Merge pull request #1 from acompany-develop/imamura/initial-impl

feat: initial implementation of RAFW-NE

Author: hyperfinitism

.gitignore

@@ -0,0 +1,4 @@
+.DS_Store
+
+target/
+debug/

Cargo.toml

@@ -0,0 +1,7 @@
+[workspace]
+resolver = "3"
+members = [
+    "client",
+	"enclave",
+	"proxy",
+]

Makefile

@@ -0,0 +1,76 @@
+SHELL := /bin/bash
+
+.PHONY: help setup-docker setup-nitro-cli setup-client build-enclave build-proxy build-client run-enclave run-proxy run-client terminate-enclave
+
+ENCLAVE_CID ?= 16
+ENCLAVE_MEMORY ?= 512
+ENCLAVE_CPU_COUNT ?= 2
+
+SERVER_IP ?= 127.0.0.1
+SERVER_PORT ?= 8080
+
+help:
+	@echo "Targets:"
+	@echo "  help              Show this help message"
+	@echo "  For Parent VM:"
+	@echo "    setup-docker      Install Docker (requires Ubuntu + sudo) for Parent VM"
+	@echo "    setup-nitro-cli   Install Nitro Enclaves Driver and CLI for Parent VM"
+	@echo "    build-enclave     Build enclave Docker image and create EIF file"
+	@echo "    build-proxy       Build vsock proxy"
+	@echo "    run-enclave       Run Nitro Enclave"
+	@echo "    run-proxy         Run vsock proxy"
+	@echo "    terminate-enclave Terminate Nitro Enclave"
+	@echo "  For Client:"
+	@echo "    setup-client      Install Rust and AWS Nitro Enclaves root certificate"
+	@echo "    build-client      Build client application"
+	@echo "    run-client        Run client"
+
+setup-docker:
+	@echo "Running scripts/setup-docker.sh"
+	@bash ./scripts/setup-docker.sh
+
+setup-nitro-cli:
+	@echo "Running scripts/setup-nitro-cli.sh"
+	@bash ./scripts/setup-nitro-cli.sh
+
+setup-client:
+	@echo "Running scripts/setup-client.sh"
+	@bash ./scripts/setup-client.sh
+
+build-enclave:
+	@echo "Building Docker image"
+	@docker build -t rafwne-enclave ./enclave
+	@echo "Creating EIF file"
+	@nitro-cli build-enclave --docker-uri rafwne-enclave --output-file ./enclave/rafwne-enclave.eif
+
+build-proxy:
+	@echo "Building vsock proxy"
+	@cargo build -p rafwne-proxy -r
+
+build-client:
+	@echo "Building client crate (release)"
+	@cargo build -p rafwne-client -r
+
+run-enclave:
+	@echo "Running Nitro Enclave"
+	@nitro-cli run-enclave --eif-path ./enclave/rafwne-enclave.eif --memory $(ENCLAVE_MEMORY) --cpu-count $(ENCLAVE_CPU_COUNT) --enclave-cid $(ENCLAVE_CID)
+
+run-proxy:
+	@echo "Running vsock proxy"
+	@cargo run --release -p rafwne-proxy -- --ip $(SERVER_IP) --port $(SERVER_PORT) --cid $(ENCLAVE_CID)
+
+run-client:
+	@echo "Running client"
+	@cargo run --release -p rafwne-client
+
+terminate-enclave:
+	@echo "Terminating Nitro Enclave"
+	@ENCLAVE_ID="$$(nitro-cli describe-enclaves | jq -r '.[] | select(.State == "RUNNING" and .EnclaveCID == $(ENCLAVE_CID)) | .EnclaveID' | head -n1)"; \
+	if [ -z "$$ENCLAVE_ID" ]; then \
+		echo "ERROR: running enclave with CID=$(ENCLAVE_CID) not found"; \
+		nitro-cli describe-enclaves; \
+		exit 1; \
+	fi; \
+	echo "Enclave ID: $$ENCLAVE_ID"; \
+	nitro-cli terminate-enclave --enclave-id "$$ENCLAVE_ID"; \
+	echo "Enclave terminated"

README.md

@@ -1 +1,144 @@
 # Remote Attestation Framework for AWS Nitro Enclaves
+![MSRV](https://img.shields.io/badge/MSRV-1.90.0-blue)
+
+This repository demonstrates a simple end-to-end flow against an AWS Nitro Enclave: **ECDH key exchange & attestation verification → confidential computation (example: adding two integers)**.
+
+- **Parent VM**: An AWS EC2 instance (Ubuntu 24.04) with Nitro Enclaves enabled. Runs the Enclave and the vsock proxy.
+- **Client**: Can run on any machine, but this README assumes you run it on the Parent VM (localhost).
+
+## Tested environment (detailed)
+
+### Parent VM (AWS EC2)
+
+- **Instance type**: `c5.xlarge`
+  - vCPUs: 4
+  - Memory: 8 GiB
+  - CPU arch: `x86_64`
+- **AMI**: Ubuntu Server 24.04 LTS
+  - AMI ID: `ami-06e3c045d79fd65d9`
+- **Storage**: 64 GiB `gp3`
+- **Kernel**: 6.14.0-1018-aws
+- **Nitro Enclaves**: Enabled
+- **Nitro Enclaves CLI / driver**: v1.4.4
+- **Rust toolchain**: v1.90.0
+
+### Enclave
+
+- **OS**: Ubuntu 24.04
+- **Allocated vCPUs**: 2
+- **Allocated Memory**: 512 MiB
+- **OS**: Ubuntu 24.04
+- **Rust toolchain**: v1.90.0
+
+### Client
+
+- Ran on the same Parent VM (localhost).
+
+## Architecture
+
+- `enclave/`: Enclave application (listens on vsock `port=5000`)
+- `proxy/`: **untrusted** HTTP → vsock proxy (listens on HTTP `ip:port`, forwards to vsock `port=5000`)
+- `client/`: Client app (POSTs JSON to the proxy, verifies attestation, then calls the confidential computing API)
+
+## Quick start (all on the Parent VM)
+
+Clone the repository:
+
+```bash
+git clone <THIS_REPOSITORY>
+cd <THIS_REPOSITORY>
+```
+
+### 1. Parent VM setup (Ubuntu 24.04)
+
+```bash
+make setup-docker
+make setup-nitro-cli
+```
+
+### 2. Client setup (this README runs it on the Parent VM)
+
+```bash
+make setup-client
+```
+
+### 3. Build the Enclave image and copy PCRs into `client-configs.json`
+
+```bash
+make build-enclave
+```
+
+When you run `make build-enclave`, PCR measurements are printed like this (example):
+
+```text
+Enclave Image successfully created.
+{
+  "Measurements": {
+    "HashAlgorithm": "Sha384 { ... }",
+    "PCR0": "...",
+    "PCR1": "...",
+    "PCR2": "..."
+  }
+}
+```
+
+Copy **PCR0/1/2** into `"PCRs"` in `client-configs.json`.
+
+### 4. Build the vsock proxy
+
+```bash
+make build-proxy
+```
+
+### 5. Start the Enclave
+
+```bash
+make run-enclave
+```
+
+### 6. Start the vsock proxy
+
+```bash
+make run-proxy
+```
+
+### 7. Build and run the client
+
+```bash
+make build-client
+make run-client
+```
+
+After ECDH key exchange and attestation verification, the client calls the Enclave’s “add two integers” API and then closes the session.
+
+### 8. Stop the Enclave
+
+```bash
+make terminate-enclave
+```
+
+## Configuration
+
+### Change Enclave Memory / vCPU Allocation
+
+- **Update Makefile variables**
+  - `ENCLAVE_MEMORY`（MiB）
+  - `ENCLAVE_CPU_COUNT`
+- **Update allocator config**
+  - Update `/etc/nitro_enclaves/allocator.yaml` accordingly
+- **Restart the allocator**
+  ```bash
+  sudo systemctl restart nitro-enclaves-allocator.service
+  ```
+
+### Change Proxy IP / port
+
+- Update `SERVER_IP` / `SERVER_PORT` in `Makefile`
+- Update `"server-ip"` / `"server-port"` in `client-configs.json`
+
+If you run the client from a different machine, allow inbound access to `SERVER_PORT` in the Parent VM security group / firewall rules.
+
+### Client configuration (`client-configs.json`)
+
+- `"PCRs"`: Expected PCR values. Copy from `make build-enclave` output PCR[0-2].
+- `"print-attestation-json"`: Print the attestation document payload as JSON if `true`

client-configs.json

@@ -0,0 +1,11 @@
+
+{
+	"server-ip": "127.0.0.1",
+	"server-port": 8080,
+	"PCRs": {
+		"0": "ae091d48b468539560a6cb7649fbc70ef5866d20ac82898f7b77eb359c2c23e4ccf2107d9d4d10a198ee7fc1d5541ef3",
+		"1": "0343b056cd8485ca7890ddd833476d78460aed2aa161548e4e26bedf321726696257d623e8805f3f605946b3d8b0c6aa",
+		"2": "7c2b87a4ca3c0cb43d39434b6717806fecd302be3fa742c1a30835ede59799c8cce2eb93e16c7d7dfb8e25fa22c730f5"
+	},
+	"print-attestation-json": true
+}

client/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "rafwne-client"
+version = "0.1.0"
+edition = "2024"
+rust-version = "1.90.0"
+
+[dependencies]
+anyhow = "1.0.100"
+aws-nitro-enclaves-cose = "0.5.2"
+aws-lc-rs = "1.15.4"
+base64 = "0.22.1"
+hex = "0.4.3"
+openssl = "0.10.75"
+p256 = { version = "0.13.2", features = ["ecdh"] }
+serde = { version = "1.0.228", features = ["derive"] }
+serde_bytes = "0.11.19"
+serde_json = "1.0.149"
+serde_cbor = "0.11.2"
+ureq = "3.1.4"
+x509-parser = "0.18.0"
+p384 = { version = "0.13.1", features = ["ecdsa", "sha384"] }