Ming-Wei Shih [he/him], Software Engineer, github.com/mingweishih
Aeva Black [they/them], Open Source Program Manager, @aevavoom, aevaonline

The Confidential Computing Consortium

› Community focused on open source licensed projects securing data in use and accelerating the adoption of confidential computing through open collaboration
› Announced the intent to form in August 2019 at the Open Source Summit North America in San Diego; formally launched on 17 October 2019 with governance in place

Please visit https://confidentialcomputing.io

Introduction to Open Enclave SDK

Ming-Wei Shih, Microsoft
github.com/openenclave/openenclave

Confidential Computing Consortium Webinar 2021

Confidential Computing 101

Protecting data in its three states:
• Data at rest: disk encryption
• Data in transit: SSL/TLS
• Data in use: a hardware-based Trusted Execution Environment (TEE), i.e. an enclave, which keeps the data out of reach of a hacker, a system admin, the cloud provider, and anyone else with access to the machine

Requirements for Developing Enclave Programs

Instantiation
• Load a binary into an enclave from the untrusted host
• Requirement: TEE-specific loaders
  - Interact with TEE hardware and drivers

Runtime
• Support high-level language features inside the enclave
• Requirement: conforming to the TEE's security model
  - Host memory is untrusted
  - Only the enclave can send data to the host

Attestation
• Allow remote parties to verify the identity of the enclave
• Requirement: supporting attestation primitives
  - Evidence generation
  - Evidence verification

Open Enclave SDK: An Open-source C/C++ SDK for Enclave Programs

Instantiation
• Multi-TEE Loader Support: Intel SGX, ARM TrustZone (preview)

Runtime
• Multi-OS Support: Linux, Windows
• Ported C POSIX Library (musl libc)
• Other 3rd party Libraries: LLVM libc++, Mbed TLS, OpenSSL

Attestation
• Attestation Plugin APIs: SGX Plugins

Architecture

Host (untrusted)
• Host Program
• Open Enclave Host Libraries

Enclave (inside the trusted boundary)
• Enclave Program
• Open Enclave Software Stack: OE Attestation Plugins, LLVM libc++, OpenSSL, Mbed TLS, musl libc
• Open Enclave Runtime Libraries

TEE Components: Intel SGX Libraries, OP-TEE
TEE hardware: Intel SGX, ARM TrustZone

Programming Model

Host Program
• Input: signed binary (the enclave program takes the form of an ELF binary on both Linux and Windows; a tool signs the ELF binary)
• Load the binary (APIs to create and terminate an enclave)
• Invoke an enclave function (ECALL)
• Return to the host
• Enclave termination

Enclave Program
• Enclave creation
• Invoke a host function (OCALL)
• Return to the enclave

A tool generates the edge routines that handle parameter passing for ECALLs and OCALLs.

Minimal Project: Helloworld

    helloworld
    ├── host
    │   ├── host.c
    │   ├── Makefile
    │   └── helloworld_u.c, helloworld_u.h   (build-time generated edge routines)
    ├── enclave
    │   ├── enclave.c
    │   ├── enclave.conf
    │   ├── Makefile
    │   └── helloworld_t.c, helloworld_t.h   (build-time generated edge routines)
    ├── helloworld.edl
    └── Makefile

Example of Edge Routine Generation

ECALLs/OCALLs are defined via an EDL file. The oeedger8r tool generates the boundary code in C for both the host and the enclave.

helloworld.edl:

    enclave {
        from "openenclave/edl/syscall.edl" import *;
        from "openenclave/edl/sgx/platform.edl" import *;

        trusted {
            public void enclave_helloworld();   // ECALL
        };

        untrusted {
            void host_helloworld();             // OCALL
        };
    };

Host side:

    $ oeedger8r --untrusted helloworld.edl --search-path /opt/openenclave/include

Enclave side:

    $ oeedger8r --trusted helloworld.edl --search-path /opt/openenclave/include

Learn more at: github.com/openenclave/oeedger8r-cpp

Host and Enclave Programs

host.c:

    #include <stdio.h>
    #include <openenclave/host.h>
    #include "helloworld_u.h"   /* generated by oeedger8r --untrusted */

    int main(int argc, const char* argv[])
    {
        oe_enclave_t* enclave = NULL;

        /* Load the signed enclave binary named on the command line;
           the flags value 1 is OE_ENCLAVE_FLAG_DEBUG */
        oe_result_t result = oe_create_helloworld_enclave(
            argv[1], OE_ENCLAVE_TYPE_AUTO, 1, NULL, 0, &enclave);
        if (result != OE_OK)
        {
            fprintf(stderr, "oe_create_helloworld_enclave(): %s\n", oe_result_str(result));
            return 1;
        }

        enclave_helloworld(enclave);   /* ECALL */

        oe_terminate_enclave(enclave);
        return 0;
    }

    /* OCALL implementation: called from inside the enclave */
    void host_helloworld()
    {
        printf("Hello world from the host\n");
    }

enclave.c:

    #include <stdio.h>
    #include <openenclave/enclave.h>
    #include "helloworld_t.h"   /* generated by oeedger8r --trusted */

    /* ECALL implementation: called from the host */
    void enclave_helloworld()
    {
        printf("Hello world from the enclave\n");
        host_helloworld();   /* OCALL */
    }

Sign:

    $ oesign sign -e enclave -c enclave.conf -k key.pem

Run:

    $ ./host enclave.signed
    Hello world from the enclave
    Hello world from the host

ECALL Behind the Scene

Host program: enclave_helloworld(enclave);
Enclave program: enclave_helloworld() prints "Hello world from the enclave" and then calls host_helloworld().

Host-side ECALL routine (generated in helloworld_u.c):
1. Serialize the arguments into buffers
2. Transfer execution to the enclave
3. Unserialize the return values from the host buffers
4. Return to the invocation of the ECALL

Enclave-side ECALL routine (generated in helloworld_t.c):
1. Copy the host buffers into enclave memory
2. Unserialize and sanitize the arguments
3. Invoke enclave_helloworld()
4. Serialize the return values into buffers
5. Copy the buffers into the host buffers
6. Transfer execution back to the host

OCALL Behind the Scene

Enclave program: enclave_helloworld() calls host_helloworld();
Host program: host_helloworld() prints "Hello world from the host".

Enclave-side OCALL routine (generated in helloworld_t.c):
1. Serialize the arguments into buffers
2. Copy the buffers into host memory
3. Transfer execution to the host
4. Unserialize and copy the return values from the host buffers
5. Return to the invocation of the OCALL

Host-side OCALL routine (generated in helloworld_u.c):
1. Unserialize and sanitize the arguments
2. Invoke host_helloworld()
3. Serialize the return values into buffers
4. Transfer execution back to the enclave

Remote Attestation Plugins

• Designed to support TEE-specific attestation: SGX plugins
• APIs to generate and verify evidence (quotes): oe_get_evidence(), oe_verify_evidence()
• Flow: the enclave program calls oe_get_evidence(); a relying party or an attestation service (Microsoft Attestation Service) calls oe_verify_evidence(); both sit on top of the TEE components (Intel SGX DCAP libraries)
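oe_verify_evidence() establishes that the evidence is genuine and hands back a set of claims; deciding whether this particular enclave is the one you trust is the caller's job. The following is an added example, not Open Enclave SDK code: the claim-policy check a relying party runs after verification. The `claim_t` struct and the claim names mirror OE's oe_claim_t and OE_CLAIM_* strings but are re-declared here (as assumptions) so the block builds without the SDK; the expected signer, the minimum security version and the sample claim sets are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed mirror of OE's oe_claim_t (name, value, value_size), re-declared so
 * the block builds without the SDK. */
typedef struct {
    const char *name;
    const uint8_t *value;
    size_t value_size;
} claim_t;

/* Claim names and the debug attribute bit as used by OE's SGX plugins. */
#define CLAIM_SIGNER_ID        "signer_id"        /* MRSIGNER on SGX, 32 bytes */
#define CLAIM_SECURITY_VERSION "security_version" /* ISV SVN, uint32_t */
#define CLAIM_ATTRIBUTES       "attributes"       /* uint64_t flags */
#define ATTR_DEBUG             0x1ull             /* OE_REPORT_ATTRIBUTES_DEBUG */

typedef struct {
    uint8_t expected_signer[32];
    uint32_t min_svn;
    bool allow_debug;
} policy_t;

/* Look a claim up by name and insist on the exact size we are about to read;
 * a claim of the wrong size is treated as missing, never as a partial value. */
static const claim_t *find_claim(const claim_t *claims, size_t n,
                                 const char *name, size_t want_size)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(claims[i].name, name) == 0 && claims[i].value_size == want_size)
            return &claims[i];
    return NULL;
}

/* Policy check on verified claims. 0 = accept; negative codes name the check
 * that failed so a relying party can log why an enclave was turned away. */
int check_claims(const claim_t *claims, size_t n, const policy_t *p)
{
    const claim_t *signer = find_claim(claims, n, CLAIM_SIGNER_ID, 32);
    if (signer == NULL)
        return -1;
    if (memcmp(signer->value, p->expected_signer, 32) != 0)
        return -2;                              /* not signed by our key */

    const claim_t *svn = find_claim(claims, n, CLAIM_SECURITY_VERSION, sizeof(uint32_t));
    if (svn == NULL)
        return -3;
    uint32_t v;
    memcpy(&v, svn->value, sizeof v);
    if (v < p->min_svn)
        return -4;                              /* downgraded or unpatched build */

    const claim_t *attr = find_claim(claims, n, CLAIM_ATTRIBUTES, sizeof(uint64_t));
    if (attr == NULL)
        return -5;
    uint64_t a;
    memcpy(&a, attr->value, sizeof a);
    if ((a & ATTR_DEBUG) != 0 && !p->allow_debug)
        return -6;                              /* debug enclaves can be inspected by the host */

    return 0;
}

/* Constructed sample: our signer, a foreign signer, and a helper that builds
 * a three-claim array the way a verifier would receive it. */
static const uint8_t g_our_signer[32]   = { 0xAB, 0xCD, 0xEF };
static const uint8_t g_other_signer[32] = { 0x11, 0x22, 0x33 };
static uint32_t g_svn;
static uint64_t g_attrs;
static claim_t g_claims[3];

int run_policy(uint32_t svn, uint64_t attrs, const uint8_t *signer)
{
    g_svn = svn;
    g_attrs = attrs;
    g_claims[0] = (claim_t){ CLAIM_SIGNER_ID, signer, 32 };
    g_claims[1] = (claim_t){ CLAIM_SECURITY_VERSION, (const uint8_t *)&g_svn, sizeof g_svn };
    g_claims[2] = (claim_t){ CLAIM_ATTRIBUTES, (const uint8_t *)&g_attrs, sizeof g_attrs };

    policy_t p = { .min_svn = 3, .allow_debug = false };
    memcpy(p.expected_signer, g_our_signer, sizeof p.expected_signer);
    return check_claims(g_claims, 3, &p);
}

int main(void)
{
    printf("production enclave, svn 3: %d\n", run_policy(3, 0, g_our_signer));
    printf("debug enclave:             %d\n", run_policy(3, ATTR_DEBUG, g_our_signer));
    printf("old svn 2:                 %d\n", run_policy(2, 0, g_our_signer));
    printf("foreign signer:            %d\n", run_policy(3, 0, g_other_signer));
    return 0;
}
```

With the real SDK the claims array comes out of oe_verify_evidence() and is released with oe_free_claims(); the three checks above (who signed it, which security version, whether it is a debug build) are the minimum a relying party should apply before it sends any secret to the enclave.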

Additional Features

Features
• Logging callback APIs
• Sealing APIs
• Deep-copy for ECALLs/OCALLs
• Pluggable Allocators
• Debug Malloc
• Simulation Mode
• Package Manager: apkman (experimental)

Tools
• Debuggers: GDB, WinDbg
• IDE Extensions: Visual Studio, VS Code

More (planned or unplanned)
• FIPS Module Loading
• Improve syscall/libc Support
• High-level Language Binding (e.g., Rust)

apkman: Package Manager for OE SDK

Typical workflow to add a 3rd party library to enclaves:
1. git clone https://github.com/protocolbuffers/protobuf.git
2. (..... manual porting .....)
3. Build the library
4. Use the library in an enclave program

Ideal workflow on Linux:

    sudo apt install libprotobuf-dev
    #include …                                      (in the enclave program)
    google::protobuf::util::MessageToJsonString(…)

Workflow with apkman:

    apkman add libprotobuf-dev
    #include …                                      (in the enclave program)
    google::protobuf::util::MessageToJsonString(…)
    clang -o enclave enclave.o libprotobuf.a …      (link)

(*) apkman is a bash script created by the OE SDK dev team. Learn more at: github.com/anakrish/apkman

apkman Design

• Based on apk, the package manager for Alpine Linux
• The libraries built for Alpine Linux are based on musl libc → compatible with OE enclaves
• Diagram: on the Linux host, apkman uses PRoot with an Alpine root filesystem (alpine-fs) and apk to fetch Alpine Linux packages (protobuf, lua, sqlite, curl, zlib, …); the resulting static library (e.g. libprotobuf.a) is linked together with the Open Enclave libs into the enclave program

Example: apkman add libprotobuf-dev

Demo: apkman

Position in the Ecosystem

• Write an enclave program from the ground up
• Foundation for building a high-level framework with a lower TCB:
  - Confidential Consortium Framework (CCF)
  - Azure cloud services
  - EdgelessRT
  - SGX-LKL
  - Mystikos

Diagram: unmodified applications (Rust app, Go app, blockchain app, …) run on a high-level framework for confidential computing apps; normal code stays on the host while security-critical code runs in the enclave; Open Enclave provides the TEE abstraction underneath.

TEE Use Case: Mystikos

Mystikos (MIT license) layering, top to bottom; the application, C runtime and user-mode kernel run in trusted execution:
• Application (rootfs)
    ↓ libc calls*
• C runtime (libmyst-crt.so)
    ↓ system calls*
• User-mode kernel (libmyst-kernel.so)
    ↓ target calls*
• Targets: Open Enclave (SGX), Linux
    ↓ host calls*
• Host OS

* most calls terminate in trusted code

Learn more at: github.com/deislabs/mystikos

Demo: Mystikos

How to Get Involved

• Open Enclave on GitHub: github.com/openenclave/openenclave
• Follow the docs to write your own enclave programs!
• Contribute
  - Use GitHub issues to report bugs, ask questions, and provide feedback
  - Search issues with the "good first issue" label
  - Submit pull requests
• Weekly open meetings: lists.confidentialcomputing.io/g/oesdk/calendar
  - Triage meeting: Monday 10 AM PST
  - SIG Architecture meeting: Tuesday 11 AM PST
  - SIG Attestation meeting: Wednesday 10 AM PST

Questions?

Open Enclave SDK github.com/openenclave/openenclave

Ming-Wei Shih, @mingweishih Microsoft Azure Confidential Compute