Create an Intel® SGX-enabled cloud server
Intel® SGX (Software Guard Extensions) is a technology that provides a set of CPU instructions to enhance the security of application code and data with additional protection against leakage or modification.
With Intel® SGX, an application can create enclaves in RAM — the information in them cannot be read by other applications (untrusted components) running on the same server, including system applications, kernel modules, and the hypervisor.
To use Intel® SGX, you can create a cloud server with the fixed line configuration SGX Line. To check the availability of the line in the regions, see the availability matrix Cloud servers.
Create an Intel® SGX-enabled cloud server
Follow the instructions in Create a cloud server.
Select:
- source — the ready-made Ubuntu 22.04 LTS image. The image contains the drivers necessary to work with SGX. If you choose another source, you will need to install the drivers yourself;
- fixed line configuration SGX Line.
To support Intel® SGX and work with enclaves, prepare the cloud server for operation after creation: install the driver and prepare the application to work with SGX.
Install driver
If you chose an Ubuntu 22.04 or Windows 2019 image as the source when creating the server, you do not need to install drivers for SGX to work.
One of the three drivers must be installed to support Intel® SGX and work with enclaves:
- In-kernel Driver — suitable for Linux only, included in Linux kernel versions 5.11 and above;
- DCAP Driver — suitable for Windows and for Linux kernel versions without in-kernel driver;
- Out-of-tree Driver is an alternative option. Instead of this type of driver, we recommend using the In-kernel Driver; to do so, you can switch to the HWE kernel. Example command for Ubuntu 20.04:
apt-get install --install-recommends linux-generic-hwe-20.04
Driver packages for various operating systems can be viewed at Intel® repositories.
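The three driver options above can be told apart on a running Linux server by its kernel version and device nodes. The shell functions below are an added example, not part of the original instructions; the device paths (/dev/sgx_enclave, /dev/sgx/enclave, /dev/isgx) and the root-directory parameter are assumptions of the example, and the classification is a heuristic.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: the device paths
# below are the nodes the Linux SGX drivers create; the root argument is a
# hypothetical parameter so the checks can run on a constructed directory tree.

# True when kernel release $1 (e.g. 5.15.0-91-generic) is 5.11 or newer.
kernel_has_inkernel_sgx() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 11 ]; }
}

# Prints in-kernel, dcap, out-of-tree or none for tree $1 and kernel release $2.
sgx_driver() {
    root=$1 kver=$2
    if [ -e "$root/dev/sgx_enclave" ] || [ -e "$root/dev/sgx/enclave" ]; then
        # Same device interface; before 5.11 the kernel has no built-in driver.
        if kernel_has_inkernel_sgx "$kver"; then echo in-kernel; else echo dcap; fi
    elif [ -e "$root/dev/isgx" ]; then
        echo out-of-tree
    else
        echo none
    fi
}

# True when the flags line in $1/proc/cpuinfo lists "sgx" as a whole word.
cpu_has_sgx() {
    grep '^flags' "$1/proc/cpuinfo" 2>/dev/null | grep -qw sgx
}

# Prints the next step for tree $1 and kernel release $2.
sgx_next_step() {
    case $(sgx_driver "$1" "$2") in
        in-kernel|dcap) echo "driver ready" ;;
        out-of-tree)    echo "switch to in-kernel driver (HWE kernel)" ;;
        none)
            if kernel_has_inkernel_sgx "$2"; then
                echo "no SGX device node: check the server configuration"
            else
                echo "install DCAP driver or switch to HWE kernel"
            fi ;;
    esac
}

# On a live server: sgx_next_step "" "$(uname -r)"
```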
Prepare an application to work with SGX
To work with enclaves and Intel® SGX, you can use:
- LibOS (library operating system) — lets you run an existing application with Intel® SGX without changing the code base, with only minor modifications;
- or SDK — to develop a new application. SDK packages are built for different operating systems, so you only need to install them.
LibOS
Open source and commercial versions of LibOS are available to support Intel® SGX.
Open Source:
Commercial:
SDK
All SDKs contain APIs, libraries, source code samples, tools and documentation for a quick start: