Hello, I'm Sakiyama Hata.In this session, I'd like to discuss about container support for SGX environment.This session is made with great help of my colleague Dmitri and Anno.So, I'd like to thank them here.This three confidential computing is getting momentumso that Linux Foundation found it confidential computing construction.People use this cloud service with quantitiesso only providing basic trusted execution environment is not enoughbut also integration with quantitiesor any other popular container management systemis quite important for wide acceptance.At first, I'd like to discuss about what confidencecomputing over trusted execution environment isand then discuss about taxonomy of container support.And then at last, as concrete example,I'll discuss about graph-in-device shielded container. These days, cloud computing is widely accepted.Usually, data is encrypted in transfer of a networkbut when processing data in CPU, it's not encrypted.On the other hand, usually,machine is managed by cloud service providerand also on the same machineworkloads by someone else may run in the same machine.So, data can be stored.For example, hypervisor or hostOS can serve your data byand hypervisor and hostOS is managed by cloud service provideror someone else running workload on the same machinecan attack your workload.So, there is a gap to protect data while processing.So, the new way of computing is called Confidential Computing.It protects data confidentiality, integrity,and replay protection for computationby encrypting the main memoryand shielding access to the data.So, that's a way to fill the gap for data protection.It requires trusted execution environmentsor TE as a basic building blockto isolate the execution environment.TE is typically implemented as a softwareand in this figure, it means CPU box.The hardware is trusted to isolate the TEfrom other software, other applications,hostOS or hypervisor or even firmware.It protects by denying any accessfrom non-TE execution by hardware. Also, the CPU attests the state of TEto a third party.So, that externally refers to Provision Secretsto the TE.So, when you pass the Provision Secretsto the TE, you'd like to confirmthat the program running inside TEis really yours, not compromised.So, attestation is quite important,is also important, not only in additionto protecting memory itself.So, in the cloud environment,TE is the only building blockin cloud ecosystem.Users typically use Kubernetesto run their workload.There is a high bar for adaptationof TE or confidential computing.So, we'd like to lower the bar for it.It means user should be easily ableto reuse the existing container imageand then user protect their data.Users deploy their workload viacontainer management system like Kubernetes.User can convert their container imageto enable TE.It meansconverter from normal container imageto TE enabled image.Then the user can enable TEcan run TE protectedworkload on the converted image.So, there are two dimensionsto enable TE of container image.One is the scope of protection.Another one is how torun TE or programin within TE.The container workload can becomposed of multiple programs.There are main workload andHILPA programs.One option is to protect all programs running inside container.Another option is to protect only main workloadwhich processes secrets.Another dimension is how to run TE.One way is no specific way.There is no specific wayfor user to specifybecause all the programs are run in TE.Another way is to specify programsto be run in TE.Typically, programs to be run in containeris specified bydoca file or command.It can be convertedby wrapper to TE wrapperso that programs can berun in TE.Typically,to run TE programs in TEsome preparation is neededbecause for attestationsome configuration needs to be passedto TE wrapper.For container support,there are several levels to enable TEin container environment.The right one is the manual wayand the left one is the most automatic way.The right one is to do allin manual way if you arewant to fully optimize it.You can do it in full manual ways.You can install TE software in container imageand update to involve programswith TE.But it's a high costand you have to know everything about what you are doing.The next way is automatically convertcontainer imageand also automatically updateyour scripts.Typicallyin doca file entry pointspecify switch programs to run so convertercan find, can analyze which entry pointcan find that entry pointand then you convert commandsfrom normal commands invocationto wrapte wrapperbut in this casemanual execution will be supportedif user type doca execbush it will want to be protected.The third one isto integrate container runtime with TE.In this casecontainer will be done via dedicated container runtimeso all programs will berun under TE.In this casedoca exec will be covered too.The last one is to usecontainer and protect them as a whole.In this casecontainer will be doneby this model protectedbut this model won't be discussed in this section.I included it herefor completeness of this matrix.Howeverthe integrationwith container runtime takes a long time and it requiresa shortimage conversionas a short term for easy adaptation.After this is achievedwe can attackcombined integration as a long time.Let's move on to concrete example of graphing SCXand graphing associated containers support.SCX stands for software guard extensionand it is one of the TE implementation.SCX enclave is a special memory region in the process of the user processand which is encrypted.On the RAM and memory bus only encrypted data is used.Carnel or VMM or even firmwareBooting enclave in user spacememory is measuredso that its startup state is knownand the integrity is guaranteed.Further, to help enclave securityexecution in enclave is restricted.For example, this code instructionis not allowed to execute.So, for our goalif we simply put inapplicationfinally a modified wayinto SCX enclaveit doesn't workas expected becausefor example this code instruction is not allowedso simply it won't work.Typicallyapplication needs to bemodified at source code level and it willspreadapplication into two componentsone part is componentrunning within SCX enclavewhich is protectedor it can be considered as trustedand other part runs outsideSCX enclaveand which is untrustedbut forautomatic container image conversionthis is not desirableso something needs to be doneso hereGraphin Rebois comes intothe answerthe way to rununmodified binary inside enclaveLibrary OS hooksthe system code from the application within enclaveand it tries to emulatelinux systemlinux system called apiand thenif really necessaryfor example for IO, 5IO or network IOand so on and so onit really needs to requestto hostconso it goes outit goes out of enclaveand then untrusted code is executedand then a final system codea host system code is sentto hostconso nowlet me introduce Graphin Library OSGraphin Rebois is an open sourceproject and hosted in Githuband it's actively developed in the communityand it supports SCXand it loads applicationsunmodified applications into SCX appunclaved and fixed system codeand the part stands for platform abstraction layerand the part is actuallyspread into tool and trusted partwhich runs inside SCXand clipped and untrusted partwhich runs outsideof SCX and clippedwhich means it is untrustednext let me introduceGraphin series that it contains integrationfor automatic conversionGraphin series that containerdeveloped in the communityit's already mustit's already availableat the point of releaseversion 1.1it takes normal docker imageand also optional manifest fileor other configuration filesand thengraphinize docker imageespecially it installsgraphin runtime in the imageand also builds some configuration filewhich is called manifest for each applicationand thendeveloper signs its imageso that sign the imageand then after that we can usedocker run commandso that application will be run insidescx and clippedthis slides depictshow GSC convertsdocker imagefirst step isit installsgraphin runtime in the imageand then it generates a configuration filefor each applicationand thenit analyzesdocker filecontainer enter pointand cmd enter pointso that it converts a command executableto run application insidescxinstead ofrandy running applicationand also it try to access the file systemat the mark pointand also it needs tocalculate dependencybecause many usuallyapplications are linked to manyshared librariesdbOS also needs to loadshared libraries into the enclaveOK, somebodyconfidential computing untrusted execution environment key components to protect secretin cloud environmentscx and graphin dbOSbasic building blocks for TEto enable and modifyGraphin sealed containeror GSC allows user toautomatically convert container imagefor TE-integrated imageso that your user can easilyadaptateconfidential computing environmentOK, at last I'd like to introducethe future work of Graphin Library OS Intercommunity1st one is containeras the next step of GSCcontainer runtime support is very importantso that your user can seamlesslycontainerwith TE enabledand also for protection usehardening of Graphin Library OS is addressedand also more languagecontainer time support is plannedis being developedfor example to support Java orGo languagealso Graphin communityapplied forconfidential computing consortiumand right now we are under legal reviewand hopefully it will be accepted soonfor listeningafter this video, I can take questionsthank you so much