Fortanix Data Security Manager - DCAP Offline Attestation


1.0 Introduction

Fortanix-Data-Security-Manager (DSM) is built to operate entirely within Intel® Software Guard Extensions (SGX) enclaves, ensuring that users’ cryptographic keys are protected from even highly privileged attacks. To fully leverage the security benefits of SGX, it is essential to verify that Fortanix DSM software is running unmodified within a genuine SGX enclave on trusted hardware.

This article provides instructions for configuring Data Center Attestation Primitives (DCAP) Offline Attestation in Fortanix DSM clusters.

2.0 What is Intel SGX Attestation?

Intel® Software Guard Extensions (SGX) is a CPU technology that lets software developers protect their application’s code and data while it is in use. It does this by allowing applications to launch specially protected execution environments, known as enclaves, whose memory is encrypted and isolated by the processor. Enclaves can protect the application’s data from adversaries who hold root privileges or who can even physically tap the memory bus.

To fully benefit from the security guarantees of SGX, the user must also verify that the application they built is running unmodified inside a genuine enclave. In a clustered environment, each node must likewise share data with another node only after verifying the authenticity of that node’s software and hardware.

The SGX attestation process enables each node in a Fortanix DSM cluster to cryptographically prove the following:

  • The DSM software, as built and signed by Fortanix, is running unaltered inside a genuine Intel® SGX enclave.

  • The underlying hardware is a trusted SGX platform with all required microcode updates applied at boot.

  • All necessary hardware and software configurations for SGX are correctly in place.

3.0 Attestation Events

Attestation is performed when substantial changes are made to a Fortanix DSM cluster. Whenever a valid attestation is required for a node, Fortanix DSM performs DCAP attestation for that node; in offline mode the evidence is verified against the DCAP artifacts stored locally on the node.

Below are the events when this is required:

  • Creation of a new cluster.

  • Addition of a new node to the cluster.

  • Replacing nodes in an existing cluster (for example: replacing failed hardware nodes).

  • Software upgrade. All nodes require attestation.

  • Node reboot post-BIOS changes.

Once the above events pass with valid attestations, no further attestation is sought during the normal software execution or API requests.

4.0 What is Intel DCAP?

Intel® enables attestation of SGX enclaves through Data Center Attestation Primitives (DCAP).

DCAP is a set of libraries and APIs provided by Intel to enable attestation of SGX enclaves without relying on Intel’s IAS (Intel Attestation Service).

DCAP allows relying parties (verifiers) to perform attestation within a data center, using platform-provided evidence.

5.0 What is Offline Attestation?

Intel DCAP Offline Attestation is a method of verifying the trustworthiness of an Intel® SGX system without requiring direct access to Intel’s cloud-based attestation services: the DCAP artifacts needed for verification are downloaded in advance on a host with internet access and stored on each node, so verification itself needs no outbound connectivity. It is commonly used in confidential computing environments where external internet access is restricted.

6.0 Configure DCAP Offline Attestation

Perform the following steps to configure DCAP Offline Attestation on a new Fortanix DSM cluster:

  1. Create a config.yaml file, including the following:

    global:
      rebootEnabled: true
      attestation:
        dcap:
          type: offline
      externalLoadBalancer: true
    sdkms:
      clusterIp: 1.1.1.1

    NOTE

    If your Fortanix DSM version is below 4.36, the dcap key takes the mode as a plain string rather than a mapping. Use the following configuration format for DCAP offline attestation:

    global:
      rebootEnabled: true
      attestation:
        dcap: offline
      externalLoadBalancer: true
    sdkms:
      clusterIp: 1.1.1.1
  2. Run the following command to create a Fortanix DSM cluster:

    sudo sdkms-cluster create --config ./config.yaml --self <NODE_IP>

    This is required only when creating a cluster and is not needed for joining a node.

  3. Run /usr/bin/retrieve-pckid to fetch the PCK ID (pckid) of the current node:

    sudo /usr/bin/retrieve-pckid

    The command prints the pckid and also saves it to /tmp/pckid.csv.

  4. Copy the pckid.csv file from the node to a system that has internet access. This system will be used to download the required DCAP artifacts.

    Next, download the dcap-artifact-retrieval command-line tool, which retrieves the DCAP artifacts. The tool is published on the release page of the Fortanix Rust Enclave Development Platform (rust-sgx) GitHub repository.

    1. Run the following commands to download the tool and verify its SHA256 checksum:

      wget https://github.com/fortanix/rust-sgx/releases/download/dcap-artifact-retrieval_v0.4.2/dcap-artifact-retrieval-x86_64-unknown-linux-gnu.tgz
      echo "4454880107a686ca7f005d73b323160d20906a550197ec9faf1cdf9a8faf135a dcap-artifact-retrieval-x86_64-unknown-linux-gnu.tgz" | sha256sum -c

      NOTE

      The SHA256 checksum is available on the release page linked above.

    2. Run the following commands to extract the tool and ensure it is executable:

      tar -zxvf ./dcap-artifact-retrieval-x86_64-unknown-linux-gnu.tgz
      chmod +x dcap-artifact-retrieval
  5. Run the dcap-artifact-retrieval tool to download the DCAP artifacts for the node. The --output-dir option sets the download location; this example uses /tmp/dcap-artifacts.

    ./dcap-artifact-retrieval --verbose --pckid-file ./pckid.csv --output-dir /tmp/dcap-artifacts

    NOTE

    • Artifacts can be downloaded on a separate Linux host with internet access.

    • The pckid is unique for each node, and therefore the DCAP artifacts are also node-specific. Ensure that the artifacts for each node are copied to the corresponding node and stored under /data/dcap-artifacts.

  6. After confirming that this node’s DCAP artifacts are in /data/dcap-artifacts, run the following command to delete the sdkms pod so that it is recreated and picks up the artifacts, and confirm that the new pod starts without errors:

    sudo kubectl delete pod sdkms-...
  7. Continue with the normal workflow:

    1. For cluster creation: Proceed with the certificate installation steps.

      • get_csrs

      • install_certs

    2. For node join: Run sudo sdkms-cluster node join ...

    For more information, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.

  8. Repeat Steps 3 to 7 for each node to join more nodes to the cluster.
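The following pre-flight check is an added example and is not part of the Fortanix DSM tooling. Before the sdkms pod is deleted in step 6, it parses the config.yaml from step 1 (accepting both the 4.36+ mapping form and the pre-4.36 string form of the dcap key), reports the configured attestation mode, and confirms that the node’s artifact directory exists and is non-empty. The sample configurations are constructed for the example, and the parser handles only the key/nested-mapping subset that config.yaml uses; it is not a general YAML loader.

```python
"""Pre-flight check for a Fortanix DSM node before the sdkms pod is restarted.

Added example, not part of the Fortanix DSM tooling.  It parses config.yaml
(both the 4.36+ mapping form and the pre-4.36 string form of the dcap key),
reports the configured attestation mode, and confirms that the node's DCAP
artifact directory exists and is non-empty.  The parser covers only the
key/nested-mapping subset used by config.yaml; sample configs are constructed.
"""
import os

ARTIFACT_DIR = "/data/dcap-artifacts"        # location used in steps 5 and 6

# DSM 4.36 and later: dcap is a mapping with a "type" key.
CONFIG_NEW = """\
global:
  rebootEnabled: true
  attestation:
    dcap:
      type: offline
  externalLoadBalancer: true
sdkms:
  clusterIp: 1.1.1.1
"""

# DSM below 4.36: dcap is a plain string.
CONFIG_OLD = """\
global:
  rebootEnabled: true
  attestation:
    dcap: offline
  externalLoadBalancer: true
sdkms:
  clusterIp: 1.1.1.1
"""


def _scalar(text):
    """YAML scalar as used in config.yaml: boolean, integer, else string."""
    if text in ("true", "false"):
        return text == "true"
    if text.isdigit():
        return int(text)
    return text.strip("'\"")


def parse_config(text):
    """Parse indentation-based 'key: value' and nested-mapping lines into dicts."""
    root = {}
    stack = [(-1, root)]                        # (indent, mapping) per open level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError("unsupported line in config: %r" % raw)
        while indent <= stack[-1][0]:           # close mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value.strip())
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def dcap_mode(config):
    """DCAP attestation mode ('online'/'offline'), or None if attestation is not configured."""
    dcap = config.get("global", {}).get("attestation", {}).get("dcap")
    if isinstance(dcap, dict):                  # 4.36+ form: dcap: {type: offline}
        return dcap.get("type")
    return dcap                                 # pre-4.36 form: dcap: offline, or None


def offline_readiness(config_text, artifact_dir=ARTIFACT_DIR):
    """List of problems; an empty list means the node is ready for the offline restart."""
    problems = []
    mode = dcap_mode(parse_config(config_text))
    if mode is None:
        problems.append("no attestation mode configured; recreate the cluster with attestation enabled")
    elif mode != "offline":
        problems.append("dcap attestation mode is %r, expected 'offline'" % mode)
    if not os.path.isdir(artifact_dir):
        problems.append("artifact directory %s does not exist" % artifact_dir)
    elif not os.listdir(artifact_dir):
        problems.append("artifact directory %s is empty; copy this node's artifacts first" % artifact_dir)
    return problems


if __name__ == "__main__":
    for name, cfg in (("4.36+", CONFIG_NEW), ("pre-4.36", CONFIG_OLD)):
        print(name, dcap_mode(parse_config(cfg)), offline_readiness(cfg))
```

Run it on the node after step 5 with the real config.yaml contents; an empty list from offline_readiness means the mode is offline and the artifact directory is populated, and the pod can be deleted. Note that an empty directory is reported separately from a missing one, because the two usually have different causes (artifacts never copied versus copied to the wrong path).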

7.0 PPID Verification with DCAP Offline Attestation

NOTE

The Fortanix Attestation Service manages all attestation-related features and validates the appliance’s Platform Provisioning ID (PPID) against the remote attestation PPID defined in the cluster join policy to confirm that the FX3400 appliance was produced by Fortanix.

To verify the authenticity of a Fortanix FX3400 appliance using PPID verification when a connection to the Fortanix Attestation Service is unavailable, perform the following offline PPID verification flow:

  1. The PPID is wrapped in a JSON Web Token (JWT). Download the JWT from https://infra-support.fortanix.com/device-assurance/v1/endorsements/ppid/[ppid-hex] and place it in the DCAP artifacts folder (/data/dcap-artifacts/) on the node. Replace [ppid-hex] with the actual PPID of the appliance in lowercase.

    For example, for the PPID d4be204c8a8399290428d18374a164fd the URL is https://infra-support.fortanix.com/device-assurance/v1/endorsements/ppid/d4be204c8a8399290428d18374a164fd .

    NOTE

    • Contact Fortanix Support to obtain the PPID of your Fortanix DSM node.

    • The downloaded JWT file is saved as <ppid-hex>.jwt, for example d4be204c8a8399290428d18374a164fd.jwt .

  2. Once the JWT is downloaded to the folder, the sdkms-cli automatically checks this location for PPID verification if it cannot connect to the Fortanix Attestation Service.
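The helpers below are an added example and are not Fortanix code. From an appliance PPID they derive the endorsement download URL and the file name that sdkms-cli expects under /data/dcap-artifacts/, normalising the PPID to lowercase hex as required above, and they decode a JWT’s header and claims for inspection. Decoding is not verification: the token’s signature is checked by sdkms-cli against Fortanix’s key, which this example does not have, so the only structural check applied is rejecting an unsigned (alg=none) token. The sample token is constructed for the example, and the claim names it carries are an assumption.

```python
"""Helpers for the offline PPID endorsement flow.

Added example, not Fortanix code.  Derives the endorsement URL and the local
file name for a PPID (lowercase hex, as the endpoint expects) and decodes a
JWT for inspection.  Decoding is not verification: the signature is checked
by sdkms-cli against Fortanix's key, which this example does not have.  The
sample token below is constructed, and its claim names are an assumption.
"""
import base64
import json
import re

ENDORSEMENT_BASE = "https://infra-support.fortanix.com/device-assurance/v1/endorsements/ppid/"
ARTIFACT_DIR = "/data/dcap-artifacts"
PPID_RE = re.compile(r"[0-9a-f]{32}")         # PPID is 128 bits = 32 hex characters


def is_valid_ppid(ppid):
    """True if ppid is 32 hex characters, in either case."""
    return PPID_RE.fullmatch(ppid.strip().lower()) is not None


def normalize_ppid(ppid):
    """Lowercase hex form of the PPID, as the endorsement endpoint expects."""
    if not is_valid_ppid(ppid):
        raise ValueError("PPID must be 32 hex characters, got %r" % ppid)
    return ppid.strip().lower()


def endorsement_url(ppid):
    return ENDORSEMENT_BASE + normalize_ppid(ppid)


def endorsement_path(ppid, artifact_dir=ARTIFACT_DIR):
    """Where sdkms-cli looks for the downloaded token: <artifact_dir>/<ppid-hex>.jwt."""
    return "%s/%s.jwt" % (artifact_dir, normalize_ppid(ppid))


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))   # restore stripped padding


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, claims) without checking the signature.

    Rejects tokens that are not three-part or that claim alg 'none', which
    would carry no signature for sdkms-cli to verify.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token (alg=none) is not an endorsement")
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def constructed_token(header, claims, signature=b"not-a-real-signature"):
    """Build a syntactically valid compact JWS for demonstration only (bogus signature)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


# Constructed sample: the PPID from the article, wrapped with assumed claim names.
SAMPLE_PPID = "D4BE204C8A8399290428D18374A164FD"
SAMPLE_TOKEN = constructed_token(
    {"alg": "ES256", "typ": "JWT"},
    {"iss": "constructed-example", "ppid": normalize_ppid(SAMPLE_PPID)},
)

if __name__ == "__main__":
    print("download:", endorsement_url(SAMPLE_PPID))
    print("save as: ", endorsement_path(SAMPLE_PPID))
    header, claims = decode_jwt_unverified(SAMPLE_TOKEN)
    print("header:  ", header)
    print("claims:  ", claims)
```

A PPID obtained from Fortanix Support in uppercase or with surrounding whitespace is normalised before it is used in either the URL or the file name, so the file lands where sdkms-cli looks for it. The decode helper is for checking what was downloaded; trust in the token still comes only from the signature check performed by sdkms-cli.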

8.0 Frequently Asked Questions

  1. Can I switch from online to offline DCAP attestation on an existing cluster?

    Yes. If the cluster was configured with attestation enabled, it can switch from online to offline mode. In the event of a network outage, the cluster will automatically fall back to offline attestation using the artifacts stored in /data/dcap-artifacts.

  2. Can I enable offline attestation on a cluster that was not configured for attestation?

    No. Offline attestation cannot be enabled on clusters that were initially set up without any attestation mode. In such cases, you must recreate the cluster with attestation enabled in the configuration.


As of August 2025