enclaive/java-sgx repository overview

⁠
Java-SGX

⁠Java-SGX: Execute Java applications in the safest Confidential Compute runtime

⁠packed by enclaive⁠

#intelsgx #confidentialcompute #javasecurity
Contribute⁠ · Report Bug⁠ · Request Feature⁠

⁠What is Java and SGX?

Overview of Java⁠

Overview of Intel SGX⁠

Application code executing within an Intel SGX enclave:

• Remains protected even when the BIOS, VMM, OS, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
• Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
• At no moment in time data, program code and protocol messages are leaked or de-anonymized
• Reduces the trusted computing base of its parent application to the smallest possible footprint

⁠Why use Java-SGX (instead of "vanilla" Java) images?

Following benefits come for free with Java-SGX :

• Protect Java data, files, applications, services, APIs, (AI) models against intelectual property theft/violation irrespectively where the application runs thanks to full fledge memory container encryption and integrity protection at runtime
• Shield container application against container escape attacks with hardware-graded security against kernel-space exploits, malicious and accidental privilege insider⁠ attacks, UEFI firmware⁠ exploits and other "root" attacks using the corruption of the application to infiltrate your network and system
• Build and deploy Java application as usual while inheriting literally for free security and privacy through containerization including
  • strictly better TOMs (technical and organizatorial measures)
  • privacy export regulations compliant deployment anywhere, such as Schrems-II⁠
  • GDPR/CCPA compliant processing ("data in use") of user data (in the cloud) as data is relatively anonymized thanks to the enclave

⁠TL;DR

docker pull enclaive/java-sgx
docker-compose up -d

Warning: This quick setup is only intended for development environments. You are encouraged to change the insecure default credentials and check out the available configuration options in the build⁠ section for a more secure deployment.

⁠How to deploy Java-SGX in a zero-trust cloud?

The following cloud infrastractures are SGX-ready out of the box

• Microsoft Azure Confidential Cloud⁠
• OVH Cloud⁠
• Alibaba Cloud⁠
• Kraud Cloud⁠

Confidential compute is a fast growing space. Cloud providers continiously add confidential compute capabilities to their portfolio. Please contact⁠ us if the infrastracture provider of your preferred choice is missing.

⁠Getting started

⁠Platform requirements

Check for Intel Security Guard Extension (SGX) presence by running the following

grep sgx /proc/cpuinfo

Alternatively have a thorough look at Intel's processor list⁠. (We remark that macbooks with CPUs transitioned to Intel are unlikely supported. If you find a configuration, please contact⁠ us know.)

Note that in addition to SGX the hardware module must support FSGSBASE. FSGSBASE is an architecture extension that allows applications to directly write to the FS and GS segment registers. This allows fast switching to different threads in user applications, as well as providing an additional address register for application use. If your kernel version is 5.9 or higher, then the FSGSBASE feature is already supported and you can skip this step.

There are several options to proceed

• If: No SGX-ready hardware
  Azure Confidential Compute⁠ cloud offers VMs with SGX support. Prices are fair and have been recently reduced to support the developer community⁠. First-time users get $200 USD free⁠ credit. Other cloud provider like OVH⁠ or Alibaba⁠ cloud have similar offerings.

• Elif: Virtualization
  Ubuntu 21.04 (Kernel 5.11) provides the driver off-the-shelf. Read the release⁠. Go to download⁠ page.

• Elif: Kernel 5.9 or higher
  Install the DCAP drivers from the Intel SGX repo⁠

  sudo apt update
  sudo apt -y install dkms
  wget https://download.01.org/intel-sgx/sgx-linux/2.13.3/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin -O sgx_linux_x64_driver.bin
  chmod +x sgx_linux_x64_driver.bin
  sudo ./sgx_linux_x64_driver.bin
  
  sudo apt -y install clang-10 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave
  

  Copy

• Else: Kernel older than version 5.9
  Upgrade to Kernel 5.11 or higher. Follow the instructions here⁠.

⁠Software requirements

Install the docker engine

 sudo apt-get update
 sudo apt-get install docker-ce docker-ce-cli containerd.io
 sudo usermod -aG docker $USER    # manage docker as non-root user (obsolete as of docker 19.3) 

Use docker run hello-world to check if you can run docker (without sudo).

⁠Get this image

The recommended way to get the enclaive Java-SGX Open Source Docker Image is to pull the prebuilt image from the Docker Hub Registry⁠.

docker pull enclaive/java-sgx:latest

To use a specific version, you can pull a versioned tag. You can view the list of available versions⁠ in the Docker Hub Registry.

docker pull enclaive/java-sgx:[TAG]

⁠Build the image

If you wish, you can also build the image yourself.

docker build -t enclaive/java-sgx:latest 'https://github.com/enclaive/enclaive-docker-java-sgx.git#master'

The build consists of two stages. The first ("builder") stage uses Gradle to build the Gradle-based Java project⁠ and creates a runnable JAR. The second ("gramine") stage gathers all the necessary resources and signs the manifest based on the existing template⁠.

⁠Modify the image

⁠Gradle-based JVM application

Replace the project folder, at src/project, with your Gradle-based project and change the referenced folders and Gradle tasks inside the builder stage in the Dockerfile accordingly.

⁠Non-Gradle-based JVM application

Replace the project folder, at src/project, with your JVM application project and exchange the builder stage inside the Dockerfile with your needed build config. Make sure to copy the resulting jar to the root folder of your builder stage and for convenience name it enclave.jar. This way you most likely won´t have to touch the second stage.

⁠Run the image

Run docker-compose up -d to start the Java application.

⁠Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".

1. Fork the Project
2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
3. Commit your Changes (git commit -m 'Add some AmazingFeature')
4. Push to the Branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

⁠Support

Don't forget to give the project a star! Spread the word on social media! Thanks again!

⁠License

Distributed under the GPLv3 License. See LICENSE for further information.

⁠Contact

enclaive.io - @enclaive_io⁠ - [email protected]⁠ - https://enclaive.io⁠

⁠Acknowledgments

This project greatly celebrates all contributions from the gramine team. Special shout out to Dmitrii Kuvaiskii⁠ from Intel for his support.

• Gramine Project⁠
• Intel SGX⁠
• Java⁠

⁠Trademarks

This software listing is packaged by enclaive.io. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.