ b/.github/workflows/snp.yml @@ -40,7 +40,7 @@ jobs: BRANCH=${GITHUB_REF_NAME} fi ./scripts/accli_wrapper.sh dev cvm run -- \ - "git fetch origin $BRANCH && git checkout $BRANCH && git reset --hard origin/$BRANCH" + "git fetch origin $BRANCH && git checkout $BRANCH && git reset --hard origin/$BRANCH && ./scripts/apt.sh" # Build SNP applications and embed the attestation service's certificate. - name: "Build SNP applications" From 2a90d57ee19bc1c1e0aeafcc191a29464aa84346 Mon Sep 17 00:00:00 2001 From: Carlos Segarra Date: Mon, 15 Dec 2025 14:01:50 +0000 Subject: [PATCH 5/5] [accli] B: Warn When Parsing key.pem --- .github/workflows/snp.yml | 2 +- accli/src/tasks/attestation_service.rs | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/snp.yml b/.github/workflows/snp.yml index 9fd5c6c..f382571 100644 --- a/.github/workflows/snp.yml +++ b/.github/workflows/snp.yml @@ -49,7 +49,7 @@ jobs: - name: "Run supported SNP applications" run: | # First get the external IP so that we can reach the attestation-service from the cVM. - AS_URL=$(./scripts/accli_wrapper.sh attestation-service health --url "https://0.0.0.0:8443" --cert-path ./certs/cert.pem 2>&1 \ + AS_URL=$(./scripts/accli_wrapper.sh attestation-service health --url "https://0.0.0.0:8443" --cert-dir ./certs 2>&1 \ | grep "attestation service is healthy and reachable on:" | awk '{print $NF}') echo "Got AS URL: ${AS_URL}" ./scripts/accli_wrapper.sh applications run function hello-snp --backend cvm -- --as-url ${AS_URL} --as-cert-path ./certs/cert.pem diff --git a/accli/src/tasks/attestation_service.rs b/accli/src/tasks/attestation_service.rs index 74f1ae5..86f6f36 100644 --- a/accli/src/tasks/attestation_service.rs +++ b/accli/src/tasks/attestation_service.rs @@ -1,6 +1,6 @@ use crate::env::Env; use anyhow::{Context, Result}; -use log::info; +use log::{info, warn}; use nix::{ sys::signal::{Signal, kill}, unistd::Pid, @@ -154,7 +154,15 @@ impl AttestationService { let path = entry.path(); if path.is_file() && path.extension().is_some_and(|s| s == "pem") { let cert = fs::read(&path)?; - let cert = reqwest::Certificate::from_pem(&cert)?; + let cert = match reqwest::Certificate::from_pem(&cert) { + Ok(cert) => cert, + Err(e) => { + warn!( + "health(): error parsing certificate PEM file (path={path:?}, error={e:?})" + ); + continue; + } + }; client_builder = client_builder.add_root_certificate(cert); } }