Comments (4)
Hi Dmitrii,
thanks a lot for your comments/questions. I'll try to reply to them now and then also update the wiki to make things clearer.
-
Yes, they are under the control of the OS. The idea should be that the nonce is provided to whoever launches the enclave externally though and gives you a guarantee that when you receive a report with the nonce attached that it's fresh and not a quote/report that has been generated previously for an already running enclave. How that nonce is provided to the untrusted host (maybe it's a VM under your own control, maybe it's a cloud provider that launches the enclave for you and has some API for it) is out of scope of SGX-LKL itself I would say.
-
Yes, your understanding is correct! The key pair is generated inside the enclave on startup. Only the public key is attached to the report. Same as with RA-TLS.
-
Yes, Wireguard is part of the kernel (LKL). Currently we patch the kernel sources to include it, but it has been proposed for inclusion in the Linux kernel for a while, so in the long term it will be part of the kernel and with that of LKL, so we won't even have to do that. There is no need to make any changes to the application.
-
Wireguard is not TLS, it's a separate protocol (see https://www.wireguard.com). In general, there TLS is not required at all with SGX-LKL. Of course, if your application uses TLS that's possible too. You are right that it's a multi-step process, but it's actually the other way around. First, the quote (or attestation verification report) is retrieved and verified, then the connection/VPN is established by adding the enclave's public Wireguard key to the local Wireguard device.
There were a number of reasons for choosing Wireguard and this multi-step process:
- Wireguard is part of the kernel (or rather will be soon) and therefore is already available to us as part of LKL.
- It's layer 3 which means SGX-LKL can protect network traffic for any transport layer protocol including TCP and UDP.
- SGX-LKL can protect the confidentiality of applications running in top of it. In order to that, you first provide an encrypted/integrity-protected disk image to SGX-LKL at startup. Then you retrieve the quote and do the remote attestation and establish a secure channel, and only then you provide the enclave with a disk encryption key and application arguments. At the time of attestation, the application itself might not even run yet. Keep in mind that executables are loaded by SGX-LKL at runtime and are not part of the enclave measurement.
That said, if you only care about the integrity of your executable, it would definitely be good to have a way of starting an application right away and then proving it's integrity as part of the remote attestation process, e.g. by including the root hash of the disk image in the report data. Right now, that's not yet supported.
I guess the above also outlines the differences to RA-TLS. Do those points make sense?
I'm also adding a sequence diagram to the Wiki page (https://github.com/lsds/sgx-lkl/wiki/Remote-Attestation-and-Remote-Control). Let us know if anything is unclear or you have any other questions!
from sgx-lkl.
Thanks for quick and informative replies, Christian!
I should have first read about WireGuard, sorry. I assumed it's similar to OpenVPN, but now I understand it much better (very cool stuff!).
I also misunderstood the idea of the nonce. In your case, the nonce is generated by and/or known to the verifier (client) beforehand, so the attacker changing the nonce to old/random value has a consequence of the client rejecting the communication with such a manipulated server (because the expected-by-client nonce is different from the received one).
Do I understand correctly that your WireGuard-based RA solution doesn't rely on X.509 and PKI at all? (Apart from talking to IAS which happens over the normal TLS+X.509 protocol.) It seems that you only need to embed the server's public key + nonce into the SGX quote, send it to the client, who verifies the SGX quote and enclave measurements and finally establishes a WireGuard connection using the extracted server's public key.
This is a very interesting approach, and quite different from RA-TLS (which has the primary goal of working on top of existing TLS code of server/client with minimal changes). I hope to see the paper soon :)
from sgx-lkl.
Yes, that's all correct :) Right now it also relies on the fact that it will accept exactly one Wireguard peer configuration at startup in release mode. That means you provide the trusted client's public key at startup. Then, after attestation, with the enclave's public key you try to establish a secure connection. If you can, you can be sure that you are the only one that is able to talk to the enclave at that point. You can then add additional peers, or of course if your application needs to be accessible by many other hosts and it has support for TLS (e.g. a webserver) still use TLS for the application itself.
from sgx-lkl.
Thanks for informative replies, closing this issue.
from sgx-lkl.
Related Issues (20)
- [Test] Enable back 5 tests failing with ethreads=1 after bugs fixed HOT 1
- [Test] LTP test is not reported failed if binary is not built successfully HOT 2
- [Test] Build only enabled LTP tests
- [Test] Fix LTP tests for sync_file_range02 and fdatasync03 HOT 1
- Dead code in sgx-lkl-musl HOT 3
- Linux kernel version 5.3 is no longer being updated with functional and security patches
- Feature: multi party attestation HOT 2
- Fix broken samples HOT 2
- A futex wait interrupted by a signal returns the wrong errno value (516 vs EINTR)
- branch cleanup-musl deleted ? HOT 2
- Benchmarking file system operations in the enclave; caching ? HOT 1
- problem with redis
- helloworld sample case failed in SGX1
- Unable to use JVM (openjdk-15) inside enclave
- Disk integrity protection status
- ERROR: Failed to map /geth: Resource busy
- helloworld fails on SGX2
- SGX driver used by OpenEnclave is not supported by the latest Ubuntu 18.04 (kernel version 5.4.0)
- Specify the Maximum Heap Size in Enclave HOT 1
- ERROR: Failed to map /foo: Resource busy
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sgx-lkl.