Thank you for joining us today. In this session we will talk about SPIRE. My name is Agustín Martínez Fayó. I am part of the HPE security engineering team and I am a maintainer of the SPIRE project. I'm here with Marcos.

Hello, I'm Marcos. I am working on the HPE security engineering team too, and I am another of the maintainers of SPIRE.

OK, so we will be providing an introduction to SPIRE, and we will also be doing a deep dive into the new Windows support that we just released. To introduce SPIRE, we will first talk about SPIFFE: we will do a quick overview of SPIFFE, then we will look into the basic components of the SPIRE architecture, and we will talk a little bit about the adoption of SPIRE. Then we will start talking about the new Windows support. We will see what the differences are between running SPIRE on Windows and on Linux, we will see what the development experience looks like, and finally we will see a demo of SPIRE running on Windows. This is the first time that we will see SPIRE running on Windows at a conference.
So we are looking forward to that. OK, let's start talking about SPIFFE. SPIFFE is a set of open-source standards that all share the same common goal: to be able to securely identify workloads no matter where they are running. In order to do that we need to represent an ID, or to provide IDs, and for that we have the SPIFFE ID, which is a representation of an identity. This is what a SPIFFE ID looks like: it is a URI that has the spiffe scheme. The authority component is what we call a trust domain. A trust domain in SPIFFE defines a security boundary, so if one trust domain is compromised that shouldn't affect a different trust domain. You may run a trust domain for development, for example, and a different trust domain for production, and that will set the boundaries there. Finally, the path part of this URI identifies a specific workload within the trust domain.

But SPIFFE is not only about SPIFFE IDs. We also need some kind of document, or place, where we can actually put that ID and be able to verify it, and for that the SPIFFE standards define what we call a SPIFFE Verifiable Identity Document, or SVID. We can think of an SVID like a passport: in the same way that a passport carries your identity and there is a way that the identity can be verified, an SVID carries the SPIFFE ID, which is the identity, and it is cryptographically verifiable. So that's good.

We have a way to represent an identity, and we have a document that can hold that identity, but we also need a way to retrieve that identity. For that we have the Workload API. The Workload API is the API that SPIFFE defines for workloads to be able to fetch their identities. Finally, we have what we call the SPIFFE trust bundle, which allows us to verify those identities within a trust domain, because it is the set of public keys of that trust domain.

Let's look a little bit more at the Workload API. The Workload API has an important attribute: it is not authenticated. Workloads don't need to have any kind of secret or password in order to call it. They will get an identity based on a workload attestation mechanism, so the workload just calls the Workload API and gets its SVID. The SVID can be in two formats. One format is the X.509-SVID, which is basically an X.509 certificate. There is also a token-based SVID, which is the JWT-SVID. So those are the two formats that we have for SVIDs.

OK, now that we know at least a little bit about SPIFFE, we can start talking about SPIRE. SPIRE is a production-ready implementation of the SPIFFE standards, and it is open source as well. With SPIRE, I would say that the main goal is to be able to issue SVIDs to workloads in as many places as we can. In order to do that it implements two kinds of attestation mechanisms, node attestation and workload attestation, and it has two main components, the server and the agent.

Let's look a little bit deeper into this architecture. We can see here the SPIRE agent, which has plugins. Both the agent and the server are made of plugins, and that gives SPIRE an architecture that is pretty flexible and allows it to grow depending on the needs. For example, if there is a new platform or vendor that you want to support, a new specific plugin can be written for that platform. The agent is the one that implements the Workload API that workloads call in order to get their SVIDs, through a workload attestation mechanism. We also have the server, which also implements plugins and has the server APIs that allow you to manage the server. The agents call the server in order to get their own identities as well, and they go through a node attestation mechanism. I also wanted to include the datastore in this architecture. The server obviously needs to store some data. What is important to know for this presentation is that the datastore stores what we call registration entries. The registration entries are the entries that describe the workloads. They have the attributes that we call selectors, which describe the workloads, and that will allow us to issue the identity depending on the discovered selectors. That information is stored in the datastore.

OK, so at this point you may wonder if adopting SPIRE is a good idea for you or for your organization or company. Let's try to see what problems SPIRE solves and try to figure that out. If you are struggling with issuing identities to workloads, maybe because they are running on different platforms, or you have workloads running on-prem and in the cloud, it looks like a very good fit for that, because it can issue platform-agnostic identities in an automated way. Also, if you are implementing a system where you need mutual TLS and to establish trust between different software systems, SPIRE is also designed for that. We saw that it manages both platform and workload attestation, and it coordinates the issuance of the certificates and their rotation. So SPIRE is designed to renew the certificates even if they are short-lived; typically certificates in SPIRE may expire in one hour, and SPIRE can handle that. And if you want to compare, or want to see what other organizations have been doing with SPIRE and how they have been adopting it, you can look at the ADOPTERS.md document that we have in the SPIRE repo. You will see there are many different examples of the adoption of SPIRE with different use cases and how SPIRE is being used.

Right, so let's get into the new Windows support. The Windows support is being introduced as an experimental feature. What that really means is that we do expect that we will be learning how SPIRE is operated and deployed, so we expect to make changes along the way that may impact the user experience and the functionality that you've seen in the first release. You will be able to run both the server and the agent on Windows. We did work to adapt existing plugins, and also created a new plugin, the Windows workload attestor, which is able to attest Windows workloads based on Windows-specific attributes, or selectors. The plugin that we have updated is the Docker workload attestor. We will see how that works in the demo.

One of the guiding principles that we have in SPIRE is to try to make it as easy to operate and configure as possible. With that in mind, we didn't introduce a lot of changes in the way that you run SPIRE on Windows. Only some minimal configuration changes are needed, and they are very platform-specific. For example, instead of using Unix domain sockets you will be using named pipes on Windows.

OK, so let's see a little bit about what the development experience is like. On Windows we have been using the MSYS2 building platform and it has been working pretty well. Again, building SPIRE on Windows is pretty much the same experience as on Linux. The same Makefile is used, so if you are already familiar with the Makefile targets you can run them and get the same experience.

And now we have the demo. OK, it's ready. OK, my turn. Is it working?
OK. In this demo today, I want to demonstrate how we can use SPIRE to provide identities in a Windows environment. Here is the diagram. We have all the services we will be using and starting. We have a SPIRE server and agent that are running on a Windows host, together with the products API, which will request SVIDs from the SPIRE agent using the Workload API. This products API will have an entry that is configured to work with the Windows attestor. On the other side we will have two services running in different containers, the web app and the customers API. Each of them will communicate with the SPIRE agent through the Workload API and fetch SVIDs using entries that have Docker attestor selectors. After that, the web app will connect to the products API using mutual TLS with the certificates they got.

Let's move on to see some configuration files. Here is the configuration file for our Windows server. As you can see there are no differences from the version we use on Linux, except for the experimental flag for the named pipe. Here the server will be listening for TLS connections on port 8081. It's configured to use the trust domain example.org; that means that all the SVIDs created from this server will have that trust domain. Here we have the mentioned experimental flag to set a different named pipe name; that named pipe will be used for local calls to the server API, or in case we use it from the admin entries. And here I chose to use x509pop as the node attestor. This one is the one that will validate the identity of the agent, and we provide a CA that is used to validate the certificate that the agent will present to us to verify its identity.

Let me move to the agent config file. The config file is connecting to the SPIRE server on port 8081. It has the same trust domain and sets a named pipe name for the Workload API. Here again, we are using x509pop, with the configured certificates that it will present. As I mentioned, for the attestation of workloads it will be using the Docker and the Windows attestors. Before I start running things, I will show you the configuration of the Docker Compose file. In this part we have two container services. There is the customers API, which uses an image called customers-api, and it's mounting the named pipe that will be used to talk with the Workload API. The web app is almost the same: there is an image that is called web-app, and it's mounting the named pipe and is listening on port 8080.

That is enough about configuration. Now I will start our server and our agent. For this demo I created some scripts that will be used to create entries and to start the server. All these scripts are online in my repo; it will be displayed after we finish, but you can take it and verify. So I will start the server, and our agent. Here we see that the server started successfully. It is listening on port 8081 for TLS connections, and it is listening on the named pipe we provided for local calls. And here we see that our agent was able to attest, and it provides a SPIFFE ID. That SPIFFE ID is important because it's the parent of all the entries we will create today, because the server will provide SVIDs to the agents that have this SPIFFE ID. Here on the agent side we see that it was able to attest and got its SVID, and the SPIFFE ID is displayed above. And it's listening on the named pipe we configured.

To make all these services able to attest, we need entries, so I will create them. For this demo, in total, we have three entries. One is for our web app. It has as parent ID the SPIFFE ID of the agent we just started. It has a TTL of 60 seconds. It is unreal, it's not useful to have an SVID with this amount of time, but it's just for a demo, to make things rotate faster. The selectors are both for the Docker attestor. In this case, it is expecting that the process that is calling the Workload API has the image ID of web-app, that is our first case, and the label for the Docker Compose service web-app. In the case of our customers API it is almost the same, the same pattern, same TTL, but the difference here is that it is expecting the customers-api image and the Docker Compose service customers-api. The difference is in the next one, which is the products API. That is this one, as you see here; it is running on the Windows host, so we are not able to use the Docker attestor there and we are using the Windows attestor. In this case, the processes that are running under the user name Administrator will get this SVID. For this demo I chose simple selectors, but if you go to the SPIRE documentation you can see the complete list of selectors that we are able to use. In the case of Docker we have the label, and we are using environment variables and image ID. In the case of Windows we are supporting user security ID, user name and different selectors related to groups. It is possible to add new selectors if we want, depending on requirements; for now we chose these ones.

Now we have our server and agent running and our entries. I will start our services. I will start the Docker Compose and the products API. It can take some time, but here we can see that the products API process was able to communicate with the agent and fetch its SVID, whose SPIFFE ID is products-api. In the case of customers, it was able to communicate too and get an SVID whose ID is customers-api. The same thing happens with the web app: it was able to communicate and get the SVID with the SPIFFE ID web-app. Now that we have all of them created, I will move to the browser and load the web app. I spent a lot of time writing the CSS. It was stressful. However, for us it is enough. We are getting the products and the customers. That means that the web app was able to make a successful mutual TLS connection with products and with customers. For this demo I am not only validating the SVID, but I am validating the SPIFFE ID that, for example, the web app is getting from the products API. If you go to the code, you will see that we are expecting the SPIFFE ID products-api.

So to demonstrate how SPIRE is propagating SVIDs, I created another script that I will use to update the SPIFFE ID of products-api. I will show that and run that script. So it is updated here, and as soon as it's updated and I reload the page, I see that our connection between the web app and products starts failing, because it has a new SVID that is not accepted by this web app. That is because there are two ways for the agent to get a new SVID: in case the entry has changes, for example I updated it, or in case it is about to expire. In this case, I used the update one.

I will be a little more aggressive now, and instead of updating a SPIFFE ID I will update a selector for our web app. So, as soon as it is updated and I move to the logs, I will start seeing that the agent is no longer able to provide its SVID to the web app, and there is "permission denied: no identity issued". You will ask me why it's happening. In the process of attestation, when the process is calling our agent, we gather, using different queries to kernel APIs, information about that process: for example who is running it, in the case of the user name, or in the case of Docker the image ID, the different information we want. With all that information we compare the attested process with all the entries, and that entry has to have all the selectors we want. In this case, because I updated the label to another one, that is no longer possible and it starts failing. If I move to the web app, and if some time has passed (remember that I set a TTL of just 60 seconds), then in the time I was talking the SVID expired and we start getting the error in the connection. If we go to the error, we will see that it is because the SVID expired and it is not possible to use an expired SVID. To make it work again, I can just set the selector back to its previous state. So we have it again, and if we go to the logs and wait for some seconds, because there is a retry here, we see that the connection is working again, so it was able to fetch its SVID again. So that is our demo running on Windows. Do you want the next one? Yeah, OK.

That was good. Well, if you are interested maybe in contributing to SPIRE, you can join our community. We are always available on Slack, Marcos and myself and the other SPIRE maintainers. You can visit the spiffe.io website and, obviously, the SPIFFE and SPIRE repos, where you can browse through the code base. Right now the demo that you just saw is in Marcos's fork; we will work to get that work upstream too. And you can download the SPIFFE book there; you will find a lot more information about how to operate and deploy SPIRE. That's it. No errors, so that was successful. I think we may have some time for a couple of questions.

Hey, so I missed the beginning of the talk, sorry for the potentially stupid question. You mentioned that there was some extra work needed for the Docker workload attestor on Windows. I work on containerd on Windows and would like to know if there's anything we could do to help you with that.

I think that at this point, yeah, it was a little bit challenging to get the same kind of information on Windows that we get when running containers on Linux. Marcos was the one that implemented the Docker workload attestor.
Maybe you... Yes, basically if you take a look at how the attestor works on Linux, we depend on cgroups. On Windows we know that these do not exist, but there is a replacement, which is job objects. The job object has as its name the container ID. So basically what we are doing now is verifying, among the list of job objects, whether the process we are getting the call from is running within that job. If that succeeds and we have that ID, we are able to communicate with the Docker API and get all the information we need. But the challenge was how to get the Docker ID of the container that is running the process. Maybe, if I remember correctly, the most challenging part was that we didn't have a single API call that we could use to go from a process ID to the job. Yes, we need to make several calls to several places to be able to get just the job, and with the job there is a kernel function, IsProcessInJob... I can't remember it any more right now, but we use that to validate. But the hard part is getting all the jobs to verify that. So if there were a way to simplify that process, maybe that would be a great improvement. Yes, if you look at the code, you will see that there are a lot of different calls there, loops and different things; maybe there is a simpler way to do that.

The container on Windows exposes the ID.

OK. In the case of containerd, I need to verify, I need to run things there, but that is one of the next steps, containerd, because there are people asking for containerd on Linux, so we want that one on Windows too. So that's something we will be working on for sure. So yes, just tell me and we can work together on that, on the issues.

OK. Any limit on the host operating system? I mean, will Windows 10 Pro be sufficient to run this demo?

Sorry? When the host operating system is Windows Server... I ran it on Windows 11 and it worked too, OK, but in this demo I was using Windows Server 2022, I think that is the latest one, because the image I built was there. You can take a look at the image and you can change the image, because the code to create the image is in the demo, so you can change the version if you want.

Any results? I mean performance results, to see how quick you are. Did you do any measurements?

We haven't done that yet, but it's interesting. Yes, one of the next steps too is making it work on Kubernetes. That will be more challenging because there are several limitations there, but that is the next step. Also, making named pipes work in different languages, because right now it is supported only for gRPC in Go on Windows and in .NET.
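The setup the demo walks through (server and agent on the Windows host with named pipes, x509pop node attestation, one entry for the host process attested by the windows attestor and two for the Compose services attested by the docker attestor) written out as the configuration files and entry-creation commands it needs. This is an added example, not code from the talk, from Marcos's demo repo or from the SPIRE project. It assumes spire-server.exe and spire-agent.exe are on PATH, that the x509pop key, certificate and CA bundle already exist at the paths used below, that the named pipe names are SPIRE's defaults, and that `<agent-fingerprint>` and `<image-id-of-...>` are placeholders you fill in from the agent's attested SPIFFE ID and from `docker image inspect`; the selector value for the Windows user is likewise an assumption to be checked against what the agent logs for the products API process.

```powershell
# Added example (not from the talk or the SPIRE project). ASSUMPTIONS: SPIRE
# binaries on PATH; x509pop key/cert/CA files already present at these paths;
# default named pipe names; <agent-fingerprint> and <image-id-of-*> are
# placeholders; the windows:user_name value must match what the attestor reports.
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path .\conf\server, .\conf\agent, .\data\server, .\data\agent | Out-Null

# server.conf: same as on Linux except the experimental named pipe that
# replaces the Unix domain socket for local (CLI / admin) calls.
@'
server {
    bind_address = "0.0.0.0"
    bind_port    = "8081"
    trust_domain = "example.org"
    data_dir     = "./data/server"
    log_level    = "INFO"
    experimental {
        named_pipe_name = "\\spire-server\\private\\api"
    }
}
plugins {
    DataStore "sql" {
        plugin_data {
            database_type     = "sqlite3"
            connection_string = "./data/server/datastore.sqlite3"
        }
    }
    # x509pop: the agent proves possession of a key whose cert chains to this CA.
    NodeAttestor "x509pop" {
        plugin_data { ca_bundle_path = "./conf/server/agent-cacert.pem" }
    }
    KeyManager "memory" { plugin_data {} }
}
'@ | Set-Content -Path .\conf\server\server.conf -Encoding ascii

# agent.conf: Workload API on a named pipe (the pipe the demo's compose file
# mounts into the containers) plus the two workload attestors the demo uses.
@'
agent {
    data_dir          = "./data/agent"
    log_level         = "INFO"
    server_address    = "127.0.0.1"
    server_port       = "8081"
    trust_domain      = "example.org"
    trust_bundle_path = "./conf/agent/bootstrap-bundle.crt"
    experimental {
        named_pipe_name = "\\spire-agent\\public\\api"
    }
}
plugins {
    NodeAttestor "x509pop" {
        plugin_data {
            private_key_path = "./conf/agent/agent.key.pem"
            certificate_path = "./conf/agent/agent.crt.pem"
        }
    }
    KeyManager "memory" { plugin_data {} }
    WorkloadAttestor "windows" { plugin_data {} }
    WorkloadAttestor "docker"  { plugin_data {} }
}
'@ | Set-Content -Path .\conf\agent\agent.conf -Encoding ascii

Start-Process spire-server -ArgumentList 'run', '-config', '.\conf\server\server.conf'
Start-Sleep -Seconds 3
Start-Process spire-agent -ArgumentList 'run', '-config', '.\conf\agent\agent.conf'
Start-Sleep -Seconds 3

# Parent ID = the agent's own SPIFFE ID as printed in its log after attestation;
# x509pop agents get spiffe://<trust-domain>/spire/agent/x509pop/<cert-fingerprint>.
$parent = 'spiffe://example.org/spire/agent/x509pop/<agent-fingerprint>'

# Entry for the products API running directly on the host: windows attestor.
# TTL of 60 s only so that rotation and expiry are visible during a demo.
spire-server entry create -parentID $parent `
    -spiffeID spiffe://example.org/products-api `
    -selector windows:user_name:Administrator `
    -ttl 60

# Entries for the two Compose services: docker attestor, label plus image ID,
# so renaming the service label (as in the demo) stops the entry from matching.
foreach ($svc in 'web-app', 'customers-api') {
    spire-server entry create -parentID $parent `
        -spiffeID "spiffe://example.org/$svc" `
        -selector "docker:label:com.docker.compose.service:$svc" `
        -selector "docker:image_id:<image-id-of-$svc>" `
        -ttl 60
}
```

Run it from an elevated PowerShell in the demo directory after the x509pop material is in place; `spire-server entry show` afterwards lists the three entries, and the agent log shows the attested SPIFFE ID to substitute for `<agent-fingerprint>`. Because the entries require all listed selectors to match, an edited label reproduces the "permission denied: no identity issued" behaviour shown in the demo.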