Skip to content

Send open-source code

The code of your Microservice Encryption can be public hosted, on Github for example.

You can make direct use of public hosted code, without downloading it and submitting it by yourself.

All you need is the URL of the repository of your Microservice Encryption code which must be organized like this:

$ git clone https://github.com/SomeOwner/my_project.git
$ tree my_project
my_project
├── secret_module.py
└── run.py

An example of such Microservice Encryption code repository can be found here: https://github.com/Cosmian/csc-csv-merge.

If you don’t know how to structure your code, visit Write code.

Supported platforms

At this time we only support Github URL, but we plan to add some more soon.

Before sending your code to the enclave, you need to fetch back the keys generated during the first step. The page Registration explains how to save and load these keys.

Then, upload your code by giving the URL of your Microservice Encryption repository code.

# send_code_git_url.py
from cosmian_secure_computation_client import CodeProviderAPI, CryptoContext

# load the previous CryptoContext created at the registration step
cp_crypto_ctx = CryptoContext.from_json(Path("cp_crypto_context.json").read_text(encoding="utf-8"))
code_provider = CodeProviderAPI(token=cosmian_token, ctx=cp_crypto_ctx)

computation_uuid = "xxxxxxxxxxxxxxxxxxxxxx"
git_url = "https://github.com/Cosmian/csc-csv-merge"
code_provider.upload_code_from_git(computation_uuid, git_url)

Approve the computation as a code provider

Cosmian generates the enclave’s identity asynchronously, you need to wait the end of the generation which takes approximately one minute. This is done after all the participants send their public keys and the code provider sent the Python code.

enclave_public_key: bytes = code_provider.wait_for_enclave_identity(computation_uuid)

The enclave’s identity can be checked from the following elements:

  • Intel SGX quote generated by the enclave to attest the code is running in an Intel SGX enclave (can be checked with Azure remote attestation or Intel remote attestation service), it includes:
  • MRENCLAVE, a SHA-256 digest of the whole program loaded in memory
  • MRSIGNER, a SHA-256 digest of Cosmian’s RSA public key which signs the enclave
  • Enclave’s public key (SHA-256 digest can be found in the report data field of the quote)
  • TOML manifest with the hash of all the files loaded in the enclave, including:
    • serialized trusted args of the code which contains a list of participant’s public keys
    • hash digest of the entrypoint run.py

Everything should be verified to trust that Cosmian is running the computation inside an Intel SGX enclave:

  • Audit source code of cosmian_lib_sgx to see how enclave’s public key is included in the SGX quote. We generate a random key pair whose seed is specific to MRENCLAVE (Seal Key with Intel SGX instruction EGETKEY based on MRENCLAVE). If the Python code or any participant’s key changes, MRENCLAVE will also be modified
  • Re-compute MRSIGNER with Cosmian’s RSA public key
  • And finally you can re-compute MRENCLAVE with the same docker used in the execution (will be available soon) thanks to manifest and the Python code of the code provider
from cosmian_secure_computation_client.api.remote_attestation import azure_remote_attestation

computation = code_provider.get_computation(computation_uuid)
azure_remote_attestation(computation.enclave.identity.quote)

To approve the computation, send your symmetric key sealed for the enclave’s public key:

code_provider.key_provisioning(computation_uuid, enclave_public_key)

© Copyright 2018-2022 Cosmian. All rights reserved