1.0 Introduction
This article describes the steps to create an application build in Fortanix Confidential Computing Manager (CCM). Fortanix CCM provides a user interface for registering, approving, and running containerized confidential applications.
A Fortanix CCM build is a specific version of an application. Each build contains platform-specific verification information that Fortanix CCM uses during attestation and workload validation.
When a build is first created in Fortanix CCM, it is in an unapproved state. After the required approval actions are completed, the build is considered approved. Once approved, Fortanix CCM treats the build as a trusted application instance and issues certificates for the application's configured domain name(s).
2.0 Prerequisites
Ensure the following:
For Enclave OS (Operating System) applications - the Tag of the Docker image for the application.
For Enclave Development Platform (EDP) applications - the sigstruct.bin file which is used to register the enclave with Fortanix CCM.
For Azure Container Instances (ACI) applications - the Tag of the Docker image for the application.
For Azure Confidential Virtual Machine (CVM) applications - a Confidential VM is created in Azure, and the Fortanix attestation agent runs on it.
For Intel TDX applications - access to a system that supports Intel® Trust Domain Extensions (TDX) and the required attestation measurements for the workload are available.
For Advanced Micro Devices (AMD) Secure Encrypted Virtualization (SEV) – Secure Nested Paging (SNP) applications – access to a system that supports AMD SEV-SNP and the required attestation measurements for the workload.
3.0 Create an Application Build
This section describes how to create an application build for different application types supported by Fortanix CCM.
An application build defines the trusted workload configuration that Fortanix CCM builds, verifies, and approves before deployment.
3.1 Enclave OS Applications
Before creating the build, ensure that you have created an Enclave OS application as mentioned in Add Application.
Perform the following steps to create a build for the Enclave OS application:
In the CCM user interface (UI) left navigation panel, click the Applications menu item and select the required Enclave OS application for which you want to configure an application build.
On the application details page, click ADD BUILD to configure the build of the Enclave OS application.

Figure 1: Add build for Enclave OS application
In the Add Build form:
In the Image Type section, AWS Nitro Enclaves is selected by default.
In the Input image name section, enter the required Tag name for the input image.
In the Output image name section, enter the required Tag name, Registry Username and Registry Password for the output image. The registry credentials are the credentials needed to push to the private Docker registry where the converted image will be stored. If the input image is stored in a public registry, there is no need to provide credentials for the input image.
If you have added a registry in the account as described in Application Build Registry, the Use same credential as input image registry check box is selected by default, and the registry names for the output image are filled in automatically.
If you have not saved any registry credentials, enter the registry credentials for the Output image name manually.
In the Enclave Parameters section,
Memory size: Select the memory size from the drop-down to change the memory size of the Nitro Enclave.
CPU count: Specify the number of CPUs allocated to the enclave out of all the CPUs available to the host machine.
NOTE
The Memory size and CPU count can be overridden at runtime with the following environment variables:
MEM_SIZE
CPU_COUNT
File Persistence – This check box is selected by default. This feature allows you to save the filesystem changes to an encrypted container mount. It enables the Nitro Enclave to access a managed security object in Fortanix DSM to be able to encrypt and decrypt the Linux Unified Key Setup (LUKS) overlay file system. For more information, refer to AWS Nitro File Persistence.
NOTE
For the File Persistence feature to work, you must configure the app certificate. A Nitro build must be configured ahead of time to receive a certificate; that certificate authorizes the enclave to obtain the keys for the Linux Unified Key Setup (LUKS) volume from Fortanix DSM. Without the app certificate, this feature does not work.
Click ADD BUILD to create the build.
A build approval task is created and listed on the Tasks page. Approve the task to approve the application build.
For more information on how to approve the application build tasks for the Enclave OS application, refer to Domain and Application Build Approval.
After it is approved, a green tick will appear in the Approval status column for that build.
NOTE
The Source Image tag and Output Image tag are optional fields; if left empty, the tag value defaults to “latest” internally. If you enter tag values, the input and output tags may be the same or different. Once a build of an application is created, the converted image is pushed to the location specified in the application's Output Image Name.
3.2 EDP Applications
Ensure that you have created an EDP application as mentioned in Add Applications.
Perform the following steps to create a build for the EDP application:
In the CCM UI left navigation panel, click the Applications menu item and select the required EDP application for which you want to configure an application build.
On the application details page, click ADD BUILD to configure the build of the EDP application.

Figure 2: Builds tab for the selected EDP application
In the Add Build form:
Build Version: Enter the version of the build.
Image Type: Select Intel SGX or AWS Nitro Enclaves as the platform.
If you select the Image Type as Intel SGX, you must add the Sigstruct details. The SIGSTRUCT for an enclave is generated when an application is signed. It is used to register the enclave with Fortanix Confidential Computing Manager.
Enclave Configuration SIGSTRUCT: Three options are available to add SIGSTRUCT:
Upload Enclave SIGSTRUCT: To upload an enclave sigstruct.bin file, click BROWSE.
OR
Paste Base64-encoded Enclave SIGSTRUCT: Paste a Base64-encoded SIGSTRUCT binary in the text box provided.
OR
Enter Enclave SIGSTRUCT Parameters: Enter the following parameters:
MRENCLAVE: This is the identity or hash of the enclave.
MRSIGNER: This is the identity of the signer of the enclave.
ISVPRODID: This is the numeric product identifier to be assigned to the enclave. Select a unique value in the range 0-65535 for each application.
ISVSVN: This is the numeric security version to be assigned to the enclave. Increment this value when a security-relevant change is made to the application.
NOTE
The Enclave SIGSTRUCT Parameters section is automatically filled when you either upload a sigstruct.bin file or paste a base64 encoded enclave SIGSTRUCT.
If you select the Image Type as AWS Nitro Enclaves, you must add the Enclave Configuration JSON details: the enclave measurements, which consist of a set of PCR hashes and the platform (hash algorithm) they were produced with. The JSON measurements for an enclave are generated when the enclave image is built and signed. They are used to register the enclave with Fortanix Confidential Computing Manager.
Enclave Configuration JSON: Three options are available to add measurements:
Upload Measurement JSON: To upload an enclave measurement.json file, click BROWSE.
OR
Paste Measurement JSON: You can also paste the JSON enclave measurements in the text box provided.
OR
Enter Measurement: Enter the following parameters:
PCR0: This is the hash of the enclave image file.
PCR1: This is the hash of the Linux kernel and bootstrap.
PCR2: This is the Hash of the user application.
NOTE
The Enter Measurement section is automatically filled when you either upload a measurement.json file or paste the JSON enclave measurements.
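Both the SIGSTRUCT and the Nitro measurement JSON are binary or structured artifacts from which the form fields above are derived, so it helps to see where each value comes from. The following Python script is an added example, not Fortanix code or a Fortanix tool: it reads a sigstruct.bin (or its Base64 form) and extracts MRENCLAVE, MRSIGNER, ISVPRODID and ISVSVN using the field offsets of the 1808-byte SIGSTRUCT from the Intel SDM, and it validates a Nitro measurement JSON for PCR0 to PCR2. The sample SIGSTRUCT and JSON are constructed inside the script, not taken from a real enclave; names such as parse_sigstruct and make_test_sigstruct are this example's own.

```python
"""Derive the Add Build form fields from enclave artifacts.

Added example (not Fortanix code). SIGSTRUCT offsets follow the Intel SDM
layout of the 1808-byte signature structure; the Nitro JSON layout follows
`nitro-cli build-enclave` output. All sample inputs are constructed here.
"""
import base64
import hashlib
import json
import struct

SIGSTRUCT_SIZE = 1808
# Constant header fields every SIGSTRUCT carries (Intel SDM, SIGSTRUCT table).
HEADER = bytes.fromhex("06000000E10000000000010000000000")
HEADER2 = bytes.fromhex("01010000600000006000000001000000")
HEX_DIGITS = set("0123456789abcdef")


def parse_sigstruct(blob: bytes) -> dict:
    """Return MRENCLAVE, MRSIGNER, ISVPRODID and ISVSVN from a sigstruct.bin.

    MRENCLAVE is stored directly (ENCLAVEHASH). MRSIGNER is not stored: it is
    SHA-256 over the 384-byte RSA-3072 modulus exactly as it sits in the
    structure (little-endian), which is what the SGX hardware computes.
    """
    if len(blob) != SIGSTRUCT_SIZE:
        raise ValueError(f"SIGSTRUCT must be {SIGSTRUCT_SIZE} bytes, got {len(blob)}")
    if blob[0:16] != HEADER or blob[24:40] != HEADER2:
        raise ValueError("header magic mismatch: not a SIGSTRUCT")
    modulus = blob[128:512]
    mrenclave = blob[960:992]
    isvprodid, isvsvn = struct.unpack_from("<HH", blob, 1024)
    return {
        "MRENCLAVE": mrenclave.hex(),
        "MRSIGNER": hashlib.sha256(modulus).hexdigest(),
        "ISVPRODID": isvprodid,
        "ISVSVN": isvsvn,
    }


def is_sigstruct(blob: bytes) -> bool:
    """True if the blob passes the size and header checks."""
    try:
        parse_sigstruct(blob)
        return True
    except ValueError:
        return False


def parse_sigstruct_b64(text: str) -> dict:
    """The 'paste Base64-encoded SIGSTRUCT' option: decode, then parse."""
    return parse_sigstruct(base64.b64decode(text, validate=True))


def parse_nitro_measurements(text: str) -> dict:
    """Validate a Nitro measurement JSON and return PCR0..PCR2 (lower-case hex).

    nitro-cli wraps the values as {"Measurements": {"HashAlgorithm": ..,
    "PCR0": .., ..}}; a bare {"PCR0": ..} object is accepted too. Nitro PCRs
    are SHA-384 digests, so each value must be exactly 96 hex characters.
    """
    doc = json.loads(text)
    meas = doc.get("Measurements", doc)
    out = {}
    for name in ("PCR0", "PCR1", "PCR2"):
        value = meas.get(name)
        if not isinstance(value, str) or len(value) != 96 or not set(value.lower()) <= HEX_DIGITS:
            raise ValueError(f"{name} missing or not a 96-hex-char SHA-384 digest")
        out[name] = value.lower()
    return out


def make_test_sigstruct(modulus: bytes, mrenclave: bytes, isvprodid: int, isvsvn: int) -> bytes:
    """Build a structurally valid but unsigned SIGSTRUCT (test fixture only)."""
    assert len(modulus) == 384 and len(mrenclave) == 32
    buf = bytearray(SIGSTRUCT_SIZE)
    buf[0:16] = HEADER
    buf[24:40] = HEADER2
    buf[128:512] = modulus
    struct.pack_into("<I", buf, 512, 3)          # EXPONENT: SGX mandates 3
    buf[960:992] = mrenclave
    struct.pack_into("<HH", buf, 1024, isvprodid, isvsvn)
    return bytes(buf)


# Constructed fixtures: a fake modulus and MRENCLAVE, not from a real enclave.
SAMPLE_MODULUS = bytes(range(256)) + bytes(range(128))
SAMPLE_MRENCLAVE = bytes([0x11] * 32)
SAMPLE_SIGSTRUCT = make_test_sigstruct(SAMPLE_MODULUS, SAMPLE_MRENCLAVE, 1234, 7)
SAMPLE_SIGSTRUCT_B64 = base64.b64encode(SAMPLE_SIGSTRUCT).decode()
SAMPLE_MRSIGNER = hashlib.sha256(SAMPLE_MODULUS).hexdigest()
SAMPLE_NITRO_JSON = json.dumps({"Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "ab" * 48, "PCR1": "cd" * 48, "PCR2": "EF" * 48}})

if __name__ == "__main__":
    print(parse_sigstruct(SAMPLE_SIGSTRUCT))
    print(parse_sigstruct_b64(SAMPLE_SIGSTRUCT_B64) == parse_sigstruct(SAMPLE_SIGSTRUCT))
    print(parse_nitro_measurements(SAMPLE_NITRO_JSON))
```

MRSIGNER is the value worth checking against the signing key you expect: because it is a hash of the modulus in the SIGSTRUCT, the build registration binds the enclave to a specific signing key, not only to its code hash.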
Click ADD BUILD to create the EDP application build.
A build approval task is created and listed on the Tasks page. Approve the task to approve the build.
For more information on how to approve the application build tasks for the EDP application, refer to Domain and Application Build Approval.
After the build is approved, a green tick will appear in the Approval status column for that build.
3.3 ACI Applications
Ensure that you have created an ACI application as mentioned in Add Applications.
Perform the following steps to create a build for the ACI application:
In the CCM UI left navigation panel, click the Applications menu item and select the required ACI application for which you want to configure an application build.
On the application details page, click ADD BUILD to configure the build of the ACI application.

Figure 3: Builds tab for the selected ACI application
In the Add Build form:
In the Input image name section, enter the Tag name of the Docker image.
NOTE
If an existing ACI application build already uses the same tag value, Fortanix CCM returns an error. Use a unique tag value.
ADD REGISTRY CREDENTIALS: Enter the Registry Username and Registry Password for the Input image name. These are the credentials needed to pull from the private Docker registry that hosts the input image. If the input image is stored in a public registry, there is no need to provide credentials for it.
If you have added a registry in a particular account as described in Application Build Registry, then the Use saved credentials check box will be selected by default.
NOTE
If registry credentials are configured, the image name must include the registry domain. For example, Docker Hub images do not require a domain prefix when credentials are not used. However, if registry credentials are provided, the image name must include a domain prefix such as docker.io/.
ADVANCED SETTINGS: It is recommended to select the Wait for node registration to begin check box unless the application has special deployment requirements. Selecting this check box prevents the application from starting until the Fortanix ACI Node Agent retrieves the signed application certificate from the Fortanix CCM backend cluster.
CPU count: Specify the number of CPU cores allocated to the container. By default, the value is 1.
Memory in GB: Specify the amount of memory allocated to the container in GB. By default, the value is 1.
Click GENERATE SECURE POLICY to generate the JSON Fortifier template used to deploy the confidential ACI container group.
NOTE
The creation of an application build may take up to a few minutes.
A build approval task is created and listed on the Tasks page. You must approve the task to approve the build.
For more information on how to approve the application build tasks for the ACI application, refer to Domain and Application Build Approval.
After the build is approved, a green tick will appear in the Approval status column for that build.
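The registry-domain and unique-tag rules in the form above are easy to trip over with Docker Hub short names. The following Python is an added example, not Fortanix code: it splits an image reference the way Docker's reference grammar does (the first path component is a registry only if it contains a dot or a colon or is "localhost"; anything else is implicitly docker.io, with single-segment names under library/), rewrites a short name to its docker.io/... form when credentials are in use, and compares two references after normalization. Whether CCM compares build tags literally or after normalization is not stated on the page; treating two references that normalize to the same registry/repository:tag as duplicates is the safe assumption made here. The function names are this example's own.

```python
"""Image-reference rules for the ACI Add Build form.

Added example, not Fortanix code. Registry detection follows Docker's
reference grammar; the "domain prefix required with credentials" rule is
the one stated on the page. same_image() normalizes before comparing
(assumption: CCM's literal-vs-normalized comparison is not documented).
"""
DEFAULT_REGISTRY = "docker.io"


def split_reference(ref: str) -> dict:
    """Split '[registry/]repo[:tag][@digest]' into its parts."""
    name, _, digest = ref.partition("@")
    # A ':' after the last '/' is a tag separator; before it, it is a port.
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    else:
        tag = "latest"
    first, sep, rest = name.partition("/")
    explicit = bool(sep) and ("." in first or ":" in first or first == "localhost")
    if explicit:
        registry, repo = first, rest
    else:
        registry, repo = DEFAULT_REGISTRY, name
        if "/" not in repo:
            repo = "library/" + repo          # Docker Hub official images
    return {"registry": registry, "repository": repo, "tag": tag,
            "digest": digest or None, "explicit_registry": explicit}


def qualify_image_name(ref: str, has_credentials: bool) -> str:
    """Return the name to enter in 'Input image name'.

    Page rule: with registry credentials the name must carry a domain
    prefix, so an implicit Docker Hub reference is rewritten to
    docker.io/...; without credentials the reference is returned unchanged.
    """
    parts = split_reference(ref)
    if not has_credentials or parts["explicit_registry"]:
        return ref
    qualified = f"{parts['registry']}/{parts['repository']}:{parts['tag']}"
    return qualified + (f"@{parts['digest']}" if parts["digest"] else "")


def same_image(a: str, b: str) -> bool:
    """True if two references resolve to the same registry/repository:tag."""
    pa, pb = split_reference(a), split_reference(b)
    return ((pa["registry"], pa["repository"], pa["tag"])
            == (pb["registry"], pb["repository"], pb["tag"]))


if __name__ == "__main__":
    print(qualify_image_name("nginx:1.25", has_credentials=True))
    print(qualify_image_name("myacr.azurecr.io/app:v1", has_credentials=True))
    print(same_image("nginx", "docker.io/library/nginx:latest"))
```

Run same_image() against the tags of the application's existing builds before submitting a new one; a reference that only differs by an implicit docker.io/library/ prefix is the same image and, depending on how CCM compares tags, may be rejected as a duplicate.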
3.3.1 Deploy the ACI Application Using Azure Portal
Perform the following steps to deploy the application build to Azure Container Instances, either through the Azure Portal or with the Azure CLI:
In the CCM left navigation panel, navigate to Applications → BUILDS, and select the required build from the list.
Click the POLICY tab to view the JSON Azure Resource Manager (ARM) template encoding of the security policy generated in the previous section.
Click DOWNLOAD to save the ARM template for the deployment procedure.
For more information on how to deploy an ACI application, refer to Deploying the ACI Application Using Azure Portal.
3.4 Intel TDX Applications
Ensure that you have created an Intel TDX application as mentioned in Add Applications.
Perform the following steps to create a build for the Intel TDX application:
In the CCM UI left navigation panel, click the Applications menu item and select the required Intel TDX application for which you want to configure an application build.
On the application details page, click ADD BUILD to configure the build of the Intel TDX application.

Figure 4: Add build option for the Intel TDX application
In the Add Build form:
Build Version: Enter a unique tag for the build.
In the Secure VM attributes section,
MRTD: Enter the platform-specific attestation measurement value associated with the secure image as copied in Section 10.0: Calculate Image Measurements of Create and Run Intel TDX Application.
RTMR: Enter the Runtime Measurement Register values in RTMR0, RTMR1, RTMR2, and RTMR3 fields.
Coprocessors: Select an option to configure the NVIDIA Graphics Processing Unit (GPU) attestation setting:
Ignored: The virtual machine (VM) must have a GPU, and the attestation agent collects GPU attestation data, but Fortanix CCM does not validate this attestation; it only checks that GPU attestation data is present. The actual attestation result is ignored during verification.
Required: The VM must have a GPU, and the attestation agent collects GPU attestation data, and Fortanix CCM validates this data using NVIDIA Remote Attestation Service (NRAS).
Click ADD BUILD to create the build.
A build approval task is created and listed on the Tasks page. Approve the task to approve the build.
For more information on how to approve the application build tasks for the Intel TDX application, refer to Domain and Application Build Approval.
After the build is approved, a green tick will appear in the Approval status column for that build.
3.5 AMD SEV-SNP Applications
Ensure that you have created an AMD SEV-SNP application as mentioned in Add Application.
Perform the following steps to create a build for the AMD SEV-SNP application:
In the CCM UI left navigation panel, click the Applications menu item and select the required AMD SEV-SNP application for which you want to configure an application build.
On the application details page, click ADD BUILD to configure the build of the AMD SEV-SNP application.

Figure 5: Add build option for the AMD SEV-SNP application
In the Add Build form:
Build Version: Enter a unique tag for the build.
In the Secure VM attestation section,
Measurement: Enter the platform-specific attestation measurement value associated with the secure build, as copied in Deploy Confidential VM Applications on AMD SEV-SNP Using Fortanix CCM.
VMPL: Select the VMPL0, VMPL1, VMPL2, or VMPL3 as Virtual Machine Privilege Level.
Coprocessors: Select an option to configure the NVIDIA Graphics Processing Unit (GPU) attestation setting:
Ignored: The virtual machine (VM) must have a GPU, and the attestation agent collects GPU attestation data, but Fortanix CCM does not validate this attestation; it only checks that GPU attestation data is present. The actual attestation result is ignored during verification.
Required: The VM must have a GPU, and the attestation agent collects GPU attestation data, and Fortanix CCM validates this data using NVIDIA Remote Attestation Service (NRAS).

Figure 6: Add build form for the AMD SEV-SNP application
Click ADD BUILD to create the build.
A build approval task is created and listed on the Tasks page. Approve the task to approve the build.
For more information on how to approve the application build tasks for the AMD SEV-SNP application, refer to Domain and Application Build Approval.
After the build is approved, a green tick will appear in the Approval status column for that build.
3.6 Azure CVM Applications
Before creating the build, ensure that you have collected the required Platform Configuration Register (PCR) values from the Azure CVM environment.
For more information on deploying a CVM on Azure and obtaining PCR values for creating the application build, refer to the following guides:
Perform the following steps to create a build for the Azure CVM application:
In the CCM UI left navigation panel, click the Applications menu item and select the required Azure CVM application for which you want to configure an application build.
On the application details page, click ADD BUILD to configure the build of the Azure CVM application.

Figure 7: Add build form for the Azure CVM application
In the Add Build form:
Build Version: Enter a unique version identifier for the build.
Platform Configuration Register (PCR): Enter one or more PCR values collected from the Azure CVM. These values are verified during attestation to validate the integrity of the workload. You can enter values from PCR0 to PCR22 in 64-character hex string format only, depending on your security requirements.
NOTE
When entering PCR values copied from the VM console, remove the “0x” (or “0X”) prefix from each value, if present.
No two application builds in Fortanix CCM can use the exact same combination of PCR values. However, you can create multiple builds if their PCR combinations differ.
For example:
Build 1 = [pcr0 - abc]
Build 2 = [pcr0 - def]
OR
Build 1 = [pcr0 - abc]
Build 2 = [pcr0 - abc, pcr1 - xyz]
Click ADD BUILD to create the build.
A build approval task is created and listed on the Tasks page. Approve the task to approve the build.
For more information on how to approve the application build tasks for the Azure CVM application, refer to Domain and Application Build Approval.
After the build is approved, a green tick will appear in the Approval status column for that build.
3.6.1 How PCR Values Influence Image Attestation
During Azure CVM attestation, builds are validated against their configured PCR values. When multiple builds are enrolled, the attestation service evaluates PCRs in priority order, PCR0 being the highest priority and PCR22 the lowest, to determine which build should be attested. The examples below illustrate how different PCR configurations affect this selection.
If you do not provide any PCR values for a build, attestation still succeeds for that build when no other build matches the VM's PCR values in priority order.
For example:
Build 1 = [pcr0 - not set]
Build 2 = [pcr1 - xxx]
Azure CVM = pcr0 - aaa, pcr1 - bbb
In this case, Build 1 will be attested: Build 2's pcr1 does not match the VM, so the build without PCR values is used.
If at least one enrolled build has PCR values that match the VM, a build whose only match is at a lower-priority PCR, or that has no PCR values at all, is not selected.
For example:
Build 1 = [pcr0 - not set, pcr1 - bbb]
Build 2 = [pcr0 - aaa, pcr1 - bbb]
Azure CVM = pcr0 - aaa, pcr1 - bbb
In this case, Build 2 will be attested because it matches at pcr0, which has higher priority than pcr1.
Images with valid PCR values are evaluated for attestation in PCR priority order.
For example:
Image 1 = [pcr0 - aaa, pcr1 - bbb]
Image 2 = [pcr3 - ddd, pcr4 - eee]
Image 3 = [pcr7 - hhh, pcr9 - jjj]
Image 4 = [pcr9 - jjj, pcr10 - lll, pcr11 - mmm]
Azure CVM = pcr0 - aaa, pcr1 - bbb, pcr2 - ccc, pcr3 - ddd, pcr4 - eee, pcr5 - fff, pcr6 - ggg, pcr7 - hhh, pcr8 - iii, pcr9 - jjj, pcr10 - lll, pcr11 - mmm
In this case, Image 1 will be attested because pcr0 and pcr1 have the highest priority. The order in which the images were created does not affect the attestation decision.
If two images are enrolled, one without PCR values set and another that is not approved in Fortanix CCM, the attestation process evaluates the available PCR values in priority order.
For example:
Image 1 = [pcr0 - not set, pcr1 - bbb]
Image 2 (unapproved) = [pcr0 - aaa, pcr1 - bbb]
Azure CVM = pcr0 - aaa, pcr1 - bbb
In this case, Image 2 will be selected for attestation because it has the highest-priority PCR (pcr0) defined and matching. However, the attestation will fail because Image 2 is not an approved build. To resolve this, either approve Image 2 or delete it.
If two images are enrolled, one without PCR values set and another whose PCR values do not fully match the Azure CVM, the attestation process evaluates the available PCR values in priority order.
For example:
Image 1 = [pcr0 - not set, pcr1 - bbb]
Image 2 = [pcr0 - aaa, pcr2 - ccc]
Azure CVM = pcr0 - aaa, pcr1 - bbb
In this case, Image 2 will be selected for attestation because its highest-priority matching PCR (pcr0) aligns with the Azure CVM. However, the attestation will fail because the remaining PCRs do not match the Azure CVM PCR values. To resolve this, either delete Image 2, or create and approve Image 3, a copy of Image 1 with pcr0 set so that it has a higher priority than Image 2:
Image 3 = [pcr0 - aaa, pcr1 - bbb]
If all PCR values of an image are invalid (for example, set to all zeros), the attestation certificate is not generated. To determine the reason for the failure, check the agent logs. When the agent runs with RUST_LOG=debug, the log shows the message ‘Build with matching PCRs not found’.
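The PCR entry rules from the Add Build form in Section 3.6 (64-hex-character values, 0x prefix removed, no two builds with an identical PCR set) and the selection rules worked through above are small enough to model. The following Python is an added example, not Fortanix code and not the agent's implementation: it normalizes PCR input, checks the uniqueness rule, and selects a build by PCR priority exactly as the examples above describe, then reports why a selected build still fails (unapproved, or a non-matching PCR). The page does not say how CCM breaks a tie between two builds that both match at the same highest-priority PCR; this model prefers the one whose PCRs all match, which is an assumption. The fixtures reuse the page's placeholder values and are constructed, not real PCRs.

```python
"""Azure CVM build selection by PCR priority (sections 3.6 and 3.6.1).

Added example, not Fortanix code. It models the rules the page states:
PCR values are 64 hex characters with any 0x prefix removed, no two builds
may share an identical PCR set, PCR0 has the highest priority and PCR22
the lowest, and a build with no PCRs is only a fallback. How CCM breaks a
tie between two builds that both match at the same PCR index is not stated
on the page; this model prefers the build whose PCRs all match (assumption).
The fixtures are the page's own examples with their placeholder values.
"""
import re

PCR_MAX = 22
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_pcr(value: str) -> str:
    """Strip whitespace and a 0x/0X prefix; require a 64-hex-char value."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    v = v.lower()
    if not HEX64.match(v):
        raise ValueError(f"PCR value must be 64 hex characters, got {value!r}")
    return v


def mk(name, pcrs, approved=True):
    """Build record; pcrs maps PCR index -> expected value."""
    return {"name": name, "pcrs": dict(pcrs), "approved": approved}


def find_duplicate_pcr_set(builds):
    """Return (later build, earlier build) sharing an identical PCR set, or None."""
    seen = {}
    for b in builds:
        key = tuple(sorted(b["pcrs"].items()))
        if key in seen:
            return b["name"], seen[key]
        seen[key] = b["name"]
    return None


def select_build(builds, vm_pcrs):
    """Return (selected build name or None, status).

    Walk PCR indexes from 0 upward; the first index at which some build's
    configured value equals the VM's value selects that build. Only if no
    configured PCR matches at any index is a build with no PCRs chosen.
    The selected build must then be approved and have every PCR match,
    otherwise attestation fails even though a build was selected.
    """
    with_pcrs = [b for b in builds if b["pcrs"]]
    without = [b for b in builds if not b["pcrs"]]
    chosen = None
    for idx in range(PCR_MAX + 1):
        hits = [b for b in with_pcrs
                if idx in b["pcrs"] and b["pcrs"][idx] == vm_pcrs.get(idx)]
        if hits:
            # assumption: among same-priority hits, prefer a fully matching build
            hits.sort(key=lambda b: all(vm_pcrs.get(i) == v
                                        for i, v in b["pcrs"].items()),
                      reverse=True)
            chosen = hits[0]
            break
    if chosen is None and without:
        chosen = without[0]
    if chosen is None:
        return None, "Build with matching PCRs not found"
    if not chosen["approved"]:
        return chosen["name"], "not approved"
    if any(vm_pcrs.get(i) != v for i, v in chosen["pcrs"].items()):
        return chosen["name"], "pcr mismatch"
    return chosen["name"], "attested"


# The page's examples with its placeholder values (constructed, not real PCRs).
VM_SHORT = {0: "aaa", 1: "bbb"}
VM_FULL = {0: "aaa", 1: "bbb", 2: "ccc", 3: "ddd", 4: "eee", 5: "fff", 6: "ggg",
           7: "hhh", 8: "iii", 9: "jjj", 10: "lll", 11: "mmm"}
EXAMPLES = [
    ("fallback to no-PCR build",
     [mk("Build 1", {}), mk("Build 2", {1: "xxx"})], VM_SHORT),
    ("pcr0 outranks pcr1",
     [mk("Build 1", {1: "bbb"}), mk("Build 2", {0: "aaa", 1: "bbb"})], VM_SHORT),
    ("selected but unapproved",
     [mk("Image 1", {1: "bbb"}), mk("Image 2", {0: "aaa", 1: "bbb"}, approved=False)], VM_SHORT),
    ("selected but partial match",
     [mk("Image 1", {1: "bbb"}), mk("Image 2", {0: "aaa", 2: "ccc"})], VM_SHORT),
    ("all-zero PCRs",
     [mk("Build 1", {0: "0" * 64})], VM_SHORT),
]

if __name__ == "__main__":
    for label, builds, vm in EXAMPLES:
        assert find_duplicate_pcr_set(builds) is None
        print(f"{label}: {select_build(builds, vm)}")
```

The useful property to notice is that selection and verification are separate steps: a build with a higher-priority PCR wins selection even when it then fails verification, which is why an unapproved or partially matching build can block an otherwise valid one and must be approved, fixed, or deleted rather than ignored.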