TQ: Add RackSecretLoader (#8943)

Add the mechanism for loading rack secrets on demand. This is the
primary mechanism to be used by the key manager when deriving storage
encryption keys.

A follow up PR will integrate the `RackSecretLoader` into `Node` and add
support for it to our cluster proptest.

The `RackSecretLoader` follows a polling model and is sans-io like the
rest of the protocol code. When to load and clear secrets will be
controlled by an async wrapper on top of the `Node` api.

Author: andrewjstone

trust-quorum/src/alarm.rs

@@ -6,7 +6,10 @@
 
 use serde::{Deserialize, Serialize};
 
-use crate::{Configuration, Epoch, PlatformId};
+use crate::{
+    Configuration, Epoch, PlatformId,
+    crypto::{DecryptionError, RackSecretReconstructError},
+};
 
 #[allow(clippy::large_enum_variant)]
 #[derive(
@@ -33,4 +36,34 @@ pub enum Alarm {
     /// share digests in the Configuration. However, computation of the share
     /// still failed. This should be impossible.
     ShareComputationFailed { epoch: Epoch, err: gfss::shamir::CombineError },
+
+    /// We started collecting shares for a committed configuration,
+    /// but we no longer have that configuration in our persistent state.
+    CommittedConfigurationLost {
+        latest_committed_epoch: Epoch,
+        collecting_epoch: Epoch,
+    },
+
+    /// Decrypting the encrypted rack secrets failed when presented with a
+    /// `valid` RackSecret.
+    ///
+    /// `Configuration` membership contains the hashes of each valid share. All
+    /// shares utilized to reconstruct the rack secret were validated against
+    /// these hashes, and the rack seceret was reconstructed. However, using
+    /// the rack secret to derive encryption keys and decrypt the secrets from
+    /// old configurations still failed. This should never be possible, and
+    /// therefore we raise an alarm.
+    RackSecretDecryptionFailed { epoch: Epoch, err: DecryptionError },
+
+    /// Reconstructing the rack secret failed when presented with `valid` shares.
+    ///
+    /// `Configuration` membership contains the hashes of each valid share. All
+    /// shares utilized to reconstruct the rack secret were validated against
+    /// these hashes, and yet, the reconstruction still failed. This indicates
+    /// either a bit flip in a share after validation, or, more likely, an
+    /// invalid hash.
+    RackSecretReconstructionFailed {
+        epoch: Epoch,
+        err: RackSecretReconstructError,
+    },
 }

trust-quorum/src/crypto.rs

@@ -114,15 +114,30 @@ impl ExposeSecret<[u8; SECRET_LEN]> for ReconstructedRackSecret {
     }
 }
 
-// Only use this in unit tests in this module
-#[cfg(test)]
 impl Clone for ReconstructedRackSecret {
     fn clone(&self) -> Self {
         self.expose_secret().as_slice().try_into().unwrap()
     }
 }
 
-#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
+#[cfg(test)]
+impl PartialEq for ReconstructedRackSecret {
+    fn eq(&self, other: &Self) -> bool {
+        self.expose_secret().ct_eq(other.expose_secret()).into()
+    }
+}
+
+#[derive(
+    Debug,
+    Clone,
+    PartialEq,
+    Eq,
+    thiserror::Error,
+    PartialOrd,
+    Ord,
+    Serialize,
+    Deserialize,
+)]
 #[error("invalid rack secret size")]
 pub struct InvalidRackSecretSizeError;
 
@@ -168,7 +183,18 @@ impl From<RackSecret> for ReconstructedRackSecret {
     }
 }
 
-#[derive(Debug, Clone, thiserror::Error, PartialEq, Eq, SlogInlineError)]
+#[derive(
+    Debug,
+    Clone,
+    thiserror::Error,
+    PartialEq,
+    Eq,
+    SlogInlineError,
+    PartialOrd,
+    Ord,
+    Serialize,
+    Deserialize,
+)]
 pub enum RackSecretReconstructError {
     #[error("share combine error")]
     Combine(
@@ -274,7 +300,18 @@ pub struct EncryptedRackSecrets {
     data: Box<[u8]>,
 }
 
-#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error, SlogInlineError)]
+#[derive(
+    Debug,
+    Clone,
+    PartialEq,
+    Eq,
+    PartialOrd,
+    Ord,
+    thiserror::Error,
+    SlogInlineError,
+    Serialize,
+    Deserialize,
+)]
 pub enum DecryptionError {
     // An opaque error indicating decryption failed
     #[error("Failed to decrypt rack secrets")]
@@ -363,6 +400,10 @@ impl PlaintextRackSecrets {
         self.secrets.get(&epoch)
     }
 
+    pub fn into_inner(self) -> BTreeMap<Epoch, ReconstructedRackSecret> {
+        self.secrets
+    }
+
     /// Consume the plaintext and return an `EncryptedRackSecrets`
     ///
     /// We are encrypting rack secrets for prior epochs with the latest

trust-quorum/src/lib.rs

@@ -24,6 +24,8 @@ mod messages;
 mod node;
 mod node_ctx;
 mod persistent_state;
+#[allow(unused)]
+mod rack_secret_loader;
 mod validators;
 pub use configuration::Configuration;
 pub use coordinator_state::{