Редагувати

Поділитися через


Open Source Solutions to Build Enclave Applications

This article goes over open-source solutions for building applications that use application enclaves. Before reading, make sure you read the enclave applications conceptual page.

Intel SGX-Compatible Tools

Azure offers application enclaves via confidential virtual machines with Intel Software Guard Extensions (SGX) enabled. After deploying an Intel SGX virtual machine, you'll need specialized tools to make your application "enclave aware". This way, you can build applications that have both trusted and untrusted portions of code.

For example, you can use these open-source frameworks:

If you're not looking to write new application code, you can wrap a containerized application using confidential container enablers

Open Enclave Software Development Kit (OE SDK)

Use a library or framework supported by your provider if you want to write code that runs in an enclave. The Open Enclave SDK (OE SDK) is an open-source SDK that allows abstraction over different confidential computing-enabled hardware.

The OE SDK is built to be a single abstraction layer over any hardware on any CSP. The OE SDK can be used on top of Azure confidential computing virtual machines to create and run applications on top of enclaves. The Open Enclave repository is maintained by Microsoft.

EGo Software Development Kit

EGo is an open-source SDK that enables you to run applications written in the Go programming language inside enclaves. EGo builds on top of the OE SDK and comes with an in-enclave Go library for attestation and sealing. Many existing Go applications run on EGo without modifications.

Intel SGX Software Development Kit

The Intel SGX SDK is developed and maintained by the SGX team at Intel. The SDK is a collection tools allowing software developers to create and debug Intel SGX enabled applications in C/C++.

Confidential Consortium Framework (CCF)

The Confidential Consortium Framework (CCF) is an example of a distributed blockchain framework. The CCF is built on top of Azure confidential computing. Spearheaded by Microsoft Research, this framework uses the power of trusted execution environments (TEEs) to create a network of remote enclaves for attestation. Nodes can run on top of Azure Intel SGX virtual machines and take advantage of the enclave infrastructure. Through attestation protocols, users of the blockchain can verify the integrity of one CCF node, and effective verify the entire network.

In the CCF, the decentralized ledger is made up of recorded changes to a Key-Value store that is replicated across all the network nodes. Each of these nodes runs a transaction engine that can be triggered by users of the blockchain over TLS. When you trigger an endpoint, you mutate the Key-Value store. Before the encrypted change is recorded to the decentralized ledger, it must be agreed upon by more than one node to reach agreement.

Intel® Cloud Optimization Modules for Kubeflow

The Intel® Cloud Optimization Modules for Kubeflow provide an optimized machine learning Kubeflow Pipeline using XGBoost to predict the probability of a loan default. The reference architecture leverages the secure and confidential Intel® Software Guard Extensions virtual machines on an Azure Kubernetes Services (AKS) cluster. It also enables the use of Intel® optimizations for XGBoost and Intel® daal4py to accelerate model training and inference in a full end-to-end machine learning pipeline.

Next steps