Spring Boot library for easy creation of AWS Nitro Enclave applications

mrgatto/spring-boot-nitro-enclaves

Spring Boot Nitro Enclave

This is a working (and usable) proof-of-concept Spring Boot library for easy creation of AWS Nitro Enclaves applications.

Objectives:

  • Easy development of Nitro Enclaves applications.
  • Abstraction of the vsock host-enclave communication with a mock mode, TCP implementation for easy local test/development (even on Windows 😎).
  • Schemaless with automatic serialization/deserialization (JSON, further improvement should be BSON)
  • Ready-to-use integration with the Nitro Security Module (NSM).
  • Ready-to-use integration with the AWS KMS.
* Some ideas came from R3 Conclave

Introduction

An enclave is a protected memory region that provides confidentiality for data and code execution. It is an instance of a Trusted Execution Environment (TEE) which is usually secured by hardware.

An enclave application partitions itself into two components:

  1. An untrusted component (called the host) and
  2. A trusted component (called the enclave).

Overview

Usage

See project examples below.

Enclave Application

@SpringBootApplication
@ComponentScan({ "my.app.package" })
@EnableNitroEnclavesEnclaveSide
public class NitroEnclaveApplication {

  public static void main(String[] args) {
    ApplicationContext ctx = SpringApplication.run(NitroEnclaveApplication.class, args);

    NitroEnclaveServer server = ctx.getBean(NitroEnclaveServer.class);
    server.run();
  }
}

// -----
// Your business logic handlers
// -----

@Component
public class MyActionHandler extends AbstractActionHandler<MyPojoData, MyPojoDataResult> {

  // Selects the handler by the action name set on the host's EnclaveRequest
  @Override
  public boolean canHandle(String action) {
    return "action_to_execute".equalsIgnoreCase(action);
  }

  @Override
  public MyPojoDataResult handle(MyPojoData data) {
    // my logic
    MyPojoDataResult result = new MyPojoDataResult();
    return result;
  }
}
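
Since the host is the untrusted component, an enclave handler should treat every field of the request as attacker-controlled before it touches secret material. The handler below is an added example, not code from this project: `TagMessageHandler`, `TagRequest`, `TagResult`, the `tag_message` action and the 4096-character limit are hypothetical, and it assumes only the `AbstractActionHandler` contract shown above.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import org.springframework.stereotype.Component;
// AbstractActionHandler is the library's class; its import is omitted (package not shown on this page).

@Component
public class TagMessageHandler extends AbstractActionHandler<TagRequest, TagResult> {
  private static final int MAX_MESSAGE_CHARS = 4096; // constructed limit
  private final SecretKey key; // created inside the enclave, never sent to the host

  public TagMessageHandler() throws GeneralSecurityException {
    this.key = KeyGenerator.getInstance("HmacSHA256").generateKey();
  }

  @Override
  public boolean canHandle(String action) {
    return "tag_message".equalsIgnoreCase(action);
  }

  @Override
  public TagResult handle(TagRequest data) {
    // The request was built by the untrusted host: validate before using the key.
    String msg = (data == null) ? null : data.getMessage();
    if (msg == null || msg.isEmpty() || msg.length() > MAX_MESSAGE_CHARS) {
      throw new IllegalArgumentException("message must be 1.." + MAX_MESSAGE_CHARS + " chars");
    }
    try {
      Mac mac = Mac.getInstance("HmacSHA256"); // Mac is not thread-safe: one instance per call
      mac.init(key);
      TagResult result = new TagResult();
      result.setTag(Base64.getEncoder().encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8))));
      return result; // only the tag leaves the enclave
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("HMAC-SHA256 failed", e);
    }
  }
}
class TagRequest { // hypothetical POJO, JSON-serialized between host and enclave
  private String message;
  public String getMessage() { return message; }
  public void setMessage(String message) { this.message = message; }
}
class TagResult { // hypothetical POJO returned to the host
  private String tag;
  public String getTag() { return tag; }
  public void setTag(String tag) { this.tag = tag; }
}
```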

Host Application

@SpringBootApplication
@ComponentScan({ "my.app.package" })
@EnableNitroEnclavesHostSide
public class NitroEnclaveHostApplication {

  public static void main(String[] args) {
    ApplicationContext ctx = SpringApplication.run(NitroEnclaveHostApplication.class, args);
    NitroEnclaveClient client = ctx.getBean(NitroEnclaveClient.class);

    // -----
    // Your Enclave interaction
    // -----
    MyPojoData myPojoData = new MyPojoData(); // your input POJO, populated as needed
    EnclaveRequest<MyPojoData> request = new EnclaveRequest<>();
    request.setAction("action_to_execute");
    request.setData(myPojoData);

    EnclaveResponse<MyPojoDataResult> response = client.send(request);

    if (response.getIsError()) {
      System.out.println(String.format("Something went wrong: %s", response.getError()));
      System.out.println(response.getErrorStacktrace());
    } else {
      System.out.println(response.getData().getValue());
    }

    System.out.println(String.format("Enclave execution time %sms", response.getDuration()));
  }
}

Parameters

nitro:
  enclave:
    port: 5000
    network-mode: vsock # default is 'tcp'
    nsm-cli: /app/nsm-cli # default value, for NSM integration
    kmstool-enclave-cli: /app/kmstool_enclave_cli # default value, for KMS integration

Tools / Libs

  • kmstool-enclave-cli

Build instructions at kmstool-enclave-cli.

  • vsockj

This project uses the vsockj library for vsock communication. Build instructions at vsockj.

  • nsm-cli

For interaction with the Nitro Security Module.

Examples
