The repository contains building blocks for signer services that fit a specific architectural pattern: an enclave with no persistent storage and a bidirectional serial link to the host machine for RPC calls. All sensitive information is encrypted before it is sent back to the host for storage. At the moment the only supported platform is AWS Nitro Enclaves, a fortified container with no persistent storage and no connection to the outside world other than a bidirectional, hypervisor-local VSock link to its parent instance.
For prerequisites, refer to the kmstool setup procedure.
From the root of this repo, run:
```
docker build -f docker/nitro_signer.Dockerfile -t nitro-signer --build-arg RELEASE=1 .
```
Build args:
Name | Default | Description |
---|---|---|
PROXY_PORT | 8000 | VSock proxy listening port |
PROXY_CID | 3 | Context ID of the instance running the VSock proxy. 3 is the parent instance |
LISTEN_PORT | 2000 | Signer listening port |
RELEASE | (empty) | Set to a non-empty value to build an optimized production version |
This builds a minimalistic image based on Docker's `scratch` base image to fit into Nitro's strict memory requirements. The image contains almost nothing but the binary itself and a few runtime libraries.
Next, build the EIF (Enclave Image Format), which is the bootable enclave image format:
```
nitro-cli build-enclave --docker-uri nitro-signer --output-file nitro-signer.eif
```
To run the enclave and see its output:
```
nitro-cli run-enclave --eif-path nitro-signer.eif --memory 1024 --cpu-count 2 --debug-mode
ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r .[0].EnclaveID)
# Connect to the enclave's terminal
nitro-cli console --enclave-id $ENCLAVE_ID
```
To make calls to KMS, the enclave needs a VSock proxy service running on the parent instance. One option is the vsock-proxy utility supplied with nitro-cli. To use it, run the following in a separate terminal window:
```
CMK_REGION=us-west-2 # the region where you created your AWS KMS CMK
vsock-proxy 8000 kms.$CMK_REGION.amazonaws.com 443
```
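The host-side glue for the steps above, as an added example that is not part of this repository: it picks the running signer enclave out of `nitro-cli describe-enclaves` output, derives the VSock address (enclave CID, LISTEN_PORT) a host client would dial, builds the vsock-proxy command line for the KMS endpoint, and refuses a `--debug-mode` enclave by default, since a debug enclave attests with all-zero PCRs and will not satisfy a KMS key policy pinned to the image's measurements. The JSON sample and the enclave name `nitro-signer` are constructed assumptions.

```python
import json
import socket

# Constructed sample of `nitro-cli describe-enclaves` output (not captured from a real host).
SAMPLE_DESCRIBE = json.dumps([{
    "EnclaveName": "nitro-signer",
    "EnclaveID": "i-0123456789abcdef0-enc0123456789abcdef",
    "ProcessID": 4242,
    "EnclaveCID": 16,
    "NumberOfCPUs": 2,
    "MemoryMiB": 1024,
    "State": "RUNNING",
    "Flags": "DEBUG_MODE",
}])

SIGNER_PORT = 2000   # LISTEN_PORT build arg default
PROXY_PORT = 8000    # PROXY_PORT build arg default


def select_enclave(describe_output: str, name: str = "nitro-signer") -> dict:
    """Pick the running signer enclave from describe-enclaves JSON.
    Returns its ID, the VSock CID the host must dial, and the debug flag."""
    for enc in json.loads(describe_output):
        if enc.get("EnclaveName") == name and enc.get("State") == "RUNNING":
            return {
                "id": enc["EnclaveID"],
                "cid": int(enc["EnclaveCID"]),
                "debug": "DEBUG_MODE" in str(enc.get("Flags", "")),
            }
    raise LookupError(f"no running enclave named {name!r}")


def kms_proxy_argv(region: str, port: int = PROXY_PORT) -> list:
    """Command line for the parent-instance vsock-proxy fronting KMS."""
    return ["vsock-proxy", str(port), f"kms.{region}.amazonaws.com", "443"]


def signer_address(describe_output: str, allow_debug: bool = False) -> tuple:
    """(CID, port) for an AF_VSOCK connection to the signer; rejects debug
    enclaves unless explicitly allowed (their attestation PCRs are all zero)."""
    enc = select_enclave(describe_output)
    if enc["debug"] and not allow_debug:
        raise RuntimeError(f"enclave {enc['id']} is running in debug mode")
    return enc["cid"], SIGNER_PORT


def connect_signer(describe_output: str) -> socket.socket:
    """Open the host->enclave VSock stream (Linux only; not exercised offline)."""
    cid, port = signer_address(describe_output)
    sock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    sock.connect((cid, port))
    return sock
```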
The vsock-proxy can also be run as a system service, or alternatively one can rely on the Signatory Nitro backend's built-in proxy.
Additionally, the Signatory Nitro backend supplies the rpctool utility, which is useful for making RPC requests to the signer for debugging purposes and also provides the proxy functionality.
See the document