Security
Intel SGX and Gramine
Intel Software Guard eXtensions (SGX) offers hardware-based memory encryption that isolates specific application code and data in memory. Intel SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels.
Because working with Intel SGX requires low-level C programming with the Intel SDK, we use Gramine, a lightweight guest OS designed to run a single Linux application with minimal host requirements and no modification. It is the foundation of Cosmian Enclave which allows us to expose a Python confidential web application in the cloud.
Code encryption
Before sending the Python code of your Cosmian Enclave, each file is encrypted with XSalsa20-Poly1305 using a random symmetric key. The symmetric key is provisioned when you are confident that your code is running in the enclave by checking the remote attestation.
Remote attestation
A very important aspect of Intel SGX (and more generally of Trusted Execution Environments) is attestation. This is a mechanism that lets a remote user verify that the application runs on genuine hardware, with up-to-date hardware and software, and with the expected initial state. In other words, remote attestation assures the user that the remotely executing SGX enclave is trustworthy and that the correct code is being executed.
To process the remote attestation, an SGX quote is required as a proof of trustworthiness. It’s a structure which contains, among others, the following fields of interest for the end user:
- MRENCLAVE, SHA-256 hash digest of the memory footprint during the execution of the code
- MRSIGNER, SHA-256 hash digest of Cosmian’s enclave signer public key
- Debug flag, which must not be set in production
- Intel’s certification chain and signature to attest the quote
Verification of trustworthiness is done using intel-sgx-ra.
The SGX quote is embedded in the TLS certificate generated by every Cosmian Enclave, following a protocol called RA-TLS.
RA-TLS
To ease transport of the quote without modifying TLS, the quote is embedded directly in a specific X.509 extension of the TLS certificate.
In addition, a SHA-256 hash digest of the certificate’s public key is included in the REPORTDATA field of the quote to link the quote to the certificate (i.e. the certificate was generated by the code corresponding to MRENCLAVE).
This lets you fetch the certificate before using the API provided by the application in Cosmian Enclave and check first that it runs in an up-to-date SGX enclave with the correct code (by checking MRENCLAVE).
Then you can add the certificate as a CA in your HTTPS client to be sure that you will always interact with the same microservice you checked.
┌────────────────────────────────┐
│ Server │
│ │
│ ┌────────────────────────────┐ │
│ │ Intel SGX │ │
│ │ ┌────────────────────────┐ │ │
│ │ │ Code │ │ │
│ │ │ │ │ │
┌──────────┐ │ │ │ ┌────────────────────┐ │ │ │
│ │ RA-TLS Channel │ │ │ │ │ │ │ │
│ Client ├─────────────────────────┼─┼─┼─┤ TLS Private key │ │ │ │
│ │ │ │ │ │ │ │ │ │
└──────────┘ │ │ │ └────────────────────┘ │ │ │
│ │ │ ┌────────────────────┐ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ RA-TLS Certificate │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ └────────────────────┘ │ │ │
│ │ └────────────────────────┘ │ │
│ └────────────────────────────┘ │
└────────────────────────────────┘
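As an added illustration (not code from the Cosmian Enclave project or from intel-sgx-ra), the following Python sketches the structural checks a client performs on a quote pulled out of an RA-TLS certificate: expected MRENCLAVE and MRSIGNER, debug flag clear, and REPORTDATA bound to the certificate public key. The field offsets follow Intel's DCAP quote layout (48-byte header followed by the 384-byte report body), not anything stated on this page; the sample quote is constructed in the script, and the position of the public-key hash inside REPORTDATA (first 32 bytes) is an assumption. Intel's signature and certification chain are left to intel-sgx-ra.

```python
import hashlib
import struct

# Offsets inside a DCAP quote: 48-byte header followed by sgx_report_body_t (384 bytes).
# These offsets come from Intel's SGX data structures, not from the page above.
QUOTE_HEADER_LEN = 48
ATTRIBUTES_OFF = QUOTE_HEADER_LEN + 48    # 16 bytes: flags (8) + xfrm (8)
MRENCLAVE_OFF = QUOTE_HEADER_LEN + 64     # 32 bytes
MRSIGNER_OFF = QUOTE_HEADER_LEN + 128     # 32 bytes
REPORTDATA_OFF = QUOTE_HEADER_LEN + 320   # 64 bytes
REPORT_BODY_END = QUOTE_HEADER_LEN + 384
SGX_FLAGS_DEBUG = 0x2                     # DEBUG bit in attributes.flags


def parse_quote(quote: bytes) -> dict:
    """Extract the report-body fields a client checks from a raw quote."""
    if len(quote) < REPORT_BODY_END:
        raise ValueError("quote too short to hold an SGX report body")
    flags, = struct.unpack_from("<Q", quote, ATTRIBUTES_OFF)
    return {
        "mrenclave": quote[MRENCLAVE_OFF:MRENCLAVE_OFF + 32],
        "mrsigner": quote[MRSIGNER_OFF:MRSIGNER_OFF + 32],
        "debug": bool(flags & SGX_FLAGS_DEBUG),
        "report_data": quote[REPORTDATA_OFF:REPORTDATA_OFF + 64],
    }


def verify_ra_tls_quote(quote: bytes, cert_pubkey: bytes,
                        expected_mrenclave: bytes, expected_mrsigner: bytes) -> bool:
    """Structural RA-TLS checks: expected code and signer, no debug enclave, and
    REPORTDATA bound to the certificate public key. Intel's signature over the quote
    and its certification chain are verified separately (e.g. by intel-sgx-ra)."""
    q = parse_quote(quote)
    if q["debug"]:
        return False  # a debug enclave is not protected from the host
    if q["mrenclave"] != expected_mrenclave or q["mrsigner"] != expected_mrsigner:
        return False
    # Assumption: the SHA-256 of the public key occupies the first 32 bytes of REPORTDATA.
    return q["report_data"][:32] == hashlib.sha256(cert_pubkey).digest()


def build_test_quote(mrenclave: bytes, mrsigner: bytes, cert_pubkey: bytes,
                     debug: bool = False) -> bytes:
    """Constructed sample quote: only the fields above are filled, no real signature."""
    body = bytearray(REPORT_BODY_END)
    struct.pack_into("<Q", body, ATTRIBUTES_OFF, SGX_FLAGS_DEBUG if debug else 0)
    body[MRENCLAVE_OFF:MRENCLAVE_OFF + 32] = mrenclave
    body[MRSIGNER_OFF:MRSIGNER_OFF + 32] = mrsigner
    body[REPORTDATA_OFF:REPORTDATA_OFF + 32] = hashlib.sha256(cert_pubkey).digest()
    return bytes(body)
```

In a real client the public key bytes are extracted from the fetched certificate and the quote from its X.509 extension before these checks run.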
Direct encryption to your enclave
When you can’t communicate over the RA-TLS channel (for example a proxy or a third party sending data to your enclave), it is still possible to encrypt the payload for your enclave programmatically.
The REPORTDATA field of the SGX quote included in the RA-TLS certificate is a 64-byte field structured as follows:
The purpose of the enclave’s Curve25519 public key is to encrypt data for your enclave anonymously using NaCl sealed boxes.
On the enclave’s code side, it is then possible to decrypt using the private key, which is available only inside the enclave in the /key/enclave.key file.
We recommend using our cryptographic library cenclave-lib-crypto, which is already available in your Cosmian Enclave, but any library compatible with NaCl should work.