SGX-ready Enclaive Docker Image for Rust Applications and Services
enclaive/enclaive-docker-rust-sgx
Rust-SGX
packed by enclaive
#intelsgx #confidentialcompute #dont-trust-a-cloud
Contribute · Report Bug · Request Feature
docker pull enclaive/rust-sgx
docker-compose up -d
Warning: This quick setup is only intended for development environments. You are encouraged to change the insecure default credentials and check out the available configuration options in the build section for a more secure deployment.
Rust is a multi-paradigm, general-purpose programming language. Rust emphasizes performance, type safety, and concurrency. Rust enforces memory safety—that is, that all references point to valid memory—without requiring the use of a garbage collector or reference counting present in other memory-safe languages. To simultaneously enforce memory safety and prevent concurrent data races, Rust's borrow checker tracks the object lifetime and variable scope of all references in a program during compilation. Rust is popular for systems programming but also offers high-level features including functional programming constructs.
Intel Security Guard Extension (SGX) delivers advanced hardware and RAM security encryption features, so-called enclaves, in order to isolate code and data that are specific to each application. When data and application code run in an enclave, additional security, privacy and trust guarantees are given, making the container an ideal choice for (untrusted) cloud environments.
Application code executing within an Intel SGX enclave:
- Remains protected even when the BIOS, VMM, OS, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
- Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
- At no moment in time data, program code and protocol messages are leaked or de-anonymized
- Reduces the trusted computing base of its parent application to the smallest possible footprint
The following benefits come for free with Rust-SGX:
- Protect Rust data, applications, services, APIs and AI models against intellectual property theft/violation irrespective of where the container runs, thanks to full-fledged container memory encryption and integrity protection at runtime
- Shield the container application against container escalation attacks with hardened security against kernel-space exploits, malicious and accidental privileged insider attacks, UEFI firmware exploits and other "root" attacks that use the corruption of the application to infiltrate your network and system
- Build and deploy Rust applications as usual while inheriting security and privacy literally for free through containerization, including
  - strictly better TOMs (technical and organizational measures)
  - deployment anywhere that is compliant with privacy export regulations, such as Schrems-II
  - GDPR/CCPA compliant processing ("data in use") of user data (in the cloud) as data is anonymized thanks to the enclave
The following cloud infrastructures are SGX-ready out of the box
Confidential compute is a fast growing space. Cloud providers continuously add confidential compute capabilities to their portfolio. Please contact us if the infrastructure provider of your preferred choice is missing.
Check for Intel Security Guard Extension (SGX) presence by running the following:
grep sgx /proc/cpuinfo
Alternatively, have a thorough look at Intel's processor list. (We remark that MacBooks with CPUs transitioned to Intel are unlikely to be supported. If you find a configuration, please let us know.)
Note that in addition to SGX the hardware module must support FSGSBASE. FSGSBASE is an architecture extension that allows applications to directly write to the FS and GS segment registers. This allows fast switching to different threads in user applications, as well as providing an additional address register for application use. If your kernel version is 5.9 or higher, then the FSGSBASE feature is already supported and you can skip this step.
There are several options to proceed
If: No SGX-ready hardware
Azure Confidential Compute cloud offers VMs with SGX support. Prices are fair and have been recently reduced to support the developer community. First-time users get $200 USD free credit. Other cloud providers like OVH or Alibaba cloud have similar offerings.
Elif: Virtualization
Ubuntu 21.04 (Kernel 5.11) provides the driver off-the-shelf. Read the release. Go to download page.
Elif: Kernel 5.9 or higher
Install the DCAP drivers from the Intel SGX repo
sudo apt update
sudo apt -y install dkms
wget https://download.01.org/intel-sgx/sgx-linux/2.13.3/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin -O sgx_linux_x64_driver.bin
chmod +x sgx_linux_x64_driver.bin
sudo ./sgx_linux_x64_driver.bin
sudo apt -y install clang-10 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave
Else: Kernel older than version 5.9
Upgrade to Kernel 5.11 or higher. Follow the instructions here.
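The prerequisite checks above combined into one script, as an added example that is not part of the enclaive repository: it matches the sgx and fsgsbase CPU flags as whole words (so sgx_lc alone does not count) and compares the kernel release against 5.9. The function names and verdict strings are assumptions of this example, and the sample flags line is constructed.

```shell
#!/bin/sh
# Added example (not from the enclaive repository). Function names and
# verdict strings are hypothetical; they mirror the If/Elif/Else options above.

# has_flag FLAG FILE: succeed if FLAG is a whole word on a cpuinfo "flags" line.
has_flag() {
    grep -E '^flags[[:space:]]*:' "$2" 2>/dev/null | grep -qw -- "$1"
}

# kernel_at_least RELEASE MAJOR MINOR: RELEASE looks like 5.11.0-27-generic.
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "${minor:-0}" -ge "$3" ]; }
}

# sgx_readiness CPUINFO_FILE KERNEL_RELEASE: print exactly one verdict.
sgx_readiness() {
    if ! has_flag sgx "$1"; then
        echo "no-sgx"            # no SGX-ready hardware: use an SGX cloud VM
    elif ! kernel_at_least "$2" 5 9; then
        echo "upgrade-kernel"    # kernel older than 5.9
    elif ! has_flag fsgsbase "$1"; then
        echo "no-fsgsbase"       # SGX present, FSGSBASE not exposed
    else
        echo "ready"             # continue with the driver installation
    fi
}

# Constructed sample input (not captured from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf 'flags\t\t: fpu vme fsgsbase sgx sgx_lc\n' > "$sample"

sgx_readiness "$sample" "5.11.0-27-generic"
sgx_readiness "$sample" "5.4.0-80-generic"
# Verdict for the machine this script runs on:
sgx_readiness /proc/cpuinfo "$(uname -r)"
```
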
Install the docker engine
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker $USER  # manage docker as non-root user (obsolete as of docker 19.3)
Use docker run hello-world to check if you can run docker (without sudo).
The recommended way to get the enclaive Rust-SGX Open Source Docker Image is to pull the prebuilt image from the Docker Hub Registry.
docker pull enclaive/rust-sgx:latest
To use a specific version, you can pull a versioned tag. You can view the list of available versions in the Docker Hub Registry.
docker pull enclaive/rust-sgx:[TAG]
If you wish, you can also build the image yourself.
docker build -t enclaive/rust-sgx:latest 'https://github.com/enclaive/enclaive-docker-rust-sgx.git#master'
The build process of the image contains two stages:
- First Stage ("builder"): uses the official Rust Docker image to compile the project to an executable using cargo
- Second Stage: gathers all additional required resources, generates the manifest from the template and signs it
During the build, ARG projectName specifies the name of the project directory and executable. Further, ARG webFiles specifies the directory for *.html, *.js, ... . Both are defined in the docker-compose.yml.
If more packages are required during build or runtime, they can be added to the package.txt or build/package.txt to install them during the build.
After the build is finished, the app environment looks like this by default
/entrypoint/
+ app            # executable
+ $webFiles/
  + *.html
To run another Rust executable, it is enough to replace the hello_world project with yours and change the argument projectName in docker-compose.yml to your project name. The same applies to the argument webFiles; if not needed, this part can be removed.
Note: After the image is built, the $webFiles are located in /entrypoint/$webFiles/.
Run docker-compose up -d to start the Rust application.
Run curl http://{your_host_ip}; the console prints Server is running.
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
Don't forget to give the project a star! Spread the word on social media! Thanks again!
Distributed under the GPLv3 License. See LICENSE for further information.
enclaive.io - @enclaive_io - contact@enclaive.io - https://enclaive.io
This project greatly celebrates all contributions from the gramine team. Special shout out to Dmitrii Kuvaiskii from Intel for his support.
This software listing is packaged by enclaive.io. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.