Add key management documentation for MSI v2 #5513
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| # MSI v2 — Key Logic | ||
|
|
||
| ## Overview | ||
|
|
||
| In MSI v2, before MSAL can do anything with IMDS or ESTS, it needs a key pair. This private key is the root trust anchor for all subsequent operations (CSR, cert issuance, PoP binding). | ||
|
|
||
| ## Key Responsibilities | ||
|
|
||
| - Generate and hold the RSA private key. | ||
| - Ensure the key is protected to the maximum capability of the platform. | ||
| - Provide the key for signing (CSR, PoP requests, mTLS handshakes). | ||
| - Never allow export if backed by hardware/KeyGuard. | ||
|
|
||
|
|
||
| ## Key Selection Priority | ||
|
|
||
| MSAL implements a hierarchical key provider strategy: | ||
|
|
||
| ### KeyGuard (awlays for PoP) | ||
gladjohn marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| - Requires Virtualization-Based Security (VBS). | ||
| - Keys are isolated in a secure enclave. | ||
| - Strongest guarantee that the private key cannot be exfiltrated. | ||
| - Used for Proof-of-Possession (PoP). | ||
|
There was a problem hiding this comment. Why did you only put this here and not the other key types? Every Key type listed here can be used in PoP. |
||
|
|
||
| ### Hardware / TPM / KSP (fallback) | ||
|
There was a problem hiding this comment. Can you write out the TPM acronym here? |
||
|
|
||
| - Keys are backed by TPM or the Platform Crypto Provider. | ||
| - Non-exportable, tied to the device. | ||
|
There was a problem hiding this comment. KeyGuard is also not exportable, can you add this to the KeyGuard section too? |
||
| - Provides strong hardware-based protection, but not as strict as VBS isolation. | ||
|
|
||
| ### In-memory RSA (last resort on Windows and only option in Linux) | ||
|
|
||
| - Keys are created and held in memory. | ||
| - Software-based only, weakest in terms of protection. | ||
| - Used only when platform protections are unavailable. | ||
|
|
||
| ## Mermaid — Key Selection Flow | ||
|
|
||
| ```mermaid | ||
| sequenceDiagram | ||
| autonumber | ||
| participant MSAL | ||
| participant KeyProvider as Key Provider | ||
| MSAL->>KeyProvider: GetOrCreateKey() | ||
| alt Cached key exists | ||
| KeyProvider-->>MSAL: Return cached key | ||
| else No cached key | ||
| KeyProvider-->>KeyProvider: Acquire semaphore | ||
| alt KeyGuard available | ||
| KeyProvider-->>MSAL: KeyGuard key (preferred) | ||
| else Hardware/TPM available | ||
|
There was a problem hiding this comment. add "KeyGuard not available" |
||
| KeyProvider-->>MSAL: Hardware key | ||
| else | ||
| KeyProvider-->>MSAL: In-memory RSA key | ||
|
There was a problem hiding this comment. add "KeyGuard and TPM not available" |
||
| end | ||
| KeyProvider-->>KeyProvider: Cache key & release semaphore | ||
| end | ||
| ``` | ||
|
|
||
|
|
||
| ✅ Summary: | ||
|
|
||
| In MSI v2, everything starts with a key. MSAL enforces a secure-first fallback chain: KeyGuard → TPM → In-memory. For PoP tokens, KeyGuard is the preferred option since it offers the strongest binding guarantees. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what does "hold" mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 ... and to generalize the concept, we should have some Windows / Linux notes .. I assume on Windows "hold" means "write to it a keystore" and on Linux means "write it to memory"