Version: 1.3

Verifying a deployment

MarbleRun provides a simple HTTP REST API for clients to verify the confidentiality and integrity of the Coordinator and the deployed Marbles.

Requirements

You need to install and configure a quote provider.

Establishing trust in the Coordinator

MarbleRun exposes the /quote endpoint, which returns a quote and a certificate chain consisting of a root and an intermediate CA. The root CA is fixed for the lifetime of your deployment, while the intermediate CA changes when you update the packages specified in your manifest.

The simplest way to verify the quote is via the Edgeless Remote Attestation (era) tool.

To verify the Coordinator, era requires either the Coordinator's UniqueID (MRENCLAVE in SGX terms) or the tuple ProductID, SecurityVersion, SignerID (MRSIGNER). era contacts the Coordinator and receives an SGX quote from it, which contains the actual UniqueID or ProductID/SecurityVersion/SignerID tuple of the running instance. The tool verifies these against the expected values defined in coordinator-era.json and can therefore determine whether an authentic copy of the Coordinator is running or an unknown version has been contacted.

In production, the expected values in coordinator-era.json would be generated when building the Coordinator and distributed to your clients. When you build MarbleRun from source, you can find the file in your build directory. For testing with a pre-built release, there's a Coordinator image at ghcr.io/edgelesssys/marblerun/coordinator. You can pull the corresponding coordinator-era.json file from the release page:

wget https://github.com/edgelesssys/marblerun/releases/latest/download/coordinator-era.json

After installing era, you can verify the quote with the following command:

era -c coordinator-era.json -h $MARBLERUN -output-chain marblerun-chain.pem -output-root marblerun-root.pem -output-intermediate marblerun-intermediate.pem

After successful verification, you'll have marblerun-chain.pem, marblerun-root.pem, and marblerun-intermediate.pem in your directory. If you want to pin against specific versions of your application, using the intermediate CA as a trust anchor is a good choice. Otherwise, you can pin against the root CA, in which case different versions of your application can talk with each other. However, you may not be able to launch them if they don't meet the minimum SecurityVersion specified in your original or updated manifest.
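
The pinning trade-off described above, modelled with Go's crypto/x509 as an added example that is not part of the MarbleRun documentation or code base. It assumes Marble certificates are issued under the intermediate CA; the in-memory certificates and their names (root, intermediate-v1/v2, marble-v1/v2) are constructed stand-ins for marblerun-root.pem and marblerun-intermediate.pem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ca struct{ cert *x509.Certificate; key ed25519.PrivateKey }

// issue creates a constructed, short-lived test certificate; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *ca) *ca {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = &ca{tmpl, key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &ca{cert, key}
}

// trusts reports whether leaf chains to the single pinned anchor when the peer presents via.
func trusts(anchor, leaf, via *ca) bool {
	roots, presented := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.cert)
	presented.AddCert(via.cert)
	_, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: presented})
	return err == nil
}

// scenario models one root CA and the intermediate CA before (v1) and after (v2) a package update.
func scenario() (rootOld, rootNew, pinnedOld, pinnedNew bool) {
	root := issue("root", true, nil)
	v1, v2 := issue("intermediate-v1", true, root), issue("intermediate-v2", true, root)
	m1, m2 := issue("marble-v1", false, v1), issue("marble-v2", false, v2)
	return trusts(root, m1, v1), trusts(root, m2, v2), trusts(v1, m1, v1), trusts(v1, m2, v2)
}

func main() { fmt.Println(scenario()) }
```

A client that pinned the first intermediate CA rejects the Marble issued after the update, while a client that pinned the root CA accepts both.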

Verifying the manifest

Having established trust in the service mesh, you can verify the deployed manifest as a second step. To that end, MarbleRun exposes the /manifest endpoint. Using the CLI, you can get the manifest's signature and compare it against your local version of the manifest, which the operator should have provided to you.

You can verify your local manifest.json against the Coordinator's version with the following command:

marblerun manifest verify manifest.json $MARBLERUN