Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AttestationHashes ¶
type AttestationHashes struct {
// contains filtered or unexported fields
}
AttestationHashes contains hashes over public key material which we embed in the enclave's attestation document for clients to verify.
func (*AttestationHashes) Serialize ¶
func (a *AttestationHashes) Serialize() []byte
Serialize returns a byte slice that contains our concatenated hashes. Note that all hashes are always present. If a hash was not initialized, it's set to 0-bytes.
type Config ¶
type Config struct { // FQDN contains the fully qualified domain name that's set in the HTTPS // certificate of the enclave's Web server, e.g. "example.com". This field // is required. FQDN string // FQDNLeader contains the fully qualified domain name of the leader // enclave, which coordinates enclave synchronization. Only set this field // if horizontal scaling is required. FQDNLeader string // ExtPubPort contains the TCP port that the public Web server should // listen on, e.g. 443. This port is not *directly* reachable by the // Internet but the EC2 host's proxy *does* forward Internet traffic to // this port. This field is required. ExtPubPort uint16 // ExtPrivPort contains the TCP port that the non-public Web server should // listen on. The Web server behind this port exposes confidential // endpoints and is therefore only meant to be reachable by the enclave // administrator but *not* the public Internet. ExtPrivPort uint16 // IntPort contains the enclave-internal TCP port of the Web server that // provides an HTTP API to the enclave application. This field is // required. IntPort uint16 // UseVsockForExtPort must be set to true if direct communication // between the host and Web server via VSOCK is desired. The daemon will listen // on the enclave's VSOCK address and the port defined in ExtPubPort. UseVsockForExtPort bool // DisableKeepAlives must be set to true if keep-alive connections // should be disabled for the HTTPS service. DisableKeepAlives bool // HostProxyPort indicates the TCP port of the proxy application running on // the EC2 host. Note that VSOCK ports are 32 bits large. This field is // required. HostProxyPort uint32 // PrometheusPort contains the TCP port of the Web server that exposes // Prometheus metrics. Prometheus metrics only reveal coarse-grained // information and are safe to export in production. PrometheusPort uint16 // PrometheusNamespace specifies the namespace for exported Prometheus // metrics. Consider setting this to your application's name. PrometheusNamespace string // UseProfiling enables profiling via pprof. Profiling information will be // available at /enclave/debug. Note that profiling data is privacy // sensitive and therefore must not be enabled in production. UseProfiling bool // UseACME must be set to true if you want your enclave application to // request a Let's Encrypt-signed certificate. If this is set to false, // the enclave creates a self-signed certificate. UseACME bool // Debug can be set to true to see debug messages, i.e., if you are // starting the enclave in debug mode by running: // // nitro-cli run-enclave --debug-mode .... // // Do not set this to true in production because printing debug messages // for each HTTP request slows down the enclave application, and you are // not able to see debug messages anyway unless you start the enclave using // nitro-cli's "--debug-mode" flag. Debug bool // FdCur and FdMax set the soft and hard resource limit, respectively. The // default for both variables is 65536. FdCur uint64 FdMax uint64 // AppURL should be set to the URL of the software repository that's // running inside the enclave, e.g., "https://github.com/foo/bar". The URL // is shown on the enclave's index page, as part of instructions on how to // do remote attestation. AppURL *url.URL // AppWebSrv should be set to the enclave-internal Web server of the // enclave application, e.g., "http://127.0.0.1:8080". Nitriding acts as a // TLS-terminating reverse proxy and forwards incoming HTTP requests to // this Web server. Note that this configuration option is only necessary // if the enclave application exposes an HTTP server. Non-HTTP enclave // applications can ignore this. AppWebSrv *url.URL // WaitForApp instructs nitriding to wait for the application's signal // before launching the Internet-facing Web server. Set this flag if your // application takes a while to bootstrap and you don't want to risk // inconsistent state when syncing, or unexpected attestation documents. // If set, your application must make the following request when ready: // // GET http://127.0.0.1:{IntPort}/enclave/ready WaitForApp bool // MockCertFp specifies a mock TLS certificate fingerprint // to use in attestation documents. MockCertFp string }
Config represents the configuration of our enclave service.
Click to show internal directories.
Click to hide internal directories.