Welcome to the Sentient Enclaves Framework. The framework provides end-to-end infrastructure for building confidential AI applications using TEEs.
Trusted Execution Environments (TEEs, aka Confidential Computing Environments) are a type of hardware-based security mechanism that allows for the secure execution of code in a protected environment (hardware isolated memory area). TEEs are designed to provide a secure and isolated execution environment for applications that handling sensitive data (data-sets), such as AI models, by ensuring that the code and data are protected from any unauthorized external access. This framework provides a comprehensive infrastructure for building confidential AI applications using AWS's Nitro Enclaves offering. The framework enables the creation of confidential enclaves that are isolated from the host machine and operator (cloud provider) infrastructure.
- Seamlessly setup and deploy confidential AI applications in TEEs π
- Generate reproducible builds and verifiable build hashes for enclave image and applications π
- Access internet services inside isolated enclave using forward proxies π
- Deploy internet-facing applications inside enclave using reverse proxies π
- Verify enclave application integrity at runtime using PCR-based attestation π‘οΈ
- Ensure the integrity of external data through hash and VRF proof verification ππ
To allow for the creation of confidential AI applications set of infrastructure components are needed. The framework abstracts these components away from the developer, providing a simple interface for building confidential AI applications. Framework provides following components:
| Component | Description | Functionality | Documentation |
|---|---|---|---|
pipeline |
Implementation of binary protocol over vsock for interacting with enclave |
Controls enclave execution and enables bi-directional file transfers |  |
rbuilds.sh |
Script utilising set of components for building reproducible enclave images | Enables byte-level reproducibility for enclave images and streamlines the build process |  |
pf-proxy |
Transparent vsock proxies for internet-enabled applications |
Provides full networking stack support, enabling outbound TCP connections using forward proxies and inbound TCP connections using reverse proxies for enclaves |  |
ra-web-srv |
Remote Attestation Web Server for verifying integrity of applications | Enables remote attestation of EIF base image and enclave file system, verifying static and run-time integrity via PCR hash comparison and per-file proofs from within the enclave. | |
Note
More details about these components and other framework components that are under development can be found in the Detailed project reference README.
Building the core components of the framework is done using the rbuilds.sh script. This script simplifies the process of building the components and handles all the dependencies. Exact steps are available in the BUILDING.md file.
Once the core components are built, the apps can be built and run using the rbuilds.sh script. Reference apps directory contains example applications that utilize the framework. Each reference application follows the following structure:
reference_apps/
βββ reference_app_name : Name of the reference application
β βββ reference_app_name.dockerfile : Template Dockerfile for building the application with necessary dependencies to run inside enclave
β βββ TEE_rbuilds_setup.md: Application setup guide for building and running the application using rbuilds.sh
β βββ TEE_setup.md: Legacy setup guide
To run any of the reference applications, the steps outlined in the respective TEE_rbuilds_setup.md should be followed.
Ensuring the integrity and authenticity of the code and data running within a confidential computing environment is crucial. The Sentient Enclaves Framework provides built-in mechanisms to verify the state of your application running inside the Nitro Enclave.
This involves two primary aspects facilitated by the ra-web-srv component:
Confirming that any configuration or input files loaded by the enclave application have not been tampered with. The ra-web-srv component, running inside the enclave, can generate cryptographic hashes and Verifiable Random Function (VRF) proofs for specified files.
Important
The RA server runs inside the enclave and is accessible via curl only if reverse proxy is enabled. Make sure to enable reverse proxy by using --network flag while building the enclave and eif file. Otherwise, use pipeline utility to interact with the RA server.
curl -s -i -k -X POST -H 'Content-Type: application/json' -d '{ "path": "/path/to/file" }' https://127.0.0.1:8443/generateNote
While using pipeline utility for requesting proofs, make sure to escape the " using \" in the -d parameter. This escaping might be required for some shells.
curl -s -i -k -X GET https://127.0.0.1:8443/proof/?path=/path/to/fileYou would then compare the received hash with a locally computed hash of your expected file content to verify integrity of enclave's external data.
Verifying that the exact expected Enclave Image File (.eif) is running. This is done by comparing the runtime Platform Configuration Register (PCR) values of the running enclave (obtained via the ra-web-srv) with the PCR values of the .eif file from which the enclave was launched (obtained using nitro-cli).
Note
Make sure that the path is the same as the path to the file used to generate the proof.
curl -s -i -k -X GET https://127.0.0.1:8443/doc/?path=/path/to/file/&view=json_hexnitro-cli describe-eif --eif-path /path/to/your/app.eifAmongst the returned data, the PCR0, PCR1, PCR2 values contains following measurements:
PCR0:
PCR0contains a measurement of all the data influencing the runtime of code in an EIFPCR0=SHA384(KERNEL | Cmdline | Ramdisk(init) | Ramdisk(1:))
Note
The Ramdisk(1:) is the path to the all of user application's data in the .eif file except the init process.
PCR1:
PCR1contains a measurement of all the data influencing the bootstrap and kernel in an EIF.PCR1=SHA384(Kernel | Initramfs | Cmdline | Ramdisk(init))
PCR2:
PCR2contains a measurement of the user application in an EIFPCR2=SHA384(Ramdisk(1:))
Matching these PCRs (PCR0, PCR1, PCR2) confirms the integrity of the base image running in the enclave.
Important
To obtain valid and verifiable attestation results, ensure that your enclave is running in non-debug mode. In debug mode, Platform Configuration Register (PCR) values are not set and will appear as all zeros when queried. This prevents meaningful attestation. Only in non-debug mode are the PCR values computed from the Enclave Image Format (.eif) before boot and set correctly to reflect the enclaveβs configuration and integrity.
For complete, detailed instructions on how to perform these attestation steps for X_Agent, please refer to the X Agent Enclave Attestation Section.
Project follows the directory structure given below:
sentient-enclaves-framework/
βββ pipeline : source code for pipeline component for interacting with enclaves
βββ pf-proxy : Source code for transparent vsock proxies for internet-enabled applications
βββ rbuilds
β βββ*.dockerfile : Dockerfile used for different stages while building enclave images
β βββ rbuilds.sh: Script for building reproducible enclave images
βββ rbuilds.legacy : Legacy build system for building enclave images. Currently not used.
βββ reference_apps : Reference applications that utilize the framework
β βββ fingerprinting_server : A model fingerprinting server that fingerprints models based on OML fingerprinting library
β βββ inference_server : An inference server that uses a local model inference.
β βββ X_Agent : A reference agent that interacting with X users.
βββ ra-web-srv : Web Server for remote attestation of enclaves (WIP)
βββ docs : Detailed documentation for the framework and its components
Important
Contributions are welcome! Contribution guidelines will soon be available.
This project is licensed under the Apache 2.0 License.