Architecture


The CLI consists of two components:

  • The command-line tool the client uses to establish a connection and verify the enclave.
  • The internal reverse proxy service that listens to client requests.

The design of the CLI - enclave communication is as shown below:

Figure 1: CLI - Enclave Communication Overview

The sequence of steps is as follows:

  • The CLI sends a client hello message to the enclave containing its public key and a digital signature.
  • The enclave's response carries the attestation document.
  • The CLI verifies the PCR codes and the digital certificate in the attestation document.
  • Once verified, it starts the client proxy, which listens for client application requests on localhost:port.
  • When a request arrives from a client application, the payload is encrypted with the symmetric key, adding a further layer of protection during communication.
  • The public key is also sent in the auth header for authentication.
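As an added example (not the Oblivious CLI's own code), the following Python models the gate between the verification step and the proxy start-up: the local proxy may start only if every expected PCR matches and the attestation certificate is within its validity window. The document field names, PCR layout and expected values are constructed assumptions for this illustration.

```python
"""Illustrative model of the CLI's pre-proxy attestation gate (added example,
not the Oblivious CLI's own code). Field names, PCR layout and expected values
are constructed assumptions."""
import hmac
from datetime import datetime, timezone

# Constructed: measurements the operator expects for the enclave image.
# Real PCRs are long hex digests; these are shortened placeholders.
EXPECTED_PCRS = {
    "PCR0": "a1" * 24,  # enclave image
    "PCR1": "b2" * 24,  # kernel and bootstrap
    "PCR2": "c3" * 24,  # application
}

def pcrs_match(doc_pcrs: dict, expected: dict) -> bool:
    """Every expected PCR must be present and identical (constant-time compare).
    Extra PCRs in the document are ignored; a missing expected one fails."""
    if not all(idx in doc_pcrs for idx in expected):
        return False
    ok = True
    for idx, want in expected.items():
        # No early exit: timing does not reveal which PCR differs.
        ok &= hmac.compare_digest(str(doc_pcrs[idx]), want)
    return ok

def certificate_valid(cert: dict, now: datetime) -> bool:
    """Validity-window check on the attestation certificate (assumed fields)."""
    try:
        not_before = datetime.fromisoformat(cert["not_before"])
        not_after = datetime.fromisoformat(cert["not_after"])
    except (KeyError, ValueError, TypeError):
        return False
    return not_before <= now <= not_after

def may_start_proxy(attestation_doc: dict, expected=EXPECTED_PCRS,
                    now_iso: str = None) -> bool:
    """Fail closed: the client proxy starts only if both checks pass."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (pcrs_match(attestation_doc.get("pcrs", {}), expected)
            and certificate_valid(attestation_doc.get("certificate", {}), now))

# Constructed sample attestation response from the enclave.
SAMPLE_DOC = {
    "pcrs": dict(EXPECTED_PCRS),
    "certificate": {"not_before": "2024-01-01T00:00:00+00:00",
                    "not_after": "2030-01-01T00:00:00+00:00"},
}
```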