Create an Intel® SGX-enabled cloud server

Intel® SGX (Software Guard Extensions) is a technology that provides a set of CPU instructions to enhance the security of application code and data with additional protection against leakage or modification.

With Intel® SGX, an application can create enclaves in RAM — the information in them cannot be read by other applications (untrusted components) running on the same server, including system applications, kernel modules, and the hypervisor.

To check which regions offer cloud servers with SGX (the SGX Line of fixed configurations), see the Cloud Servers availability matrix.

For your information

To support Intel® SGX and work with enclaves on a cloud server, you need to install the driver and prepare the application.

Create a cloud server that supports Intel® SGX

  1. In Control Panel, go to Cloud Platform → Servers.
  2. Click Create Server.
  3. Select the SGX Line of fixed configurations.
  4. Select the rest of the cloud server settings — see the Create Cloud Server instructions for details.
  5. Click Create Server.
  6. Prepare the cloud server for operation: install the driver and prepare the application.

Install the driver

For your information

If you chose an Ubuntu 22.04 or Windows 2019 image as the source when creating the server, you do not need to install drivers for SGX to work.

One of the three drivers must be installed to support Intel® SGX and work with enclaves:

  • In-kernel Driver — suitable for Linux only, included in Linux kernel versions 5.11 and above;
  • DCAP Driver — suitable for Windows and for Linux kernel versions without the in-kernel driver;
  • Out-of-tree Driver — an alternative method. We recommend using the In-kernel Driver instead; to get it, you can switch to the HWE kernel. Example command for Ubuntu 20.04: apt-get install --install-recommends linux-generic-hwe-20.04

The Intel® Repository contains driver packages for various operating systems.

Example of DCAP driver installation for Ubuntu 20.04

  1. Install Dynamic Kernel Module Support:

    apt install dkms
  2. Install linux-headers (kernel headers):

    apt install linux-headers-$(uname -r)
  3. Install the driver:

    wget https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.36.2.bin
    chmod 755 sgx_linux_x64_driver_1.36.2.bin
    ./sgx_linux_x64_driver_1.36.2.bin
  4. Check in the kernel logs that the driver is loaded:

    dmesg | grep sgx

    Example output:

    [ 2.857457] systemd[1]: Set hostname to <sgx-legacy>.
    [ 3.748684] intel_sgx: loading out-of-tree module taints kernel.
    [ 3.750444] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
    [ 3.756652] intel_sgx: EPC section 0x140000000-0x1bf2fffff
    [ 3.850249] intel_sgx: Intel SGX DCAP Driver v1.36.2
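
The check in step 4 can be scripted. The following is an added example, not part of the original instructions: it reads kernel log text on stdin, reports which driver produced it, sums the EPC size, and detects the unsigned-module line. The function names are hypothetical, the "sgx:" log prefix for the in-kernel driver is an assumption, and the sample input is the output shown above.

```shell
#!/bin/sh
# Added example (not from the original page): summarize SGX driver state
# from kernel log text on stdin, e.g.  dmesg | sgx_driver_kind

# Constructed sample: the example dmesg output from step 4 above.
SAMPLE_DMESG='[ 2.857457] systemd[1]: Set hostname to <sgx-legacy>.
[ 3.748684] intel_sgx: loading out-of-tree module taints kernel.
[ 3.750444] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
[ 3.756652] intel_sgx: EPC section 0x140000000-0x1bf2fffff
[ 3.850249] intel_sgx: Intel SGX DCAP Driver v1.36.2'

# Print the total EPC (enclave page cache) size in MiB, summing every
# "EPC section <start>-<end>" range. The subshell body keeps variables local.
sgx_epc_mib() (
  total=0
  for range in $(sed -nE 's/.*sgx: EPC section (0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+).*/\1:\2/p'); do
    total=$(( total + ${range#*:} - ${range%:*} + 1 ))
  done
  echo $(( total / 1048576 ))
)

# Print "dcap <version>", "in-kernel" or "none".
# Assumption: the in-kernel driver logs with the prefix "sgx:", while the
# DCAP module logs as "intel_sgx:" (as in the sample above).
sgx_driver_kind() (
  log=$(cat)
  ver=$(printf '%s\n' "$log" | sed -nE 's/.*intel_sgx: Intel SGX DCAP Driver v([0-9.]+).*/\1/p' | head -n 1)
  if [ -n "$ver" ]; then
    echo "dcap $ver"
  elif printf '%s\n' "$log" | grep -q '[^_]sgx: EPC section'; then
    echo "in-kernel"
  else
    echo "none"
  fi
)

# Succeed if the log shows the module was loaded without a valid signature
# (the "module verification failed" line, which also taints the kernel).
sgx_module_unsigned() {
  grep -q 'intel_sgx: module verification failed'
}

# Demo on the constructed sample; on a server, pipe dmesg in instead.
printf '%s\n' "$SAMPLE_DMESG" | sgx_driver_kind   # dcap 1.36.2
printf '%s\n' "$SAMPLE_DMESG" | sgx_epc_mib       # 2035
```

The hostname line in the sample matches "grep sgx" only because the server is named sgx-legacy; the functions above ignore it because they match on the driver's own log prefix.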

Use SGX in the application

To work with enclaves and Intel® SGX, you can use:

  • LibOS (library operating system) — lets you run an existing application with Intel® SGX with only minor modifications, without changing the code base;
  • or SDK — for developing a new application. The SDK packages are built for different operating systems, so you only need to install them.

LibOS

Open-source and commercial versions of LibOS are available to support Intel® SGX.

Open-source:

Commercial:

SDK

All SDKs contain APIs, libraries, source code samples, tools and documentation for a quick start:

Example of Intel SGX SDK installation for Ubuntu 20.04

    wget https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.12.100.3.bin
    chmod 755 sgx_linux_x64_sdk_2.12.100.3.bin
    ./sgx_linux_x64_sdk_2.12.100.3.bin --prefix=/opt/intel