# Enarx

*WebAssembly + Confidential Computing*

https://enarx.dev/

Links: [[Organizations/Open-source/Red Hat]], [[Confidential Computing]], [[TEE]]

- [Introduction](https://enarx.dev/docs/Start/Introduction) (10 minute read time)
- [Docs](https://enarx.dev/docs/Start/Introduction): *Learn more about Enarx. Documentation includes: Getting Started, Installation Guide, Contributing Guide, and Technical Overview.*
- [Resources](https://enarx.dev/resources): *Find a list of useful resources: from articles, blog posts, podcasts, to videos. Everything Enarx related gathered in one place.*
- [Main repo](https://github.com/enarx/enarx): *The source code of Enarx is available at GitHub. You'll also be able to track issues, bugs, pull requests, and release notes.*
- [Meetings](https://enarx.dev/meetings): *You are welcome to join the Enarx Daily meetings. These meetings are open to the public. If you are a newcomer, feel free to join and introduce yourself.*
- [Events](https://enarx.dev/events): *The Enarx team is present at the top conferences worldwide, including Linux Security Summit, Open Source Summit, DevConf, and RSA Conference.*
- [Chat](https://chat.enarx.dev/): *Join the chat at chat.enarx.dev and come say hi, read the conversations, and ask questions. We are happy to answer any questions you might have.*

## [Docs](https://enarx.dev/docs/Start/Introduction)

- [WebAssembly with Rust](https://enarx.dev/docs/WebAssembly/Rust)
- [TCP Echo Server](https://enarx.dev/docs/Networking/TCP-Server)

## [Website](https://enarx.dev/)

### 100% Open Source

Enarx is the leading open source framework for running applications in TEEs (Trusted Execution Environments). It's part of the Confidential Computing Consortium from the Linux Foundation.

### Easy Deployment

Enarx provides a run-time TEE based on [[WebAssembly]], allowing developers to deploy applications without any rewrites from languages like Rust, C/C++, C#, Go, Java, Python, Haskell and many more.

### Cloud Native, Hardware Neutral

Enarx is CPU-architecture independent, letting developers deploy the same application code transparently across multiple targets. It provides a single run-time and attestation framework which is hardware vendor and CSP neutral.

## [Trust No One, Run Everywhere–Introducing Enarx](https://next.redhat.com/2019/08/16/trust-no-one-run-everywhere-introducing-enarx/)

### Enarx: Simplifying Trust Relationships

Enarx is a framework for running applications in TEE instances–which we refer to as “Keeps” within the project–without the need to implement attestation separately, without the need to trust lots of dependencies and without the need to rewrite your application. It is designed to work across silicon architectures transparently to the user (you) so that your application can run on AMD silicon just as easily as it can run on Intel silicon, without having to recompile your code. As other TEE types become available, we plan to support them as well. Given that this is a Red Hat project, it is–and will continue to be–open source software. Given that this is a security-related project, we aim to make it as small and easily auditable as possible.

The key components of Enarx are:

- The attestation component;
- The Enarx API and core;
- The Enarx runtime environment;
- The management component.

We will examine these in detail in a more technical article, but let’s look at what Enarx is trying to achieve. If we consider one of the stacks we looked at above, here’s what Enarx aims to do: wipe out the need to trust any of the layers above the CPU/Firmware (provided by the silicon vendor, e.g. Intel or AMD), meaning that the next layer below your application that you need to trust during execution is the middleware layer (see picture below). To be clear–TEEs are, like any other security capability–not guaranteed to be perfect. You can use them to reduce your attack surface and the number of layers that need to be trusted.

Enarx has a component which sits at the middleware layer, too–the Enarx runtime environment–and we plan to make this small so that it is easily auditable. The fact that it is open source means that anybody can look over it and decide whether to trust it. We aim to work with the open source community to encourage them to perform audits to allow those who are not in a position to perform the analysis themselves to have a high level of trust in the Enarx code.

![[Pasted image 20220215013446.png]]

The other pieces allow for attestation, packaging and loading of your application to take place in a way which is transparent to the user. First, you ask an Enarx component to check that the host to which you’re planning to deploy is starting a genuine TEE instance. Once this is confirmed and the TEE verified, the management component encrypts the relevant part of your application, along with any required data, and sends it along to the host for execution in the Enarx Keep.

The vision we have for Enarx goes beyond just on-premises and the public cloud, and out to any systems which are TEE-enabled. We would love to enable telco-type edge use cases, mobile use cases, IoT use cases and beyond. It’s early days at the moment, but if you’re interested, we urge you to visit the [project website](https://enarx.github.io/) to find out more and, hopefully, to contribute.

Enarx aims to make it simple to deploy workloads to a variety of different TEEs in the cloud, on your premises or elsewhere, and to allow you to have confidence that your application workload is as secure as possible. We will be publishing more details as the project develops.

## [Docs](https://enarx.dev/docs/Start/Introduction)

### Requirements

Enarx requires specific hardware to run, namely a CPU with a supported Trusted Execution Environment. Currently, Enarx has support for [[SGX|Intel SGX]] and AMD [[AMD SEV|SEV-SNP]].

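The deployment flow from the Red Hat article above (confirm that the host is starting a genuine TEE, and only then send the workload) can be modelled as a gate on a verified attestation report. This is an added example, not Enarx code or its attestation protocol: the HMAC key stands in for the silicon vendor's signing key, every name and value is constructed, and encryption of the workload is left out.

```python
import hashlib
import hmac
import os

# Constructed stand-ins. A real TEE signs its report with a vendor-rooted
# asymmetric key; HMAC with a shared key models that signature here.
VENDOR_KEY = b"constructed-vendor-root-key"
KEEP_RUNTIME = b"constructed keep runtime image"
TRUSTED_MEASUREMENTS = {hashlib.sha256(KEEP_RUNTIME).hexdigest()}


def host_make_report(runtime_image: bytes, nonce: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Host side: measure what was loaded and bind it to the client's nonce."""
    measurement = hashlib.sha256(runtime_image).hexdigest()
    sig = hmac.new(key, measurement.encode() + nonce, hashlib.sha256).hexdigest()
    return {"measurement": measurement, "nonce": nonce, "sig": sig}


def verify_report(report: dict, expected_nonce: bytes) -> str:
    """Client side: return 'ok' or the reason the report is rejected."""
    signed = report["measurement"].encode() + report["nonce"]
    expected_sig = hmac.new(VENDOR_KEY, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["sig"]):
        return "bad-signature"        # not produced by genuine hardware
    if not hmac.compare_digest(report["nonce"], expected_nonce):
        return "stale-nonce"          # replay of an older, valid report
    if report["measurement"] not in TRUSTED_MEASUREMENTS:
        return "unknown-measurement"  # genuine TEE, but unexpected runtime
    return "ok"


def deploy(workload: bytes, report: dict, nonce: bytes):
    """Release the workload only after the report verifies."""
    verdict = verify_report(report, nonce)
    return (verdict, workload if verdict == "ok" else None)


if __name__ == "__main__":
    nonce = os.urandom(16)  # fresh per deployment attempt
    for image in (KEEP_RUNTIME, b"tampered runtime"):
        print(deploy(b"app.wasm bytes", host_make_report(image, nonce), nonce)[0])
```
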
### Running Enarx

> Build and run a [[WebAssembly]] module

Install the WebAssembly Rust toolchain:

```
$ rustup target install wasm32-wasi
```

Create a simple Rust program. First make sure you're not in the repository you already created:

```
$ cd ~/
$ cargo init --bin hello-world
$ cd hello-world
$ echo 'fn main() { println!("Hello, Enarx!"); }' > src/main.rs
$ cargo build --release --target=wasm32-wasi
```

Assuming you did install the `enarx` binary and have it in your `$PATH`, you can now run the WebAssembly program in an Enarx keep.

```
$ enarx run target/wasm32-wasi/release/hello-world.wasm
[…]
Hello, Enarx!
```

If you want to suppress the debug output, add `2>/dev/null`.