github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/Doc/FactoriesAndInterfaces.txt

May 8, 2014

A Tao implementation (FakeTao or LinuxTao) is embedded in some other environment,
e.g. an OS kernel, a hypervisor, a JVM, or just a process that is the root of a
process tree. The interface between Tao and its environment is a mess.

Call flow today (Env = the embedding environment; nested items are the calls
made by the item above them):

Env:
  allocate Tao
  init/setup:
    - specify TaoDomain (for policy stuff)
    - specify ChildChan
      - specify child chans
      - also specify admin chans
    - specify ParentChan
    - specify ProgFactory
  call Listen
    Tao::Listen():
      call ChildChan::Listen()
        ChildChan::Listen():
          listen on admin/child chans
          wait for rpc

Env:
  set up admin channel
  call Start()
    ChildChan::Listen() loop:
      receive rpc
      dispatch to, e.g., Tao::Start(), or unseal/seal/etc. ...
        Tao::Start():
          call ProgFactory::NewName()
            ProgFactory::NewName(): depends on env.
          make auth decision
          call ChildChan::Add()
            ChildChan::Add():
              setup chan
              return encoded params
          call ProgFactory::Start(), giving it the encoded params
            ProgFactory::Start():
              decode encoded params
              start it up
              return
          return
      ... ChildChan resumes:
        send response
  get response

Down the middle we have:
- TaoChannel: This provides the main "listen" loop driving Tao, and it provides
  the server/Tao side of channels to hosted programs. It is also a kind of
  factory for setting up those connections to hosted programs. It also provides
  the server side for admin channels.
- ProgramFactory: responsible for starting/stopping programs (but not making
  authorization decisions about which hosted programs should be allowed to
  execute).

The two are intimately tied, obviously, since each kind of child container will
only support some limited range of channel types, and vice versa. You can have
pipes + processes, or VMsockets + VMs, but not pipes + VMs or VMsockets +
processes, for example. The same goes for the admin channels, which currently
only work with unix sockets (i.e. no direct connector, pipes, etc.).

Over in Tao::Start(), there are some unpleasant dependencies on the details of
starting/stopping programs, and nearly all of the work is done by env, even
though Tao::Start() drives it.

There are three places where Tao needs to make difficult policy decisions:
1. Checking whether a program should be allowed to execute. This is handed off
   to TaoDomain, of which there might be a variety of choices (it was passed in
   by env during startup, and this is the only place it is used by Tao).
2/3. Seal/Unseal. Children need to specify a policy during seal, e.g. "same PCRs
   as me" or "same program hash as me, but ignore the arguments". Info about the
   policy needs to get encoded and put into the sealed bundle. Then, on unseal,
   after we decrypt the data, we need to check the policy. This isn't really
   something Tao can do itself, since it depends, at minimum, on the child names
   chosen by the program factory. The unseal part is conceivably something that
   could just be passed off to TaoDomain. Perhaps the seal part could too?

I propose moving as much of this as possible out of Tao/LinuxTao. Also, we should
clarify the interface between Tao and its environment. Generally, Tao should not
call out to the environment. All policy checking should be done in the
environment. All locking/threading issues should be handled in the environment.

The three policy decisions are easy to move into TaoChannel -- they all happen
right at the start or end of the methods. Tao::Start should be moved almost
entirely to TaoChannel, since that does almost all the work anyway. Tao just
gets notified upon hosted program startup.

Another upside: Tao doesn't need to know about TaoDomain and policy at all, and
doesn't need a policy credential.

Finally, TaoChannel should probably be renamed and/or split into multiple
pieces, and LinuxTao doesn't really need the word "linux" in it any more.