Introduction
A Fortanix Confidential Computing Manager (CCM) image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).
When an image is first created in Fortanix Confidential Computing Manager, it is in an unapproved state. After the configured approval actions are taken, the image is considered approved. Once an image is approved, Fortanix CCM treats enclaves with the associated hash (MRENCLAVE) as trusted instances of the corresponding application and issues certificates with the application's domain name(s) to those enclaves.
Prerequisites
- For Enclave OS application - the Tag of the Docker image for the application.
- For EDP application - the sigstruct.bin file which is used to register the enclave with Fortanix CCM.
- For ACI application - the Tag of the Docker image for the application.
Create an Image for Enclave OS Applications
- After you create an Enclave OS application, navigate to Applications tab, and select the required Enclave OS application for which you want to configure an application image.
- On the following page, click the + IMAGE button to configure the image of the Enclave OS application.
Figure 1: Image Tab
- In the Add image form, select the Image Type as Intel SGX or AWS Nitro Enclaves depending on the platform used.
- Enter the REGISTRY CREDENTIALS for the Output image name. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pulled. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.
- If you have added a registry in a particular account as described in the article User's Guide: Image Registry, then the check box Use saved credentials will be selected by default and the registry names for the output image will be filled automatically for the Add Registry Credentials fields.
Figure 2: Add Saved Registry Credentials
- If you have not saved any Registry Credentials, then manually enter the registry credentials for the Output image name.
- Enter the image Tag which is the tag value of the Docker image.
- If you selected the Image Type as Intel SGX, enter the following details:
- ISVPRODID is a numeric product identifier. A user must choose a unique value in the range of 0-65535 for their applications.
- ISVSVN is a numeric security version to be assigned to the Enclave. This number should be incremented if security-relevant change is made to the application.
- Memory size – Select the memory size from the drop-down to change the memory size of the enclave.
- Thread count – Change the thread count to support the application.
- CPU count - CPU count is the number of CPUs dedicated to an enclave out of all the CPUs available to the host machine.
- Click CREATE to create the image (Figure 2).
- An image approval task is created and shown on the Tasks page. Approve the task to approve the image.
Refer to User's Guide: Domain and Application Image Approval to approve the application image tasks for the Enclave OS application.
- After it is approved, a green tick appears in the Approval status column for that image.
Figure 3: Image created and approved
SGX1 and SGX2 Application Support
When an application is converted, the converter app signs the application for both SGX1 and SGX2 hardware. The converted application therefore carries both an SGX1 and an SGX2 signature, and the signature matching the available hardware is used at run time.
The converted container will have two different MRENCLAVE values corresponding to SGX1 and SGX2 respectively. This allows you to run the same converted container on both SGX1 and SGX2 hardware.
On the hardware that supports dynamically adding pages to an enclave, pages for unallocated memory are not included in the initial enclave image, so the enclave can start faster. On hardware without that support, the initial enclave image includes zeroed pages for unallocated memory.
To view the MRENCLAVE values in the Fortanix CCM UI:
- Go to the detailed view of an image, and select the ENCLAVE tab.
- Notice the MRENCLAVE (SGX1) and MRENCLAVE (SGX2) fields under the MRENCLAVE Values section.
Figure 4: MRENCLAVE Values
Create an Image for EDP Applications
- After you create an EDP application, navigate to Applications tab and select the required EDP application for which you want to configure an application image.
- On the following page, click the + IMAGE button to configure the image of the EDP application.
Figure 5: Images tab
- In the Add image form, fill in the following details:
- Image Version: Enter the version of the image.
- Image Type: Select Intel SGX or AWS Nitro Enclaves as the platform.
If you select the Image Type as Intel SGX, you have to add the SIGSTRUCT details. The SIGSTRUCT for an enclave is generated when the application is signed. It is used to register the enclave with Fortanix Confidential Computing Manager.
- Enclave Configuration SIGSTRUCT: In this section you will see three options to add the SIGSTRUCT:
- Upload Enclave SIGSTRUCT: To upload an enclave sigstruct.bin file, click the UPLOAD button as shown in Figure 6. Here is a sample sigstruct.bin file.
OR
- Paste Base64-encoded Enclave SIGSTRUCT: You can also paste a Base64-encoded SIGSTRUCT binary in the text box provided.
OR
- Enter Enclave SIGSTRUCT Parameters: Enter the following parameters:
⁃ MRENCLAVE: This is the identity or hash of the enclave.
⁃ MRSIGNER: This is the identity of the signer of the enclave.
⁃ ISVPRODID: This is the numeric product identifier to be assigned to the enclave. Choose a unique value in the range 0-65535 for each application.
⁃ ISVSVN: This is the numeric security version to be assigned to the enclave. Increment this value when a security-relevant change is made to the application.
- Enclave Configuration JSON: If you selected AWS Nitro Enclaves, there are three options to add the enclave measurements:
- Upload Measurement JSON: To upload an enclave measurement.json file, click the UPLOAD button as shown in Figure 7.
OR
- Paste Measurement JSON: You can also paste the JSON enclave measurements in the text box provided.
OR
- Enter Measurement: Enter the following parameters:
⁃ PCR0: This is the hash of the enclave image file.
⁃ PCR1: This is the hash of the Linux kernel and bootstrap.
⁃ PCR2: This is the hash of the user application.
Figure 6: Create an EDP Application Image for Intel SGX platform
Figure 7: Create an EDP Application Image for AWS Nitro Platform
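The three SIGSTRUCT inputs above (an uploaded sigstruct.bin, the same bytes as Base64 text, or the four parameters typed by hand) and the Nitro measurement JSON all describe one enclave identity. The following Python script is an added example, not Fortanix code: it recovers MRENCLAVE, MRSIGNER, ISVPRODID and ISVSVN from a SIGSTRUCT using the field offsets published in the Intel SDM, checks that the SGX1 and SGX2 SIGSTRUCTs of one converted application agree on signer, product ID and SVN, and validates a Nitro measurement.json. The SIGSTRUCT blobs and PCR values are constructed and unsigned; the script does not verify the RSA signature inside the SIGSTRUCT, so it is a pre-check for filling in the form, not a replacement for the verification Fortanix CCM performs. The measurement.json layout (a "Measurements" object holding PCR0..PCR2, as nitro-cli writes it) is an assumption, and a flat object with the same keys is accepted as well.

```python
"""Added example (not Fortanix code): derive the Add image form parameters from a
SIGSTRUCT (raw or Base64) and validate a Nitro measurement.json.
Offsets follow the Intel SDM SIGSTRUCT layout; all sample data is constructed."""
import base64
import hashlib
import json
import struct

SIGSTRUCT_SIZE = 1808
# Fixed header values every SIGSTRUCT carries (Intel SDM, SIGSTRUCT table).
HEADER = bytes.fromhex("06000000E10000000000010000000000")
HEADER2 = bytes.fromhex("01010000600000006000000001000000")
MODULUS = (128, 384)      # RSA-3072 modulus, little-endian as stored
ENCLAVEHASH = (960, 32)   # MRENCLAVE
ISVPRODID_OFF = 1024      # two-byte product id, followed by two-byte ISVSVN
PCR_HEX_LEN = 96          # Nitro PCRs are SHA-384 digests: 48 bytes, 96 hex chars


def parse_sigstruct(data):
    """Return MRENCLAVE, MRSIGNER, ISVPRODID and ISVSVN from bytes or a Base64 str."""
    if isinstance(data, str):
        data = base64.b64decode(data, validate=True)
    if len(data) != SIGSTRUCT_SIZE:
        raise ValueError(f"SIGSTRUCT must be {SIGSTRUCT_SIZE} bytes, got {len(data)}")
    if data[0:16] != HEADER or data[24:40] != HEADER2:
        raise ValueError("not a SIGSTRUCT: header magic mismatch")
    modulus = data[MODULUS[0]:MODULUS[0] + MODULUS[1]]
    # MRSIGNER is SHA-256 over the modulus exactly as stored (little-endian),
    # which is how the SGX hardware derives it.
    prodid, svn = struct.unpack("<HH", data[ISVPRODID_OFF:ISVPRODID_OFF + 4])
    return {
        "mrenclave": data[ENCLAVEHASH[0]:ENCLAVEHASH[0] + ENCLAVEHASH[1]].hex(),
        "mrsigner": hashlib.sha256(modulus).hexdigest(),
        "isvprodid": prodid,
        "isvsvn": svn,
    }


def trusted_mrenclaves(sigstructs):
    """MRENCLAVE set for one approved image. A converted container carries two
    SIGSTRUCTs (SGX1 and SGX2); both must share MRSIGNER, ISVPRODID and ISVSVN."""
    ids = [parse_sigstruct(s) for s in sigstructs]
    common = {(i["mrsigner"], i["isvprodid"], i["isvsvn"]) for i in ids}
    if len(common) != 1:
        raise ValueError("SIGSTRUCTs do not belong to the same signed application")
    return {i["mrenclave"] for i in ids}


def parse_measurement_json(text):
    """Validate a Nitro measurement.json and return PCR0..PCR2 as lowercase hex."""
    doc = json.loads(text)
    pcrs = doc.get("Measurements", doc)  # nitro-cli nests PCRs under "Measurements"
    out = {}
    for name in ("PCR0", "PCR1", "PCR2"):
        value = pcrs.get(name)
        if not isinstance(value, str) or len(value) != PCR_HEX_LEN:
            raise ValueError(f"{name} missing or not a {PCR_HEX_LEN}-hex-char SHA-384")
        bytes.fromhex(value)  # raises ValueError on non-hex characters
        out[name] = value.lower()
    return out


def make_sample_sigstruct(key_seed, enclave_hash, prodid, svn):
    """Constructed, unsigned SIGSTRUCT for demonstration (not a real enclave)."""
    buf = bytearray(SIGSTRUCT_SIZE)
    buf[0:16] = HEADER
    buf[24:40] = HEADER2
    buf[128:512] = hashlib.sha384(key_seed).digest() * 8  # 384 bytes of filler modulus
    buf[960:992] = enclave_hash
    buf[ISVPRODID_OFF:ISVPRODID_OFF + 4] = struct.pack("<HH", prodid, svn)
    return bytes(buf)


if __name__ == "__main__":
    sgx1 = make_sample_sigstruct(b"vendor-key", b"\x11" * 32, 7, 2)
    sgx2 = make_sample_sigstruct(b"vendor-key", b"\x22" * 32, 7, 2)
    print(parse_sigstruct(base64.b64encode(sgx1).decode()))  # Base64 paste path
    print(trusted_mrenclaves([sgx1, sgx2]))
    sample_json = json.dumps({"Measurements": {"HashAlgorithm": "Sha384 { ... }",
                              "PCR0": "ab" * 48, "PCR1": "cd" * 48, "PCR2": "ef" * 48}})
    print(parse_measurement_json(sample_json))
```

Running the script with a real sigstruct.bin in place of the constructed blob prints exactly the four values the Enter Enclave SIGSTRUCT Parameters option asks for, which makes it easy to confirm that a pasted Base64 string and an uploaded file describe the same enclave before the approval task is created.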
- Click CREATE to create the EDP application image.
- An image approval task is created and shown on the Tasks page. Approve the task to approve the image.
Refer to User's Guide: Domain and Application Image Approval to approve the application image tasks for the EDP application.
- After the image is approved, a green tick appears in the Approval status column for that image.
Figure 8: Image Created and Approved
Create Image for ACI Application
- After you create an ACI application, navigate to Applications tab and select the required ACI application for which you want to configure an application image.
- On the following page, click the + IMAGE button to configure the image of the ACI application.
Figure 9: Image Tab
- On the Add Image form, fill in the following details:
- Tag: Enter the tag value of the docker image.
- Add Registry Credentials: Enter the REGISTRY CREDENTIALS for the Input image name. Here, the registry credentials are the credentials needed to access the private docker registry where the image will be pushed. Since the input image is stored in a public registry, there is no need to provide credentials for the input image.
- If you have added a registry in a particular account as described in the article User's Guide: Image Registry of Fortanix CCM, then the check box Use saved credentials will be selected by default.
Figure 10: Add Saved Registry Credentials
- Advanced Settings: It is recommended to always select the Wait for node registration to begin check box unless the application has special requirements. Selecting this check box prevents the application from executing before the Fortanix ACI node agent has retrieved the signed application certificate from the Fortanix CCM backend cluster.
- CPU Count: Enter the number of CPU cores. By default, the value is 1.
- Memory in GB: Enter the amount of required RAM in GB units. By default, the value is 1.
- Click the GENERATE SECURE POLICY button to initiate the build of the JSON Fortifier template, which is used to deploy the confidential ACI container group.
- An image approval task is created and shown on the Tasks page. Approve the task to approve the image.
Refer to User's Guide: Domain and Application Image Approval to approve the application image tasks for the ACI application.
- After the image is approved, a green tick appears in the Approval status column for that image.
Figure 11: Image Created and Approved
Deploy the ACI application Using Azure Portal
You can deploy the application image to Fortanix ACI either through the Azure Portal or with the Azure CLI.
- Navigate to Applications > Image tab and select the required image from the list.
- Next, click the POLICY tab to view the JSON Azure Resource Manager (ARM) template that encodes the security policy generated earlier in Section: Create an Image for ACI Application.
Figure 12: JSON ARM Template
- Click the DOWNLOAD button to save the ARM template for the deployment procedure.
Refer to User's Guide: Deploying ACI Using Azure Portal for the deployment steps.