Skip to content

Network encryption

Christian Priebe edited this page May 30, 2019 · 3 revisions

SGX-LKL provides transparent network encryption for unmodified binaries. While some applications come with support for protecting network traffic, e.g. via TLS, themselves, others require external support. SGX-LKL uses Wireguard to protect arbitrary network traffic. This page provides information how to set up Wireguard for protecting an application's network traffic, in particular through Wireguard.

TLS/application-provided encryption

Applications that come with network encryption capabilities on their own are not required to make use of SGX-LKL's Wireguard support. In general, SGX-LKL exposes two network interfaces inside the enclave. A public-facing one backed by a TAP device on the host, and a Wireguard-backed interface.

If usage of Wireguard is not required, applications should be configured to bind to the external interface. This interface is configurable as described here. SGX-LKL provides a number of configuration options for this interface.

SGXLKL_TAP: Tap for LKL to use as a network interface.
SGXLKL_IP4: IPv4 address to assign to LKL (Default: 10.0.1.1).
SGXLKL_GW4: IPv4 gateway to assign to LKL (Default: 10.0.1.254).
SGXLKL_MASK4: CIDR mask for LKL to use (Default: 24).

The IPv4 address of the in-enclave public facing IP can be configured via SGXLKL_IP4. By default it's 10.0.1.1. Therefore, to make an application publicly it should bind to this address. In addition, it might be necessary to add a forwarding rule on the host, to allow external traffic to be forwarded to the application inside the enclave.

# Forward traffic from host's public interface (eth0) port 60000 to SGX-LKL port 60000
sudo iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 60000 -j DNAT --to-destination 10.0.1.1:60000

Wireguard VPN

Wireguard is a simple (and fast) VPN and is used by SGX-LKL to make it possible to communicate with an SGX-LKL enclave securely over the network. It's used to provide enclave secrets such as disk encryption keys and root hashes, and application-specific secrets, as well as protecting arbitrary application traffic if required. Wireguard itself does not provide capabilities for exchanging public keys of VPN participants. SGX-LKL solves this by integrating the key exchange in the attestation process. This is described in detail here.

SGX-LKL sets up the in-enclave Wireguard interface (wg0) automatically. Wireguard traffic is routed through the public-facing TAP interface (eth0) within the enclave. Therefore, any SGX-LKL enclaves has two network interfaces (besides a loopback interface).

# Create a disk image with an ifconfig executable. We use a standard Alpine root image for this.
$ ./tools/sgx-lkl-disk create --size=20M --alpine="" disk.img
# Run `ifconfig` inside an SGX-LKL enclave
$ SGXLKL_TAP=sgxlkl_tap0 ./build/sgx-lkl-run ./disk.img /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr CA:FE:00:00:00:01  
          inet addr:10.0.1.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::c8fe:ff:fe00:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:110 (110.0 B)  TX bytes:0 (0.0 B)
[...]
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.2.1  P-t-P:10.0.2.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Setup

By default the Wireguard interface is assigned the IP address 10.0.2.1. This is the IP address of the enclave within the VPN between it and other trusted nodes/enclaves. All Wireguard traffic is routed through the eth0 interface through UDP port 56002 by default. SGX-LKL provides a number of configuration options to configure its use of Wireguard.

SGXLKL_WG_IP: IPv4 address to assign to Wireguard interface (Default: 10.0.2.1).
SGXLKL_WG_PORT: Port to use on eth0 interface for the Wireguard endpoint (Default: 56002).
SGXLKL_WG_KEY: Private Wireguard key. Will be ignored in release mode in which a new key pair is generated inside the enclave on startup.
SGXLKL_WG_PEERS: Comma-separated list of Wireguard peers in the format "key1:allowedips1:endpointhost1:port1, key2:allowedips2:...".

In order to route an application's network traffic through the Wireguard VPN, it should bind to the Wireguard IP (10.0.2.1 by default). Make sure to follow the network setup instructions here. As Wireguard traffic is sent through the public interface over UDP, external traffic must be routed through to UDP port 56002 (default, configurable via SGXLKL_WG_PORT) of the public interface.

# Forward traffic to enclave Wireguard endpoint (from the SGX-LKL network setup instructions)
sudo iptables -t nat -I PREROUTING -p udp -i eth0 --dport 56002 -j DNAT --to-destination 10.0.1.1:56002

Deployment/Key exchange

When an SGX-LKL enclave launches, it automatically generates a private/public key pair. The private key never gets exposed outside of the enclave. The public key can be retrieved through (remote) attestation. The process of receiving the enclave's public key and registering public keys of other trustworthy nodes with the enclave is described in detail here: Remote Attestation and Remote Control. In non-release mode, a private key can also be provided to an SGX-LKL via SGXLKL_WG_KEY.