Protection for data in use
Enarx intro for SGX workshop
Mike Bursell, Enarx co-founder
Nathaniel McCallum, Enarx co-founder
https://enarx.io
The Enarx 5-bullet overview
● Uses TEEs (SGX, SEV, etc.) for confidential workloads
● Easy development and deployment with WebAssembly
● Strong security design principles
● Cloud-native → OpenShift, Kubernetes
● Open source: project, not production-ready (yet)
Enarx is a Development Deployment Framework
Choose Your Language / Tools
Compile to WebAssembly
Develop Application
Choose Host
Instance Configuration
Enarx Principles
1. We don’t trust the host owner
2. We don’t trust the host software
3. We don’t trust the host users
4. We don’t trust the host hardware
   a. … with the exception of CPU + firmware
Enarx Runtime Architecture
VM-Based Keep
Process-Based Keep
SGX
Sanctum
SEV
PEF
WebAssembly
WASI
Language Bindings (libc, etc.)
W3C standards
Application
MKTME
Layers - process-based Keep
Trusted via Measurement
Root of Trust
Distrusted
CPU (Intel)
Kernel
Loader
Shim
WASM (JIT)
WASI
Application
Enarx
Silicon architecture-dependent
Enarx Keep
Silicon architecture-dependent
Our most recent milestone
Same binary
CPU (AMD)
Kernel
Loader (VMM)
Shim
ELF static-PIE binary
Enarx
Kernel
Loader
Shim
CPU (Intel)
ELF static-PIE binary
Enarx
Where we’d like to be next
One binary
CPU (AMD)
Kernel
Loader (VMM)
Shim
Enarx
Kernel
Loader
Shim
CPU (Intel)
Wasm binary
WASM (JIT)
WASI
Enarx
Enarx architectural components & integrations (Simplified)
Host
Client
Orchestrator (e.g. OpenShift/k8s, OpenStack)
Enarx runtime
Application
Enarx host agent
Enarx client agent
CLI
Keep
CPU + firmware
Enarx architectural components
Host
Client
Orchestrator (e.g. OpenShift/k8s, OpenStack)
CPU + firmware
Enarx client agent
CLI
Contract manager
Keep runtime image
http
Keep manager
Attestation measurement database
Keep runtime repository
code layer
Application
Shim
Main external loop Keep loader
App loader
Attestor
Wasm code layer
Application
Shim
Main external loop Keep loader
App loader
Attestor
Wasm code layer
WASI
We are an open project
● Code ✓ GitHub
● Wiki ✓ GitHub
● Design ✓ GitHub
● Issues & PRs ✓ GitHub
● Chat ✓ Rocket.Chat
● CI/CD resources ✓ Packet.io
● Stand-ups ✓ Open to all
● Diversity ✓ Contributor Covenant CofC
We want you!
Website: https://enarx.io
Code: https://github.com/enarx
Chat: https://chat.enarx.io/
License: Apache 2.0
Language: Rust
Daily stand-ups open to all! Check the website wiki for details.