CapsuleManager

CapsuleManager is an Authorization Management Service, which is designed to manage metadata of user data and authorization information.

Features

CapsuleManager supports running on different TEE platforms: Intel SGX2, Intel TDX, and Hygon Csv. It will be remote attested by the user who uploads data to ensure that the CapsuleManager has no malicious behavior.
CapsuleManager uses signatures, digital envelopes, etc. to prevent communication data from being tampered, and it also supports mTLS
CapsuleManager manages the data encryption keys and meta-informations. All services which want to get these information must be verified to have the authorization to obtain the data encryption keys and meta-informations, ensuring that the authorization semantics cannot be bypassed
CapsuleManager supports flexible authorization semantics

Run Quickly by Docker Image

If you want to try CapsuleManager quickly, you can use the official Docker image directly.

At present, there are four official images: sim/sgx/tdx/csv, which correspond to Simulation mode, Intel SGX2 mode, Intel TDX mode, and Hygon Csv mode.

Simulation Mode

```bash
# pull docker image
docker pull secretflow/capsule-manager-sim-ubuntu22.04:latest

# enter docker container
docker run -it --name capsule-manager-sim --net host secretflow/capsule-manager-sim-ubuntu22.04:latest bash

# enable TLS(often skip in simulation mode)
# if you want to use the mTLS, you can refer to the mTLS part
# run service
./capsule_manager --tls_config.enable_tls false
```

SGX Mode

Pull and run SGX docker image

# pull docker image
docker pull secretflow/capsule-manager-sgx-ubuntu22.04:latest

# enter docker image

docker run -it --name capsule-manager-sgx --net host \
    -v /dev/sgx_enclave:/dev/sgx/enclave \
    -v /dev/sgx_provision:/dev/sgx/provision \
    --privileged=true \
    secretflow/capsule-manager-sgx-ubuntu22.04:latest \
    bash

Modify PCCS config

Set real pccs_url and set use_secure_cert to false in /etc/sgx_default_qcnl.conf.

Copy /etc/sgx_default_qcnl.conf to occlum instance image

cp /etc/sgx_default_qcnl.conf \
   /home/teeapp/occlum/occlum_instance/image/etc/

Build Occlum

First, you need to generate a pair of public and private keys for signing Occlum instances. If you do not have one, you can refer to the following command to generate:
```
openssl genrsa -3 -out private_key.pem 3072

openssl rsa -in private_key.pem -pubout -out public_key.pem
```

Build occlum with your private key:

occlum build -f --sign-key /path/to/private_key.pem

Run Capsule Manager

By default, --tls_config.enable_tls is true. You can configure mTLS by referring to Mutual TLS：
```
occlum run /bin/capsule_manager --tls_config.enable_tls false
```

TDX Mode

Pull and run TDX docker image

# pull docker image
docker pull secretflow/capsule-manager-tdx-ubuntu22.04:latest

# enter docker image

docker run -it --name capsule-manager-tdx --net host \
    -v /dev/tdx_guest:/dev/tdx_guest \
    --privileged=true \
    secretflow/capsule-manager-tdx-ubuntu22.04:latest \
    bash

Modify PCCS config

Set real pccs_url and set use_secure_cert to false in /etc/sgx_default_qcnl.conf.
Run Capsule Manager By default, --tls_config.enable_tls is true. You can configure mTLS by referring to Mutual TLS：
```
./capsule_manager --tls_config.enable_tls false
```

CSV Mode

Pull and run CSV docker image

# pull docker image
docker pull secretflow/capsule-manager-csv-ubuntu22.04:latest

# enter docker image

docker run -it --name capsule-manager-csv --net host \
    -v /dev/csv-guest:/dev/csv-guest \
    --privileged=true \
    secretflow/capsule-manager-csv-ubuntu22.04:latest \
    bash

Run Capsule Manager

By default, tls_config.enable_tls is true. You can configure mTLS by referring to Mutual TLS：
```
./capsule_manager --tls_config.enable_tls false
```

Mutual TLS

you must generate certificate if you want to use mTLS feature of CapsuleManager

for CapsuleManager, all certificates should be put in the directory whose path is ”capsule-manager/resources“
for CapsuleManager, the required certificates are the Server Key, the Server Certificate, and the Client CA Certificate which is used to verify the Client Certificate
for Client, the required certificates are the Client Key, the Client Certificate, and the Server CA Certificate which is used to verify the Server Certificate
for CapsuleManager, you should modify the field server_cert_path, server_cert_key_path and client_ca_cert_path in the configuration file named config.yaml
when all is ready, you can enable mTLS by modifying the field enable_tls in the the configuration file named config.yaml to true

Build And Run By Source Code

If you want to build from source code, you can refer to the following, which should be noted that the build process does not need to be hardware dependent, but the run process does need to be hardware dependent. So if you need to run the program after build, and you need to mount the device when creating the container, executing the following script will automatically detect the current machine device and mount the device into the container:

# create docker container
./env.sh

# enter docker container
./env.sh enter

Simulation Mode

Remote Attestation is not enabled for this mode

Build
```
./script/build -p sim
```

Run

./target/release/capsule_manager --tls_config.enable_tls false

SGX Mode

Build
```
./script/build -p sgx
```
Run After entering ‘script/occlum_instance’, it runs in the same way as the chapter (Run Quickly by Docker Image#SGX mode)

TDX Mode

Build
```
./script/build -p tdx
```
Modify PCCS config

Set real pccs_url and set use_secure_cert to false in /etc/sgx_default_qcnl.conf.

Run

./target/release/capsule_manager --tls_config.enable_tls false

CSV Mode

Build
```
./script/build -p csv
```

Run

./target/release/capsule_manager --tls_config.enable_tls false

Contributing

Please check CONTRIBUTING.md

License

This project is licensed under the Apache License