Deploy on premise
The docker images used here are prebuilt ones from our dockerhub, you can take a look at the build the server from source section
This section explains how to work with the simulation mode. This simulates Intel SGX in software and enables you to run this on any hardware you want.
Launch the server using the simulation docker image:
Please keep in mind that this image is not secure, since it simulates Intel SGX in software. It is lighter than hardware mode, and should not be used in production.
If you are using Azure DCsV2 VMs, you can ignore all of this. The drivers and the PCCS server are built-in the VMs.
You will need to have an Intel SGX-ready device, with
SGX+FLC (Flexible Launch Control) support. Read this Intel documentation page to see if your Intel processor supports it.
Please make sure to have the
SGX+FLC drivers (preferably with version 1.41) installed on your system before running the docker image.
If you can find the drivers named "enclave" and "provision" (or sgx_enclave and sgx_provision) in /dev/, you are good to go!
If on the other hand, you can find a driver named "isgx", that means your system is not supported. This driver is for the first generation of SGX, which lacks the security features we rely on. You can still boot the server in hardware mode and benefit from the isolation offered by SGX enclaves, but you will need to use the client in simulation mode.
In case you don't have any drivers installed, you can install the drivers with this:
The binary file contains the drivers signed by Intel and will proceed to the installation transparently.
There is no need to do anything, the drivers are already installed.
Running the server
Please make sure you have Docker installed on your machine.
A Quote Provisioning Certificate Caching Service (PCCS) is built-in inside the Docker Image in order to generate the DCAP attestation from the enclave. You need to provide an API Key in order for the PCCS server to function. You can get one from Intel here.
PCCS_API_KEY needs to be replaced with the PCCS API Key.
If you built this image locally you can allow debug by running with -e POLICY_ALLOW_DEBUG=true. Building from sources is documented here
You should only allow debug if your policy.toml allows debug.
Extract Policy and default TLS Certificate from the Hardware docker image
You can extract the policy directly from the prebuilt Docker Image using:
You can also extract the default TLS certificate like this:
Connect to the hardware mode server
You can start from the python code of the quick-start section. You should then replace the instances of :
Your client will use your TLS certificate and will only be able to connect to an enclave generated with the exact same policy.toml.
If you want to deploy for production you should check out the privacy section. You will learn how to check the authenticity of the policy and how to inject your own TLS certificate.