diff --git a/docs/readthedocs/source/_toc.yml b/docs/readthedocs/source/_toc.yml index 4e7e9553..5cd7a972 100644 --- a/docs/readthedocs/source/_toc.yml +++ b/docs/readthedocs/source/_toc.yml @@ -247,6 +247,7 @@ subtrees: subtrees: - entries: - file: doc/PPML/Overview/ppml + - file: doc/PPML/Overview/attestation_basic - file: doc/PPML/Overview/trusted_big_data_analytics_and_ml - file: doc/PPML/Overview/trusted_fl - file: doc/PPML/QuickStart/secure_your_services diff --git a/docs/readthedocs/source/doc/PPML/Overview/attestation_basic.md b/docs/readthedocs/source/doc/PPML/Overview/attestation_basic.md new file mode 100644 index 00000000..8ff7bd95 --- /dev/null +++ b/docs/readthedocs/source/doc/PPML/Overview/attestation_basic.md 
@@ -0,0 +1,87 @@ +# Ensure Integrity and Build Trust with Attestation + +The process of validating the integrity of a computing device such as a server needed for trusted computing. It is widely used in a Trusted Execution Environment (TEE) or Trusted Platform Module (TPM) for ensuring integrity and building trust. + +### Attestation Basic + +The basic idea of attestation is to verify: +1. The platform is secured. Trusted Computing Base (TCB) is secured. +2. Running in TEE/TPM. +3. Application is as expected (same hash or HMAC). + +Local or remote attestation: + +* Verifying a local enclave (TEE env) on the same node/server is called local attestation. +* Verifying a remote enclave on another node/server is called remote attestation. + +Due to platform differences, Intel SGX has 2 kinds of attestations: + +1. Elliptic Curve Digital Signature Algorithm (ECDSA) Attestation for 3rd generation Intel® Xeon® Scalable processors and selected Intel® Xeon® E3 processors. +2. Intel® Enhanced Privacy ID (Intel® EPID) Attestation for desktop and Xeon E3 processors, and selected Intel® Xeon® E processor. + +*Note that SGX attestation mentioned in BigDL PPML should be ECDSA attestation with DCAP.* + +The basic workflow of attestation: + +```eval_rst +.. mermaid:: + + sequenceDiagram + Verifier->>App in SGX: Challenge(Prove YourSelf) + Note right of App in SGX: Generate Quote(Signed Context) + App in SGX->>Verifier: Evidence(App Quote) + Note left of Verifier: Verify Quote + Verifier ->>App in SGX: Response(Pass/Fail) +``` + +The key steps in attestation: +* Quote Generation. Generate a Quote/Evidence with SDK/API. This quote is signed by a pre-defined key, and it cannot be modified. You can add 128b its user data into a SGX quote. +* Quote Verification. Verify a Quote/Evidence with SDK/API. + +### Attestation in E2E PPML applications + +Attestation is not hard if you are running a new written application. 
Because you can directly integrate `quote generation` and `quote verification` into your application code. However, if you are migrating an existing application, attestation may cause some additional effort. Especially, when you are running distributed applications like PPML applications in multi-nodes. That means you have to add attestation into your distributed applications or frameworks, e.g., add attestation when modules running on different nodes build connections. + +To avoid such changes, we can utilize a third-party attestation service to offload `quote verification` from your existing applications. This service will help us to verify if a running application is as expected. + +#### Attestation Service + +When working with an attestation service, we can define a policy/requirement for each application. During application initialization (server or worker), we can require each module to generate its quote and send it to an attestation service. This attestation service will check these quotes based on pre-defined policy/requirement, then send back responses (`success/fail`). If we get a `success` result, we keep starting this module. Otherwise, we just quit or kill this module. + +```eval_rst +.. mermaid:: + + graph TD + Admin --Policy--> as(Attestation Service) + subgraph Production Env/Cloud + sgxserver(Server in SGX) -.- sgxworker1 + sgxserver(Server in SGX) -.- sgxworker2 + sgxworker1(Worker1 in SGX) + sgxworker2(Worker2 in SGX) + end + sgxserver --Quote--> as + sgxworker1 --Quote--> as + sgxworker2 --Quote--> as + as --response-->sgxserver + as --response-->sgxworker1 + as --response-->sgxworker2 +``` + +With this attestation service design, we can avoid adding malicious applications or modules to distributed applications. + +#### Attestation Service for Cloud Service Provider (CSP) + + +### Advanced Usage + +During remote attestation, the attestation protocol will build a secure channel. 
It can help build [TLS connection with integirty](https://arxiv.org/pdf/1801.05863.pdf). Meanwhile, attestation can be [integrated with HTTP protocol to provide trusted end-to-end web service](https://arxiv.org/abs/2205.01052). + +### References + +1. https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation +2. https://www.intel.com/content/www/us/en/developer/articles/technical/quote-verification-attestation-with-intel-sgx-dcap.html +3. https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/docs/Intel_SGX_DCAP_ECDSA_Orientation.pdf +4. https://azure.microsoft.com/en-us/products/azure-attestation/ +5. https://en.wikipedia.org/wiki/Trusted_Computing +6. [Integrating Intel SGX Remote Attestation with Transport Layer Security](https://arxiv.org/pdf/1801.05863.pdf) +7. [HTTPA/2: a Trusted End-to-End Protocol for Web Services](https://arxiv.org/abs/2205.01052) diff --git a/docs/readthedocs/source/doc/PPML/Overview/misc.rst b/docs/readthedocs/source/doc/PPML/Overview/misc.rst index a745d689..46fb9ba8 100644 --- a/docs/readthedocs/source/doc/PPML/Overview/misc.rst +++ b/docs/readthedocs/source/doc/PPML/Overview/misc.rst @@ -2,6 +2,7 @@ Advanced Topic ==================== * `PPML User Guide `_ +* `Ensure Integrity and Build Trust with Attestation `_ * `Trusted Big Data Analytics and ML `_ * `Trusted FL (Federated Learning) `_ * `Secure Your Services <../QuickStart/secure_your_services.html>`_
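Review bot: In the "Attestation Service" section of attestation_basic.md, the verdict is acted on by the module that is being attested ("If we get a `success` result, we keep starting this module. Otherwise, we just quit or kill this module."), so the closing claim that this design keeps malicious modules out of a distributed application does not follow from the text: a module that is not the expected one has no reason to honour a `fail` response. Please state which party enforces the result (for example the server or peer that admits a worker, or the component that releases its keys and secrets) and describe the module's own exit as a convenience rather than the control. In the same file, neither the workflow diagram nor the "Quote Generation" bullet says how the verifier's challenge is bound into the quote, so a reader cannot tell what stops an old quote from being replayed; one sentence tying the challenge to the quote's user data would close that gap. Smaller points in this hunk: the opening sentence is a fragment with no subject ("The process of validating ..."); "You can add 128b its user data into a SGX quote" is garbled and leaves the size and unit unclear; "it cannot be modified" would be more accurate as a statement that any modification is detected at verification; the heading "Attestation Service for Cloud Service Provider (CSP)" has no body and should be filled in or dropped; and "integirty" in the Advanced Usage link text should be "integrity".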