Using Fortanix Confidential Computing Manager to run an Enclave OS pre-trained Object Detection TensorFlow Model

Introduction

In this example, we demonstrate a TensorFlow (TF) model running inside an enclave using Fortanix Confidential Computing Manager (CCM). For demonstration purposes, we take the object detection model from this URL. This is a pre-trained TF model capable of classifying basic objects in an image, such as cat, dog, table, person, chair, kite, and so on.

Authenticate to Fortanix CCM

Before you can issue any requests, you first need to authenticate to Fortanix CCM using the following commands:

cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u <username>:<password> -c $cpath -X POST https://ccm.fortanix.com/v1/sys/auth

where <username> and <password> need to be replaced with the email address and password of your Fortanix CCM account.

NOTE
If your token expires, you can refresh it by running:
curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/auth/refresh

Select an Account Using an API Call

Once you have successfully authenticated to Fortanix CCM, you need to select an account. First, you can list all accounts available using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accounts

This command will return a JSON string of the following form:

{"name":"My account","acct_id":"26eaa328-5eb4-41c7-b09b-8a3e0a0f65c7", ...}, ...

To select an account you need to copy the account id of the account you are interested in (the string 26eaa328-5eb4-41c7-b09b-8a3e0a0f65c7 in the example above), let us call it <account_id>, and run:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>

Create an Application

Create a TF Object Detection Model application using the configuration provided in the app.json file below.

NOTE
fortanix/tensorflow-serving:1.9.0-faster_rcnn_resnet_serving-sgx is the converted Enclave OS image, which can be run directly on the enrolled node.

{
    "name": "Object Detection TF Model",
    "description": "Faster Rcnn Resnet Object Detection Model",
    "input_image_name": "fortanix/tensorflow-serving",
    "output_image_name": "<repository_path_where_output_image_will_be_stored>",
    "isvprodid": 1,
    "isvsvn": 1,
    "mem_size": 4096,
    "threads": 128
}

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/apps

Create an Image Using an API Call

Once the application has been created, you can similarly create an image by following these steps.

  • First, create a file called build.json as shown below.
  • Replace <app_id> with the ID of your newly created application.
  • The <username> and <password> are the credentials of the registry where you want the converted image to be stored. This was specified above as output_image_name.

{
    "app_id": "<app_id>",
    "input_docker_version": "latest",
    "output_docker_version": "sgx",
    "outputAuthConfig": {
        "username": "<username>",
        "password": "<password>"
    }
}

NOTE
See the Fortanix CCM Quickstart guide on how to set up registry credentials to avoid including credentials in this file.

Now you can create the image using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-app

Approve Task

The convert-app request above returns output that includes the <task_id> as the pending_task_id field (f0d815b6-9520-4ce4-b4f4-6a82a718bb7e in this example), among other information:

{"build_name":"fortanix-private/python-flask-sgx:latest","pending_task_id":"f0d815b6-9520-4ce4-b4f4-6a82a718bb7e",...}

Finally, you can approve the image using the <task_id> of the image and the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>
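
Approval is the step that whitelists the converted image, so it is worth confirming that the convert-app response names the build you requested and that pending_task_id is a well-formed UUID before placing it in the request path. The script below is an added example, not Fortanix code: the function names are hypothetical, and it assumes the flat response shape shown above and that build_name is the output image name with its tag.

```shell
#!/bin/sh
# Added example (not Fortanix code): gate the "Approve Task" call on the
# convert-app response. Function names are hypothetical.
CCM_URL="https://ccm.fortanix.com/v1"   # base URL used on this page

# Print the value of the first occurrence of a string field read from stdin.
# Adequate for the flat response shown on this page; use a real JSON parser
# for nested objects or values containing escaped quotes.
json_field() {
    grep -oE "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" | head -n 1 |
        sed -E 's/^.*:[[:space:]]*"([^"]*)"$/\1/'
}

# Succeed only for a lowercase 8-4-4-4-12 hexadecimal UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -qE '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the pending task id only if the response names the expected build
# and the id is a well-formed UUID; otherwise fail without printing it.
# usage: task_to_approve <expected_build_name> <response_json>
task_to_approve() {
    build=$(printf '%s' "$2" | json_field build_name)
    task=$(printf '%s' "$2" | json_field pending_task_id)
    [ "$build" = "$1" ] || { echo "unexpected build_name: $build" >&2; return 1; }
    is_uuid "$task" || { echo "pending_task_id is not a UUID" >&2; return 1; }
    printf '%s\n' "$task"
}

# PATCH the task to APPROVED, as in the command above.
# usage: approve_task <cookie_jar_path> <task_id>
approve_task() {
    curl -sS --fail -b "$1" -c "$1" -H "X-CSRF-Header:true" \
        -H "Content-Type: application/json" -d '{"status":"APPROVED"}' \
        -X PATCH "$CCM_URL/tasks/$2"
}

# Constructed sample: the response fields shown on this page, as valid JSON.
SAMPLE='{"build_name":"fortanix-private/python-flask-sgx:latest","pending_task_id":"f0d815b6-9520-4ce4-b4f4-6a82a718bb7e"}'

# Typical use (network call, so it is left as a comment):
#   id=$(task_to_approve "<expected_build_name>" "$response") &&
#       approve_task "$cpath" "$id"
```
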

Run the Application

Whether you chose to create your application using the UI or the API option, you should now have converted and whitelisted an application image and can run the application on an SGX compute node. Depending on the node agent attestation type, run the application using one of the following commands:

If the node attestation type is Enhanced Privacy ID (EPID), use the command:

docker run -it --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://<your_ip>:9092/v1/ -p 9000:9000 tensorflow/serving:sgx

If the node attestation type is Data Center Attestation Primitives (DCAP), use the command:

docker run -it --device /dev/sgx:/dev/sgx -e NODE_AGENT_BASE_URL=http://<your_ip>:9092/v1/ -p 9000:9000 tensorflow/serving:sgx

Output:

sudo docker run -it --device /dev/sgx:/dev/sgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://10.0.3.4:9092/v1/ -p 9000:9000 513076507034.dkr.ecr.us-west-1.amazonaws.com/development-images/tensorflow-example:latest
Fortanix(R) EnclaveOS Runtime Encryption Platform 3.1.340-EM
Copyright 2017-2021 Fortanix, Inc. All rights reserved.
2021-04-28 02:48:30.784800: I tensorflow_serving/model_servers/server.cc:88] Building single TensorFlow model file config: model_name: model model_base_path: /models/model
2021-04-28 02:48:30.832495: I tensorflow_serving/model_servers/server_core.cc:464] Adding/updating models.
2021-04-28 02:48:30.832572: I tensorflow_serving/model_servers/server_core.cc:587] (Re-)adding model: model

 
