Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2021 / 14 May 2021
Cloud Native Computing Foundation / KubeCon + CloudNativeCon Europe 2021 / 14 May 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: Parsec - Marc Meunier, Arm

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: Parsec - Marc Meunier, Arm

Parsec, a security project at the CNCF is maturing and expanding. In today’s talk, Marc will go over the Parsec project and discuss the latest updates and roadmap. In the presentation, there are references to a newly published tutorial as well as a demo that walks through a multi-tenancy implementation.

A

Hello, everyone, my name, is mark marinier and I work for arm and part of the infrastructure line of business focused on software ecosystem development, with a special interest in security projects.

A

So I basically work with partners to promote security advancements at the edge and in the cloud, and I represent arm at the board of governance at the confidential compute consortium.

A

Today, I'm going to talk to you about a cncf project called parsec.

A

If you're not familiar with the cncf structure, a sandbox project is an early stage project and in the case of parsec, it's a new project that fits the cncf mission.

A

It was contributed to the cncf to remove possible legal and government governance obstacles to adoption and to facilitate contribution by other developers in the community. It's a great place to collaborate openly on interesting projects that benefit multiple environments.

A

Our goal with parsec is to mature the program and to move it up to the next level of maturity within the cncf.

A

Now getting back to parsing parsec is a security project that provides an abstraction layer between router trust and applications.

A

This abstraction layer provides a set of apis for security functions such as key management or cryptographic operations, provides this api to the application layer without creating a strong dependency on the security primitives in the system.

A

Let's consider an example to showcase the flexibility that parsec brings to a system.

A

For this example, we'll take a raspberry pi and a need to implement a key exchange between a cloud service and the end device.

A

Now as a developer, you can implement this feature directly and be up and running fairly quickly, but then what happens? If you need to harden your solution and protect the keys in a hardware? Distrust like a tpm.

A

At this point, you might decide that it's easier to code to the new security interface to start over from scratch and re-implement the security functions tied to that hardware. Module you'll realize that it's a lot of work and it's complicated to implement even a simple function, such as key exchange with the tpm interface.

A

Now consider what happens if you need to change the hardware trust with a different implementation like our hsm module.

A

If you implemented directly against the tpm interface, you now need to start over once again and re-implement that security function to work with a new interface. The hsm.

A

Module: here's where parsec comes in parsec can provide a standard interface to the application layer that doesn't change with the various backends.

A

So instead you would leverage a modular back-end provider. That's part of parsec project to match up with the router trust that simple change would enable your applications to leverage the various routes of trust between these three different examples, without changing a line of code in your application.

A

Now this is a simple example, but you can imagine how this story evolves and how an abstraction layer could simplify and future proof. Your system.

A

Paul howard joined robert wolfe to record an eight-part arm software developer series that provides a step-by-step tutorial.

A

It explains how to replicate an environment based on parsec to support key exchanges as an example of a security function on a raspberry pi.

A

I will not play the video here, as it is quite long, but I encourage you to go to this link and see the eight part video series now parsec is a collaborative project and interacts with many different projects that already exist.

A

Most implementations today see parsec integrated with the linux distro in the example that paul and robert walk through, you will see how to install the service on a standard linux distro of your choice without any shortcuts.

A

If you happen to be working with red hat, fedora or opensuse, you will find a neatly packaged install that simplifies the setup of parsec, going one step further. Fedora iot now, ships with parsec pre-installed, and we are working with the community to expand this footprint with other disk grows and would welcome collaboration to bring parsec to the distro of your choice.

A

Now, parsec functionality is continuously evolving. New security functions are implemented on a regular basis. One example is the ability to serve as an arbitrator servicing multiple independent requests for a single router trust.

A

This comes up in iot gateways and edge servers where a need to protect data between multiple applications comes up now. Parsec is more than just a library, it's a microservice, and it can connect with an id provider to create independent channels to a single root of trust.

A

It could then verify the trust relationship with the provider and ensure the separation between these channels. This functionality enables my multi-tenancy environment at the edge here's. Another video shoot this one here, showcases two cncf projects that come together to offer an example of how to create a multi-tenancy environment spiffy as the id provider and parsec to verify the id and implement the independent channels to provide security service on a per application basis.

A

I encourage you to click on the link and explore this video to see how parsec can be used to enable this advanced functionality.

A

Now the api that is exposed to the application layers is based on modular blocks that can be created for the language that suits your application.

A

Currently, parsec has front-end interfaces in rust and go nnc and also supports a very practical command line interface that has proven useful to set up and test the service.

A

The number of back-end modules is also growing. Today. It includes interfaces for tpm, 2.0, pkcs, 11, embed crypto, crypto, auth lib and the team is working through the implementation that will line up with psa services in opti.

A

This diagram demonstrates other modular blocks which evolve at their own pace. The services or apis that are implemented in parsec are highlighted in green. It includes key creation.

A

Key import, export sign in verify, hash asymmetrical encryption, and then the next layer of apis in yellow represent functions that are implemented for either only one or a few of the back ends or features that aren't quite fully completed.

A

Now this completes my presentation and I encourage you to come and meet the team and leverage the great work that's been done to simplify security at the edge and in iot.

A

Thank you.