light-vllm-security 0.0.1__tar.gz

light_vllm_security-0.0.1/LICENSE

@@ -0,0 +1,161 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submitted" means any form of electronic, verbal,
+      or written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of discussing and
+      improving the Work, but excluding communication that is conspicuously
+      marked or otherwise designated in writing by the copyright owner as
+      "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and subsequently
+      incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the
+          attribution notices contained within such NOTICE file, in
+          at least one of the following places: within a NOTICE text
+          file distributed as part of the Derivative Works; within
+          the Source form or documentation, if provided along with the
+          Derivative Works; or, within a display generated by the
+          Derivative Works, if and wherever such third-party notices
+          normally appear. The contents of the NOTICE file are for
+          informational purposes only and do not modify the License.
+          You may add Your own attribution notices within Derivative
+          Works that You distribute, alongside or as an addendum to
+          the NOTICE text from the Work, provided that such additional
+          attribution notices cannot be construed as modifying the License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or reproducing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

light_vllm_security-0.0.1/MANIFEST.in

@@ -0,0 +1,4 @@
+include README.md
+include LICENSE
+include vllm_model_security.pth
+recursive-include vllm/model_security *.py py.typed

light_vllm_security-0.0.1/PKG-INFO

@@ -0,0 +1,222 @@
+Metadata-Version: 2.4
+Name: light-vllm-security
+Version: 0.0.1
+Summary: Model encryption and authorization extension for vLLM
+Author-email: Lightr <lightr@88.com>
+License: Apache-2.0
+Project-URL: Homepage, https://github.com/W-Lightr/light-vllm-security
+Project-URL: Documentation, https://github.com/W-Lightr/light-vllm-security#readme
+Project-URL: Repository, https://github.com/W-Lightr/light-vllm-security
+Project-URL: Issues, https://github.com/yourusername/light-vllm-security/issues
+Keywords: vllm,llm,model-encryption,authorization,security
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Science/Research
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Classifier: Topic :: Security :: Cryptography
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: vllm==0.8.5.post1
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: psutil>=5.9.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0; extra == "dev"
+Requires-Dist: black>=23.0; extra == "dev"
+Requires-Dist: ruff>=0.1.0; extra == "dev"
+Dynamic: license-file
+
+# light-vllm-security
+
+vLLM 模型加密与授权扩展包。为 vLLM 提供模型权重加密、离线授权验证和机器指纹绑定功能。
+
+## 特性
+
+- 🔐 **AES-256-GCM 加密** — 流式加密，支持大模型分片
+- 📜 **RSA 签名授权** — 离线验证，无需联网
+- 🖥️ **机器指纹绑定** — 防止授权文件被复制到其他机器
+- 🤖 **自动检测** — 检测到 `.enc` 文件自动启用加密加载
+- 🔌 **零侵入** — 不修改官方 vllm 源码，通过命名空间包扩展
+
+## 安装
+
+```bash
+# 1. 安装官方 vllm
+pip install vllm==0.8.5.post2
+
+# 2. 安装本扩展包
+pip install light-vllm-security
+```
+
+安装后自动生效，无需任何额外配置。
+
+## 快速开始
+
+### 第一步：生成厂商密钥对（一次性操作）
+
+```bash
+vllm-gen-license --gen-keypair \
+    --private-key vendor_private.pem \
+    --public-key vendor_public.pem
+```
+
+> ⚠️ **保管好 `vendor_private.pem`！** 这是你的签名私钥，泄露后无法撤销已签发的授权。
+
+### 第二步：加密模型
+
+```bash
+# 加密 HuggingFace 格式模型目录
+vllm-encrypt-model \
+    --input ./my_model \
+    --output ./my_model_encrypted
+
+# 加密单个 GGUF 文件
+vllm-encrypt-model \
+    --input ./model.gguf \
+    --output ./model.gguf.enc
+```
+
+加密后目录结构：
+```
+my_model_encrypted/
+├── config.json          # 原样复制
+├── tokenizer.json       # 原样复制
+├── model.safetensors.enc  # 加密的权重文件
+└── .model_key           # 密钥元数据（需妥善保管）
+```
+
+### 第三步：获取客户机器指纹（可选，用于机器绑定）
+
+在客户机器上运行：
+
+```bash
+vllm-get-fingerprint
+```
+
+输出示例：
+```
+Machine Fingerprint: a1b2c3d4e5f6...
+```
+
+### 第四步：生成授权文件
+
+```bash
+# 无机器绑定（测试用）
+vllm-gen-license \
+    --model-dir ./my_model_encrypted \
+    --vendor-key vendor_private.pem \
+    --customer "客户名称" \
+    --policy none \
+    --out customer.lic
+
+# 绑定到特定机器
+vllm-gen-license \
+    --model-dir ./my_model_encrypted \
+    --vendor-key vendor_private.pem \
+    --customer "客户名称" \
+    --fingerprint a1b2c3d4e5f6... \
+    --policy single \
+    --expire 2027-12-31 \
+    --out customer.lic
+```
+
+### 第五步：分发给客户
+
+将以下文件发给客户：
+- `my_model_encrypted/` — 加密模型目录
+- `vendor_public.pem` — 厂商公钥（用于验证授权签名）
+- `customer.lic` — 授权文件
+- `vendor_secret.bin` — 厂商密钥（用于解密 DEK，**通过安全渠道传递**）
+
+### 第六步：客户运行模型
+
+```bash
+# 方式一：环境变量（推荐）
+export VLLM_VENDOR_SECRET=<vendor_secret_hex>
+vllm serve ./my_model_encrypted \
+    --load-format encrypted
+
+# 方式二：命令行参数
+vllm serve ./my_model_encrypted \
+    --load-format encrypted \
+    --model-loader-extra-config '{"vendor_secret": "<hex>", "license_path": "./customer.lic", "vendor_pubkey_path": "./vendor_public.pem"}'
+
+# 方式三：自动检测（模型目录包含 .enc 文件时自动启用）
+export VLLM_VENDOR_SECRET=<vendor_secret_hex>
+vllm serve ./my_model_encrypted
+```
+
+授权文件和公钥默认从模型目录自动发现：
+- `<model_dir>/model.lic` — 授权文件
+- `<model_dir>/vendor_public.pem` — 厂商公钥
+
+## 文件格式
+
+### 加密文件格式（`.enc`）
+
+```
+[Header 32B]
+  magic:     8B  "VLLMENC\x00"
+  version:   1B  0x01
+  algorithm: 1B  0x01 (AES-256-GCM)
+  key_id:   16B  UUID
+  reserved:  6B
+
+[Chunk 1]
+  size:  4B  (little-endian uint32, ciphertext+tag 长度)
+  nonce: 12B
+  data:  N B  (ciphertext + 16B GCM tag)
+
+[Chunk 2] ...
+```
+
+### 授权文件格式（`.lic`）
+
+JSON 格式，包含：
+- `license_id` — 唯一授权 ID
+- `customer` — 客户名称
+- `model_key_id` — 对应模型的密钥 ID
+- `dek_encrypted` — 加密的数据加密密钥
+- `dek_hash` — DEK 完整性校验
+- `issued_at` / `expire_at` — 签发/过期日期
+- `fingerprint_policy` — 机器绑定策略
+- `allowed_fingerprints` — 允许的机器指纹列表
+- `signature` — RSA-PSS 签名
+
+## 安全说明
+
+| 组件 | 安全级别 | 说明 |
+|------|---------|------|
+| 模型权重 | AES-256-GCM | 工业级对称加密 |
+| 授权签名 | RSA-3072 PSS | 防篡改 |
+| DEK 保护 | HKDF + AES-256-GCM | 基于 vendor_secret 派生 |
+| 机器绑定 | SHA-256 指纹 | 防止授权文件复制 |
+
+**重要：** `vendor_secret` 的安全性等同于 `vendor_private.pem`，必须通过安全渠道传递给客户（如加密邮件、密钥管理服务等）。
+
+## 与 vllm 版本兼容性
+
+| light-vllm-security | 兼容 vllm 版本 |
+|--------------------|--------------|
+| 0.1.x              | 0.8.5.post1+ |
+
+## 开发
+
+```bash
+git clone https://github.com/yourusername/light-vllm-security
+cd light-vllm-security
+pip install -e ".[dev]"
+pytest tests/
+```
+
+## 许可证
+
+Apache License 2.0

light_vllm_security-0.0.1/README.md

@@ -0,0 +1,186 @@
+# light-vllm-security
+
+vLLM 模型加密与授权扩展包。为 vLLM 提供模型权重加密、离线授权验证和机器指纹绑定功能。
+
+## 特性
+
+- 🔐 **AES-256-GCM 加密** — 流式加密，支持大模型分片
+- 📜 **RSA 签名授权** — 离线验证，无需联网
+- 🖥️ **机器指纹绑定** — 防止授权文件被复制到其他机器
+- 🤖 **自动检测** — 检测到 `.enc` 文件自动启用加密加载
+- 🔌 **零侵入** — 不修改官方 vllm 源码，通过命名空间包扩展
+
+## 安装
+
+```bash
+# 1. 安装官方 vllm
+pip install vllm==0.8.5.post2
+
+# 2. 安装本扩展包
+pip install light-vllm-security
+```
+
+安装后自动生效，无需任何额外配置。
+
+## 快速开始
+
+### 第一步：生成厂商密钥对（一次性操作）
+
+```bash
+vllm-gen-license --gen-keypair \
+    --private-key vendor_private.pem \
+    --public-key vendor_public.pem
+```
+
+> ⚠️ **保管好 `vendor_private.pem`！** 这是你的签名私钥，泄露后无法撤销已签发的授权。
+
+### 第二步：加密模型
+
+```bash
+# 加密 HuggingFace 格式模型目录
+vllm-encrypt-model \
+    --input ./my_model \
+    --output ./my_model_encrypted
+
+# 加密单个 GGUF 文件
+vllm-encrypt-model \
+    --input ./model.gguf \
+    --output ./model.gguf.enc
+```
+
+加密后目录结构：
+```
+my_model_encrypted/
+├── config.json          # 原样复制
+├── tokenizer.json       # 原样复制
+├── model.safetensors.enc  # 加密的权重文件
+└── .model_key           # 密钥元数据（需妥善保管）
+```
+
+### 第三步：获取客户机器指纹（可选，用于机器绑定）
+
+在客户机器上运行：
+
+```bash
+vllm-get-fingerprint
+```
+
+输出示例：
+```
+Machine Fingerprint: a1b2c3d4e5f6...
+```
+
+### 第四步：生成授权文件
+
+```bash
+# 无机器绑定（测试用）
+vllm-gen-license \
+    --model-dir ./my_model_encrypted \
+    --vendor-key vendor_private.pem \
+    --customer "客户名称" \
+    --policy none \
+    --out customer.lic
+
+# 绑定到特定机器
+vllm-gen-license \
+    --model-dir ./my_model_encrypted \
+    --vendor-key vendor_private.pem \
+    --customer "客户名称" \
+    --fingerprint a1b2c3d4e5f6... \
+    --policy single \
+    --expire 2027-12-31 \
+    --out customer.lic
+```
+
+### 第五步：分发给客户
+
+将以下文件发给客户：
+- `my_model_encrypted/` — 加密模型目录
+- `vendor_public.pem` — 厂商公钥（用于验证授权签名）
+- `customer.lic` — 授权文件
+- `vendor_secret.bin` — 厂商密钥（用于解密 DEK，**通过安全渠道传递**）
+
+### 第六步：客户运行模型
+
+```bash
+# 方式一：环境变量（推荐）
+export VLLM_VENDOR_SECRET=<vendor_secret_hex>
+vllm serve ./my_model_encrypted \
+    --load-format encrypted
+
+# 方式二：命令行参数
+vllm serve ./my_model_encrypted \
+    --load-format encrypted \
+    --model-loader-extra-config '{"vendor_secret": "<hex>", "license_path": "./customer.lic", "vendor_pubkey_path": "./vendor_public.pem"}'
+
+# 方式三：自动检测（模型目录包含 .enc 文件时自动启用）
+export VLLM_VENDOR_SECRET=<vendor_secret_hex>
+vllm serve ./my_model_encrypted
+```
+
+授权文件和公钥默认从模型目录自动发现：
+- `<model_dir>/model.lic` — 授权文件
+- `<model_dir>/vendor_public.pem` — 厂商公钥
+
+## 文件格式
+
+### 加密文件格式（`.enc`）
+
+```
+[Header 32B]
+  magic:     8B  "VLLMENC\x00"
+  version:   1B  0x01
+  algorithm: 1B  0x01 (AES-256-GCM)
+  key_id:   16B  UUID
+  reserved:  6B
+
+[Chunk 1]
+  size:  4B  (little-endian uint32, ciphertext+tag 长度)
+  nonce: 12B
+  data:  N B  (ciphertext + 16B GCM tag)
+
+[Chunk 2] ...
+```
+
+### 授权文件格式（`.lic`）
+
+JSON 格式，包含：
+- `license_id` — 唯一授权 ID
+- `customer` — 客户名称
+- `model_key_id` — 对应模型的密钥 ID
+- `dek_encrypted` — 加密的数据加密密钥
+- `dek_hash` — DEK 完整性校验
+- `issued_at` / `expire_at` — 签发/过期日期
+- `fingerprint_policy` — 机器绑定策略
+- `allowed_fingerprints` — 允许的机器指纹列表
+- `signature` — RSA-PSS 签名
+
+## 安全说明
+
+| 组件 | 安全级别 | 说明 |
+|------|---------|------|
+| 模型权重 | AES-256-GCM | 工业级对称加密 |
+| 授权签名 | RSA-3072 PSS | 防篡改 |
+| DEK 保护 | HKDF + AES-256-GCM | 基于 vendor_secret 派生 |
+| 机器绑定 | SHA-256 指纹 | 防止授权文件复制 |
+
+**重要：** `vendor_secret` 的安全性等同于 `vendor_private.pem`，必须通过安全渠道传递给客户（如加密邮件、密钥管理服务等）。
+
+## 与 vllm 版本兼容性
+
+| light-vllm-security | 兼容 vllm 版本 |
+|--------------------|--------------|
+| 0.1.x              | 0.8.5.post1+ |
+
+## 开发
+
+```bash
+git clone https://github.com/yourusername/light-vllm-security
+cd light-vllm-security
+pip install -e ".[dev]"
+pytest tests/
+```
+
+## 许可证
+
+Apache License 2.0