Create an Intel® SGX-enabled cloud server
Intel® SGX (Software Guard Extensions) is a technology that provides a set of CPU instructions to enhance the security of application code and data with additional protection against leakage or modification.
With Intel® SGX, an application can create enclaves in RAM — the information in them cannot be read by other applications (untrusted components) running on the same server, including system applications, kernel modules, and the hypervisor.
To check in which regions cloud servers with SGX (the SGX Line of fixed configurations) are available, see the Cloud Servers availability matrix.
To support Intel® SGX and work with enclaves on a cloud server, you need to install the driver and prepare the application.
Create a cloud server that supports Intel® SGX
- In Control Panel, go to Cloud Platform → Servers.
- Click Create Server.
- Select the SGX Line of fixed configurations.
- Select the rest of the cloud server settings — see the Create Cloud Server instructions for details.
- Click Create Server.
- Prepare the cloud server for operation: install the driver and prepare the application.
Install the driver
If you chose an Ubuntu 22.04 or Windows 2019 image as the source when creating the server, you do not need to install drivers for SGX to work.
One of the three drivers must be installed to support Intel® SGX and work with enclaves:
- In-kernel Driver — suitable for Linux only, included in Linux kernel versions 5.11 and above;
- DCAP Driver — suitable for Windows and for Linux kernel versions without the in-kernel driver;
- Out-of-tree Driver — an alternative method. We recommend using the in-kernel driver; to get it on an older release, you can switch to the HWE kernel. Example command for Ubuntu 20.04:
apt-get install --install-recommends linux-generic-hwe-20.04
The Intel® Repository contains driver packages for various operating systems.
Example of DCAP driver installation for Ubuntu 20.04
- Install Dynamic Kernel Module Support:
apt install dkms
- Install linux-headers (kernel headers):
apt install linux-headers-$(uname -r)
- Install the driver:
wget https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.36.2.bin
chmod 755 sgx_linux_x64_driver_1.36.2.bin
./sgx_linux_x64_driver_1.36.2.bin
- Check in the kernel logs that the driver is loaded:
dmesg | grep sgx
Example answer:
[ 2.857457] systemd[1]: Set hostname to <sgx-legacy>.
[ 3.748684] intel_sgx: loading out-of-tree module taints kernel.
[ 3.750444] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
[ 3.756652] intel_sgx: EPC section 0x140000000-0x1bf2fffff
[ 3.850249] intel_sgx: Intel SGX DCAP Driver v1.36.2
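As an added example (not part of the original page), a small POSIX shell script that checks the prerequisites above on a Linux server: the CPU flag, which of the three drivers is present (judged by the device node each driver creates), and whether the kernel is 5.11 or newer. The device paths and the optional root-directory argument (used only to make the check testable) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report Intel SGX readiness of a Linux host.
# Assumed device nodes created by each driver option:
#   /dev/sgx_enclave   in-kernel driver (Linux 5.11 and above)
#   /dev/sgx/enclave   DCAP driver
#   /dev/isgx          legacy out-of-tree (isgx) driver
# The optional first argument is a root prefix (assumption for testing);
# leave it empty to inspect the real /dev.
sgx_driver_kind() {
    root="${1:-}"
    if [ -e "$root/dev/sgx_enclave" ]; then echo in-kernel
    elif [ -e "$root/dev/sgx/enclave" ]; then echo dcap
    elif [ -e "$root/dev/isgx" ]; then echo out-of-tree
    else echo none; fi
}

# Succeeds when a kernel version string such as "5.15.0-76-generic"
# is 5.11 or newer, i.e. new enough to carry the in-kernel SGX driver.
kernel_has_sgx() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    minor="${minor%%-*}"
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 11 ]; }
}

# Print a short readiness report for the running host.
sgx_report() {
    if grep -qw sgx /proc/cpuinfo 2>/dev/null; then
        echo "cpu: sgx flag present"
    else
        echo "cpu: sgx flag absent (check that the server is on the SGX Line)"
    fi
    echo "driver: $(sgx_driver_kind)"
    k=$(uname -r)
    if kernel_has_sgx "$k"; then
        echo "kernel $k: in-kernel driver available"
    else
        echo "kernel $k: older than 5.11, install the DCAP driver or switch to the HWE kernel"
    fi
}
```

Run `sgx_report` on the server after installation; a result of `driver: none` means none of the three drivers is loaded yet.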
Use SGX in the application
To work with enclaves and Intel® SGX, you can use:
- LibOS (library operating system) — lets you run an existing application under Intel® SGX with only minor modifications and without rewriting its code base;
- or SDK — to develop a new application. SDK packages are prebuilt for the supported operating systems; you only need to install them.
LibOS
Open source and commercial versions of LibOS with Intel® SGX support are available.
Open source:
Commercial:
SDK
All SDKs contain APIs, libraries, source code samples, tools and documentation for a quick start:
- Intel SGX SDK for Linux — see installation example
- Intel SGX SDK for Windows
- Fortanix Enclave Development Platform
- Open Enclave SDK
- Teaclave / Teaclave SGX SDK
- MesaTEE
- Edgeless Systems EGo
- Edgeless RT
- Enarx
Example of Intel SGX SDK installation for Ubuntu 20.04
wget https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.12.100.3.bin
chmod 755 sgx_linux_x64_sdk_2.12.100.3.bin
./sgx_linux_x64_sdk_2.12.100.3.bin --prefix=/opt/intel