JWT Authentication.

[martijnlammers]

Two quick questions;
Where does the JWT validation happen? If it validates it internally (might be a misconception) I assume that there are some limitations on which encryption algorithms are available, so which algorithms would be supported besides RSA?

[achamayou]

Validation happens in-enclave, and the JWT issuers and associated collateral is stored in KV/ledger and refreshed periodically. This is covered in more detail under https://microsoft.github.io/CCF/main/build_apps/auth/jwt.html
We do support RSA, but I don't know for sure if we support anything else, I'll double check.

[achamayou]

I'm not sure what you mean by cap out. As spelled out in the document you link, the Linux SGX driver will swap to software-encrypted memory if you exceed EPC size, access will become slower but will still work. Earlier SGX SKUs had small EPCs, but it's now half of the available RAM on Ice Lake, topping out at 256Gb in Azure (https://docs.microsoft.com/en-us/azure/virtual-machines/dcv3-series).

Unless you have a considerable amount of JWT issuers, you're only ever going to be storing a few RSA public keys in store, so perhaps tens of Kb worth of memory, which is quite manageable even on Coffee Lake.

[martijnlammers]

Aha, I see, thanks for your elaboration. I'm aware CCF thrives on utilizing the CPU and RAM to store its data, but it didn't came to my mind VM's actually had 384Gb of RAM. I initially thought that it was non-volatile memory that enclaves wouldn't put their data onto.

[achamayou]

We've made preliminary changes to the CCF KV to make it possible to implement manual paging to the disk in the future if necessary, but existing use cases have not required it so far. On VM-based TEEs such as AMD SEV-SNP and TDX, OS-provided paging will be available, so running with a KV state larger than RAM will become possible without manual paging.

[martijnlammers]

Right, so that would mean - in the future - the user would be capable of upscaling storage capacity as much as necessary? (Assuming you run out of 256Gb of EPC memory)

[achamayou]

Yes, exactly.