Automating Deployments of Trusted Execution Environments

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Hardware-based TEEs (Trusted Execution Environments) are gaining adoption and becoming more prevalent in today's computing landscape. In a cloud-native world, where everything runs on ephemeral compute, the luxury of having experts set up a computation environment before a workload runs is no longer available. A hardware TEE-enabled workload requires the underlying operating system to support the TEE; research shows that these requirements are under-documented, sometimes contradictory, not spelled out and, because of the complex set of independent software components supporting TEEs, hard to identify and minimise. Minimising the amount of installed software on security-critical systems is desirable, and hardware TEEs are generally used in security-critical applications. Through automation, specifically configuration management, this hurdle can be overcome. This thesis presents two proposed automation solutions, based on configuration management techniques and implemented with the automation framework Ansible, that can be used to meet the software dependency requirements and configuration of two distinct, widely used hardware TEE technologies, Intel SGX and AMD SEV (SEV-SNP). The proposed automation solutions are tested and benchmarked against existing work and against two participants performing the same software dependency installation and configuration tasks manually. The participants also trial the proposed automation solutions and report on the user experience and on the issues they encountered during the manual installation. Overall, the proposed automation solutions improve runtime by an order of magnitude and halve the number of dependencies required compared with existing work and manual problem solving, while taking advantage of declarative configuration management.
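The abstract's point that a TEE workload depends on the host kernel exposing the TEE is something a practitioner wants to verify before (or after) any dependency installation, automated or not. The following pre-flight check is an added example written for this page; it is not code from the thesis or from its Ansible playbooks. It relies only on facts about mainline Linux: the x86 CPU feature names the kernel prints in /proc/cpuinfo (sgx, sgx_lc, sev, sev_es, sev_snp), the character devices /dev/sgx_enclave and /dev/sgx_provision created by the in-kernel SGX driver (Linux 5.11 and later), /dev/sev created by the host-side SEV driver, and /dev/sev-guest created by the SEV-SNP guest driver. The cpuinfo excerpts embedded at the end are constructed samples, not captures from real machines, so the helpers can be exercised on any host.

```shell
#!/bin/sh
# Added example (not from the thesis): report whether this Linux host exposes
# the hardware TEE features an SGX or SEV-SNP workload depends on.
#
# Assumptions, stated up front: flag names are the kernel's x86 cpufeature
# names as printed in /proc/cpuinfo; device paths are those created by the
# upstream SGX driver (sgx_enclave, sgx_provision), the host SEV driver (sev)
# and the SEV-SNP guest driver (sev-guest).

# has_cpu_flag CPUINFO_TEXT FLAG
# Return 0 if FLAG appears as a whole word on a "flags" line of CPUINFO_TEXT.
# The text is passed as an argument rather than read from /proc/cpuinfo so the
# function can also be run against a saved copy from another machine.
# grep -x forces a whole-token match, so "sgx" does not match "sgx_lc".
has_cpu_flag() {
    printf '%s\n' "$1" | grep '^flags' | tr ' ' '\n' | grep -qx "$2"
}

# tee_device_present PATH
# Return 0 if PATH exists and is a character device, i.e. the driver is loaded
# and the node was created, rather than a regular file someone touched.
tee_device_present() {
    [ -c "$1" ]
}

# sgx_ready CPUINFO_TEXT [ENCLAVE_DEV]
# SGX needs both the CPU flag and the enclave device node. The device path is
# a parameter only so the check can be exercised on a host without SGX.
sgx_ready() {
    has_cpu_flag "$1" sgx && tee_device_present "${2:-/dev/sgx_enclave}"
}

# snp_guest_ready CPUINFO_TEXT [GUEST_DEV]
# Inside an SEV-SNP confidential VM: the sev_snp flag plus the guest device
# through which attestation reports are requested.
snp_guest_ready() {
    has_cpu_flag "$1" sev_snp && tee_device_present "${2:-/dev/sev-guest}"
}

# report CPUINFO_TEXT
# Print one line per feature and device; meant for interactive use on a host.
report() {
    for flag in sgx sgx_lc sev sev_es sev_snp; do
        if has_cpu_flag "$1" "$flag"; then
            echo "cpu flag $flag: yes"
        else
            echo "cpu flag $flag: no"
        fi
    done
    for dev in /dev/sgx_enclave /dev/sgx_provision /dev/sev /dev/sev-guest; do
        if tee_device_present "$dev"; then
            echo "device $dev: present"
        else
            echo "device $dev: missing"
        fi
    done
}

# Constructed sample cpuinfo excerpts (not captured from real machines) so the
# helpers can be tried anywhere, e.g.: sgx_ready "$SAMPLE_SGX" /dev/null
SAMPLE_SGX='processor       : 0
flags           : fpu vme sse2 sgx sgx_lc
bugs            :'
SAMPLE_SNP='processor       : 0
flags           : fpu vme sse2 sev sev_es sev_snp
bugs            :'

# On a Linux host, report against the live cpuinfo.
if [ -r /proc/cpuinfo ]; then
    report "$(cat /proc/cpuinfo)"
fi
```

Two caveats when reading the report on cloud instances. A present CPU flag means the hypervisor exposes the feature to this guest, not that the whole stack is usable: for SGX the enclave device must also be accessible to the workload's user (group ownership of /dev/sgx_enclave is a common stumbling block), and the sev_snp flag inside a guest says nothing about whether the host's firmware and kernel will actually issue a valid attestation report; only a successful report request over /dev/sev-guest shows that.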