I am trying out the Occlum Python demo and was able to get it running on an AKS cluster with Standard_DC4s_v3 node pool. I am trying to understand the attestation protocol and need some guidance on the architecture around using Microsoft Azure Attestation (MAA) with secure key release and code integrity checks.
Here's a use case I am trying to implement:
- Customer X has an encrypted dataset that can only be decrypted in an attested TEE
- Python code that needs to run in a TEE and reads X's dataset
- The key to decrypt customer X's dataset can only be released if the TEE can attest it is running in an enclave and the code integrity (hash) matches what X expects
I am able to run Python code in a TEE, but I couldn't understand the complete flow of how the app can generate a quote, get it attested by MAA, obtain a JWT token (only if the code integrity in the quote matches the one in the policy), and then use this token to let X release the key for decryption.
I would appreciate any pointers or working examples for the above use case.
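The last step of the flow asked about above, the key-release gate that hands out the dataset key only when an attestation token carries the approved enclave measurement, as an added example that is not part of the original discussion or the Occlum project. It assumes MAA's SGX claim names (`x-ms-attestation-type`, `x-ms-sgx-mrenclave`, `x-ms-sgx-is-debuggable`) and stands in HS256 with a shared key for MAA's real RS256 signing so it runs offline; `DATASET_KEY` and the minted tokens are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the key that encrypts customer X's dataset.
DATASET_KEY = b"constructed-dataset-key-0123456789abcdef"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_token(token: str, verify_key: bytes) -> dict:
    """Split a compact JWT, check signature and expiry, return its claims.
    HS256 with a shared key is used so this runs offline; a real MAA token is
    RS256-signed and must be verified against the MAA instance's JWKS."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(verify_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def release_key(token: str, verify_key: bytes, expected_mrenclave: str) -> bytes:
    """Key-release gate: hand out DATASET_KEY only if the attestation token says
    the caller is a non-debug SGX enclave whose MRENCLAVE equals the measurement
    customer X approved. Claim names follow MAA's SGX token format (assumed here)."""
    c = verify_token(token, verify_key)
    if c.get("x-ms-attestation-type") != "sgx":
        raise PermissionError("not an SGX attestation")
    if c.get("x-ms-sgx-is-debuggable", True):
        raise PermissionError("debug enclave")
    if not hmac.compare_digest(c.get("x-ms-sgx-mrenclave", ""), expected_mrenclave):
        raise PermissionError("enclave measurement does not match policy")
    return DATASET_KEY

def make_token(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 token standing in for what MAA would issue."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

In production the enclave would send its MAA-issued token to X's key service, which performs this check and returns the key over the attested channel.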