kms: Append some RPC description

Dstack-TEE · Feb 8, 2025 · 6b77340 · 6b77340
1 parent 16d815a
commit 6b77340
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/kms/README.md b/kms/README.md
@@ -147,3 +147,43 @@ The verification process follows these steps:
 2. Recover `pK1` from `S2` and `pK2` + `<purpose-id>`
 3. Recover `pK0` from `S1` and `pK1` + `<app-id>`
 4. Compare the recovered `pK0` with the registered `pK0` in the KmsAuth contract
+
+## The RPC Interface
+
+The KMS RPC interface is defined in [kms.proto](rpc/proto/kms.proto).
+
+The core interface serving the dstack app are:
+- `GetAppKey`: Requests an app key using the app ID and TDX quote
+- `GetAppEnvEncryptPubKey`: Requests the app environment encryption public key using the app ID
+- `SignCert`: Signs a certificate
+
+Let's explain each one:
+
+### GetAppKey
+
+The `GetAppKey` RPC is used by the dstack app to request an app key. In this RPC, the KMS node will:
+
+- Verify the TDX quote and extract the app ID and MRs from it
+- Query the smart contract to check if the app is authorized to request the app key
+- If authorized, derive the app keys from the root key and app ID
+- Sign the app keys with the root key
+- Return the app keys to the app
+
+
+Note:
+There are multiple keys derived for different usage, see [kms.proto](rpc/proto/kms.proto) for more details.
+The root key is generated by a genesis KMS node in TEE and would be stored in the KMS node's encrypted local disk, replicated to other KMS nodes.
+The keys are derived with app id which guarantees apps can not get the keys from other apps.
+
+### GetAppEnvEncryptPubKey
+
+The `GetAppEnvEncryptPubKey` RPC is used by the frontend web page to request the app environment encryption public key when deploying a new app. This key is used to encrypt the app environment variables, which can only be decrypted by the app in TEE.
+
+### SignCert
+
+The `SignCert` RPC is used by the dstack app to sign a TLS certificate. In this RPC, the KMS node will:
+
+- Verify the TDX quote and extract the Certificate Signing Request (CSR)
+- Verify the CSR signature
+- Query the smart contract to check if the app is authorized
+- If authorized, sign the CSR with the CA root key and return the certificate chain to the app