anjuna-sgxrun

NAME

anjuna-sgxrun

Generate and sign a manifest, and run an application in a secure enclave created by the Anjuna SGX Runtime.

SYNOPSIS

anjuna-sgxrun [OPTIONS] <application> [<application arguments>]

DESCRIPTION

anjuna-sgxrun is a utility for quickly testing an application under the Anjuna SGX Runtime by generating an execution manifest using default settings. Running an application under the Anjuna SGX Runtime is as simple as inserting anjuna-sgxrun before the regular command line for the application being run.

Because applications must be signed to run in an enclave, anjuna-sgxrun generates an application execution manifest and signs it with a development certificate created during the Anjuna SGX Runtime installation.

For example, to run HashiCorp Vault, execute:

anjuna-sgxrun vault server -dev

Enclave Signing

For an application to run in SGX, it needs to be signed. The Anjuna installer creates a signing key that can be used for running applications in debug enclaves. Users can specify a different signing key for anjuna-sgxrun by defining the environment variable SGX_SIGNER_KEY:

$ SGX_SIGNER_KEY=<key file path> anjuna-sgxrun vault server -dev

or

$ export SGX_SIGNER_KEY=<key file path>
$ anjuna-sgxrun vault server -dev

A signing key can be generated with the following command:

$ openssl genrsa -3 -out <key file path> 3072
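Intel SGX requires the enclave signing key to be RSA with a 3072-bit modulus and a public exponent of 3, which is why the command above passes -3 and 3072. The following check is an added example, not part of the Anjuna tooling; it assumes only that openssl is on PATH and can be run against a candidate key before pointing SGX_SIGNER_KEY at it.

```shell
#!/bin/sh
# Constructed example: verify that a private key meets the SGX enclave
# signing requirements (RSA, 3072-bit modulus, public exponent 3) before
# it is used via SGX_SIGNER_KEY. A key that fails this check is rejected
# by the SGX signing flow, so it is cheaper to catch it here.

# check_sgx_signer_key <key file path>
# Returns 0 if the key is RSA-3072 with exponent 3, 1 otherwise.
check_sgx_signer_key() {
    key="$1"
    [ -r "$key" ] || { echo "unreadable key: $key" >&2; return 1; }

    # Dump the key parameters as text (accepts PKCS#1 and PKCS#8 PEM).
    text=$(openssl rsa -in "$key" -noout -text 2>/dev/null) || {
        echo "not a parsable RSA private key: $key" >&2; return 1; }

    # OpenSSL prints "RSA Private-Key: (3072 bit, 2 primes)" (1.1.x) or
    # "Private-Key: (3072 bit, 2 primes)" (3.x), and "publicExponent: 3 (0x3)".
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
    exponent=$(printf '%s\n' "$text" \
        | sed -n 's/^publicExponent: \([0-9]*\) .*$/\1/p' | head -n 1)

    if [ "$bits" != "3072" ]; then
        echo "modulus is ${bits:-unknown} bits, SGX requires 3072" >&2
        return 1
    fi
    if [ "$exponent" != "3" ]; then
        echo "public exponent is ${exponent:-unknown}, SGX requires 3" >&2
        return 1
    fi
    return 0
}
```

Run it as `check_sgx_signer_key "$SGX_SIGNER_KEY" && anjuna-sgxrun vault server -dev` to refuse the launch when the key is unsuitable.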

Providing Secrets to the Enclave

Many applications require sensitive input data to perform their function. The sensitive data could be a TLS key, a set of credentials, or more complex data that embeds sensitive information (a database connection string, for example). Leaving such data in the clear on the file system is problematic, and the Anjuna SGX Runtime provides a simple solution to this problem.

Users can prepare an enclave to receive encrypted data by using the --provision command line option with the Anjuna SGX Runtime. When using this option, the Anjuna SGX Runtime starts an enclave that is identical to the enclave used to run the protected application, but instead of executing the application, it generates a random RSA key-pair and encrypts the private key using the Intel® SGX sealing capabilities. This operation guarantees that only this specific enclave can access the private key.

The enclave also generates an attestation quote, which can be verified with the anjuna-check-attestation tool.

The public key associated with the generated private key can then be transmitted in the clear to a different trusted host that has access to the secrets. Using the public key and the anjuna-encrypt tool, a user can encrypt any sensitive file in a way that guarantees that only the intended enclave can automatically decrypt the sensitive data.

When using the --provision option, the Anjuna SGX Runtime creates three files in the directory ./provision/:

  • ./provision/<application>.pubkey, the public key that should be used to encrypt data for this specific enclave

  • ./provision/<application>.key.sealed, the private key, which is needed to decrypt any data encrypted using the associated public key. This private key is encrypted using the Intel® SGX Sealing capabilities, and can only be decrypted by this enclave.

  • ./provision/<application>.quote.bin, the SGX Attestation Quote that proves that the public key was generated in this specific enclave.

The files ./provision/<application>.pubkey and ./provision/<application>.quote.bin should be transferred to a trusted host, where they can be used to:

  • verify that the enclave that generated the public key is a genuine Intel® SGX enclave

  • check that the identity of the enclave is correct (using the anjuna-check-attestation tool)

  • encrypt files for this enclave (using the anjuna-encrypt tool)

Encrypted files can then be copied back to the host running the enclave, and the Anjuna SGX Runtime can transparently make the encrypted files readable to the application running in the enclave.

OPTIONS

Usage options:
 anjuna-sgxrun [--provision [--spid value]] <application> [<application args>]
 anjuna-sgxrun --setup
 anjuna-sgxrun --version

Provisioning Option:
  --spid value              Set the Intel Service Provider ID (spid)

Setup Option:
  --setup                   Generates a default manifest file in current directory
                            and creates a link to the Runtime
  --version                 Displays the version of Anjuna Runtime

EXIT STATUS

anjuna-sgxrun returns the target application’s exit code.

EXAMPLE

$ anjuna-sgxrun vault server -config config/vault_config.hcl