ConfidentialComputing: Gramine GSC Remote Attestation from Azure Machine


Borello Enrico

Sep 6, 2022, 11:17:59 AM
to us...@gramineproject.io

Hello,

Looking for Remote Attestation for GSC, I just found this example:

https://github.com/veenasai2/gsc/tree/veenasai/gramine-aks-attestation/examples/aks-attestation

This looks interesting but, if I correctly understand, server and client are both on Azure.

I would like to ask you two questions:

1. Is it possible to have GSC running on an Azure machine and send the SGX quote to a server running on another machine outside Azure?

2. If yes, do you have any examples/documentation?

Thank you.

Best Regards,

Enrico Borello
Leonardo Cyber Security

Microservices & Logistic Applications Unit
UO Engineering

Torre Fiumara - Via R. Pieragostini, 80 - 16151 Genova - Italy
Mobile: +39 3666335918
enrico....@leonardo.com


Dmitrii Kuvaiskii

Sep 7, 2022, 2:45:26 AM
to Borello Enrico, us...@gramineproject.io

Dear Enrico,

The link that you found is a fork of an official Gramine repo. This
example, in a final and official form, can be found here:
https://github.com/gramineproject/contrib/tree/master/Examples/aks-attestation.
Please use this one.

> This looks interesting but, if I correctly understand, server and client are both on Azure.

That's correct. Both run on Azure in this example.

> 1. Is it possible to have GSC running on an Azure machine and send the SGX quote to a server running on another machine outside Azure?

Yes, this is possible. However, the server must run on a machine that
is accessible from the internet (the client must "know" somehow the
location of the server). So you need to run the server on a machine
with some domain name, exposed and reachable from the internet. Note
that you can't run the server in your LAN (in your local network),
because the client will run on Azure (and thus the client is not in
your local network).

So the only reason our "AKS attestation" example runs both the client
and the server inside Azure is because the Azure cloud assigns domain
names to machines, and they are accessible from other Azure machines.

To run your server on another machine you have to register that
machine's domain name somehow, and Gramine examples don't deal with
such orthogonal things.

> 2. If yes, do you have any examples/documentation?

Unfortunately, no. However, the process of running the server on your
own machine is not different from running any other server on your
machine (like, if you want to run your own Nginx/Apache web server).
So you can just follow classic steps of setting up an
internet-accessible platform. A random tutorial from the internet:
https://medium.com/botfuel/how-to-expose-a-local-development-server-to-the-internet-c31532d741cc

I hope this makes sense.

--
Yours sincerely,
Dmitrii Kuvaiskii
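To make the verifier side of this setup concrete, here is an added example of the policy check a server outside Azure would apply once a quote from the GSC client reaches it. This is not code from the thread or from the Gramine aks-attestation example. It assumes the client binds a verifier-supplied nonce into the quote through Gramine's /dev/attestation/user_report_data and /dev/attestation/quote pseudo-files (with remote attestation enabled in the manifest via sgx.remote_attestation); the quote builder, the policy values and the nonce are constructed for offline testing, and the signature-chain verification that a real verifier must perform with Intel's DCAP Quote Verification Library is deliberately not part of this sketch.

```python
"""Verifier-side policy check for a DCAP (v3) SGX quote, offline sketch."""
import hashlib
import struct

QUOTE_HEADER_LEN = 48      # sgx_quote3_t header
REPORT_BODY_LEN = 384      # sgx_report_body_t that follows the header
SGX_FLAGS_INITTED = 1 << 0
SGX_FLAGS_DEBUG = 1 << 1   # enclave built/launched in debug mode
SGX_FLAGS_MODE64BIT = 1 << 2


def report_data_for_nonce(nonce: bytes) -> bytes:
    """Convention assumed by this example: sha256(nonce) in the first 32 bytes
    of the 64-byte report_data, remaining bytes zero."""
    return hashlib.sha256(nonce).digest() + bytes(32)


def get_quote_in_gramine(nonce: bytes) -> bytes:
    """Client side, only works inside a Gramine/GSC enclave: bind the verifier's
    nonce into the quote and fetch the quote from the attestation pseudo-files."""
    with open("/dev/attestation/user_report_data", "wb") as f:
        f.write(report_data_for_nonce(nonce))
    with open("/dev/attestation/quote", "rb") as f:
        return f.read()


def parse_quote(quote: bytes) -> dict:
    """Pull the fields a policy usually keys on out of a raw DCAP v3 quote.
    Offsets follow sgx_report_body_t; nothing here validates the signature."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN + 4:
        raise ValueError("quote too short to contain a report body")
    version, = struct.unpack_from("<H", quote, 0)
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    flags, _xfrm = struct.unpack_from("<QQ", body, 48)
    isv_prod_id, isv_svn = struct.unpack_from("<HH", body, 256)
    return {
        "version": version,
        "attributes_flags": flags,
        "mrenclave": body[64:96],
        "mrsigner": body[128:160],
        "isv_prod_id": isv_prod_id,
        "isv_svn": isv_svn,
        "report_data": body[320:384],
    }


def check_quote_policy(quote: bytes, policy: dict, nonce: bytes) -> list:
    """Return the list of policy violations; an empty list means the quote
    passes the measurement/identity policy and is bound to this nonce."""
    q = parse_quote(quote)
    problems = []
    if q["version"] != 3:
        problems.append("unexpected quote version %d" % q["version"])
    if q["attributes_flags"] & SGX_FLAGS_DEBUG:
        problems.append("enclave runs in DEBUG mode")
    if q["mrenclave"] not in policy["allowed_mrenclave"]:
        problems.append("MRENCLAVE not in allow list")
    if q["mrsigner"] != policy["mrsigner"]:
        problems.append("MRSIGNER mismatch")
    if q["isv_prod_id"] != policy["isv_prod_id"]:
        problems.append("ISV_PROD_ID mismatch")
    if q["isv_svn"] < policy["min_isv_svn"]:
        problems.append("ISV_SVN %d below minimum %d" % (q["isv_svn"], policy["min_isv_svn"]))
    if q["report_data"] != report_data_for_nonce(nonce):
        problems.append("report_data does not bind the verifier nonce (replay?)")
    return problems


def build_constructed_quote(mrenclave, mrsigner, isv_prod_id, isv_svn,
                            report_data, debug=False) -> bytes:
    """Assemble a quote with the DCAP v3 layout and an EMPTY signature section.
    Constructed only so the parser and policy can be exercised offline."""
    header = struct.pack("<HHIHH", 3, 2, 0, 0, 0) + bytes(16) + bytes(20)
    flags = SGX_FLAGS_INITTED | SGX_FLAGS_MODE64BIT | (SGX_FLAGS_DEBUG if debug else 0)
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<QQ", body, 48, flags, 0x3)
    body[64:96] = mrenclave
    body[128:160] = mrsigner
    struct.pack_into("<HH", body, 256, isv_prod_id, isv_svn)
    body[320:384] = report_data
    return header + bytes(body) + struct.pack("<I", 0)   # signature_data_len = 0
```

The nonce binding is what makes the exchange meaningful over the internet: the server hands the GSC client a fresh nonce, the client writes its hash into user_report_data before reading the quote, and a quote captured earlier cannot be replayed against a new nonce. In a deployment this check runs only after the DCAP QVL has verified the quote's signature chain and collateral; the transport between the Azure client and the external server is whatever the server exposes, typically TLS on the domain name Dmitrii mentions.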