Source: https://github.com/distributed-lab/enclave-extras (Go, MIT license)

# Enclave Extras

Utilities, libraries, templates, tips, and examples for working with AWS Nitro Enclaves

## Table of Contents
- [Overview](#overview)
- [TCP/IP for Enclaves](#tcpip-for-enclaves)
- [Mounting persistent volume in Enclave](#mounting-persistent-volume-in-enclave)
- [GoLang and Nitro Secure Module](#golang-and-nitro-secure-module)
- [Cryptographic Attestation Module & KMS Integration](#cryptographic-attestation-module--kms-integration)

## Overview
TODO

## TCP/IP for Enclaves
An AWS Nitro Enclave has no network interface and therefore none of the usual TCP/IP connectivity. Its only communication channel is vsock, which reaches the parent EC2 instance (CID 3) and other enclaves launched from the same parent. Ordinary applications expect TCP/IP, so they cannot run in the enclave unmodified.

There are two ways around this. One is to rewrite the application to speak vsock directly, but that still gives it no Internet access. The other is to proxy: the application keeps using TCP/IP, and a pair of proxies carries its traffic over vsock, so existing code runs inside the enclave without changes.

The parent-side half, vsock-proxy, ships with the [aws-nitro-enclaves-cli](https://github.com/aws/aws-nitro-enclaves-cli) repository: it listens on a vsock port and forwards each connection to an IP address or domain and port that its allowlist (`/etc/nitro_enclaves/vsock-proxy.yaml`) permits. The enclave-side half is a reverse vsock proxy that listens on an IP:port and forwards to vsock; that is the [vscproxy](https://github.com/distributed-lab/enclave-extras/tree/main/vscproxy) package.

Inside the enclave the loopback interface stands in for the Internet: each loopback address the reverse proxy listens on corresponds to one external domain/IP and port. To let applications use domain names, map each name to its loopback address in **/etc/hosts**. Both proxies only relay bytes, so TLS still terminates inside the enclave: a TLS session to KMS stays confidential from the parent instance even though the parent forwards it. Below are example commands to run on the parent instance and in the enclave.

### EC2 Instance
```bash
#!/bin/sh
sudo dnf install aws-nitro-enclaves-cli -y
sudo dnf install aws-nitro-enclaves-cli-devel -y

sudo usermod -aG ne $USER
sudo usermod -aG docker $USER

# Allowlist of destinations vsock-proxy may forward to
sudo tee -a /etc/nitro_enclaves/vsock-proxy.yaml <<EOF
- {address: kms.us-west-1.amazonaws.com, port: 443 }
- {address: 127.0.0.1, port: 2049 }
EOF

# Connections from Enclave: vsock port -> destination
vsock-proxy 8000 kms.us-west-1.amazonaws.com 443 &
vsock-proxy 20000 127.0.0.1 2049 &

vscproxy

# --debug-mode is for development only: a debug-mode enclave reports all-zero PCRs
# in its attestation document, so attestation-based KMS key policies will not match.
nitro-cli run-enclave --eif-path /path/to/enclave.eif --enclave-cid 16 --cpu-count 2 --memory 4000 --debug-mode
```

### Enclave
```bash
#!/bin/sh
set -e

echo "Up loopback interface"
ip link set lo up || true
sleep 15

echo "Setup /etc/hosts"
echo "127.0.0.2   kms.us-west-1.amazonaws.com" >>/etc/hosts

echo "Ensure loopback addresses exist"
# 'dev' takes a real interface name; 'lo:0' is only an alias label and would fail
if ! ip addr show dev lo | grep -qF "127.0.0.2/32"; then
  ip addr add 127.0.0.2/32 dev lo
fi
if ! ip addr show dev lo | grep -qF "127.0.0.200/32"; then
  ip addr add 127.0.0.200/32 dev lo
fi
sleep 15

echo "Start vsock proxies"
# Connections from Enclave: loopback address:port -> parent (CID 3) vsock port
vscproxy -parentCID=3 -vsockPort=8000 -localAddr=127.0.0.2:443 &
vscproxy -parentCID=3 -vsockPort=20000 -localAddr=127.0.0.200:2049 &
sleep 15

echo "Start main process"
# Another code
```

### Only socat proxy
```dockerfile
# Build socat
FROM debian:bookworm-slim AS socat-builder
RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get install -y \
    wget make gcc
RUN wget http://www.dest-unreach.org/socat/download/socat-1.7.4.4.tar.gz && \
    tar -xzf socat-1.7.4.4.tar.gz && \
    cd socat-1.7.4.4 && \
    ./configure && \
    make && \
    make install

FROM debian:bookworm-slim
COPY --from=socat-builder /usr/local/bin/socat /usr/local/bin/socat
ENTRYPOINT [ "/usr/local/bin/yourprogram" ]
```

Whatever ends up in the image becomes part of the enclave measurement (PCR0) and thus of what remote parties attest to, so pin and verify anything fetched during the build; the tarball above is downloaded over plain HTTP with no checksum or signature check. Debian bookworm's packaged socat (1.7.4.4) already has VSOCK support, so `apt-get install socat`, which goes through apt's signature verification, is the simpler and safer option unless a custom build is needed.

#### Forward traffic from Enclave to EC2
```bash
# listen vsock on EC2 and forward to TCP
socat VSOCK-LISTEN:8002,fork,keepalive TCP:iam.amazonaws.com:443,keepalive &
```
```bash
# listen TCP in Enclave and forward to parent vsock (cid 3)
socat TCP-LISTEN:443,bind=127.0.0.2,fork,reuseaddr,keepalive VSOCK-CONNECT:3:8002,keepalive &
```

#### Forward traffic from EC2 to Enclave
```bash
# listen TCP on EC2 and forward to vsock (enclave cid)
socat TCP-LISTEN:2000,bind=127.0.0.1,fork,reuseaddr,keepalive VSOCK-CONNECT:16:2000,keepalive &
```
```bash
# listen vsock in Enclave and forward to TCP
socat VSOCK-LISTEN:2000,fork,keepalive TCP:127.0.0.1:2000,keepalive &
```

## Mounting persistent volume in Enclave
For mounting persistent volumes in the enclave we considered SSHFS, Samba, and NFS. SSHFS was rejected because mounting a file system is only a small part of what SSH does, and carrying such a powerful tool into the enclave enlarges the audit surface and weakens isolation. Samba is built for remote file systems, but it implements SMB, a protocol oriented towards Windows hosts. That leaves the Linux-native NFSv4. NFS has no client authentication by default, so anyone who can reach the server could mount the export; a properly restricted export list solves this, and it also removes the need to hard-code remote file-system credentials inside the enclave, as SSHFS and Samba would require. The lack of traffic encryption is a drawback, but it also makes transfers faster: benchmarks showed about 200 MB/s for reading and 130 MB/s for writing with an enclave of 2 vCPUs and 3 GB of memory.

Keep in mind what this setup does and does not protect. The export is bound to 127.0.0.1 and the traffic travels only over vsock, so it never leaves the host, but the parent instance serves the files and can read or modify everything on the volume. If the data must stay confidential from the parent, treat the volume as untrusted storage and encrypt and authenticate it inside the enclave before writing (for example with a key that KMS releases only against the enclave's attestation).

### Install NFS Server
```bash
sudo apt update                                     # sudo yum update
sudo apt-get install nfs-kernel-server nfs-common   # sudo yum install -y nfs-utils
# Export only to localhost: the vsock-proxy on the parent connects from 127.0.0.1.
# 'insecure' is required because the proxy connects from an unprivileged source port.
# (A plain 'sudo echo ... >> /etc/exports' would fail: the redirection runs unprivileged.)
echo "/path/to/exportdir 127.0.0.1/32(rw,insecure,fsid=0,crossmnt,no_subtree_check,sync)" | sudo tee -a /etc/exports
sudo systemctl restart nfs-kernel-server            # sudo systemctl restart nfs-server
```

### Mount NFS
NFSv4 uses only port 2049. This example assumes the vsock proxies are already configured, with 127.0.0.200:2049 inside the enclave forwarded to 127.0.0.1:2049 on the parent as shown above.
```bash
sudo apt update                 # sudo yum update
sudo apt-get install nfs-common # sudo yum install -y nfs-utils
sudo mkdir -p /mnt/pv
sudo mount -t nfs4 127.0.0.200:/ /mnt/pv
```

## GoLang and Nitro Secure Module
The NSM library wraps all methods of the [aws-nitro-enclaves-nsm-api](https://github.com/aws/aws-nitro-enclaves-nsm-api) library, so cgo must be enabled at compile time. [Read more](https://github.com/distributed-lab/enclave-extras/tree/main/nsm)

## Cryptographic Attestation Module & KMS Integration
TODO