See more

User's Guide: Create an Image

  • Last updated:
  • access_time Reading time:

Introduction

A Fortanix Confidential Computing Manager (CCM) image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).

When an image is first created in Fortanix CCM, it is in an unapproved state. After configurable approval actions are taken, the image is considered approved. When an image is approved, Fortanix CCM knows that enclaves with the associated hash (MRENCLAVE) are trusted instances of the corresponding application, and will issue certs with the application’s domain name(s) to those enclaves.

Prerequisites

  • For Enclave OS application - the Tag of the Docker image for the application.
  • For EDP application - The sigstruct.bin file which is used to register the enclave with Fortanix CCM.

Create an Image for Enclave OS Applications

  1. Once you create an Enclave OS application and click NEXT, you will see the Add image page where you have to configure the image of the Enclave OS application as shown in Figure 2 below. You can also configure an application image from the detailed view of an application (Figure 1) using the +IMAGES button. CCM_22.png                                                            Figure 1: Image tab  
     
  2. In the Add image form, enter the image Tag which is the tag value of the Docker image.
  3. Enter the REGISTRY CREDENTIALS for Input image name and Output image name. The Registry Credentials are the credentials to access the private docker registry from which an image is going to be pulled or pushed.
    • If you have added a registry in a particular account using the Settings page as described in the article User's Guide: Image Registry of Fortanix CCM, then the check box Use saved credentials will be selected by default and the registry names for input image and output image will be filled automatically for the Add Registry Credentials fields.
        CCM_23.png                                                            Figure 2: Add saved registry credentials  
       
    • If you have not saved any Registry Credentials in the Settings page of Fortanix CCM, then manually enter the registry credentials for the Input image name and Output image name. If the private docker registry is the same for the input image and the output image, then select the check box Use same credential as input image registry in the Output image name.
        CCM_24a.png                                                            Figure 3: Add registry credentials manually
       
  4. Click CREATE to create the image (Figure 2).                                                               
  5. An image approval task is created and added which is visible on the Tasks page. You can approve the task to approve the image. Once approved, a green tick would appear in the Approval status column for that image.
      CCM_36.png                                                         Figure 4: Image created and approved                                         
     
    NOTE
    The Source Image tag and Output Image tag is the same. Once an image of an application is created, it will be pushed to the specified location in the Output Image Name of the application.

Create an Image for EDP Applications

  1. Once you create an EDP application and click NEXT, you will see the Add image page where you have to configure the image of the EDP application as shown in Figure 6 below. You can also configure an application image from the detailed view of an application (Figure 5) using the +IMAGES button. CCM_35.png
                                                                         Figure 5: Images tab
     
  2. In the Add image form, enter the Image Version.
  3. Next, you have to add the Sigstruct details. The SIGSTRUCT for an enclave is generated when an application is signed. It is used to register the enclave with Fortanix CCM. In the Enclave Configuration SIGSTRUCT section, you will see three options to add SIGSTRUCT:
     
    1. Upload Enclave SIGSTRUCT: To upload an enclave sigstruct.bin file, click the UPLOAD button as shown in Figure 6. Here is a sample sigstruct.bin file.
                                                            OR
    2. Paste Base64-encoded Enclave SIGSTRUCT: You can also paste a Base64-encoded SIGSTRUCT binary in the text box provided.
                                                            OR
    3. Enter Enclave SIGSTRUCT Parameters: Enter the following parameters:
      • MRENCLAVE: This is the identity or hash of the enclave.
      • MRSIGNER: This is the identity of the signer of the enclave.
      • ISVPRODID: This is the numeric product identifier to be assigned to the enclave. Choose a unique value in the range 0-65535 for each application.
      • ISVSVN: This is the numeric security version to be assigned to the enclave. Increment this value when a security-relevant change is made to the application.
         
        NOTE
        The Enclave SIGSTRUCT Parameters section is automatically filled when you either upload a sigstruct.bin file or paste a base64 encoded enclave SIGSTRUCT.

          CCM_32.pngCCM_33.png
                                                               Figure 6: Create an EDP Application Image                                  
         
  4. Click CREATE to create the EDP application image.                                  
  5. An image approval task is created and added which is visible on the Tasks page. You can approve the task to approve the image. Once approved, a green tick would appear in the Approval status column for that image.
                                                         CCM_34.png
                                                               Figure 7: Image created and approved