Quickstart Guide

Introduction

Fortanix Confidential Computing Manager (CCM) enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing.

This quickstart guide will help you get started with Fortanix CCM. For a detailed user guide refer to https://support.fortanix.com/hc/en-us/sections/360008695591-User-Guide 

Prerequisites: Getting Started Video

  • A private Docker registry to push converted application image(s)
  • An Azure Portal subscription account

Step 1: Signup and Log in to Fortanix Confidential Computing Manager

  1.  Visit https://ccm.fortanix.com and signup.
  2. After your account is approved by the Administrator, log in by entering your email address and password.
      CCM_5.png Figure 1: Logging in

Step 2: Create and Select an Account

  1. Once you log in to your account, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account.
  2. Enter a name for the new account and optionally add a custom logo for the account.
  3. To allow compute nodes to bypass Intel's IAS attestation and successfully enroll regardless of attestation failing, click the check box “This is a test-only deployment”. For more details about Attestation Bypass refer to the user guide Disable Fortanix CCM Attestation.
  4. Click CREATE ACCOUNT to complete the account creation.
      Quickstart19.png Figure 2: Create an account
  5. Once the account is created, click SELECT ACCOUNT to select the newly created account and start enrolling compute nodes and creating applications.
      Quickstart17.png Figure 3: Select an account

Step 3: Add an Application - Example: Flask Server

  1. Navigate to the Applications tab and click + APPLICATION to add an application. In this example, we will add an Enclave OS application running a Python Flask server. Quickstart1.png Figure 4: Create an application
  2. Click the ADD button for the Enclave OS Application.
    NOTE
    This quickstart guide covers adding an Enclave OS application. Please refer to the following link for EDP applications: EDP applications on CCM.
    EOS1.png
                          Figure 5: Add an Enclave OS application
  3. Fill in the relevant details as shown below and click NEXT. You can use Fortanix's public docker registry for the sample app.
    Details:
    Docker Hub: https://hub.docker.com/u/fortanix
    Optional: You can run the original application with the following command:
    sudo docker run fortanix/python-flask
    NOTE
    It is recommended that you use your private docker registry to store the output image.
      Nitro_AddApp.pngNitro_AddApp1.png Nitro_AddApp2.pngNitro_AddApp1.pngNitro_AddApp3.pngFigure 6: Configure an application

For more details on how to configure an Enclave OS application please refer to Adding an Enclave OS application.

Step 4: Create an Image

  1. A Fortanix CCM Image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).
  2. Once you create an Enclave OS application and click NEXT, you will see the Add image page where you have to configure the image of the Enclave OS application. Click the + IMAGES button to create an image. Quickstart5.png Figure 7: Create an image
  3. For the Tag field, use “latest” if you want to use the latest image builds.
  4. Enter the REGISTRY CREDENTIALS for the Output image name. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pushed. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.
    • If you have added these registry credentials through the Settings page, then the check box Use saved credentials will be selected by default and the registry name will be filled automatically for the Add Registry Credentials fields.
        Nitro_CreateEOSImage.png Nitro_CreateEOSImage1.pngFigure 8: Add saved registry credentials
    • If you have not saved any Registry Credentials on the Settings page, then manually enter the registry credentials for the Output image name.
        Nitro_CreateEOSImageNoReg.pngNitro_CreateEOSImageNoReg1.pngFigure 9: Add registry credentials manually
  5. Click CREATE to proceed (Figure 9).
  6. If you selected the Image Type as Intel SGX, enter the following details:
    • ISVPRODID is a numeric product identifier. A user must choose a unique value in the range of 0-65535 for their applications.
    • ISVSVN is a numeric security version to be assigned to the Enclave. This number should be incremented if security relevant change is made to the application.
    • Memory size – Choose the memory size from the drop-down to change the memory size of the enclave.
    • Thread count – Change the thread count to support the application.

      If you selected the Image Type as AWS Nitro, enter the following details:
    • Memory size
    • CPU count – CPU count is the number of CPUs to dedicate to an enclave out of all the CPUs available to the host machine.
  7. On successful completion of the image creation, you will see a notification that the image was successfully created and your application will be listed in the Applications tab.

For more details refer to the URLs below:

Step 5: Application Image Approval

  1. On the Tasks tab, click on the "Build Whitelist for app: Python Application Server" task.
  2. Click APPROVE to whitelist the image created in the step above. Quickstart16a.png Figure 10: Approve the application Image Quickstart15.png Figure 11: Approve the application Image

Step 6: Enroll Compute Node Agent -SGX

  1. Navigate to the Compute Nodes tab and click the + ENROLL NODE button.
  2. Click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself. NitroJoinToken.pngFigure 12: Copy the generated Join Token
  3. Visit https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent to create the Node Agent VM to register the compute node.
     
    NOTE
    Alternatively, you can also download the latest node agent software from Fortanix Node Agent and install it on your own machine.
      Quickstart10.png Figure 13: Create node agent in Azure
  4. Fill in the information as shown below to spin up the node agent on Azure. Paste the Token generated earlier on the "Join Token" field on the Azure portal.
     
    NOTE
    The node agent instance is currently available in (US) East US(UK) South UK, and Central Canada regions only.
    Quickstart11.png Figure 14: Configure the node agent  Quickstart12.png Figure 15: Configuring the node agent 
  5. Once the node agent is created, the compute node will be enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table. Quickstart13.png Figure 16: Node enrolled

For more details on how to enroll compute nodes refer to CCM Compute Nodes

Step 6: Enroll Comput Node Agent - AWS Nitro

For details to set up the environment, refer to User's Guide: Setting up the Environment.

  1. Obtain the join token from Fortanix CCM. To generate your Join Token, please log in to https://ccm.fortanix.com/. In the Infrastructure tab, click +ENROLL NODE on the Compute Nodes page. 
  2. In the ENROLL NODE window, a Join Token will be generated in the text box for "Get a join token to register a compute node". This Join Token is used by the compute node to authenticate itself. NitroJoinToken.pngFigure 17: Copy join token
  3. Click Copy to copy the Join Token (Figure 17).  
  4. Download the Amazon Linux node agent installer.
    <link TBD>
  5. Extract the contents of the package and open the folder.
  6. Open the readme file which contains the steps to enroll the compute node in Fortanix CCM.
  7. To enroll the compute node:
    1. Copy the file installer.sh to your VM.
    2. Run the installer.sh with the join token copied in Step 3 . This will enroll the compute node in Fortanix CCM.
      sudo bash ./installer.sh <join-token>
    3. Once the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table. NitroEnrollNode.pngFigure 18: Node enrolled

Step 7: Run the application image on the enrolled Compute Node

  1. Install docker on the enrolled compute node. To install docker, use the command:
    sudo apt install docker.io
  2. Finally, run this application image on the node by using the following command:
    For this example application, for SGX Platform, the command would be:
    sudo docker run --device /dev/sgx:/dev/sgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ fortanix-private/python-flask-sgx
    Where,
    • 9092 is the default port on which Node Agent listens to.
    • 52.152.206.164 is the node agent Host IP.
    • fortanix-private/python-flask-sgx is the converted app that can be found in the Images tab under the Image Name column in the Images table.
    RunApp.png

    For AWS Nitro Platform, the command would be:
    sudo docker run -it --rm --privileged -v /run/nitro_enclaves:/run/nitro_enclaves -e RUST_LOG=debug -e NODE_AGENT_BASE_URL=http://172.31.14.110:9092/v1/ -p 80:80 -p 443:443 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/em-test-framework-nginx-9913:nitro
    Where,
    • 9092 is the default port on which Node Agent listens to.
    • 172.31.14.110 is the node agent Host IP.
    • em-test-framework-nginx-9913:nitro is the converted app that can be found in the Images tab under the Image Name column in the Images table.
    NOTE
    Please use your own values for node IP, port (if you changed it), and Converted Image in the above format. The information in the example above is just a sample.

Where to go from here

Congratulations, you have just deployed your first confidential computing application using the Fortanix Confidential Computing Manager! To explore more features of Fortanix CCM please visit one of the following guides:

For quick support, please join our Slack community: https://fortanix.com/community
Channel: #enclavemanager

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful