Protection for data in use

Enarx intro for SGX workshop

Mike Bursell, Enarx co-founder

Nathaniel McCallum, Enarx co-founder

https://enarx.io

Enarx intro for SGX workshop - intel.cn

The Enarx 5-bullet overview

● Uses TEEs (SGX, SEV, etc.) for confidential workloads

● Easy development and deployment with WebAssembly

● Strong security design principles

● Cloud-native → OpenShift, Kubernetes

● Open source: project, not production-ready (yet)

Enarx is a Development Deployment Framework

Choose Your Language / Tools

Compile to WebAssembly

Develop Application

Choose Host

Instance Configuration

Enarx Principles

1. We don’t trust the host owner

2. We don’t trust the host software

3. We don’t trust the host users

4. We don’t trust the host hardware

   a. … with the exception of CPU + firmware

Enarx Runtime Architecture

Diagram labels: VM-Based Keep; Process-Based Keep; SGX; Sanctum; SEV; PEF; WebAssembly; WASI; Language Bindings (libc, etc.); W3C standards; Application; MKTME

Layers - process-based Keep

Diagram labels: Trusted via Measurement; Root of Trust; Distrusted; CPU (Intel); Kernel; Loader; Shim; WASM (JIT); WASI; Application; Enarx; Enarx Keep; Silicon architecture-dependent

Our most recent milestone

Same binary

AMD stack: CPU (AMD); Kernel; Loader (VMM); Shim; ELF static-PIE binary; Enarx

Intel stack: CPU (Intel); Kernel; Loader; Shim; ELF static-PIE binary; Enarx

Where we’d like to be next

One binary

AMD stack: CPU (AMD); Kernel; Loader (VMM); Shim; Enarx

Intel stack: CPU (Intel); Kernel; Loader; Shim; Enarx

Other labels: Wasm binary; WASM (JIT); WASI

Enarx architectural components & integrations (Simplified)

Diagram labels: Host; Client; Orchestrator (e.g. OpenShift/k8s, OpenStack); Enarx runtime; Application; Enarx host agent; Enarx client agent; CLI; Keep; CPU + firmware

Enarx architectural components

Diagram labels: Host; Client; Orchestrator (e.g. OpenShift/k8s, OpenStack); CPU + firmware; Enarx client agent; CLI; Contract manager; Keep runtime image; http; Keep manager; Attestation measurement database; Keep runtime repository; code layer; Application; Shim; Main external loop; Keep loader; App loader; Attestor; Wasm; WASI

We are an open project

● Code ✓ GitHub

● Wiki ✓ GitHub

● Design ✓ GitHub

● Issues & PRs ✓ GitHub

● Chat ✓ Rocket.Chat

● CI/CD resources ✓ Packet.io

● Stand-ups ✓ Open to all

● Diversity ✓ Contributor Covenant CofC

We want you!

Website: https://enarx.io

Code: https://github.com/enarx

Chat: https://chat.enarx.io/

License: Apache 2.0

Language: Rust

Daily stand-ups open to all! Check the website wiki for details.

Questions?

https://enarx.io