From 48780ed0d2f3d704dee81f332c594f2d4636acc9 Mon Sep 17 00:00:00 2001 From: Chris Eager Date: Wed, 12 Feb 2025 14:21:24 -0600 Subject: [PATCH] Update README.md --- README.md | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 6b54dc1..7add7c2 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ -# Secure Value Recovery Service v2/3 +Secure Value Recovery Service v2/3 +================================== The SecureValueRecovery2 (SVR2) project aims to store client-side secrets server-side protected by a human-remembered (and thus, low-entropy) pin. @@ -23,7 +24,8 @@ _liveness_ (the ability to serve back anything) in order to maintain the security properties of the system. We'll happily discard every secret in the system rather than expose one of the secrets to a leak. -## History +History +------- SVR2 is a successor to the [SecureValueRecovery](https://github.com/signalapp/SecureValueRecovery) @@ -42,7 +44,8 @@ SVR3 builds upon the implemented SVR2 data model, exposing a different client request/response protocol that exposes a Ristretto-based oblivious pseudo- random function (OPRF) rather than a direct store/retrieve database. -## Building +Building +-------- In order to build and test everything in this repository, you should be able to just run `make` at the top-level. You must have a valid `docker` installed @@ -65,7 +68,8 @@ make host # Make all of the host stuff (cd host && make $SOMETARGET) # Make just a specific target in host ``` -## Code layout +Code layout +----------- Code is divided into a few main directories at the top-level 
@@ -83,7 +87,8 @@ Code is divided into a few main directories at the top-level for use in AMD SEV-SNP and other environments where the trusted unit is a VM rather than a binary. -## Verifying build measurements +Verifying build measurements +---------------------------- SVR2/3 clients can attest that a server is running a particular application version. These versions are hard-coded into clients and correspond to artifacts published in this repository. @@ -112,11 +117,11 @@ make enclave ### Verifying SVR3 measurements SVR3 supports multiple trusted compute platforms. The specifics of verification depend on the platform. + #### Verifying SGX measurements - See the SVR2 verification section. For SVR3, you can find what MRENCLAVE a client attests [in libsignal](https://github.com/signalapp/libsignal/blob/a4a0663528dadc38215e46c6f94484b435f5fe02/rust/attest/src/constants.rs#L21). -#### Verifying Nitro measurements +#### Verifying Nitro measurements Nitro builds are also deterministic, and so you can verify an attested server corresponds to the committed source code by building the eif image yourself and comparing the resulting PCR measurements. Suppose your client attests the nitro version [ffe631d7.52b91975.a4544fb5](https://github.com/signalapp/libsignal/blob/a4a0663528dadc38215e46c6f94484b435f5fe02/rust/attest/src/constants.rs#L21) with [these PCRs](https://github.com/signalapp/libsignal/blob/a4a0663528dadc38215e46c6f94484b435f5fe02/rust/attest/src/constants.rs#L29). @@ -166,7 +171,6 @@ compiled into the Signal client (in libsignal) and can be checked against. Some only a subset will be visible within the Signal client. #### Running the Verify Script - Run the following script to run numerous automated checks: ``` 
@@ -187,8 +191,22 @@ It will then give you the option of keeping the partitions mounted so that you can do any further investigation you see fit (checking against known files, looking at systemd configuration, etc). -## License +Contributing bug reports +------------------------ -Copyright 2023-2024 Signal Messenger, LLC +We use [GitHub][github issues] for bug tracking. Security issues should be sent to security@signal.org. + +Help +---- + +We cannot provide direct technical support. Get help running this software in your own environment in our [unofficial community forum][community forum]. + +License +------- + +Copyright 2023 Signal Messenger, LLC Licensed under the [AGPLv3](LICENSE) + +[github issues]: https://github.com/signalapp/SecureValueRecovery2/issues +[community forum]: https://community.signalusers.org
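Review bot: In the `@@ -1,4 +1,5 @@` hunk, and in the History, Building, Code layout and Verifying build measurements hunks that repeat the same edit, the `#` and `##` headings become setext underlines while the `###` and `####` headings visible further down (`### Verifying SVR3 measurements`, `#### Verifying SGX measurements`) stay ATX. Setext has only two levels, so the README ends up with two heading styles in one file. Either keep ATX throughout or give the reason for the mix in the commit message; the subject "Update README.md" does not say why the headings change.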
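Review bot: In the `@@ -112,11 +117,11 @@` hunk the blank line after `#### Verifying SGX measurements` is dropped, and `#### Verifying Nitro measurements` is deleted and re-added with no visible difference, which reads as a whitespace-only edit. Both headings now run straight into their paragraphs, and the `@@ -166,7 +171,6 @@` hunk does the same to `#### Running the Verify Script`. Keep one blank line after each heading so the source is consistent and the whitespace churn disappears from the diff. While this section is open: the "what MRENCLAVE a client attests" link and the nitro version link both target `constants.rs#L21` at the same libsignal commit. Readers compare their own build measurements against these constants, so confirm each link points at the line it is meant to.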
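Review bot: In the `@@ -187,8 +191,22 @@` hunk the copyright line changes from `2023-2024` to `2023`, which narrows the range in a commit dated 2025 and looks unintended. Keep the original range or extend it. In the new "Contributing bug reports" section the public GitHub tracker and security@signal.org appear back to back. State explicitly that security issues should not be opened as public GitHub issues, so a reporter skimming the section does not disclose a vulnerability in the tracker.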