Trust-Quorum: Messages, Config, Crypto (#7859)

This is the initial commit of the "real" trust quorum code as described
in RFD 238. This commit provides some of the foundation needed to
implement the trust quorum reconfiguration protocol.

The protocol itself will be implemented in a `Node` type in a
[sans-io](https://sans-io.readthedocs.io/) style with property based
tests for the full protocol, similar to LRTQ. Async code will utilize
the protocol and forward messages over sprockets channels, and handle
requests from Nexus.

This initial code was split out to keep the PR small, although it has
been used in some preliminary protocol code already that will come in a
follow up PR.

---------

Co-authored-by: Rain <[email protected]>

Author: andrewjstone

Cargo.lock

@@ -131,6 +131,7 @@ members = [
     "sled-storage",
     "sp-sim",
     "test-utils",
+    "trust-quorum",
     "trust-quorum/gfss",
     "typed-rng",
     "update-common",
@@ -279,6 +280,7 @@ default-members = [
     "sled-hardware/types",
     "sled-storage",
     "sp-sim",
+    "trust-quorum",
     "trust-quorum/gfss",
     "test-utils",
     "typed-rng",
@@ -401,6 +403,7 @@ dev-tools-common = { path = "dev-tools/common" }
 # Having the i-implement-... feature here makes diesel go away from the workspace-hack
 diesel = { version = "2.2.9", features = ["i-implement-a-third-party-backend-and-opt-into-breaking-changes", "postgres", "r2d2", "chrono", "serde_json", "network-address", "uuid"] }
 diesel-dtrace = "0.4.2"
+digest = "0.10.7"
 dns-server = { path = "dns-server" }
 dns-server-api = { path = "dns-server-api" }
 dns-service-client = { path = "clients/dns-service-client" }
@@ -435,6 +438,7 @@ gateway-sp-comms = { git = "https://github.com/oxidecomputer/management-gateway-
 gateway-test-utils = { path = "gateway-test-utils" }
 gateway-types = { path = "gateway-types" }
 gethostname = "0.5.0"
+gfss = { path = "trust-quorum/gfss" }
 glob = "0.3.2"
 guppy = "0.17.17"
 headers = "0.4.0"
@@ -679,7 +683,7 @@ static_assertions = "1.1.0"
 steno = "0.4.1"
 strum = { version = "0.26", features = [ "derive" ] }
 subprocess = "0.2.9"
-subtle = "2.6"
+subtle = "2.6.1"
 supports-color = "3.0.2"
 swrite = "0.1.0"
 sync-ptr = "0.1.1"

Cargo.toml

@@ -0,0 +1,36 @@
+[package]
+name = "trust-quorum"
+version = "0.1.0"
+edition = "2021"
+license = "MPL-2.0"
+
+[lints]
+workspace = true
+
+[dependencies]
+bcs.workspace = true
+bootstore.workspace = true
+camino.workspace = true
+chacha20poly1305.workspace = true
+derive_more.workspace = true
+gfss.workspace = true
+hex.workspace = true
+hkdf.workspace = true
+rand = { workspace = true, features = ["getrandom"] }
+secrecy.workspace = true
+serde.workspace = true
+serde_with.workspace = true
+sha3.workspace = true
+slog.workspace = true
+slog-error-chain.workspace = true
+subtle.workspace = true
+thiserror.workspace = true
+tokio.workspace = true
+uuid.workspace = true
+omicron-uuid-kinds.workspace = true
+zeroize.workspace = true
+omicron-workspace-hack.workspace = true
+
+[dev-dependencies]
+proptest.workspace = true
+test-strategy.workspace = true

trust-quorum/Cargo.toml

@@ -9,8 +9,10 @@ license = "MPL-2.0"
 workspace = true
 
 [dependencies]
+digest.workspace = true
 rand = { workspace = true, features = ["getrandom"] }
 secrecy.workspace = true
+serde.workspace = true
 subtle.workspace = true
 thiserror.workspace = true
 zeroize.workspace = true

trust-quorum/gfss/Cargo.toml

@@ -26,6 +26,7 @@ use core::fmt::{self, Binary, Display, Formatter, LowerHex, UpperHex};
 use core::ops::{Add, AddAssign, Div, Mul, MulAssign, Sub};
 use rand::Rng;
 use rand::distributions::{Distribution, Standard};
+use serde::{Deserialize, Serialize};
 use subtle::ConstantTimeEq;
 use zeroize::Zeroize;
 
@@ -34,9 +35,15 @@ use zeroize::Zeroize;
 /// We explicitly don't enable the equality operators to prevent ourselves from
 /// accidentally using those instead of the constant time ones.
 #[repr(transparent)]
-#[derive(Debug, Clone, Copy, Zeroize)]
+#[derive(Debug, Clone, Copy, Zeroize, Serialize, Deserialize)]
 pub struct Gf256(u8);
 
+impl AsRef<u8> for Gf256 {
+    fn as_ref(&self) -> &u8 {
+        &self.0
+    }
+}
+
 impl Gf256 {
     pub fn new(n: u8) -> Gf256 {
         Gf256(n)

trust-quorum/gfss/src/gf256.rs

@@ -4,8 +4,10 @@
 
 //! Shamir secret sharing over GF(2^8)
 
+use digest::Digest;
 use rand::{Rng, rngs::OsRng};
 use secrecy::Secret;
+use serde::{Deserialize, Serialize};
 use subtle::ConstantTimeEq;
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
@@ -101,12 +103,35 @@ impl<'a> ValidShares<'a> {
     }
 }
 
-#[derive(Clone, Zeroize, ZeroizeOnDrop)]
+#[derive(Clone, Serialize, Deserialize, Zeroize, ZeroizeOnDrop)]
 pub struct Share {
     pub x_coordinate: Gf256,
     pub y_coordinates: Box<[Gf256]>,
 }
 
+impl Share {
+    // Return a cryptographic hash of a Share using the parameterized
+    // algorithm.
+    pub fn digest<D: Digest>(&self, output: &mut [u8]) {
+        let mut hasher = D::new();
+        hasher.update([*self.x_coordinate.as_ref()]);
+        // Implementing AsRef<[u8]> for Box<[Gf256]> doesn't work due to
+        // coherence rules. To get around that we'd need a transparent newtype
+        // for the y_coordinates and some unsafe code, which we're loathe to do.
+        let mut ys: Vec<u8> =
+            self.y_coordinates.iter().map(|y| *y.as_ref()).collect();
+        hasher.update(&ys);
+        output.copy_from_slice(&hasher.finalize());
+        ys.zeroize();
+    }
+}
+
+impl std::fmt::Debug for Share {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("KeyShareGf256").finish()
+    }
+}
+
 pub struct SecretShares {
     pub threshold: ValidThreshold,
     pub shares: Secret<Vec<Share>>,

trust-quorum/gfss/src/shamir.rs

@@ -0,0 +1,119 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! A configuration of a trust quroum at a given epoch
+
+use crate::crypto::{EncryptedRackSecret, RackSecret, Salt, Sha3_256Digest};
+use crate::{Epoch, PlatformId, ReconfigureMsg, Threshold};
+use gfss::shamir::SplitError;
+use omicron_uuid_kinds::RackUuid;
+use secrecy::ExposeSecret;
+use serde::{Deserialize, Serialize};
+use slog_error_chain::SlogInlineError;
+use std::collections::BTreeMap;
+
+#[derive(Debug, Clone, thiserror::Error, PartialEq, Eq, SlogInlineError)]
+pub enum ConfigurationError {
+    #[error("rack secret split error")]
+    RackSecretSplit(
+        #[from]
+        #[source]
+        SplitError,
+    ),
+    #[error("too many members: must be fewer than 255")]
+    TooManyMembers,
+}
+
+/// The configuration for a given epoch.
+///
+/// Only valid for non-lrtq configurations
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct Configuration {
+    /// Unique Id of the rack
+    pub rack_id: RackUuid,
+
+    // Unique, monotonically increasing identifier for a configuration
+    pub epoch: Epoch,
+
+    /// Who was the coordinator of this reconfiguration?
+    pub coordinator: PlatformId,
+
+    // All members of the current configuration and the hash of their key shares
+    pub members: BTreeMap<PlatformId, Sha3_256Digest>,
+
+    /// The number of sleds required to reconstruct the rack secret
+    pub threshold: Threshold,
+
+    // There is no previous configuration for the initial configuration
+    pub previous_configuration: Option<PreviousConfiguration>,
+}
+
+impl Configuration {
+    /// Create a new configuration for the trust quorum
+    ///
+    /// `previous_configuration` is never filled in upon construction. A
+    /// coordinator will fill this in as necessary after retrieving shares for
+    /// the last committed epoch.
+    pub fn new(
+        coordinator: PlatformId,
+        reconfigure_msg: &ReconfigureMsg,
+    ) -> Result<Configuration, ConfigurationError> {
+        let rack_secret = RackSecret::new();
+        let shares = rack_secret.split(
+            reconfigure_msg.threshold,
+            reconfigure_msg
+                .members
+                .len()
+                .try_into()
+                .map_err(|_| ConfigurationError::TooManyMembers)?,
+        )?;
+
+        let share_digests = shares.shares.expose_secret().iter().map(|s| {
+            let mut digest = Sha3_256Digest::default();
+            s.digest::<sha3::Sha3_256>(&mut digest.0);
+            digest
+        });
+
+        let members = reconfigure_msg
+            .members
+            .iter()
+            .cloned()
+            .zip(share_digests)
+            .collect();
+
+        Ok(Configuration {
+            rack_id: reconfigure_msg.rack_id,
+            epoch: reconfigure_msg.epoch,
+            coordinator,
+            members,
+            threshold: reconfigure_msg.threshold,
+            previous_configuration: None,
+        })
+    }
+}
+
+/// Information for the last committed configuration that is necessary to track
+/// in the next `Configuration`.
+#[derive(
+    Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize,
+)]
+pub struct PreviousConfiguration {
+    /// The epoch of the last committed configuration
+    pub epoch: Epoch,
+
+    /// Is the previous configuration LRTQ?
+    pub is_lrtq: bool,
+
+    /// The encrypted rack secret for the last committed epoch
+    ///
+    /// This allows us to derive old encryption keys so they can be rotated
+    pub encrypted_last_committed_rack_secret: EncryptedRackSecret,
+
+    /// A random value used to derive the key to encrypt the rack secret from
+    /// the last committed epoch.
+    ///
+    /// We only encrypt the rack secret once and so we use a nonce of all zeros.
+    /// This is why there is no corresponding `nonce` field.
+    pub encrypted_last_committed_rack_secret_salt: Salt,
+}