From 37b4f46dd3b7eec61b51b00388c2e5b614621540 Mon Sep 17 00:00:00 2001 From: Zhu Yunge Date: Thu, 23 Jun 2022 10:18:48 +0800 Subject: [PATCH 1/3] Update index.md --- .../docs/source/Solutions/attestation-secret-provision/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md b/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md index f4b8a2a8..d303a521 100644 --- a/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md +++ b/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md @@ -4,7 +4,7 @@ This solution provides a secret provision service following RA-TLS based remote attestation through gRPC. Secrets are stored in `KMS` that is hosted on tenant side beforehand and secrets distribution is managed by `Policy Manager` according to pre-defined policy. Once the tenant verifies the quote from CSP SGX Enclave successfully, `KMS Agent` retrieves secrets from `KMS` and tenant sends them to the remote CSP SGX Enclave through an established secure gRPC channel.
- +
Remote Attestation with TLS (RA-TLS) process of ASPS: From 6e2c94f334acd0365f2a93786e7cabdd57924e08 Mon Sep 17 00:00:00 2001 From: Zhu Yunge Date: Thu, 23 Jun 2022 10:27:41 +0800 Subject: [PATCH 2/3] Update index.md --- .../source/Solutions/attestation-secret-provision/index.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md b/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md index d303a521..ce588af1 100644 --- a/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md +++ b/documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md @@ -3,9 +3,7 @@ ## Introduction This solution provides a secret provision service following RA-TLS based remote attestation through gRPC. Secrets are stored in `KMS` that is hosted on tenant side beforehand and secrets distribution is managed by `Policy Manager` according to pre-defined policy. Once the tenant verifies the quote from CSP SGX Enclave successfully, `KMS Agent` retrieves secrets from `KMS` and tenant sends them to the remote CSP SGX Enclave through an established secure gRPC channel. -
- -
+![](img/asps_arch.png) Remote Attestation with TLS (RA-TLS) process of ASPS: From 43a14f57cf40bd844560a9ccc3a7f1a6da9b77b2 Mon Sep 17 00:00:00 2001 From: Zhu Yunge Date: Thu, 23 Jun 2022 10:59:13 +0800 Subject: [PATCH 3/3] Update README.md --- README.md | 1526 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 902 insertions(+), 624 deletions(-) diff --git a/README.md b/README.md index a486a76e..b4199ad6 100644 --- a/README.md +++ b/README.md @@ -15,514 +15,686 @@ document section that explains the corresponding details and then guides you to # Solution List (Solution to Component Correlation) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
  Solution -                                                     Security Components - -

Validated -
- in Public Cloud
-

-
-

Status -

-
-

  TEE -

-
-

           LibOS -

-
-

Remote Attestation -

-
-

    KMS -

-
-

HE -

-
-

Crypto -

-
-

TLS -

-
SGX - TDX - Gramine - Occlum - *RATS-TLS - *RA-TLS gRPC - Vault - eHSM-KMS -
Multi-Party Compute / Federated Learning -
Horizontal Federated Learning -
- (
TensorFlow) -
Yes - - - Yes - - - - - Yes -
- (2-way)
-
- - - - - - Yes - Yes -
- (RA-gRPC)
-
-

Alibaba Cloud, -
- Tencent Cloud
-

-
Published -
Vertical Federated -
- Learning
  -
- (
TensorFlow) -
Yes - - - Yes - - - - - Yes -
- (2-way)
-
- - - - - - Yes - Yes -
- (RA-gRPC)
-
-

Alibaba Cloud, -
- Tencent Cloud
-

-
Waiting For Publish -
Private Set -
- Intersection  -
Yes - - - Yes - - - - - - - - - - - - - - - - - - - In Progress -
Secure Logistic -
- Regression Training -
- Base on TEE & 
HE  -
Yes - - - Yes - - - - - - - - - - - Yes - Yes - Yes - Alibaba Cloud, -
- Tencent Cloud
-
Waiting For Publish -
Secure AI Inference & Training -
TensorFlow Serving -
- Cluster PPML
-
- (TensorFlow, K8S)
-
Yes - - - Yes - Yes - - - - - - - - - - - Yes - Yes - -

Alibaba Cloud, -
- Tencent Cloud
-

-
Published -
Leveled HE Logical Regression Inference - - - - - - - - - - - - - - - - - Yes - - - - - - - In Progress -
Secure BigDL -
- Recommend System
-
- - Yes - - - - - - - - - - - - - - - - - - - - - Not Start -
Native Application Hosting -
Cross Language -
- framework Based -
- on Gramine -
Yes - - - Yes - - - - - - - - - - - - - - - - - - - In Progress -
Attestation Server & Key Management Service -
Attestation Server - Yes - Yes - - - - - Yes - Yes - - - Yes - - - Yes - Yes - - - In Progress -
eHSM-KMS - Yes - - - - - - - - - - - - - Yes - - - Yes - Yes - - - Published -
Optimization on Secure Libs -
Private Set -
- intersection -
- Optimization -
- on Xeon​ -
- - - - - - - - - - - - - - - - Yes - Yes - - - - - Not Start -
Secure Database -
Secure Database -
- Querying Based -
- on HE -
- - - - - - - - - - - - - - - - Yes - Yes - - - - - Not Start -
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+   Solution + +                                                     Security Components + +

+ Validated
+in Public Cloud
+

+
+

+ Status +

+
+

+   TEE +

+
+

+            LibOS +

+
+

+ Remote Attestation +

+
+

+     KMS +

+
+

+ HE +

+
+

+ Crypto +

+
+

+ TLS +

+
+ SGX + + TDX + + Gramine + + Occlum + + *RATS-TLS + + *RA-TLS gRPC + + Vault + + eHSM-KMS +
+ Multi-Party Compute / Federated Learning +
+ Horizontal Federated Learning
+(
TensorFlow) +
+ Yes + + - + + Yes + + - + + - + + Yes
+(2-way)
+
+ - + + - + + - + + Yes + + Yes
+(RA-gRPC)
+
+

+ Alibaba Cloud,
+Tencent Cloud,
+ByteDance Cloud
+
+

+
+ Published +
+ Vertical Federated
+ Learning
 
+(
TensorFlow) +
+ Yes + + - + + Yes + + - + + - + + Yes
+(2-way)
+
+ - + + - + + - + + Yes + + Yes
+(RA-gRPC)
+
+

+ Alibaba Cloud,
+Tencent Cloud,
+ByteDance Cloud
+

+
+ Published +
+ Private Set
+Intersection  +
+ Yes + + - + + Yes + + - + + - + + - + + - + + - + + - + + - + + - + + - + + In Progress +
+ Secure Logistic
+Regression Training
+Base on TEE & 
HE  +
+ Yes + + - + + Yes + + - + + - + + - + + - + + - + + Yes + + Yes + + Yes + + Alibaba Cloud,
+Tencent Cloud
+
+ Waiting For Publish +
+ Secure AI Inference & Training +
+ TensorFlow Serving
+Cluster PPML

+(TensorFlow, K8S)
+
+ Yes + + - + + Yes + + Yes + + - + + - + + - + + - + + - + + Yes + + Yes + +

+ Alibaba Cloud,
+Tencent Cloud,
+ByteDance Cloud
+
+

+
+ Published +
+ Leveled HE Logical Regression Inference + + - + + - + + - + + - + + - + + - + + - + + - + + Yes + + - + + - + + - + + In Progress +
+ Secure BigDL
+Recommend System
+
+ - + + Yes + + - + + - + + - + + - + + - + + - + + - + + - + + - + + - + + Not Start +
+ Native Application Hosting +
+ Cross Language
+ framework Based
+ on Gramine
+
+ Yes + + - + + Yes + + - + + - + + - + + - + + - + + - + + - + + - + + Tencent Cloud + + Published +
+ Attestation Server & Key Management Service +
+ Attestation and Secret Provision Service + + Yes + + Yes + + - + + - + + Yes + + Yes + + - + + Yes + + - + + Yes + + Yes + + - + + Published +
+ eHSM-KMS + + Yes + + - + + - + + - + + - + + - + + - + + Yes + + - + + Yes + + Yes + + - + + Published +
+ Optimization on Secure Libs +
+ Private Set
+intersection
+Optimization
+on Xeon +
+ - + + - + + - + + - + + - + + - + + - + + - + + Yes + + Yes + + - + + - + + Not Start +
+ Secure Database +
+ Secure Database
+Querying Based
+on HE +
+ - + + - + + - + + - + + - + + - + + - + + - + + Yes + + Yes + + - + + - + + Not Start +
- --- # Incubating Component Projects @@ -533,45 +705,56 @@ of them is proven useful enough and stable enough via a thorough validation with CCZoo reference solutions running on various public cloud services, it will graduate from CCZoo and evolve to a standalone project. - - - - - - - - - - - - - - - - - - - - - +
Incubating Component Project '*' -                                                                         Description - Status - Validated in Public Cloud -
RATS-TLS - This project provides a proof-of-concept implementation on how to integrate Intel SGX and TDX remote attestation into the TLS connection setup. Conceptually, it extends the standard X.509 certificate with SGX and TDX related information. It also provides two non-SGX clients (Wolfssl and OpenSSL) to show how seamless remote attestation works with different TLS libraries.  - Published - Alibaba Cloud -
RA-TLS Enhanced gRPC - This project provides an enhanced gRPC (Remote Procedure Call) framework to guarantee security during transmission and runtime via two-way RA-TLS (Intel SGX Remote Attestation with Transport Layer Security) based on TEE (Trusted Execution Environment). - Published - Alibaba Cloud, -
- Tencent Cloud
-
+ + + + + + + + + + + + + + + + + + + +
+ Incubating Component Project '*' + +                                                                         Description + + Status + + Validated in Public Cloud +
+ RATS-TLS + + This project provides a proof-of-concept implementation on how to integrate Intel SGX and TDX remote attestation into the TLS connection setup. Conceptually, it extends the standard X.509 certificate with SGX and TDX related information. It also provides two non-SGX clients (Wolfssl and OpenSSL) to show how seamless remote attestation works with different TLS libraries.  + + Published + + Alibaba Cloud +
+ RA-TLS Enhanced gRPC + + This project provides an enhanced gRPC (Remote Procedure Call) framework to guarantee security during transmission and runtime via two-way RA-TLS (Intel SGX Remote Attestation with Transport Layer Security) based on TEE (Trusted Execution Environment). + + Published + + Alibaba Cloud,
+Tencent Cloud,
+ByteDance Cloud
+
- --- # Cloud Deployment @@ -581,91 +764,186 @@ Solutions and incubating component projects in CCZoo are constantly extended to Below table shows solutions and component projects validated in public clouds. And it will be updated continuously. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
     Public Cloud - Alibaba Cloud - Tencent Cloud -
Instance  - Type - g7t - M6ce.4XLARGE128  -
Kernel - 4.19.91-24 - 5.4.119-19-0009.1 -
OS - Alibaba Cloud Linux 2.1903 - TencentOS Server 3.1 -
Memory - 64G(32G EPC memory) - 64G(32G EPC Memory) -
vCPU - 16 - 16 -
PCCS Server - sgx-dcap-server.cn-hangzhou.aliyuncs.com - sgx-dcap-server-tc.sh.tencent.cn  -
Validated Solution  - - - - -
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+      Public Cloud + + Alibaba Cloud + + ByteDance Cloud + + Tencent Cloud +
+ Instance  + + Type + + g7t
+
+
+ ecs.ebmg2t.32xlarge +
+
+ M6ce.4XLARGE128  +
+ Kernel + + 4.19.91-24 + +
+ kernel-5.15 +
+
+ 5.4.119-19-0009.1
+
+ OS + + Alibaba Cloud Linux 2.1903 + + Ubuntu20.04 + + TencentOS Server 3.1
+
+ Memory + + 64G(32G EPC memory) + +
+ 512GB(256GB EPC memory) +
+
+ 64G(32G EPC memory)
+
+ vCPU + + 16 + + 16 + + 16
+
+ PCCS Server + + sgx-dcap-server.cn-hangzhou.aliyuncs.com + + + + sgx-dcap-server-tc.sh.tencent.cn 
+
+ Validated Solution 
+
+ + + + + + + + + + + +
- --- # Confidential Computing Zoo Documentation
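Review bot: the hunk `@@ -4,7 +4,7 @@` in patch 1/3 and the hunk `@@ -3,9 +3,7 @@` in patch 2/3 rewrite the same lines of `documents/readthedoc/docs/source/Solutions/attestation-secret-provision/index.md`, and patch 2/3 discards what patch 1/3 added, so the two should be squashed into one commit whose subject states the change (for example "docs: use markdown image syntax for the ASPS architecture figure") rather than "Update index.md".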
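Review bot: in the `@@ -3,9 +3,7 @@` hunk of patch 2/3 the added `![](img/asps_arch.png)` has empty alt text; give the figure a description such as `![ASPS architecture](img/asps_arch.png)` so the RA-TLS flow it illustrates is still named when the image cannot be rendered, and confirm that `img/asps_arch.png` exists under `documents/readthedoc/docs/source/Solutions/attestation-secret-provision/`, since the relative path is resolved from the directory of `index.md` and a missing file shows up only as a broken image in the built docs.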
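Review bot: in the `@@ -15,514 +15,686 @@` hunk of patch 3/3 the content changes are buried in roughly 1,500 lines of indentation and whitespace churn in the HTML solution table; split the reformat into its own commit and list the real changes in the message, which from the visible rows are: ByteDance Cloud added to the validated-cloud cell of Horizontal Federated Learning, Vertical Federated Learning and TensorFlow Serving Cluster PPML; "Cross Language framework Based on Gramine" moved from In Progress to Published with Tencent Cloud; "Attestation Server" renamed to "Attestation and Secret Provision Service" and moved from In Progress to Published with its component columns unchanged. Since the rows are rewritten anyway, also fix the text carried over unchanged: "Leveled HE Logical Regression Inference" should read "Logistic Regression", "Base on TEE & HE" should read "Based on TEE & HE", and the group heading "Attestation Server & Key Management Service" should match the renamed row.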
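Review bot: in the `@@ -533,45 +705,56 @@` hunk of patch 3/3 the only substantive change is adding ByteDance Cloud to the validated-cloud cell of the RA-TLS Enhanced gRPC row; the other changed lines are indentation only and belong in the reformat commit. While touching the RATS-TLS description, "Wolfssl" should be spelled "wolfSSL".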
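Review bot: in the `@@ -581,91 +764,186 @@` hunk of patch 3/3 the new ByteDance Cloud column leaves the "PCCS Server" cell empty, while the Alibaba Cloud and Tencent Cloud columns give `sgx-dcap-server.cn-hangzhou.aliyuncs.com` and `sgx-dcap-server-tc.sh.tencent.cn`; the PCCS endpoint is where DCAP quote generation and verification fetch their collateral, so anyone reproducing the validation on ByteDance Cloud needs it, and the cell should either carry the endpoint or say explicitly that none is provided rather than stay blank. The other new cells are less precise than their neighbours: "kernel-5.15" against the full versions "4.19.91-24" and "5.4.119-19-0009.1", and "Ubuntu20.04" should read "Ubuntu 20.04". Please double-check "vCPU 16" for `ecs.ebmg2t.32xlarge` with 512GB memory, since the same value is repeated across all three columns. Finally, the "Validated Solution" row is empty for every cloud both before and after this change; either fill it from the solution table above or drop the row.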