DFC Upgrade

1. Introduction

The DFC upgrade is a procedure to modify the dataflow configuration in a Sharemind HI Server. Many things can be changed, but the most relevant need for this comes from patching security vulnerabilities in task enclaves, which is necessary a handful of times per year. The following can be changed:

  • Add stakeholders or change stakeholder certificates.

  • Add task enclaves or update the fingerprints of task enclaves.

  • Add topics.

  • Modify the Enforcers, Auditors, Runners, Producers and Consumers lists.

Note: stakeholders, tasks and topics cannot be deleted.

Since modifications to the DFC can put existing confidential data at risk, the enforcers need to approve the new DFC (the staging DFC) the same way they approved the initial DFC. The initial DFC is activated in the running Sharemind HI Server as soon as the last approval arrives. For subsequent DFC upgrades the administrator needs to restart the Sharemind HI Server.

2. Administrator View

Performing the DFC Upgrade procedure requires the system administrator to restart the Sharemind HI Server twice, once to load in the new DFC, and once for the approved DFC to become active.

Figure 1. The DFC upgrade procedure from the system administrator perspective.

The coordinator first makes all relevant changes to the dataflow configuration file and sends it to the system administrator. The system administrator replaces the existing dataflow configuration file dfc.yaml (as referenced by the server configuration server.yaml) in the file system and restarts the Sharemind HI Server so that it re-reads the updated dataflow configuration, which becomes the staging dataflow configuration. (Note: future versions of Sharemind HI will be able to re-read the updated dataflow configuration file at runtime without a restart.) Now the enforcers can approve the staging dataflow configuration. Once all approvals have arrived, the system administrator restarts the Sharemind HI Server again to make the staging dataflow configuration the new active dataflow configuration.

Note: The Sharemind HI Server copies all task enclave images that it finds (as configured in server.yaml) into its data directory, using the mrenclave and mrsigner values of the task enclave in the path name. This means that you can replace the old task enclave .so files with new ones (when they need to be updated, e.g. for security patches) while the old ones are still active in some Sharemind HI Server instance.

3. Stakeholder View

For most stakeholders the DFC upgrade procedure is largely invisible and only comes with the slight downtime of restarting the server. Only the stakeholders with the Enforcer role need to interact with the procedure, as they need to examine the new DFC and give their approval.
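The examination an Enforcer performs before signing can be partly automated. The following is an added example, not Sharemind HI code: it diffs a staging DFC against the active one, rejects the upgrade if a stakeholder, task or topic was removed (which section 1 says is not permitted), and lists the certificate, fingerprint and role-list changes that need a human look. The field names (stakeholders/certificate, tasks/mrenclave/mrsigner, topics, top-level role lists) are assumptions for illustration, not the real dfc.yaml layout, and the DFCs are passed as already-parsed dicts.

```python
# Added example, not Sharemind HI code: enforcer-side review of a staging DFC
# against the active one before signing the approval. All field names below
# are assumed for illustration; the real dfc.yaml layout differs. The DFCs
# are passed as already-parsed dicts (e.g. from yaml.safe_load) so the check
# runs offline.

ROLE_LISTS = ("enforcers", "auditors", "runners", "producers", "consumers")


def review_dfc_upgrade(active, staging):
    """Return (ok, findings).

    ok is False when the staging DFC drops a stakeholder, task or topic,
    which the upgrade procedure does not permit. findings lists every
    change an enforcer should inspect before approving.
    """
    findings, ok = [], True
    for kind in ("stakeholders", "tasks", "topics"):
        old, new = active.get(kind, {}), staging.get(kind, {})
        removed = sorted(set(old) - set(new))
        if removed:
            ok = False
            findings.append(f"REJECT: {kind} removed: {removed}")
        for name in sorted(set(new) - set(old)):
            findings.append(f"added {kind}: {name}")
    # Stakeholder certificate replacement (assumed field 'certificate').
    for name, sh in staging.get("stakeholders", {}).items():
        old_sh = active.get("stakeholders", {}).get(name)
        if old_sh and old_sh.get("certificate") != sh.get("certificate"):
            findings.append(f"certificate changed: stakeholder {name}")
    # Task enclave fingerprint update (assumed fields mrenclave/mrsigner).
    for name, task in staging.get("tasks", {}).items():
        old_task = active.get("tasks", {}).get(name)
        for fp in ("mrenclave", "mrsigner"):
            if old_task and old_task.get(fp) != task.get(fp):
                findings.append(f"{fp} changed: task {name} "
                                f"{old_task.get(fp)} -> {task.get(fp)}")
    # Role list membership changes (assumed to be top-level name lists).
    for role in ROLE_LISTS:
        old, new = set(active.get(role, [])), set(staging.get(role, []))
        for who in sorted(new - old):
            findings.append(f"{role}: added {who}")
        for who in sorted(old - new):
            findings.append(f"{role}: removed {who}")
    return ok, findings
```

A non-empty findings list with ok set to True is the normal case for a security patch: the Enforcer sees exactly which mrenclave values changed and nothing else.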

The approval consists of several signatures. One signature is consumed by the core enclave and states that the Enforcer approves the activation of the staging DFC. The other signatures are consumed by the key enclave, which uses them to update the sender and receiver identity information (the universal participant ID, Upid) of the key encryption keys.

Figure 2. The DFC upgrade procedure.

Once all enforcers have approved the new DFC, the Sharemind HI Server can be restarted and the new DFC becomes active.