~~NOTOC~~
{{wvds:title>Architecture}}
===== System Architecture =====
==== Two-Daemon Architecture ====
The WvdS Crypto Service consists of two independent daemons on L4Re:
<code>
L4Re System
+---------------------------------------------------------------------+
|                                                                     |
|  +------------------+   +------------------+   +--------------+     |
|  |  crypto_service  |   |   est_service    |   | OEM Gateway  |     |
|  |                  |   |                  |   |              |     |
|  | * AES-256-GCM    |   | * EST Protocol   |   | * Your code  |     |
|  | * ML-DSA Sign    |   | * Cert Request   |   | * Sensor data|     |
|  | * ML-KEM KeyGen  |   | * Cert Renewal   |   | * Business   |     |
|  +--------+---------+   +--------+---------+   +------+-------+     |
|           |                      |                   |             |
|           +----------------------+-------------------+             |
|                          Shared Memory IPC                          |
|                                                                     |
+---------------------------------------------------------------------+
</code>
=== crypto_service ===
| Function | Cryptographic operations |
| Protocol | Request/response over shared memory |
| Library | OpenSSL 3.6 with FIPS provider |
The crypto_service performs all cryptographic operations:
  * AES-256-GCM encrypt/decrypt
  * ML-DSA (FIPS 204) sign/verify
  * ML-KEM (FIPS 203) KeyGen/Encaps/Decaps
=== est_service ===
| Function | Certificate management |
| Protocol | EST (Enrollment over Secure Transport) |
| RFC | RFC 7030 |
The est_service handles:
  * Initial certificate request (enrollment)
  * Certificate renewal (re-enrollment)
  * Retrieval of the CA certificates
----
==== Shared Memory Communication ====
Communication between the OEM Gateway and the Crypto Service goes through shared memory; the kernel is involved only for the signal that tells the other side a message is ready:
<code>
OEM Gateway                                crypto_service
     |                                            |
     |  1. Request written to shared memory       |
     +------------------------------------------->|
     |                                            |
     |  2. Signal (IPC)                           |
     +------------------------------------------->|
     |                                            |
     |               3. Processing                |
     |                                            |
     |  4. Response written to shared memory      |
     |<-------------------------------------------+
     |                                            |
     |  5. Signal (IPC)                           |
     |<-------------------------------------------+
</code>
**Advantages:**
  * No kernel involvement in the data transfer itself; the kernel only delivers the IPC signal
  * Zero copy for large payloads
  * Minimal per-request overhead
**Limitations:**
  * Maximum payload: 64 KB
  * Synchronous processing (one request at a time)
Because the region is writable by the gateway task, its contents are untrusted input from the service's point of view: the header and the claimed length have to be validated before any byte of the payload is used.
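The exchange above, worked through in C as an added example. This is not code from the WvdS delivery and does not reproduce its wire format. Taken from the page: the 64 KB payload ceiling and the one-request-at-a-time rule. Assumed for illustration: the header layout (magic, opcode, length, status), the magic value, the opcode and status numbering, and every function name. The service-side routine `shm_take_request` shows the check a practitioner wants here: the header is copied out of the shared region once and every later decision uses that copy, so a concurrent rewrite by the gateway task cannot turn a validated length into an oversize copy (a double fetch).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHM_MAX_PAYLOAD (64u * 1024u)   /* from the page: max payload 64 KB */
#define SHM_MAGIC       0x53447657u     /* assumed marker, not a WvdS constant */
/* Assumed numbering for the operations the page lists. */
enum shm_op { OP_AES256_GCM_ENCRYPT = 1, OP_AES256_GCM_DECRYPT, OP_MLDSA_SIGN,
              OP_MLDSA_VERIFY, OP_MLKEM_KEYGEN, OP_MLKEM_ENCAPS, OP_MLKEM_DECAPS, OP_COUNT };
enum shm_status { ST_OK = 0, ST_BUSY, ST_BAD_MAGIC, ST_BAD_OP, ST_TOO_LARGE };

struct shm_hdr    { uint32_t magic, op, len, status; };            /* len = payload bytes */
struct shm_region { struct shm_hdr hdr; uint8_t payload[SHM_MAX_PAYLOAD]; };
struct gateway_client { struct shm_region *shm; bool in_flight; }; /* gateway-local state */
static struct shm_region demo_region;   /* constructed region: a static buffer, not an L4Re mapping */

/* Step 1 (gateway): write the request; oversize input is refused, never truncated. */
enum shm_status shm_put_request(struct gateway_client *c, uint32_t op,
                                const uint8_t *data, size_t len)
{
    if (c->in_flight) return ST_BUSY;                /* synchronous: one request at a time */
    if (op == 0 || op >= OP_COUNT) return ST_BAD_OP;
    if (len > SHM_MAX_PAYLOAD) return ST_TOO_LARGE;
    memcpy(c->shm->payload, data, len);
    c->shm->hdr = (struct shm_hdr){ SHM_MAGIC, op, (uint32_t)len, ST_OK };
    c->in_flight = true;                             /* step 2, the IPC signal, follows */
    return ST_OK;
}

/* Step 3 (service): snapshot the header and validate only the snapshot; the gateway task
 * can rewrite the region at any moment, so a second read of r->hdr would be a double fetch. */
enum shm_status shm_take_request(const struct shm_region *r, struct shm_hdr *out,
                                 uint8_t *buf, size_t buflen)
{
    struct shm_hdr h; memcpy(&h, &r->hdr, sizeof h);
    if (h.magic != SHM_MAGIC) return ST_BAD_MAGIC;
    if (h.op == 0 || h.op >= OP_COUNT) return ST_BAD_OP;
    if (h.len > SHM_MAX_PAYLOAD || h.len > buflen) return ST_TOO_LARGE;
    memcpy(buf, r->payload, h.len);                  /* private copy; process only this */
    *out = h;
    return ST_OK;
}

/* Step 4 (service): write the response; step 5, the signal back, follows. */
void shm_put_response(struct shm_region *r, enum shm_status st, const uint8_t *data, size_t len)
{
    if (len > SHM_MAX_PAYLOAD) { st = ST_TOO_LARGE; len = 0; }
    if (len) memcpy(r->payload, data, len);
    r->hdr.len = (uint32_t)len;
    r->hdr.status = st;
}

/* Gateway: read the response with the same snapshot discipline and free the slot. */
enum shm_status shm_take_response(struct gateway_client *c, uint8_t *buf, size_t buflen, size_t *outlen)
{
    struct shm_hdr h; memcpy(&h, &c->shm->hdr, sizeof h);
    c->in_flight = false;
    if (h.len > SHM_MAX_PAYLOAD || h.len > buflen) return ST_TOO_LARGE;
    memcpy(buf, c->shm->payload, h.len);
    *outlen = h.len;
    return (enum shm_status)h.status;
}

/* Full round trip; the service side simply echoes the bytes back. Returns 1 on success. */
int demo_roundtrip(void)
{
    static uint8_t reply[SHM_MAX_PAYLOAD], work[SHM_MAX_PAYLOAD];
    struct gateway_client c = { &demo_region, false };
    uint8_t msg[32]; struct shm_hdr h; size_t n = 0;
    memset(msg, 0xA5, sizeof msg);                                      /* constructed input */
    if (shm_put_request(&c, OP_MLDSA_SIGN, msg, sizeof msg) != ST_OK)   return 0;
    if (shm_put_request(&c, OP_MLDSA_SIGN, msg, sizeof msg) != ST_BUSY) return 0;
    if (shm_take_request(&demo_region, &h, work, sizeof work) != ST_OK) return 0;
    shm_put_response(&demo_region, ST_OK, work, h.len);                 /* stand-in for signing */
    if (shm_take_response(&c, reply, sizeof reply, &n) != ST_OK)        return 0;
    return n == sizeof msg && memcmp(reply, msg, n) == 0 && !c.in_flight;
}

/* An oversize request is refused at the gateway before a single byte is copied. */
enum shm_status demo_oversize(void)
{
    static uint8_t big[SHM_MAX_PAYLOAD + 1];
    struct gateway_client c = { &demo_region, false };
    return shm_put_request(&c, OP_AES256_GCM_ENCRYPT, big, sizeof big);
}

/* A header claiming more bytes than the region holds is refused by the service. */
enum shm_status demo_tampered_len(void)
{
    uint8_t work[64]; struct shm_hdr h;
    demo_region.hdr = (struct shm_hdr){ SHM_MAGIC, OP_MLKEM_DECAPS, SHM_MAX_PAYLOAD + 1, 0 };
    return shm_take_request(&demo_region, &h, work, sizeof work);
}

int main(void)
{
    printf("round trip %d, oversize %d, tampered %d (ST_TOO_LARGE = %d)\n",
           demo_roundtrip(), demo_oversize(), demo_tampered_len(), ST_TOO_LARGE);
    return 0;
}
```

In the real system the region would be the shared-memory mapping and the two signal steps would be the L4Re IPC calls, which this example leaves out; the validation order (snapshot, check magic and opcode, check the length against both the 64 KB ceiling and the destination buffer, then copy) is the part that carries over unchanged.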
----
==== Delivery Contents ====
<code>
wvds-crypto-svc-0.2.0-oem-delivery.tar.gz
|
+-- bin/
|   +-- aarch64/
|       +-- wvds_crypto_service          # PREBUILT DAEMON (L4Re task)
|
+-- lib/
|   +-- aarch64/                         # ARM64 target (L4Re)
|   |   +-- libl4re_crypto_service.so    # Crypto Service library
|   |   +-- libcrypto.so.3               # OpenSSL 3.6
|   |   +-- libssl.so.3                  # OpenSSL 3.6
|   |   +-- fips.so                      # FIPS provider
|   |   +-- fipsmodule.cnf               # FIPS configuration
|   +-- x86_64/                          # x86_64 (for local testing)
|       +-- [same files]
|
+-- include/
|   +-- wvds_crypto.h                    # C header for the helper functions
|
+-- certs/                               # Test certificates
|   +-- root_ca.pem / .der
|   +-- service_cert.pem / .der
|   +-- client_cert.pem / .der
|
+-- scripts/
|   +-- extract_certs.py                 # Certificate tool
|
+-- install.sh                           # Installation script
+-- README_OEM.md                        # Quick start
+-- WvdS_KB_OEM.md                       # Knowledge base
</code>
----
==== Key Storage ====
The Crypto Service supports several key storage options:
^ Option ^ Security ^ Configuration ^
| File | Basic | Keys in the file system (encrypted) |
| TPM | High | Keys in a Trusted Platform Module |
| HSM | Highest | Keys in a Hardware Security Module |
Only the TPM and HSM options keep the private keys non-exportable; with File storage the key that encrypts the stored keys must itself be protected. The option is selected in ''config.json'' (see [[.:installation|Installation]]).
----
==== Security Boundaries ====
<code>
+---------------------------------------------------------------+
|                       L4Re Microkernel                        |
+---------------------------------------------------------------+
|      |           |          |           |                     |
|  +---+----+  +---+---+  +---+----+  +---+----+                |
|  | Sigma0 |  |  Moe  |  | Crypto |  |  OEM   |                |
|  | (Root) |  | (Mem) |  | Service|  | Gateway|                |
|  +--------+  +-------+  +--------+  +--------+                |
|                              |           |                     |
|                              +-----------+                     |
|                             Shared Memory                     |
|                           (only these two)                    |
+---------------------------------------------------------------+
</code>
**Isolation:**
  * Each task has its own address space
  * The Crypto Service is reachable only over its defined IPC interface; the shared-memory region is mapped into exactly these two tasks
  * The kernel enforces capability-based access control: a task can only use the IPC channels and memory regions it has been given capabilities for
----
[[.:start|< Back to the overview]]