Skip to content

enclaive/enclaive-docker-wordpress-sgx

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation


Logo

WORDPRESS-SGX: SGX-ready wordpress

packed by enclaive


#intelsgx # confidentialcompute #dont-trust-a-cloud
Contribute · Report Bug · Request Feature

TL;DR

docker-compose up

What is Wordpress?

WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP[4] and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes

Overview of Wordpress

Intel Security Guard Extension (SGX) delivers advanced hardware and RAM security encryption features, so called enclaves, in order to isolate code and data that are specific to each application. When data and application code run in an enclave additional security, privacy and trust guarantees are given, making the container an ideal choice for (untrusted) cloud environments.

Overview of Intel SGX

Application code executing within an Intel SGX enclave:

  • Remains protected even when the BIOS, VMM, OS, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
  • Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
  • At no moment in time data, program code and protocol messages are leaked or de-anonymized
  • Reduces the trusted computing base of its parent application to the smallest possible footprint

Why use WORDPRESS-SGX (instead of "vanilla" Wordpress) images?

Following benefits come for free with WORDPRESS-SGX :

  • "Small step for a dev, giant leap for a zero-trust infrastructure"
  • All business benefits from the migration to a (public) cloud without sacraficing on-premise infrastracture trust
  • Hardened security against kernel-space exploits, malicious and accidental privilege insider attacks, UEFI firmware exploits and other "root" attacks using the corruption of the application to infiltrate your network and system
  • Run on any hosting environment irrespectivably of geo-location and comply with privacy export regulation, such as Schrem-II
  • GDPR/CCPA compliant processing ("data in use") of user data in the cloud as data is anonymized thanks to the enclave

How to deploy NGINX-SGX in a zero-trust cloud?

The following cloud infrastractures are SGX-ready out of the box

Confidential compute is a fast growing space. Cloud providers continiously add confidential compute capabilities to their portfolio. Please contact us if the infrastracture provider of your preferred choice is missing.

Getting started

Platform requirements

Check for Intel Security Guard Extension (SGX) presence by running the following

grep sgx /proc/cpuinfo

Alternatively have a thorough look at Intel's processor list. (We remark that macbooks with CPUs transitioned to Intel are unlikely supported. If you find a configuration, please contact us know.)

Note that in addition to SGX the hardware module must support FSGSBASE. FSGSBASE is an architecture extension that allows applications to directly write to the FS and GS segment registers. This allows fast switching to different threads in user applications, as well as providing an additional address register for application use. If your kernel version is 5.9 or higher, then the FSGSBASE feature is already supported and you can skip this step.

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

Support

Don't forget to give the project a star! Spread the word on social media! Thanks again!

License

Distributed under the Apache License 2.0 License. See LICENSE for more information.

Contact

enclaive.io - @enclaive_io - contact@enclaive.io - https://enclaive.io

Acknowledgments

This project greatly celebrates all contributions from the gramine team. Special shout out to Dmitrii Kuvaiskii from Intel for his support.

Trademarks

This software listing is packaged by enclaive.io. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.