You will need to run a local Attestation/Secret provisioning server. This server will be used to provision the SGX enclave with the secret key which is used to decrypt the flow-related data.
The server binary is available in the folder secret-prov-server/secret_prov_server_dcap.
The automation script assumes the server to be running inside a docker container and also it requires the docker container for executing the encryption program.
If you have a x86_64 machine, running ubuntu focal you should be able to run the server and pf_crypt directly on your machine without using docker but that requires some changes to the ansible script in playbook.yaml.
Pull the image from: https://hub.docker.com/repository/docker/adnanjamil/sgx-dcap-server
docker pull adnanjamil/sgx-dcap-serverRun the container once from this directory:
docker run -p 4433:4433 --name dcap_server --platform linux/x86_64 -v ${PWD}:/node-red-sgx -t adnanjamil/sgx-dcap-server bash -c "cd /node-red-sgx/secret-prov-server && LD_LIBRARY_PATH=. RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE=1 RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 ./secret_prov_server_dcap"This command immediately starts the server. You can stop the container if you want because the playbook will start the container again using the named reference dcap_server.
The port 4433 is used by the server to communicate with the enclave. You will need to open up this port on your local machine to the internet and also on the remote server.
You can specify the server address and ssh certificate in the inventory.yaml file
The file build.config.json contains all the configuration for the automation playbook, the flow and the enclave.
| Key | Type | Description |
|---|---|---|
| minify | Boolean | Minify the javascript code |
| sourcemap | Boolean | Generate JS source map |
| bundleOnlyRequiredNodes | Boolean | Bundle only the nodes used in the flow |
| outputDir | String | Local output directory for the bundle (recommended: build) |
| configNodesFilePath | String | Absolute path to the config nodes file (normally in ~/.node-red/.config.node.json) |
| flowFilePath | String | Absolute path to the flow specification. See examples of flows in ./flows |
| SSL configuration | ||
| caPath | String | Absolute path to the CA certificate |
| certPath | String | Absolute path to the server certificate |
| keyPath | String | Absolute path to the server key |
| manifestFilePath | String | Absolute path to the manifest file, see [1]. |
| remoteDir | String | Absolute path of remote directory where the bundle and all data will be uploaded |
| uploadBundle | Boolean | Whether to upload the Node-RED bundle to the remote server, see [2]. |
| startEnclave | Boolean | Whether to immidiately start the enclave on the remote server after building |
| encryptUserDir | Boolean | Whether to encrypt the user directory on the remote server, see [3] |
[1] The manifest file is used to specifies the enclave configuration. An example of the manifest is shown in files.toml, and other files in this directory. The manifest file is mandatory otherwise the enclave will not run. See the documentation of Gramine (manifest-syntax.html) for more info on the manifest syntax.
[2] The bundle is a file containing the Node-RED source code and all its dependencies. The bundle is not encrypted and it is not uploaded if the uploadBundle flag is set to false, which is useful for testing a flow with different manifest specifications.
[3] The user directory is the directory where the flow-related data , e.g. flow specification, SSL certificate/keys etc. is stored. If set to false the user directory will not be encrypted and the secret provisioning server will not be started.
It is recommended that you create your flow using the Node-RED editor in a separate place. Later, refer to the JSON file as the flowFilePath in the build.config.json file.
The playbook is written in ansible and it is located in playbook.yaml. You can run it using the following command:
ansible-playbook playbook.yaml -i inventory.yamlThis performs the following steps:
- Build the Node-RED bundle
- Start the secret provisioning server (if
encryptUserDiris set totrue) - Encrypt the user directory (if
encryptUserDiris set totrue) - Upload the bundle and user directory to the remote server (if
uploadBundleis set totrue) - Upload the Makefile to the remote server. This is used to build the enclave.
- Upload manifest file to the remote server
- Upload the libsecret_prov_attest.so to the remote server, this is required by the enclave for remote attestation.
- Upload the secret provisioning servers ca.crt to the remote server, this is required by the enclave for establishing a TLS connection with the secret provisioning server.
- Build the enclave on the remote server
- Start the enclave on the remote server (if
startEnclaveis set totrue)