This is a working (and usable) proof of concept Spring Boot library for easy creation of AWS Nitro Enclaves applications.
Objectives:
- Easy development of Nitro Enclaves applications.
- Abstraction of the vsock host-enclave communication with a mock mode, TCP implementaion for easy local test/development (even on Windows 😎).
- Schemaless with automatic serialization/deserialization (JSON, further improvement should be BSON)
- Ready-to-use integration with the Nitro Security Module (NSM).
- Ready-to-use integration with the AWS KMS.
* Some ideas came from R3 Conclave
An enclave is a protected memory region that provides confidentiality for data and code execution. It is an instance of a Trusted Execution Environment (TEE) which is usually secured by hardware.
An enclave application partitions itself into two components:
- An untrusted component (called the host) and
- A trusted component (called the enclave).
See project examples below.
@SpringBootApplication
@ComponentScan({ "my.app.package" })
@EnableNitroEnclavesEnclaveSide
public class NitroEnclaveApplication {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(NitroEnclaveApplication.class, args);
NitroEnclaveServer server = ctx.getBean(NitroEnclaveServer.class);
server.run();
}
}
// -----
// Your business logic handlers
// -----
@Component
public class MyActionHandler extends AbstractActionHandler<MyPojoData, MyPojoDataResult> {
@Override
public boolean canHandle(String action) {
return "action_to_execute".equalsIgnoreCase(action);
}
@Override
public MyPojoDataResult handle(MyPojoData data) {
// my logic
}
}@SpringBootApplication
@ComponentScan({ "my.app.package" })
@EnableNitroEnclavesHostSide
public class NitroEnclaveHostApplication {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(NitroEnclaveHostApplication.class, args);
NitroEnclaveClient client = ctx.getBean(NitroEnclaveClient.class);
// -----
// Your Enclave interaction
// -----
EnclaveRequest<MyPojoData> request = new EnclaveRequest<>();
request.setAction("action_to_execute");
request.setData(myPojoData);
EnclaveResponse<MyPojoDataResult> response = client.send(request);
if (response.getIsError()) {
System.out.println(String.format("Something went wrong: %s", response.getError()));
System.out.println(response.getErrorStacktrace());
} else {
System.out.println(response.getData().getValue());
}
System.out.println(String.format("Enclave execution time %sms", response.getDuration()));
}
}nitro:
enclave:
port: 5000
network-mode: vsock # default is 'tcp'
nsm-cli: /app/nsm-cli # default value, for NSM integration
kmstool-enclave-cli: /app/kmstool_enclave_cli # default value, for KMS integration-
kmstool-enclave-cli & libnsm.so
Build instructions at kmstool-enclave-cli.
- vsockj
This project uses the vsockj library for vsock communication. Build instructions at vsockj.
For interaction with the Nitro Security Module.