Skip to content

KES agent integration #1487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

KES agent integration #1487

wants to merge 8 commits into from

Conversation

jasagredo
Copy link
Contributor

@jasagredo jasagredo commented Apr 30, 2025
edited
Loading

This changes Consensus such that mlocked KES keys are used internally.

This is important groundwork for supporting KES agents in the future. In this form, the code will still load KES keys from disk, which is unsound, but the internal machinery is ready to also accept KES keys from other sources, and once loaded, KES keys will be handled appropriately (kept in mlocked RAM at all times, securely erased when expired).

This also involves a restructuring of the HotKey data structure, which now manages not only a KES SignKey, but also the corresponding OpCert. This is necessary for two reasons:

  • With a KES agent, the OpCert will be provided along with the SignKey; this is the easiest way to make sure that the OpCert always matches the SignKey it is used with
  • With the new structure, KES keys can be replaced in a live node kernel, without having to restart it and reload the entire configuration. Because of this, the HotKey, which manages the dynamic part of the node kernel's signing mechanism, needs to be able to replace not just the SignKey (which it already did, in order to handle key evolution), but also the OpCert (which will not change when a SignKey evolves, but it will change when a new SignKey is provided).

Supersedes #1284.

Issue #558.

This adds KES Agent connectivity to consensus.

To use a KES Agent to source KES SignKeys and OpCerts, the praosCredentialsSource in the PraosCanBeLeader data structure can now be pointed to a domain socket address where it will look for a KES Agent.

Also covers #1077.

jasagredo
jasagredo commented Apr 30, 2025
View reviewed changes
@jasagredo jasagredo force-pushed the js/tdammers/kes-agent-conectivity branch from a10939e to 1cf35e6 Compare April 30, 2025 10:46
@jasagredo jasagredo force-pushed the js/tdammers/kes-agent-conectivity branch from ceb0550 to 4ca03a3 Compare April 30, 2025 11:11
@jasagredo jasagredo linked an issue Apr 30, 2025 that may be closed by this pull request
Adapt KES usage to new, non-pure, interface #558
Open
@jasagredo jasagredo force-pushed the js/tdammers/kes-agent-conectivity branch from 108bfcb to 833650d Compare May 5, 2025 12:23
@jasagredo jasagredo force-pushed the js/tdammers/kes-agent-conectivity branch from 833650d to 4828699 Compare May 5, 2025 12:24
@jasagredo jasagredo marked this pull request as ready for review May 5, 2025 12:26
@tdammers tdammers self-requested a review May 15, 2025 08:55
tdammers
tdammers requested changes May 15, 2025
View reviewed changes
Copy link
Contributor

@tdammers tdammers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changelog needs to be fixed, rest looks good.

ouroboros-consensus-cardano/src/unstable-shelley-testlib/Test/ThreadNet/Infra/Shelley.hs
Comment on lines +190 to +191
vrfKey <- genKeyVRF <$> genSeed (seedSizeVRF (Proxy @(VRF c)))
kesKey <- unsoundPureGenKeyKES <$> genSeed (seedSizeKES (Proxy @(KES c)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the extra spaces?

ouroboros-consensus-protocol/changelog.d/20250130_101128_tdammers_mlocked_kes_rebase.md
Comment on lines +14 to +18
specifies how to obtain the actual credentials (OpCert and KES SignKey). For
now, the only supported method is passing an OpCert and an
UnsoundPureSignKeyKES, presumably loaded from disk
(`PraosCredentialsUnsound`); future iterations will add support for
connecting to a KES agent.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
specifies how to obtain the actual credentials (OpCert and KES SignKey). For
now, the only supported method is passing an OpCert and an
UnsoundPureSignKeyKES, presumably loaded from disk
(`PraosCredentialsUnsound`); future iterations will add support for
connecting to a KES agent.
specifies how to obtain the actual credentials (OpCert and KES SignKey).
Two methods are supported:
- Directly passing an OpCert and an UnsoundPureSignKeyKES, presumably loaded
from disk (`PraosCredentialsUnsound`)
- Passing a socket address to a KES Agent from which OpCerts and (sound)
SignKeyKES can be obtained (`PraosCredentialsAgent`)

@jasagredo jasagredo mentioned this pull request May 13, 2025
Open
31 tasks
@jasagredo jasagredo changed the title Js/tdammers/kes agent conectivity KES agent integration May 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tdammers tdammers tdammers requested changes

@nfrisby nfrisby Awaiting requested review from nfrisby nfrisby is a code owner

@amesgen amesgen Awaiting requested review from amesgen amesgen is a code owner

@fraser-iohk fraser-iohk Awaiting requested review from fraser-iohk fraser-iohk is a code owner

@dnadales dnadales Awaiting requested review from dnadales dnadales is a code owner

@geo2a geo2a Awaiting requested review from geo2a geo2a is a code owner

@jorisdral jorisdral Awaiting requested review from jorisdral

Requested changes must be addressed to merge this pull request.

Assignees

@fraser-iohk fraser-iohk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Adapt KES usage to new, non-pure, interface
4 participants
@jasagredo @tdammers @fraser-iohk @lehins