⚙️
Morphisms: Confidential Serverless Containers
  • Introduction
  • Preliminaries
    • What is Confidential Computing?
      • Threat Model
      • Intel SGX
        • Threat Model
        • Memory Layout
        • Memory encryption
        • Enclave Lifecycle
        • Entering and Exiting an Enclave
        • Measurement
        • Certificate
        • Key Derivation
        • Attestation
        • Gramine
        • SGX2
        • Secret Key Provisioning
      • AMD SEV-SNP
        • Encrypted CPU Registers
        • Memory encryption
        • Secure Nested Paging
        • Virtual Machine Privilege Levels (VMPL's)
        • Cryptographic Keys
        • Secret Key Provisioning
        • Guest Deployment
    • Serverless (FaaS)
      • Knative
  • Confidential Serverless Containers
    • Introduction
    • Intel SGX
      • Threat Model
      • Remote attestation verification
      • Secure Storage
        • HashiCorp's Vault
      • Architecture
        • Confidential Knative
        • Certificates
        • Session Management
      • Confidential Container Configuration
    • AMD SEV-SNP
      • Threat Model
      • Architecture
        • Network communication
        • KMS
        • Updates
        • Key rotation
      • Design Decision
  • Benchmarks
    • Hardware
    • Results
    • Architecture Comparison
  • Getting Started
    • FAQ
    • Intel SGX
    • AMD SEV-SNP
  • Glossary
    • SGX Glossary
    • AMD SEV-SNP Glossary
Powered by GitBook
On this page
  1. Confidential Serverless Containers
  2. Intel SGX

Confidential Container Configuration

PreviousSession ManagementNextAMD SEV-SNP

Last updated 1 year ago

In order for Knative to work with Intel SGX, the enclave must be inside a container. Then the container image with the enclave can be used as a regular image in Knative.

Containerizing an enclaved application differs depending on whether the SDK is used to create the enclave or a Lib-OS. Either way, the container should include the Intel SGX SDK and the SGX Platform Software (PSW), which for Linux can be found at \href{https://github.com/intel/linux-sgx}{here}, and have the kernel's SGX drivers mounted. For Linux, the drivers are available in /dev/sgx_enclave, /dev/sgx_provision and /dev/sgx/enclave. When using the SDK to enclave an application, only the application needs to be included additionally. If a Lib-OS is used, the Lib-OS and the Lib-OS'ed application must be included.

Intel provides a that automatically mounts the drivers and detects Intel-SGX capable nodes. The problem is, that DCAP does not work with the plug-in out of the box. Mounting the earlier mentioned drivers is easier and this is why the plug-in is not used. In addition, the plug-in deploys additional pods into the cluster, which thus take up some of the cluster resources.

After doing the above mentioned steps, Knative is now able to deploy strong serverless confidential containers into your cluster. As the goal is ease-of-deployment, Gramine-OS is used to be able to easily enclave any applications in the getting started examples. Enclaive provides a LibOS built on top of Gramine-OS, which is specifically designed to be included into containers. With the agreement of Enclaive I updated the used Gramine version in their Lib-OS to the latest version. This brings some performance benefits as EDMM is now supported by SGX2 and the lib-OS has been improved. This can significantly reduce the startup time of enclaves by not having to load all EPC pages into the enclave at startup. A demo of an Intel SGX protected nginx-SCSC without a KMS can be found here as reference.

Kubernetes plug-in