1.0 Introduction
This article describes the steps to create an application image in the Fortanix Confidential Computing Manager (CCM). The users are provided the ability to quickly and easily navigate the interface to run containerized applications accordingly.
A Fortanix CCM image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).
When an image is first created in Fortanix CCM, it is in an unapproved state. After configurable approval actions are taken, the image is considered approved. When an image is approved, Fortanix CCM knows that enclaves with the associated hash (MRENCLAVE) are trusted instances of the corresponding application, and will issue certs with the application’s domain name(s) to those enclaves.
2.0 Prerequisites
Ensure the following:
For Enclave OS application - the Tag of the Docker image for the application.
For EDP application - the
sigstruct.bin
file which is used to register the enclave with Fortanix CCM.For ACI application - the Tag of the Docker image for the application.
3.0 Create an Image for Enclave OS Applications
Ensure that you have created an Enclave OS application as mentioned in the User's Guide: Add and Edit an Application.
Perform the following steps to create an image for Enclave OS application:
Navigate to the Applications menu item in the CCM UI left navigation panel and select the required Enclave OS application for which you want to configure an application image.
On the following page, click the + ADD IMAGE button to configure the image of the Enclave OS application.
Figure 1: Image tab
In the Image form, do the following:
In the Image Type section, the AWS Nitro Enclaves is selected by default.
In the Input image name section, add the required tag name.
In the Output image name section, add the required tag name and enter the REGISTRY CREDENTIALS. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pushed. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.
If you have added a registry in a particular account as described in the User's Guide: Image Registry, then Use same credential as input image registry check box will be selected by default and the registry names for the output image will be filled automatically for the Add Registry Credentials fields.
If you have not saved any Registry Credentials, then manually enter the registry credentials for the Output image name.
In the Enclave Parameters section,
Memory size - Select the memory size from the drop-down to change the memory size of the Nitro.
CPU count - CPU count is the number of CPUs dedicated to an enclave out of all the CPUs available to the host machine.
NOTE
The Memory size and CPU count can be overridden at runtime with the following environment variables:
MEM_SIZE
CPU_COUNT
File persistence – This check box is selected by default. This feature allows you to save the filesystem changes to an encrypted container mount. It allows the Nitro system to access a managed Security-object in Fortanix DSM to be able to encrypt and decrypt the Linux Unified Key Setup (LUKS) overlay file system. For more details, refer to User’s Guide: AWS Nitro File Persistence.
NOTE
For the File Persistence feature to work, you must configure the app certificate since when a Nitro image runs, it must be configured ahead of time to receive a certificate, which will authorize access to Fortanix DSM to obtain the keys for the Linux Unified Key Setup (LUKS) volume. Without the app certificate, this feature will not work.
Click SAVE to create the image.
Figure 2: Add image
An image approval task is created and added which is visible on the Tasks page. You can approve the task to approve the application image.
For more information on how to approve the application image tasks for the Enclave OS application, refer to the User's Guide: Domain and Application Image Approval.
After it is approved, a green tick will appear in the Approval status column for that image.
Figure 3: Image created and approved
NOTE
The Source Image tag and Output Image tag are optional fields and by default, the tag value is “latest” internally. If the user is entering a different tag value, then it can either be different values or the same. Once an image of an application is created, it will be pushed to the specified location in the Output Image Name of the application.
4.0 Create an Image for EDP Applications
Ensure that you have created an EDP application as mentioned in the User's Guide: Add and Edit an Application.
Perform the following steps to create an image for EDP application:
Navigate to the Applications menu item in the CCM UI left navigation panel and select the required EDP application for which you want to configure an application image.
On the following page, click the + ADD IMAGE button to configure the image of the EDP application.
Figure 4: Images tab
In the Image form, fill in the following details:
Image Version: Enter the version of the image.
Image Type: Select Intel SGX or AWS Nitro Enclaves as the platform.
If you select the Image Type as Intel SGX, you have to add the Sigstruct details. The SIGSTRUCT for an enclave is generated when an application is signed. It is used to register the enclave with Fortanix Confidential Computing Manager.Enclave Configuration SIGSTRUCT: Three options are available to add SIGSTRUCT:
Upload Enclave SIGSTRUCT: To upload an enclave
sigstruct.bin
file, click the UPLOAD button as shown in Figure 6. Here is a sample sigstruct.bin file.
ORPaste Base64-encoded Enclave SIGSTRUCT: You can also paste a Base64-encoded SIGSTRUCT binary in the text box provided.
OREnter Enclave SIGSTRUCT Parameters: Enter the following parameters:
⁃ MRENCLAVE: This is the identity or hash of the enclave.
⁃ MRSIGNER: This is the identity of the signer of the enclave.
⁃ ISVPRODID: This is the numeric product identifier to be assigned to the enclave. Choose a unique value in the range 0-65535 for each application.
⁃ ISVSVN: This is the numeric security version to be assigned to the enclave. Increment this value when a security-relevant change is made to the application.NOTE
The Enclave SIGSTRUCT Parameters section is automatically filled when you either upload a
sigstruct.bin
file or paste a base64 encoded enclave SIGSTRUCT.
If you select the Image Type as AWS Nitro Enclaves, you have to add the Enclave Configuration JSON details which are unique enclave measurements that include a series of Hashes and Platform. The JSON measurements for an enclave are generated when an application is signed. It is used to register the enclave with Fortanix Confidential Computing Manager.
Enclave Configuration JSON: Three options are available to add measurements:
Upload Measurement JSON: To upload an enclave
measurement.json
file, click the UPLOAD button as shown in Figure 7.
ORPaste Measurement JSON: You can also paste the JSON enclave measurements in the text box provided.
OREnter Measurement: Enter the following parameters:
⁃ PCR0: This is the hash of the enclave image file.
⁃ PCR1: This is the hash of the Linux kernel and bootstrap.
⁃ PCR2: This is the Hash of the user application.NOTE
The Enter Measurement section is automatically filled when you either upload a
measurement.json
file or paste the JSON enclave measurements.
Figure 5: Create an EDP application image for Intel SGX platform
Figure 6: Create an EDP application Image for AWS Nitro platform
Click SAVE to create the EDP application image.
An image approval task is created and added which is visible on the Tasks page. You can approve the task to approve the image.
Refer to the User's Guide: Domain and Application Image Approval to approve the application image tasks for the EDP application.After the image is approved, a green tick will appear in the Approval status column for that image.
Figure 7: Image created and approved
5.0 Create Image for ACI Application
Ensure that you have created an ACI application as mentioned in the User's Guide: Add and Edit an Application.
Perform the following steps to create an image for ACI application:
Navigate to the Applications menu item from the CCM UI left navigation panel and select the required ACI application for which you want to configure an application image.
On the following page, click the + ADD IMAGE button to configure the image of the ACI application.
Figure 8: Image tab
On the Add Image form, fill in the following details:
Tag: Enter the tag value of the docker image.
WARNING
If an image of an existing ACI application already has the same tag value as the current ACI application image, then it will give an error. Use a new tag value.
Add Registry Credentials: Enter the REGISTRY CREDENTIALS for the Input image name. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pulled. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.
NOTE
If a registry credential is given, then the image name must have a domain. For example, if the image is from Docker Hub, then the domain prefix is not required. However, if a registry credential is given, then the image name must start with `docker.io/` or similar.
If you have added a registry in a particular account as described in the article User's Guide: Image Registry of Fortanix CCM, then the check box Use saved credentials will be selected by default.
Figure 9: Add saved registry credentials
Advanced Settings: It is recommended to always select the Wait for node registration to begin check box unless the application has special requirements. Selecting this checkbox does not allow the execution, before the Fortanix ACI node agent has retrieved the signed app certificate from the Fortanix CCM backend cluster.
CPU Count: Enter the number of CPU cores. By default, the value is 1.
Memory in GB: Enter the amount of required RAM in GB units. By default, the value is 1.
Click the GENERATE SECURE POLICY button to initiate the build of the JSON Fortifier template, which is used to deploy the confidential ACI container group.
NOTE
The creation of an application image may take up to a few minutes.
An image approval task is created and added which is visible on the Tasks page. You can approve the task to approve the image.
Refer to User's Guide: Domain and Application Image Approval to approve the application image tasks for the ACI application.After the image is approved, a green tick will appear in the Approval status column for that image.
Figure 10: Image created and approved
6.0 Deploy the ACI Application Using Azure Portal
Perform the following steps to deploy the application image to Fortanix ACI either through the Azure Portal or with the Azure CLI:
Navigate to the Applications → Image menu item and select the required image from the list.
Click the POLICY tab to view the JSON Azure Resource Manager (ARM) template encoding of the security policy generated earlier in Section 5.0: Create an Image for ACI Application.
Figure 11: JSON ARM template
Click the DOWNLOAD button to save the ARM template for the deployment procedure.
Refer to User's Guide: Deploying ACI Using Azure Portal to create an image for the EDP application.