Build the server from source

Info

If you're building the client because you want to change it, first follow the "setting up your dev environment" guide and then build without Docker.

Using Docker 🐳

Build process

You can build the whole project by using our Docker image. We have set up the Docker image to have a reproducible build no matter the environment. Start the process with the commands for the target you need.

Software (simulation) target:

cd server
make init # create the TLS certificates and pull teaclave
DOCKER_BUILDKIT=1 docker build \
    --target software \
    -t mithrilsecuritysas/blindai-server-sim:latest \
    -f ./docker/build.dockerfile \
    .

Hardware target:

cd server
make init # create the TLS certificates and pull teaclave
DOCKER_BUILDKIT=1 docker build \
    --target hardware \
    -t mithrilsecuritysas/blindai-server:latest \
    -f ./docker/build.dockerfile \
    .

This will create a policy file with allow_debug = false. To change that, use -e POLICY_ALLOW_DEBUG=true when building.

Hardware target for Azure DCs v3:

cd server
make init # create the TLS certificates and pull teaclave
DOCKER_BUILDKIT=1 docker build \
    --target hardware-dcsv3 \
    -t mithrilsecuritysas/blindai-server-dcsv3:latest \
    -f ./docker/build.dockerfile \
    .

This will create a policy file with allow_debug = false. To change that, use -e POLICY_ALLOW_DEBUG=true when building.

Info

If your goal is to obtain a policy.toml file to connect to a remote server, build the image in hardware mode (SGX support isn't needed for compilation). You can then extract it by running:

docker run --rm <image_name> cat /root/policy.toml > policy.toml
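
A check to run on the extracted file before handing it to clients, as an added example that is not part of the BlindAI project. It assumes allow_debug appears as a plain "allow_debug = <bool>" line as described above; the function names are hypothetical. It also catches the empty file the redirect leaves behind when docker run fails.

```shell
#!/bin/sh
# Added example (not BlindAI project code): gate an extracted policy.toml.
# Assumption: allow_debug is a plain `allow_debug = <bool>` line, as the page
# describes; no other policy keys are inspected.

# Print every value assigned to allow_debug, skipping commented-out lines.
policy_allow_debug() {
    sed -n 's/^[[:space:]]*allow_debug[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1"
}

# Exit codes: 0 = allow_debug is false; 1 = allow_debug is true;
# 2 = file missing or empty; 3 = no bare allow_debug value found;
# 4 = key set more than once or not a boolean.
check_policy() {
    if [ ! -s "$1" ]; then
        echo "$1: missing or empty (a failed 'docker run' still creates the redirect target)" >&2
        return 2
    fi
    case $(policy_allow_debug "$1") in
        false) return 0 ;;
        true)  echo "$1: allow_debug is true" >&2; return 1 ;;
        '')    echo "$1: no usable allow_debug setting" >&2; return 3 ;;
        *)     echo "$1: allow_debug is ambiguous" >&2; return 4 ;;
    esac
}

# Run the check over constructed sample policies and print each exit code.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'allow_debug = false  # release\n' > "$dir/release.toml"
    printf '# allow_debug = false\nallow_debug = true\n' > "$dir/debug.toml"
    : > "$dir/empty.toml"
    for f in release debug empty; do
        rc=0; check_policy "$dir/$f.toml" 2>/dev/null || rc=$?
        echo "$f.toml -> $rc"
    done
    rm -rf "$dir"
}

# Usage: sh check_policy.sh policy.toml   (no argument runs the demo)
if [ "$#" -gt 0 ]; then check_policy "$1"; else demo; fi
```

A non-zero exit code can be used to stop a release script before a debug-enabled or empty policy reaches clients.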

Running

You can use these images by following the instructions of either the deploy on premise guide or the cloud deployment guide.

Without Docker

Build process

Make sure to set up a dev environment to easily install the build dependencies.

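Then, first of all, run:

make init

It will pull the right version of teaclave and create the TLS certificate.

Then build for the mode you need.

Software (simulation) mode:

cd server
make SGX_MODE=SW

Hardware mode:

cd server
make

Hardware mode for Azure DCs v3:

cd server
make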

Two files will be generated after the building process:

  • policy.toml: the enclave security policy that defines which enclave is trusted.
  • host_server.pem: TLS certificate for the connection to the untrusted (app) part of the server.

You will need these two files for running the client in non-simulation mode.

More information about them is available on this page.

Running

Software (simulation) mode:

cd bin
./blindai_app

Hardware mode:

Make sure you have the correct hardware and drivers (see hardware-requirements).

You will also need to install the Provisioning Certificate Caching Service (PCCS) using this documentation.

You will need the SGX Default Quote Provider Library as well. This can be installed with this command:

apt update && apt install -y libsgx-dcap-default-qpl-dev

Once everything is ready, you can run BlindAI.

cd bin
./blindai_app

Hardware mode for Azure DCs v3:

Make sure you have the DCs v3 quote provision library:

curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt-add-repository https://packages.microsoft.com/ubuntu/18.04/prod
sudo apt-get update
sudo apt-get install az-dcap-client
sudo ln -s /usr/lib/libdcap_quoteprov.so /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1

Once everything is ready, you can run BlindAI.

cd bin
export BLINDAI_AZURE_DCSV3_PATCH=1
./blindai_app