Enclaves

To make use of the new security measures appearing in PaaS/IaaS environments, Arcs will use the Asylo framework to store sensitive information in secure enclaves.

Currently this is a PoC that provides no extra security.

This PoC includes two Docker containers: the first is an enclaved application that generates a key in a secure enclave; the second is a CouchDB instance that stores its data on an encrypted filesystem (encrypted with the key generated by Asylo). The key is exchanged (and stored) in plaintext.

All you'll need to do is:

arcs/enclave> ./start-couch.sh

This will use the Asylo docker image to generate a key (if one doesn't already exist), build the CouchDB image and start it. Use ^C to exit.

To test within the Arcs system, visit http://localhost:8080/shell/apps/couchdb-test/ and reload to see changes. If you see errors on the console about the "Access-Control-Allow-Origin" header, you'll need to enable CORS. One option is the add-cors-to-couchdb package:

> npm install -g add-cors-to-couchdb
> add-cors-to-couchdb

Notes:

  • docker run is invoked with --privileged. This isn't ideal, but it is currently required to give the container access to loopback devices. A narrower approach might be --cap-add SYS_ADMIN --device /dev/loop0 --device /dev/loop-control, which limits the additional access granted. This may be fixed in a future version of Docker or Linux, but the evidence is slim.
  • The error "Device encrypted already exists." may mean that a container failed to shut down cleanly. dm-crypt mappings are (unfortunately) shared between the host and Docker. Check on the host with sudo cryptsetup status encrypted and, if the mapping is still active, close it with sudo cryptsetup close encrypted.
  • To detach use -d.
  • To jump into a command shell, use a command like docker run -it --entrypoint "/bin/bash" test-with-asylo -i.
  • The current version uses CouchDB, but it is intended to be easy to change.
  • A Docker version that supports multi-stage builds (Docker >= 17.05) is required.
  • It's sometimes faster to iterate on code without re-building the docker image. To do that, move the code in question to one of the mounted directories (in our case, host/storage) and run it in the docker container from the mapped directory (/opt/storage).
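As an added example that is not part of the Arcs PoC, a POSIX sh start wrapper covering the notes above: it refuses to start while a stale "encrypted" mapping is still open on the host, runs the container with the narrower --cap-add SYS_ADMIN/--device grant instead of --privileged, and closes the mapping on exit so that ^C does not leave it behind. The image name, mapping name and the host/storage:/opt/storage mount come from this README; the ARCS_* override variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Arcs enclave PoC. Wraps the CouchDB container
# start with a stale-mapping check, a reduced-privilege docker run, and a
# cleanup trap. ARCS_* variables are assumed overrides for this example.
set -eu

MAPPING="${ARCS_MAPPING:-encrypted}"          # dm-crypt mapping name (README)
IMAGE="${ARCS_IMAGE:-test-with-asylo}"        # image name (README)
CRYPTSETUP="${ARCS_CRYPTSETUP:-sudo cryptsetup}"  # overridable for testing
DOCKER="${ARCS_DOCKER:-docker}"

# Return 0 if cryptsetup reports the mapping as active. The container and the
# host share the device-mapper table, so a mapping left open by a container
# that died stays visible on the host until it is closed.
mapping_active() {
  $CRYPTSETUP status "$1" 2>/dev/null | grep -q "is active"
}

# docker run arguments: explicit loop devices plus CAP_SYS_ADMIN rather than
# --privileged, as suggested in the notes, and the host/storage mount.
docker_run_args() {
  printf '%s' "--rm --cap-add SYS_ADMIN --device /dev/loop0 --device /dev/loop-control -v $PWD/host/storage:/opt/storage $1"
}

# Close the mapping on the host if it is still open after the container exits.
cleanup() {
  if mapping_active "$MAPPING"; then
    $CRYPTSETUP close "$MAPPING"
  fi
}

# Pre-flight check, then run in the foreground; ^C triggers cleanup via trap.
start_couch() {
  if mapping_active "$MAPPING"; then
    echo "Device $MAPPING already exists; close it with: sudo cryptsetup close $MAPPING" >&2
    return 1
  fi
  trap cleanup EXIT INT TERM
  # shellcheck disable=SC2046  (word splitting of the argument string is intended)
  $DOCKER run $(docker_run_args "$IMAGE")
}

case "${1:-}" in
  start) start_couch ;;
esac
```

Run as ./start-wrapper.sh start; without an argument the script only defines its functions.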

Remaining work:

  • Encryption keys should never leave the enclave. One starting point is to pick up the commented-out work in Dockerfile to integrate both Asylo & Couch into a single docker container. Once that's working, push encryption/decryption into the enclave.
  • We should bundle the Arcs application into its own Docker image, and bind the CouchDB port so that only that container can reach it.

Local (Non-Container) Development

To iterate quickly on the enclaved application it may be easier to develop locally (rather than through the container).

First, you'll need to build the Asylo toolchain. More information and directions are available directly from Asylo's INSTALL.MD.

arcs/enclave> git clone https://github.com/google/asylo.git sdk
arcs/enclave> sdk/asylo/distrib/sgx_x86_64/install-toolchain \
  --user \
  --prefix `pwd`/toolchains/sgx_x86_64

After this completes it'll leave some temporary files and directories in the current directory (probably arcs/enclave). Those can be removed with a command like rm -fr binutils* gcc* newlib*.

Then you can run commands like:

arcs/enclave> bazel run --config=enc-sim //arcs_enclave  -- \
  --output_file /tmp/foo.tmp && cat /tmp/foo.tmp && echo
<snip>
Writing output (abc) to /tmp/foo.tmp
abc