There are some third party implementations available, but we'd worry too much about maintenance of those to use them. Something officially supported would really be helpful.
My team and I are deploying a zero trust independently verifiable secret forwarding system on AWS Nitro Enclave, please ask me anything.
The idea is basic secret forwarding - you want to send a secret to many destinations, but find it too cumbersome to encrypt it with each destination’s public key, or you might not have all the public keys in hand.
To address this, we provide you with a code base running inside a Nitro Enclave. You have a KMS account, and you configure it to allow access only to 1) our code base hash AND 2) only when that signed code is running inside a certified Nitro Enclave.
The enclave bootstraps itself on first run by generating a key pair and encrypting the private key with a data key from KMS.
You can then send a secret to the enclave encrypted with its public key, and verifiably know exactly what’s going to happen. Only trusted code running inside the secure confines of the enclave would be able to decrypt and operate on the secret.
There’s lots of gotchas - if you make a server in the enclave remember to use a server that binds on the VSOCK AF and port; on the host run socat or a systemd socket unit to translate HTTP/TCP calls into the enclave’s VSOCK. Make sure you enrich all requests passed into the enclave with all the data and encrypted artefacts it needs to work. Make sure to send the encrypted artefacts out from the enclave and store them safely.
We do this for cinema movie distribution - filmmakers just send their movie’s encryption key to this system, and it sends it out to the public key of each projector in each screen in each theatre in the world. And big studios can verify that their billion dollar movies aren’t going anywhere other than their chosen rules.
How did you verify and validate that a AWS Nitro Enclave actually provides isolation and attestation guarantees?
Do they provide certifications or audits confirming conformance to multi-level security guarantees? Or do they provide you detailed specifications allowing you to evaluate that yourselves? Did you run red team exercises that resulted in no detected deficiencies as would be required by a multi-level security claim?
It seems like everything you have described could be done with TPM: creating a signing key for TLS mutual authentication (against the secret store) with policy that allows using that key only if system configuration did not change (PCR values stay consistent). Additionally TPMs allow remote attestation (via quotes and endorsement keys).
So I'm wondering what's the advantage of Nitro Enclaves? Better out of the box tooling?
Last I looked the NitroTPM product didn't have anything like an Endorsement Key certificate or any mechanism for authenticating a public Endorsement Key. Discrete TPM chips usually have an EKcert. GCP's vTPMs do not have an EKcert but Google provides a facility for looking up a guest's EKpub. It'd be nice if NitroTPM also had this.
Also, it's passingly strange to see PCRs mentioned with no mention of TPMs.
I'd appreciate pointers to adversarial attack models on nitro. I find papers leveraging nitro to build higher order processing models, I think it looks good, but where's the work to certify it in something analogous to FIPS? Nitro+FIPS searches suggest its hand-off to a card, not innately in the s/w system itself so its the usual key leakage issue: the real key might not leak, but ability to operate the key may in some circumstances be as bad as leaking it: if a Nitro instance can be subverted, it can securely sign to the end of time for bad purpose.
Confidential computing is really exciting in terms of software workload identity! As mentioned in the article, the AWS Nitro Enclaves PCR0 is a runtime measurement of the enclave image file, which contains all the code that is running - in other words, a representation of "something you are" rather than "something you have" (a token, a certificate, etc.).
Side note - I work on confidential computing at Anjuna, would love to talk more.
mariojv|2 years ago
There are some third party implementations available, but we'd worry too much about maintenance of those to use them. Something officially supported would really be helpful.
agrinman|2 years ago
sudhirj|2 years ago
The idea is basic secret forwarding - you want to send a secret to many destinations, but find it too cumbersome to encrypt it with each destination’s public key, or you might not have all the public keys in hand.
To address this, we provide you with a code base running inside a Nitro Enclave. You have a KMS account, and you configure it to allow access only to 1) our code base hash AND 2) only when that signed code is running inside a certified Nitro Enclave.
The enclave bootstraps itself on first run by generating a key pair and encrypting the private key with a data key from KMS.
You can then send a secret to the enclave encrypted with its public key, and verifiably know exactly what’s going to happen. Only trusted code running inside the secure confines of the enclave would be able to decrypt and operate on the secret.
There’s lots of gotchas - if you make a server in the enclave remember to use a server that binds on the VSOCK AF and port; on the host run socat or a systemd socket unit to translate HTTP/TCP calls into the enclave’s VSOCK. Make sure you enrich all requests passed into the enclave with all the data and encrypted artefacts it needs to work. Make sure to send the encrypted artefacts out from the enclave and store them safely.
We do this for cinema movie distribution - filmmakers just send their movie’s encryption key to this system, and it sends it out to the public key of each projector in each screen in each theatre in the world. And big studios can verify that their billion dollar movies aren’t going anywhere other than their chosen rules.
Veserv|2 years ago
Do they provide certifications or audits confirming conformance to multi-level security guarantees? Or do they provide you detailed specifications allowing you to evaluate that yourselves? Did you run red team exercises that resulted in no detected deficiencies as would be required by a multi-level security claim?
Thom2000|2 years ago
So I'm wondering what's the advantage of Nitro Enclaves? Better out of the box tooling?
s_dev|2 years ago
cryptonector|2 years ago
Also, it's passingly strange to see PCRs mentioned with no mention of TPMs.
ggm|2 years ago
bobbiechen|2 years ago
Side note - I work on confidential computing at Anjuna, would love to talk more.
giacaglia|2 years ago