Introduction
A Fortanix Confidential Computing Manager (CCM) Application is a program or service that is being protected with Runtime Encryption. In a microservice architecture, you might create an application in CCM for each of your microservices.
Since the code for an application is typically updated over time, an application definition in CCM is not associated with a particular enclave hash (MRENCLAVE). Instead, an application can be associated with one or more images, each of which represents a specific version of the application. MRENCLAVE values are associated with images.
The application record in CCM defines general characteristics for the application including the domain name(s) assigned to the application and, if the application is using EnclaveOS, the parameters to use when processing the application in the EnclaveOS converter. In the future, CCM will allow defining policies indicating where the application can run and what other applications and data stores it can communicate with.
Prerequisites
- Name of the input docker image of this application from the input registry.
- Output image location.
Steps to Add an Application
You can convert, deploy, and approve your application all at the same time using Fortanix Confidential Computing Manager.
- Sign in to the Fortanix Confidential Computing Manager user interface, click the Applications tab.
- On the Applications page, click + ADD APPLICATION to add a new application.
Figure 1: Add New Application
- There are three types of applications that you can add:
- Add EDP Application
- Add Enclave OS Application
- Add ACI Application
Add Enclave OS Application
Figure 2: Add Enclave OS Application
- In the Enclave OS application form, add a Flask Server Application. Fill in the relevant details as shown below, and click the CREATE button. You can use Fortanix's docker registry for the sample app.
- In the Add application form (Figure 3), fill all the following relevant details:
- Application name: Enter the name of the application.
- Description (optional): Enter the application’s description.
- Input image name: Enter the full path of the current application’s current docker image.
- Output image name: Enter the applicant's converted application name.
- Add Labels: To control which applications are allowed to run on which nodes, we add Labels for applications and nodes in the form of “Key:Value” pairs. Refer to Application and Compute Node Policy Enforcement for more details.
- Suggested Labels: This field will show the top 10 labels that are frequently used by users of an account.
- Add Labels: Enter the Key and Value pair and click the LABEL button to save the label. The newly created label will appear in the Labels Added field. A user can also choose an existing label from the Suggested Labels field.
Example of a “Key:Value” pairs is – “Location:Location_name” where “Location
” is the Key and “Location_name
Location_name” is the Value of the key such as “South UK
”.
- Platform Configuration: Fortanix Confidential Computing Manager allows users to run your confidential computing workloads on the following platforms:
- Intel-SGX (including Azure DC-series VMs, and bare metal in the cloud or on-premises).
- AWS Nitro
- ISVPRODID is a numeric product identifier. You must select a unique value in the range of 0-65535 for their applications.
- Memory size – Select the memory size from the drop down to change the memory size of the enclave.
- Thread count – Change the thread count to support the application.
- Memory size – Select the memory size from the drop down to change the memory size of the enclave.
- CPU count – Enter the number of vCPUs to allocate to the enclave. The number of vCPUs that you can allocate to an enclave depends on the size and configuration of the parent instance. If the parent instance is enabled for multithreading, you must leave at least 2 vCPUs for the parent instance. If multithreading is not enabled, you must leave at least 1 vCPU for the parent instance. For example, if your parent instance has 4 vCPUs and it is enabled for multithreading, you can allocate up to 2 vCPUs to the enclave.
- Certificate Configuration: Add any certificate using the Certificate Configuration section. A converted application can request a certificate from Fortanix Confidential Computing Manager when your application is started. The certificates are signed by the Fortanix Confidential Computing Manager Certificate Authority, which issues certificates only to enclaves presenting a valid attestation.
- Domain – Enter the allowed domain(s) for the application. These are domains that appear in the TLS certificates issued by the Fortanix Confidential Computing Manager. You can add multiple domains separated by a comma.
- Key path – Enter the key path that will be accessible by the application.
- Key type – Select the type of key from the drop down menu that you want to generate.
- Certificate path – Enter the certificate path that will be accessible by the application.
- RSA Key Size – Select the size of the RSA keys in bits from the drop down menu.
- Chain path (optional) – Enter the chain path for the complete certificate chain.
- Edit any Advanced settings that you might want to change.
- Environment variables – Enter any environment variables that will be set at runtime. The variables need to be comma separated values.
- Read/Write directories - Enter comma separated absolute paths of file system directories to allow read/write by the application, without encryption or integrity protection. Use this only if you understand the security implications. For more details refer to the Section: Directory Protection for Enclave OS Applications.
- Java runtime – Select the appropriate Java runtime values. When you select the Java Runtime option for an application, the converted docker image will run with the specified options for the chosen JVM (Java Virtual Machine).
OPENJDK / ORACLE - -XX:CompressedClassSpaceSize=16m -XX:-UsePerfData -XX:ReservedCodeCacheSize=16m -XX:-UseCompiler -XX:+UseSerialGC OPENJ9 / LIBERTY - -Xnojit -Xnoaot -Xdump:none
- CA Cert path – Enter the path to store the Fortanix Confidential Computing Manager CA certificate.
As an optional step, the user can install the CA certificate in the system trust store where all the certificates are stored. The following are the three options given:
- Yes, install and continue image conversion even if the installation fails – select this option if you want to convert the image even after the CA Certificate installation fails.
- Yes, install and fail image conversion if the installation fails – select this option if you want to stop image conversion after the CA Certificate installation fails.
- No, do not install – select this option if you do not want to install the CA Certificate.
Figure 3: Application Details
- Click the CREATE button to configure the image. The application will now be deployed and added to your approval and visible in the APPLICATION tab. You can approve the approval request in the Tasks tab.
Figure 4: Application Created
Figure 5: Add LabelsRefer to User's Guide: Create an Image to create an image for the Enclave OS application.
Enclave OS Directory/Filesystem Protections
Enclave OS (EOS) provides file system integrity protection. There are three possible directory configurations within an Enclave:
- Read-only (integrity protected, not encrypted, not writable) – This is the default configuration.
- Encrypted (integrity protected, encrypted, but initial contents are unencrypted).
- Read-write (unprotected).
For files in read-only directories, if Enclave OS detects that a file has been modified, it will halt the execution of the Enclave. Enclave OS will ensure that the complete root tree (all directors below "
/
") have read-only permission, except for the following directories:/etc
,/run
,/tmp
,/opt/fortanix/enclave-os/app-config/rw/
, since these directories have read-write permissions. Except for/etc
, the other directories are encrypted to prevent potential tampers from outside the Enclave.Let us examine a typical use case:
An enclaved Python Flask application will load
myapp.py
file when the enclave starts up. If this file was in a read-only folder and it was modified outside of the enclave, at run-time when the file is loaded by Flask, Enclave OS will detect the tamper and halt execution. If themyapp.py
file was in the encrypted folder but modified from outside the enclave, it will detect the tamper and halt execution.Edit an Enclave OS Application
You can edit an application after you add it to your list.
- Sign in to Fortanix Confidential Computing Manager, and then navigate to the APPLICATION tab in the Management Console.
- Click the name of the application that you want to edit. A new screen opens where you can review and edit the configuration including certificates and deployed images.
- Click the EDIT APPLICATION button.
Figure 7: Edit Application - Update the configuration that you want to make. Ensure that you understand the way that changing the advanced settings affects your application before you make any changes.
- Click the UPDATE button.
Figure 8: Update Application
Add EDP Application
Figure 9: Add EDP Application
- In the EDP Add application form, fill in the following relevant details:
- Application name: Enter the name of the application.
- Description (optional): Enter the application’s description.
- Add Labels: To control which applications are allowed to run on which nodes, you need to add Labels for applications and nodes in the form of “Key:Value” pairs. Refer to Application and Compute Node Policy Enforcement for more details.
- Suggested Labels – This field will show the top 10 labels that are frequently used by users of an account.
- Add Labels – Enter the Key and Value pair and click the LABEL button to save the label. The newly created label will appear in the Labels Added field. A user can also choose an existing label from the Suggested Labels field.
- Certificate Configuration: Add any certificate using the Certificate Configuration section. The em-app RUST library can be used by EDP apps to obtain a signed CCM Certificate over enclave-generated certificates. You can select to add multiple certificates using the ADD A CERTIFICATE button.
- Domain: Enter the allowed domain(s) for the application. These are domains that appear in the TLS certificates issued by the Fortanix Confidential Computing Manager. You can add multiple domains separated by a comma.
- Type: Enter the type of certificate to obtain for the application.
Figure 10: Add EDP Application Details
- After you configure all the certificates, click the CREATE button to configure the application.
Figure 11: Add Labels - Refer to User's Guide: Create an Image to create an image for the EDP application.
Edit an EDP Application
You can edit an EDP application after you add it to your list.
- Sign in to Fortanix Confidential Computing Manager, and then navigate to the APPLICATION tab in the Fortanix Confidential Computing Manager user interface.
- Click the name of the application that you want to edit. A new screen opens where you can review and edit the configuration including certificates.
Figure 12: Edit EDP Application - Click EDIT APPLICATION.
Figure 13: Edit EDP Application - Update the configuration that you want to make.
- Click the UPDATE button.
Figure 14: Update Application
Add ACI Application
Figure 15: Add ACI Application
- In the ACI Add application form, fill in the following relevant details:
- Application name: Enter the name of the application.
- Description (optional): Enter the application’s description.
- Image name: Enter the full path of the current application’s docker image. Ensure that the Image name does not include any container image tag.
- Certificate Configuration: Add any certificate using the Certificate Configuration section. A converted application can request a certificate from Fortanix CCM when your application is started. The certificates are signed by the Fortanix CCM Certificate Authority, which issues certificates only to enclaves presenting a valid attestation.
- Domain: Enter the allowed domain(s) for the application. These are domains that appear in the TLS certificates issued by the Fortanix Confidential Computing Manager.
- Type: Enter the type of the certificate to obtain for the application.
Figure 16: Add ACI Application
- After you configure the certificate, click the CREATE button to configure the application.
Refer to User's Guide: Create an Image to create an image for the ACI application.
Edit an ACI Application
You can edit an ACI application after you add it to your list.
- Sign in to Fortanix Confidential Computing Manager, and then navigate to the APPLICATION tab in the Fortanix Confidential Computing Manager UI.
- Click the name of the application that you want to edit. A new screen opens where you can review and edit the configuration including certificates.
Figure 17: View ACI Application - Click EDIT APPLICATION.
Figure 18: Edit ACI Application - Update the configuration that you want to make.
- Click the UPDATE button.
Figure 19: Update Application
Setting Environment Variables for your Application
Many applications can be configured by using environment variables such as a container image, a Kubernetes pod specification, or a container entrypoint script. The
{site.data.keyword.datashield_short}
conversion process transfers any environment variables that are specified by the input container image to a configuration file in the output container, where they are covered by the enclave signature. This freezes the values of the environment variables at conversion time. If variables are supplied after the conversion takes place, they are not seen by the application. Since the variables are not seen, your application is not protected from any maliciously set environment variables at runtime.By default, the only environment variable passed to the binaries in library OSes is
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. If the host environment variables specifies aHOSTNAME
then it is also included in the list of default environment variables.Syntax 1:
loader.env.[ENVIRON]=[VALUE]
This syntax specifies the environment variable value that is customized for the enclaves. This syntax can be used multiple times to specify more than one environment variable.
The list of environment variables passed to the binaries in enclaves will include a merged list of default environment variables and environment variables specified with this syntax. If there are any conflicting variables, the default environment variable will be overwritten.
Syntax 2:
loader.env.allow_all_env.all = 1
This syntax passes all the host environment variables to the binaries in the enclaves.
The list of environment variables passed to the binaries in enclaves will include a merged list of host environment variables and variables specified with syntax 1. If there are any conflicting variables, the host environment variables will be overwritten with the value specified by syntax 1. For example, if the manifest specifies
loader.env.X = Z
and the host specifiesX=Y
then the value ofX=Z
.Syntax 3:
loader.env.allow_some_env.[ENVIRON] = 1
This syntax specifies the environment variable that will be passed from the host environment variable to the binaries in the enclaves. This syntax can be used multiple times to specify more than one environment variable.
The list of environment variables passed to the binaries in enclaves will include a merged list of a subset of host environment variables as specified by Syntax 3 and variables specified with Syntax 1. If there are any conflicting variables, the host environment variables will be overwritten with the value specified by Syntax 1. For example, if the manifest specifies
loader.env.X = Z
and the host specifiesX=Y
then the value ofX=Z
.
Comments
Please sign in to leave a comment.