Using Fortanix Confidential Computing Manager to Build an Enclave OS Application from Scratch

Introduction

This guide will walk you through creating a simple dockerized python server and then deploy it within a Trusted Execution Environment using Fortanix Enclave OS. The guide offers the options to convert your docker application to an Enclave OS application either using the Fortanix CCM UI or by issuing REST API calls.

Create a Docker Application

Creating a Python Application

Let us start by creating a simple Python server using Flask. Create a file named server.py with the following contents:

from flask import Flask
app = Flask("Hello Flask Server")

@app.route("/")
def hello():
return "Hello Flask"

if __name__ == '__main__':
app.run(host='0.0.0.0', port='9000')

This application is a minimal Flask server that accepts requests on port 9000 and returns a greeting message.

Create a Docker Container

Next, let us create a docker container containing this application and push it to a container registry.

Step 1: Create a dockerfile

Create a file called dockerfile with the following contents:

FROM python:3.7

EXPOSE 9000
RUN pip3 install flask

RUN mkdir /app
COPY server.py /app/
WORKDIR /app

ENTRYPOINT ["python3", "server.py"]

Step 2: Build a docker image

You can now create a docker image by running the following command:

docker build -t fortanix/python-flask:latest .
NOTE
If you want to use your own container registry, replace "fortanix" with the name of your registry.

You can now run the docker container using the following command:

docker run -p 9000:9000 fortanix/python-flask:latest

From another terminal, you can use the following command to send an HTTP request to your newly deployed server:

curl localhost:9000

Step 3: Push the image to a registry

To make this image publicly accessible, you can push it to a public registry as follows:

docker push fortanix/python-flask:latest
NOTE
The above command will fail if you have not used your own registry, but you can skip this step since the image is already pushed and available in the Fortanix public registry. https://hub.docker.com/r/fortanix/python-flask.

Option 1: Build an Enclave OS Application Using the Fortanix CCM UI

In this section of the guide, we will walk through the steps of converting your docker application into an Enclave OS application, that can run securely inside a Trusted Execution Environment, using the Fortanix CCM UI.

Signing in to the Fortanix CCM UI

Go to https://ccm.fortanix.com and use your email address and password to log in.

CCM_5.png

Select an Account

To select an account, click the SELECT ACCOUNT button.

Quickstart17.png
Figure 2: Select an account

Create an Application

To create an application using Fortanix CCM UI, navigate to the Applications tab and click + APPLICATION to create a new application.

EOSExampleNewApp.png
Figure 3: Create an application

To create an application, select Applications from the navigation menu on the left, click +APPLICATION and add the details of the application.

CCMAppNew1a.pngQuickstart4a.png                                                      Figure 4: Configure an application

Create an Image

In the detailed view of the application, click +IMAGES to create an image.

EOSExampleNewImage.png
Figure 5: Create an image

Enter the REGISTRY CREDENTIALS for the Output image name. Registry Credentials are the credentials to access the private docker registry where the image will be pushed. The Input image does not require credentials since it is a public registry. Also, provide the image tag. Click CREATE to proceed.

CCMAppNew17.png
Figure 6: Create an image

Approve Application Build

From the navigation menu select Tasks. To approve the application build, click on the task and then click APPROVE.

Figure 7: View and approve the application build

Option 2: Build an Enclave OS Application Using REST API Calls

In this section of the guide, we will walk through the steps of converting your docker application into an Enclave OS application, that can run securely inside a Trusted Execution Environment, using the Fortanix CCM REST API.

Authenticate to Fortanix CCM

Before you can issue any requests, you first need to authenticate to Fortanix CCM using the following commands:

cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u <username>:<password> -c $cpath -X POST https://ccm.fortanix.com/v1/sys/auth

where <username> and <password> need to be replaced with the email address and password of your Fortanix CCM account.

NOTE
Authentication session tokens are short-lived. If you ever get the response {"message":"Forbidden","code":"FORBIDDEN"} you can run the following command to refresh the session token.
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/refresh

Select an Account using an API Call

Once you have successfully authenticated to Fortanix CCM, you need to select an account. First, you can list all accounts available using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accounts

This command will return a JSON string of the following form:

{"name":"My account","acct_id":"26eaa328-5eb4-41c7-b09b-8a3e0a0f65c7", ...}, ...

To select an account you need to copy the account id of the account you are interested in (the string 26eaa328-5eb4-41c7-b09b-8a3e0a0f65c7 in the example above), let us call it <account_id>, and run:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>

Create an Application using an API Call

Next, to create a new application, create a file called app.json whose contents are shown below. Make sure to replace the output_image_name with your private registry.

{
"name":"Python Flask Server",
"description":"",
"input_image_name":"fortanix/python-flask",
"output_image_name":"fortanix-private/python-flask-sgx",
"isvprodid":1,
"isvsvn":1,
"mem_size":1024,
"threads":10,
"allowed_domains":[],
"advanced_settings":{}
}

Then, create an application using the following API call:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/apps

This will print information about the newly created application including its <app_id>:

{"name":"Python Flask Server","app_id":"cc386097-dcf7-4813-880a-ddacdafb48a2",...}

Create an Image using an API Call

Once the application has been created, you can similarly create an image by following these steps. First, create a file called build.json as shown below. Replace <app_id> with the ID of your newly created application. The <username> and <password> are the credentials of the registry that you want the converted image to be stored at. This was specified above as output_image_name.

{
"app_id":"<app_id>",
"input_docker_version":"latest",
"output_docker_version":"latest",
"outputAuthConfig":{
"username":"<username>",
"password":"<password>"
}
}
NOTE
See the Fortanix CCM Quickstart guide on how to set up registry credentials to avoid including credentials in this file.

Now you can create the image using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-app

This returns the output that shows the <task_id> (f0d815b6-9520-4ce4-b4f4-6a82a718bb7e in this example), among other information:

{"build_name":"fortanix-private/python-flask-sgx:latest","pending_task_id":"f0d815b6-9520-4ce4-b4f4-6a82a718bb7e",...}

Finally, you can approve the image using its <task_id> and the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>

Run the Application

Whether you chose to create your application using the UI or the API option, you should now have converted and whitelisted an application image and can run the application on an SGX compute node. Depending on the node agent attestation type, run the application using one of the following commands:

If the node attestation type is Enhanced Privacy ID (EPID), use the command:

docker run -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ -p 9000:9000 fortanix-private/python-flask-sgx:latest

If the node attestation type is Data Center Attestation Primitives (DCAP), use the command:

docker run -it --device /dev/sgx/enclave:/dev/sgx/enclave -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ -p 9000:9000 fortanix-private/python-flask-sgx:latest

 Where, 

  • 9092 is the default port on which Node Agent listens to.
  • 52.152.206.164 is the IP address of your compute node.
  • fortanix-private/python-flask-sgx:latest is the converted app.
NOTE
Please use your own values for node IP, node agent port (if you changed it), and converted image in the above format. The information in the example above is just a sample.
Was this article helpful?
0 out of 0 found this helpful