microsoft / oe-engine

ACC template generation engine
MIT License

Support the SGX DCAP scenario for Windows deployments through oe-engine #48

Open johnkord opened 5 years ago

johnkord commented 5 years ago

There is ongoing work to support the SGX DCAP scenario on Windows for Open Enclave and its dependencies (like the Intel SGX DCAP driver, the Azure-DCAP-Client, etc).

Eventually, we'll want a Windows script that installs all of the appropriate dependencies for both runtime (being able to run an enclave that relies on DCAP support) and development scenarios (being able to develop and test an enclave that relies on DCAP support).

This script is currently what gets executed if you deploy a Windows system and probably installs most of the required development tools besides the DCAP dependencies: https://github.com/microsoft/oe-engine/blob/master/parts/windowsProvision.ps1

We'll want to extend this script to support the SGX DCAP scenario. Much of the work to install the DCAP prerequisites appears to have been done by @ionutbalutoiu and the Cloudbase team in an Ansible task here: https://github.com/microsoft/openenclave/blob/master/scripts/ansible/roles/windows/az-dcap-client/tasks/environment-setup.yml

There's some discussion about the work that led to that Ansible task here: https://github.com/microsoft/openenclave/issues/1320

@pushkarcMS can give plenty more information about the full requirements, and possibly @ionutbalutoiu and I can give some insight as well :)

pushkarcMS commented 5 years ago

Just had a chat with Anita who is working towards resolving problems for windows OE deployment in general.

@Anita Govindarajan (Aditi Staffing LLC) <v-angovi@microsoft.com>, can you provide pointers for things you have done so Shruti can leverage the same.

@Shruti Ratnam <shratnam@microsoft.com>, your work is scoped down to

We will ask Intel and Azure security to eventually publish all these through a link which is guaranteed to be always up to date.

We may also need to account for driver reset or reboots in case we cannot set the reg key in time for WS2019.

Thanks, Pushkar

From: John Kordich, Sent: Friday, June 7, 2019 11:28 AM, To: microsoft/oe-engine, Subject: [microsoft/oe-engine] Support the SGX DCAP scenario for Windows deployments through oe-engine (#48)
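The provisioning step this thread is asking for (extending windowsProvision.ps1 so a Windows deployment gets the Intel SGX DCAP driver and the Azure-DCAP-Client installed, and coping with the reboot the driver may require) sketched as an added PowerShell example. It is not code from oe-engine, from openenclave's Ansible role, or from any commenter above; the package URLs, SHA-256 values, installer arguments and file names are placeholders to be replaced with the published artifacts, and the WS2019 registry key mentioned in the comment is deliberately not modelled because the thread does not name it.

```powershell
# Added example, not oe-engine's windowsProvision.ps1. Every URL, hash and
# installer argument below is a placeholder (ASSUMPTION) standing in for the
# real Intel SGX DCAP driver / Azure-DCAP-Client packages.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [hashtable[]]$Packages = @(
        @{ Name = 'sgx-dcap-driver'; Url = 'https://example.invalid/sgx_dcap_driver.exe'
           Sha256 = '0000000000000000000000000000000000000000000000000000000000000000'
           Args = '/quiet /norestart' },
        @{ Name = 'az-dcap-client';  Url = 'https://example.invalid/az-dcap-client.msi'
           Sha256 = '1111111111111111111111111111111111111111111111111111111111111111'
           Args = '/quiet /norestart' }
    ),
    [string]$StageDir = "$env:ProgramData\oe-provision"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null

function Get-VerifiedPackage {
    param([hashtable]$Pkg)
    $dest = Join-Path $StageDir ([IO.Path]::GetFileName($Pkg.Url))
    # Older Server images default to TLS 1.0/1.1 for Invoke-WebRequest.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Pkg.Url -OutFile $dest -UseBasicParsing
    # Pin what actually gets executed: an "always up to date" link is a moving
    # target, so the template records the expected SHA-256 and refuses anything else.
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $Pkg.Sha256.ToUpperInvariant()) {
        Remove-Item $dest -Force
        throw "Hash mismatch for $($Pkg.Name): expected $($Pkg.Sha256), got $actual"
    }
    return $dest
}

function Install-Package {
    param([hashtable]$Pkg)
    $path = Get-VerifiedPackage $Pkg
    if ($path -like '*.msi') {
        $p = Start-Process msiexec.exe -ArgumentList "/i `"$path`" $($Pkg.Args)" -Wait -PassThru
    } else {
        $p = Start-Process $path -ArgumentList $Pkg.Args -Wait -PassThru
    }
    # 3010 is ERROR_SUCCESS_REBOOT_REQUIRED: the install succeeded but the
    # driver is not usable until the host restarts. Anything else is a failure.
    if ($p.ExitCode -notin 0, 3010) {
        throw "$($Pkg.Name) installer exited with $($p.ExitCode)"
    }
    return ($p.ExitCode -eq 3010)
}

function Test-PendingReboot {
    # Standard Windows markers for a pending restart: servicing stack,
    # Windows Update, and queued file renames.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]($sm.PendingFileRenameOperations)
}

$needReboot = $false
foreach ($pkg in $Packages) {
    $needReboot = (Install-Package $pkg) -or $needReboot
}

if ($needReboot -or (Test-PendingReboot)) {
    Write-Host 'DCAP prerequisites installed; restart required before the driver is usable.'
    Restart-Computer -Force
}
```

The point of the hash check is the supply-chain one implicit in the "always up to date link" remark: a provisioning script that runs whatever a URL serves today cannot be audited later, whereas a pinned SHA-256 per template version fails closed when the artifact changes. The reboot handling covers the "driver reset or reboots" case by honouring exit code 3010 and the usual pending-reboot markers instead of assuming the driver is live as soon as the installer returns.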

anitagov commented 5 years ago

John summed up everything very well. To add: 1) Documented cloudbase's semi-automated way of deploying an ACC Windows VM with DCAP libraries using oe-engine and ansible on our internal wiki.

2) PR https://github.com/microsoft/openenclave/pull/1865 currently in review adds support for DCAP libraries to Openenclave which is still experimental. Documented the manual method of installing the DCAP libraries in Getting Started Windows guide (docs/GettingStartedDocs/GettingStarted.Windows.md)

Currently, both 1) and 2) use the same versions of the libraries, etc as these have been done for enabling OE on Windows.

(From @pushkarcMS) We will ask Intel and Azure security to eventually publish all these through a link which is guaranteed to be always up to date.

The Intel SGX DCAP libraries are already built but we are still building Azure DCAP client for Windows manually. A new script was just created to automate this process (https://github.com/microsoft/Azure-DCAP-Client/blob/master/src/Windows/build.ps1). A few issues/PRs addressed these. It will be great if the Azure DCAP client for Windows libraries were available.

I believe @shruti25ratnam should be able to benefit from this.

shruti25ratnam commented 5 years ago

I've added the support to the oe-engine/tree/oe-engine-win2019 branch. In order to merge those changes to the master, we have to add the Win 2019 object to the master. That includes updating all the checks to accept Win2019 object.