|
packed by enclaive
#intelsgx # confidentialcompute #dont-trust-a-cloud
Contribute · Report Bug · Request Feature
docker pull enclaive/mosquitto-sgx
# or
docker compose upWarning: This quick setup is only intended for development environments. You are encouraged to change the insecure default credentials and check out the available configuration options in the build section for a more secure deployment.
Mosquitto is an open source implementation of a server for version 5.0, 3.1.1, and 3.1 of the MQTT protocol. It also includes a C and C++ client library, and the mosquitto_pub and mosquitto_sub utilities for publishing and subscribing.
Intel Securuty Guard Extension (SGX) delivers advanced hardware and RAM security encryption features, so called enclaves, in order to isolate code and data that are specific to each application. When data and application code run in an enclave additional security, privacy and trust guarantees are given, making the container an ideal choice for (untrusted) cloud environments.
Application code executing within an Intel SGX enclave:
- Remains protected even when the BIOS, VMM, OS, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
- Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
- At no moment in time data, program code and protocol messages are leaked or de-anonymized
- Reduces the trusted computing base of its parent application to the smallest possible footprint
Following benefits come for free with MOSQUITTO-SGX :
- "Small step for a dev, giant leap for a zero-trust infrastructure"
- All business advantages from the migration to a (public) cloud without sacraficing on-premise infrastracture trust
- Hardened security against kernel-space exploits, malicious or accidental privileged insider attacks, UEFI firmware exploits and other "root" attacks corrupting the application to infiltrate the network and system
- Run on any hosting environment irrespectivably of geo-location and comply with privacy export regulations, such as Schrems-II
- GDPR/CCPA compliant processing of user data ("data in use") in the cloud as data is anonymized thanks to the enclave
The following cloud infrastractures are SGX-ready out of the box
Confidential compute is a fast growing space. Cloud providers continiously add confidential compute capabilities to their portfolio. Please contact us if the infrastracture provider of your preferred choice is missing.
Check for Intel Security Guard Extension presence by running the following
grep sgx /proc/cpuinfo
Alternatively have a thorough look at Intel's processor list. (We remark that macbooks with CPUs transitioned to Intel are unlikely supported. If you find a configuration, please contact us know.)
Note that in addition to SGX the hardware module must support FSGSBASE. FSGSBASE is an architecture extension that allows applications to directly write to the FS and GS segment registers. This allows fast switching to different threads in user applications, as well as providing an additional address register for application use. If your kernel version is 5.9 or higher, then the FSGSBASE feature is already supported and you can skip this step.
There are several options to proceed
-
If: No SGX-ready hardware
Azure Confidential Compute cloud offers VMs with SGX support. Prices are fair and have been recently reduced to support the developer community. First-time users get $200 USD free credit. Other cloud provider like OVH or Alibaba cloud have similar offerings. -
Elif: Virtualization
Ubuntu 21.04 (Kernel 5.11) provides the driver off-the-shelf. Read the release. Go to download page. -
Elif: Kernel 5.9 or higher
Install the DCAP drivers from the Intel SGX reposudo apt update sudo apt -y install dkms wget https://download.01.org/intel-sgx/sgx-linux/2.13.3/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin -O sgx_linux_x64_driver.bin chmod +x sgx_linux_x64_driver.bin sudo ./sgx_linux_x64_driver.bin sudo apt -y install clang-10 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave
-
Elif: Kernel older than version 5.9
Upgrade to Kernel 5.11 or higher. Follow the instructions here.
Install the docker engine
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker $USER # manage docker as non-root user (obsolete as of docker 19.3) Use docker run hello-world to check if you can run docker (without sudo).
The recommended way to get the enclaive MOSQUITTO-SGX MQTT Broker Image is to pull the prebuilt image from the Docker Hub Registry.
$ docker pull enclaive/mosquitto-sgx:latestTo use a specific version, you can pull a versioned tag. You can view the list of available versions in the Docker Hub Registry.
$ docker pull enclaive/mosquitto-sgx:[TAG]Run docker
docker run -it -p 1883:1883 -p 8883:8883 --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket enclaive/mosquitto-sgx
Install the clients
sudo apt-get update
sudo apt-get install mosquitto-clients
Run Mosquitto subscriber and subscribe to a topic as follows
mosquitto_sub -h 10.5.0.5 -p 1883 -t /home/sensors/temp/kitchen
Note: The subscriber is listening and awaits a message from the publisher. Don't worry if command line is empty before a message arrives.
Run Mosquitto publisher and send a message to a topic
mosquitto_pub -h 10.5.0.5 -p 1883 -t /home/sensors/temp/kitchen -m "Kitchen Temperature: 26°C"
If you wish, you can also build the image yourself.
docker build -t enclaive/mosquitto-sgx:latest . As part of the build process gen-cert.sh establishes SSL/TLS authentication. You have two options
- Use your own certificates signed by a trusted Certificate Authority.
- Generate self-signed certificates. Follow the instrusctions in here.
Warning: We do not recommend the usage of self-signed certificates in production.
Edit conf/default.conf to eanble the ports the broker should listen as follows
# Plain MQTT protocol
listener 1883
# MQTTS protocol
listener 8883
Edit conf/default.conf to eanble password authentication as follows
allow_anonymous false
password_file /etc/mosquitto/passwd
Note: Password file passwd is a list of user:pass tuples where the pass is hashed with crypt(3). We recommend the mosquitto password manager manual for additional details.
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Don't forget to give the project a star! Spread the word on social media! Thanks again!
Distributed under the Apache License 2.0 License. See LICENSE for more information.
enclaive.io - @enclaive_io - contact@enclaive.io - https://enclaive.io
This project greatly celebrates all contributions from the gramine team. Special shout out to Dmitrii Kuvaiskii from Intel for his support.
This software listing is packaged by enclaive.io. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.