All Products
Search
Document Center

Elastic Compute Service:Build an SGX confidential computing environment

Last Updated:Nov 08, 2023

This topic describes how to build a Software Guard Extensions (SGX) confidential computing environment on an Elastic Compute Service (ECS) instance that relies on the Intel® SGX technology, which is known as vSGX instance, and how to run sample code to verify the SGX feature.

Prerequisites

A vSGX instance is created, and you are logged on to the instance.

Note

The SGX feature is available only for the g7t, c7t, and r7t instance families. For more information, see Overview of instance families.

Background information

Intel® SGX sets up a confidential computing environment at the physical level and ensures data security by providing hardware-based protections instead of firmware- or software-based protections. Intel® SGX uses instruction set extensions and an access control mechanism to isolate the runtime environment of SGX programs. This can protect the confidentiality and integrity of key code and data against malware attacks. Compared with other security technologies, Intel® SGX uses the root of trust that contains only hardware. This can avoid defects caused by security vulnerabilities of software on which the root of trust is based, and improve system security.

The g7t, c7t, and r7t security-enhanced instance families provide confidential memory based on Intel® SGX and support the SGX technology applicable to virtual machines. You can develop and run SGX programs on vSGX instances.

Important

If you use keys (such as SGX sealing keys) that are bound to hardware to encrypt the data of an instance within an Intel SGX enclave, the encrypted data cannot be decrypted after the host of the instance is changed. We recommend that you perform data redundancy and backup at the application layer to ensure application reliability.

Procedure

Step 1: Check whether SGX is enabled

Before you build an SGX confidential computing environment, you can use CPUID to check whether SGX is enabled. This section describes how to check whether SGX is enabled. In this example, an Alibaba Cloud Linux 2 (UEFI) image or an Alibaba Cloud Linux 3 (UEFI) image is used.

  1. Install CPUID.

    sudo yum install -y cpuid
  2. Check whether SGX is enabled.

    cpuid -1 -l 0x7 |grep SGX

    A command output similar to the following one indicates that SGX is enabled.sgx_install

    Note

    After SGX is enabled, the SGX driver is required to run SGX programs. The dedicated images provided by Alibaba Cloud have a built-in SGX driver. If you do not use a dedicated image, install the SGX driver.

  3. Check whether the SGX driver is installed.

    ls -l /dev/{sgx_enclave,sgx_provision}

    A command output similar to the following one indicates that the SGX driver is installed.sgx_driver

Step 2: Build an SGX confidential computing environment

Before you develop SGX programs, you must install the SGX runtime and SDK on a vSGX instance and configure the remote attestation service. We recommend that you use dedicated images provided by Alibaba Cloud for a better user experience. Dedicated images are equipped with the SGX driver and provide TEE SDK that is fully compatible with Intel® SGX SDK. This section describes how to build an SGX confidential computing environment. In this example, an Alibaba Cloud Linux 2 (UEFI) image or an Alibaba Cloud Linux 3 (UEFI) image is used. If you use Ubuntu images, CentOS images, or other Linux images, install the SGX driver and Platform SoftWare (PSW). For more information, see Intel® SGX SW Installation Guide for Linux.

  1. (Required) Install the Alibaba Cloud SGX runtime.

    Note

    When you create a vSGX instance in the ECS console, the Alibaba Cloud SGX runtime is automatically installed. You can skip this step and install Alibaba Cloud TEE SDK.

    1. (Required) Enable the Alibaba Cloud experimental repository for the vSGX instance.

      Note

      This operation is required only for vSGX instances that run Alibaba Cloud Linux 2 images.

      sudo rpmkeys --import http://mirrors.cloud.aliyuncs.com/epel/RPM-GPG-KEY-EPEL-7 && \
      sudo yum install -y alinux-release-experimentals
    2. Import the YUM software repository for Alibaba Cloud confidential computing.

      • The public URLs of the repository are in the following format: https://enclave-[Region-ID].oss-[Region-ID].aliyuncs.com/repo/alinux/enclave-expr.repo.

      • The internal URLs of the repository are in the following format: https://enclave-[Region-ID].oss-[Region-ID]-internal.aliyuncs.com/repo/alinux/enclave-expr.repo.

      Replace [Region-ID] in the preceding URLs with the region ID of the vSGX instance. The following example shows the internal URL of a vSGX instance in the China (Hangzhou) region:

      sudo yum install -y yum-utils && \
      sudo yum-config-manager --add-repo \
      https://enclave-cn-hangzhou.oss-cn-hangzhou-internal.aliyuncs.com/repo/alinux/enclave-expr.repo
    3. Install the Alibaba Cloud SGX runtime.

      sudo yum install -y libsgx-ae-le libsgx-ae-pce libsgx-ae-qe3 libsgx-ae-qve \
      libsgx-aesm-ecdsa-plugin libsgx-aesm-launch-plugin libsgx-aesm-pce-plugin \
      libsgx-aesm-quote-ex-plugin libsgx-dcap-default-qpl libsgx-dcap-ql \
      libsgx-dcap-quote-verify libsgx-enclave-common libsgx-launch libsgx-pce-logic \
      libsgx-qe3-logic libsgx-quote-ex libsgx-ra-network libsgx-ra-uefi \
      libsgx-uae-service libsgx-urts sgx-ra-service sgx-aesm-service
      Note

      SGX Architectural Enclave Service Manager (AESM) is used to manage services such as enclave start, key configuration, and remote attestation. The default installation path of SGX AESM is /opt/intel/sgx-aesm-service.

  2. Install Alibaba Cloud TEE SDK.

    sudo yum install -y sgxsdk

    Alibaba Cloud TEE SDK is fully compatible with Intel® SGX SDK. After Alibaba Cloud TEE SDK is installed, you can refer to Intel® SGX Developer Reference to develop SGX programs. For more information, see Intel ®SGX Developer Reference.

    Note

    The default installation path of Intel® SGX SDK in Alibaba Cloud TEE SDK is /opt/alibaba/teesdk/intel/sgxsdk/.

  3. Configure the Alibaba Cloud SGX remote attestation service.

    The Alibaba Cloud SGX remote attestation service is fully compatible with the Intel® SGX Elliptic Curve Digital Signature Algorithm (ECDSA) based remote attestation service and Intel® SGX SDK. vSGX instances provided by Alibaba Cloud can gain trust from remote providers and producers by using remote attestation. For more information, visit Attestation & Provisioning Services.

    The Alibaba Cloud SGX remote attestation service provides the following information for SGX SDK:

    • SGX certificates: the SGX certificates.

    • Revocation list: a list of revoked SGX certificates.

    • Trusted computing base information: information about the root of trust.

    Note

    Intel Ice Lake supports only remote attestation based on Intel Software Guard Extensions Data Center Attestation Primitives (Intel SGX DCAP), and does not support remote attestation based on Intel Enhanced Privacy ID (EPID). You must adapt applications before you can use the remote attestation feature. For more information about remote attestation, visit Attestation & Provisioning Services.

    The Alibaba Cloud SGX remote attestation service is deployed on a per-region basis. We recommend that you access the service that is deployed in the same region as your vSGX instance for optimal stability. After Alibaba Cloud TEE SDK is installed, the default configuration file /etc/sgx_default_qcnl.conf is automatically generated for the remote attestation service. You must use one of the following methods to adapt the file to the Alibaba Cloud SGX remote attestation service in the region in which the vSGX instance is located.

    Note

    The following table lists the regions where the Alibaba Cloud SGX remote attestation service is supported.

    Supported region

    Region ID

    China (Qingdao)

    cn-qingdao

    China (Beijing)

    cn-beijing

    China (Zhangjiakou)

    cn-zhangjiakou

    China (Ulanqab)

    cn-wulanchabu

    China (Hangzhou)

    cn-hangzhou

    China (Shanghai)

    cn-shanghai

    China (Shenzhen)

    cn-shenzhen

    China (Heyuan)

    cn-heyuan

    China (Guangzhou)

    cn-guangzhou

    China (Chengdu)

    cn-chengdu

    China (Hong Kong)

    cn-hongkong

    Singapore

    ap-southeast-1

    Indonesia (Jakarta)

    ap-southeast-5

    • (Recommended) Method 1: Have the /etc/sgx_default_qcnl.conf file configured.

      Run the following command to automatically configure the /etc/sgx_default_qcnl.conf file. For more information, see View instance metadata.

      # View the region of the instance.
      token=$(curl -s -X PUT -H "X-aliyun-ecs-metadata-token-ttl-seconds: 5" "http://100.100.100.200/latest/api/token")
      region_id=$(curl -s -H "X-aliyun-ecs-metadata-token: $token" http://100.100.100.200/latest/meta-data/region-id)
      
      # Specify the URL of the PCCS caching service for the region in which the instance is located.
      PCCS_URL=https://sgx-dcap-server-vpc.${region_id}.aliyuncs.com/sgx/certification/v3/
      sudo bash -c 'cat > /etc/sgx_default_qcnl.conf' << EOF
      # PCCS server address
      PCCS_URL=${PCCS_URL}
      # To accept insecure HTTPS cert, set this option to FALSE
      USE_SECURE_CERT=TRUE
      EOF
    • Method 2: Manually modify the /etc/sgx_default_qcnl.conf file.

      • If the vSGX instance is assigned a public IP address, change the configurations in /etc/sgx_default_qcnl.conf to the following content. Replace [Region-ID] with the ID of the region in which the vSGX instance resides.

        # PCCS server address
        PCCS_URL=https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v3/
        # To accept insecure HTTPS cert, set this option to FALSE
        USE_SECURE_CERT=TRUE
      • If the vSGX instance is in a virtual private cloud (VPC) and has only internal IP addresses, change the configurations in /etc/sgx_default_qcnl.conf to the following content. Replace [Region-ID] with the ID of the region in which the vSGX instance resides.

        # PCCS server address
        PCCS_URL=https://sgx-dcap-server-vpc.[Region-ID].aliyuncs.com/sgx/certification/v3/
        # To accept insecure HTTPS cert, set this option to FALSE
        USE_SECURE_CERT=TRUE

Examples on how to verify the SGX feature

Example 1: Start an enclave

Alibaba Cloud TEE SDK provides SGX sample code to verify the SGX feature. By default, the code is stored in the /opt/alibaba/teesdk/intel/sgxsdk/SampleCode directory.

This section describes an example of how to start an enclave to verify whether the installed SGX SDK works normally. If the enclave is started, the SDK works normally. In this example, the sample code file named SampleEnclave is used.

  1. Install a compiler.

    • If the Alibaba Cloud Linux 2 (UEFI) image is used, install devtoolset.

      1. Install devtoolset.

        sudo yum install -y devtoolset-9
      2. Configure the environment variable related to devtoolset.

        source /opt/rh/devtoolset-9/enable
    • If the Alibaba Cloud Linux 3 (UEFI) image is used, install Development Tools.

      sudo yum groupinstall -y "Development Tools"
  2. Configure the environment variable related to SGX SDK.

    source /opt/alibaba/teesdk/intel/sgxsdk/environment
  3. Compile the sample code in SampleEnclave.

    1. Go to the SampleEnclave directory.

      cd /opt/alibaba/teesdk/intel/sgxsdk/SampleCode/SampleEnclave
    2. Compile SampleEnclave.

      sudo make
  4. Run the compiled executable file.

    sudo ./app

Example 2: Use the SGX remote attestation service

Alibaba Cloud TEE SDK provides SGX sample code to verify the SGX feature. By default, the code is stored in the /opt/alibaba/teesdk/intel/sgxsdk/SampleCode directory.

This section describes an example on how to use the SGX remote attestation service. The expected result is that a quote is generated and verified (QuoteGenerationSample and QuoteVerificationSample). The example involves the challenged party (SGX programs that run in the vSGX instance) and the challenging party (the party that wants to verify whether the SGX programs are trusted). In this example, the sample code file named QuoteGenerationSample is used by the challenged party to generate a quote, and the sample code file named QuoteVerificationSample is used by the challenging party to verify the quote.

  1. Install a compiler.

    • If the Alibaba Cloud Linux 2 (UEFI) image is used, install devtoolset.

      1. Install devtoolset.

        sudo yum install -y devtoolset-9
      2. Configure the environment variable related to devtoolset.

        source /opt/rh/devtoolset-9/enable
    • If the Alibaba Cloud Linux 3 (UEFI) image is used, install Development Tools.

      sudo yum groupinstall -y "Development Tools"
  2. Configure the environment variable related to SGX SDK.

    source /opt/alibaba/teesdk/intel/sgxsdk/environment
  3. Install the dependency package of SGX remote attestation.

    sudo yum install -y libsgx-dcap-ql-devel libsgx-dcap-quote-verify-devel
  4. Compile the sample code in QuoteGenerationSample used by the challenged party.

    1. Go to the QuoteGenerationSample directory.

      cd /opt/alibaba/teesdk/intel/sgxsdk/SampleCode/QuoteGenerationSample
    2. Compile QuoteGenerationSample.

      sudo make
  5. Run the compiled executable file to generate Quote.

    sudo ./app
  6. Compile the sample code in QuoteVerificationSample used by the challenging party.

    1. Go to the QuoteVerificationSample directory.

      cd /opt/alibaba/teesdk/intel/sgxsdk/SampleCode/QuoteVerificationSample
    2. Compile QuoteVerificationSample.

      sudo make
  7. Sign the QuoteVerificationSample enclave.

    To release an official version of an enclave, you must provide the signature key to sign the enclave.

    sudo sgx_sign sign -key Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml
  8. Run the compiled executable file to verify the quote.

    sudo ./app

Update the SGX SDK, PSW, and DCAP software packages

The Intel® SGX software stack includes SGX SDK, SGX PSW, and SGX Data Center Attestation Primitives (DCAP). We recommend that you update software versions on a regular basis to provide optimal security.

  1. Upgrade the SGX SDK, SGX PSW, and SGX DCAP software packages.

    sudo rpm -qa --qf "%{NAME}\n"|grep -E "sgxsdk|libsgx-|libtdx-|^sgx-|^tdx-"|xargs bash -c '</dev/tty yum update "$@"' _
  2. View the versions of the SGX SDK, SGX PSW, and SGX DCAP software.

    1. View the versions of the SGX SDK and SGX PSW software.

      sudo rpm -qa|grep -E "sgxsdk|sgx-aesm-service|libsgx-(ae-epid|ae-le|ae-pce|aesm|enclave|epid|headers|launch|quote-ex|uae-service|urts)"

      The following figure shows a sample command output.sdk&psw

    2. View the SGX DCAP software version.

      sudo rpm -qa|grep -E "sgx-(dcap-pccs|pck|ra-service)|libsgx-(ae-id-enclave|ae-qe3|ae-qve|ae-tdqe|dcap|pce-logic|qe3-logic|ra-|tdx-)|libtdx-|^tdx-"

      The following figure shows a sample command output.dacp

Known issues

The SGX driver that comes with Alibaba Cloud Linux 2 in the kernel of the 4.19.91-23.al7.x86_64 version experiences memory leaks in some cases. This issue is fixed in the latest version. We recommend that you update the kernel to the latest version. If you want to continue using this kernel version, we recommend that you run the following commands to install patches to avoid this issue:

sudo yum install -y alinux-release-experimentals && \
sudo yum install -y kernel-hotfix-5577959-23.al7.x86_64