Internal Architecture
An overview of the internal service management.
At the core of Oblivious-based enclaves is a service manager that launches the internal services and keeps them running (supervising them and restarting them if they exit). On this page we look at the specifics of that service manager and of the internal support services it runs.
Service Manager - s6
The service manager deployed inside Oblivious-based enclaves is s6, which runs as the entry point (PID 1) of the Nitro enclave. The s6 supervisor can run either as the init process or as an ordinary process under some other supervisor; in the enclave it runs as init.
Using s6 is straightforward for anyone familiar with Linux-based images, and most of the setup is handled for you automatically; you only need to understand s6 well enough to define the service that runs your application. More details are on the Service Manager page.
Internal Services
The service manager's primary purpose is to launch the supporting services within the enclave. These services bridge the functional differences between developing software for a regular Docker container and for a Nitro enclave.
Entropy Bridge
The entropy bridge periodically refills the kernel's random pool (/dev/random) with random bytes obtained from the underlying Nitro Secure Module (NSM). A freshly booted enclave has very little hardware entropy of its own, so without this bridge reads from /dev/random (and getrandom() calls made before the pool is initialised) can block, and any library that depends on /dev/random or /dev/urandom (cryptography and numerical packages in particular) can stall or crash; you would otherwise have to top up the pool by hand before each such use. One caveat worth knowing: simply writing bytes to /dev/random mixes them into the pool but does not raise the kernel's entropy estimate; crediting entropy requires the RNDADDENTROPY ioctl, which needs CAP_SYS_ADMIN.
IP Reconfiguration
This service runs once at boot and adjusts the enclave's loopback interface and routing rules so that localhost callbacks work. A Nitro enclave has no network interface other than loopback, and loopback is not configured when the enclave starts, so without this step a process inside the enclave cannot reach 127.0.0.1 (for example, a sidecar calling the application on the same host).
VSock Proxy
The vsock proxy hides the virtual socket (vsock) transport from the user: inside the enclave it accepts HTTP/1.x and HTTP/2 traffic on ordinary TCP ports and carries it over vsock, and a matching proxy on the parent instance does the reverse, so HTTP remains the application's only channel of communication. This is especially useful if you want to run a REST or gRPC server inside the enclave, because a Nitro enclave has no external network interface; vsock to the parent instance is its only I/O path.
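As an added example (not the project's own proxy), here is a minimal transport-level forwarder of the kind described above: it accepts connections on one listener and bridges each to a fresh upstream socket in both directions, propagating half-closes so HTTP request/response framing survives. The `vsock_listener` and `vsock_connector` factories are the enclave-side endpoints; `PARENT_CID = 3` follows the AWS Nitro Enclaves documentation. The `loopback_selftest` function is a constructed check that wires client, proxy and an echo server together over TCP loopback so the logic can be exercised on a host without vsock.

```python
import socket
import threading

BUFSIZE = 65536
PARENT_CID = 3  # per AWS docs, the parent instance is always CID 3 from inside the enclave


def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    copied = 0
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
            copied += len(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    return copied


def bridge(a: socket.socket, b: socket.socket) -> None:
    """Forward both directions concurrently; close both ends when both are done."""
    t = threading.Thread(target=pump, args=(b, a), daemon=True)
    t.start()
    pump(a, b)
    t.join()
    a.close()
    b.close()


def serve(listener: socket.socket, connect_upstream, max_conns=None) -> int:
    """Accept on `listener`; bridge each client to a new upstream socket."""
    served = 0
    while max_conns is None or served < max_conns:
        client, _ = listener.accept()
        try:
            upstream = connect_upstream()
        except OSError:
            client.close()  # upstream unreachable: drop this client, keep serving
            continue
        threading.Thread(target=bridge, args=(client, upstream), daemon=True).start()
        served += 1
    return served


def tcp_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen()
    return s


def tcp_connector(host: str, port: int):
    return lambda: socket.create_connection((host, port))


def vsock_listener(port: int) -> socket.socket:
    """Enclave side, inbound: accept vsock connections from the parent on `port`."""
    s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)  # Linux, Python >= 3.7
    s.bind((socket.VMADDR_CID_ANY, port))
    s.listen()
    return s


def vsock_connector(cid: int, port: int):
    """Enclave side, outbound: connect to (cid, port), normally (PARENT_CID, port)."""
    def connect():
        s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
        s.connect((cid, port))
        return s
    return connect


def loopback_selftest(payload: bytes = b"GET / HTTP/1.1\r\nHost: enclave\r\n\r\n") -> bytes:
    """Constructed check: client -> proxy -> echo server, all over TCP loopback."""
    echo = tcp_listener()

    def echo_once():
        conn, _ = echo.accept()
        with conn:
            while True:
                data = conn.recv(BUFSIZE)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=echo_once, daemon=True).start()
    proxy = tcp_listener()
    threading.Thread(target=serve, args=(proxy, tcp_connector(*echo.getsockname()), 1),
                     daemon=True).start()
    client = socket.create_connection(proxy.getsockname())
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)  # EOF travels client -> proxy -> echo and back
    out = b""
    while True:
        chunk = client.recv(BUFSIZE)
        if not chunk:
            break
        out += chunk
    client.close()
    return out


if __name__ == "__main__":
    print(loopback_selftest())
```

Inside the enclave the inbound direction would be `serve(vsock_listener(8000), tcp_connector("127.0.0.1", 8000))` and the outbound direction `serve(tcp_listener("127.0.0.1", 8443), vsock_connector(PARENT_CID, 8443))`, with the parent instance running the mirror image. Because the forwarder is byte-oriented it is agnostic to HTTP/1.x versus HTTP/2, but it also means any authentication must happen at a higher layer, which is the job of the access control manager described below.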
Access Control Manager
This service is an authentication and authorization proxy that restricts which external traffic reaches the sensitive application. For details, refer to the Authentication page.