This topic describes sgx-device-plugin and lists the latest changes to sgx-device-plugin.

Overview

sgx-device-plugin is a plug-in developed by Alibaba Cloud and Ant Financial for Alibaba Cloud Container Service for Kubernetes (ACK). sgx-device-plugin facilitates the use of Intel (R) Software Guard Extensions (SGX) in containers. Intel (R) SGX is a set of CPU instructions provided by Intel. Intel (R) SGX increases the security of application code and data, and protects them from disclosure and malicious tampering. For more information, see software-guard-extensions.

Features
sgx-device-plugin provides the following features:
  • Supports Intel (R) SGX without the need to run containers in privileged mode.
  • Automatically retrieves the size of the Enclave Page Cache (EPC).
  • Supports declarative EPC resource allocation.
Prerequisites
sgx-device-plugin is reliant on the following components and tools:
FAQ
  • Can I deploy sgx-device-plugin in Kubernetes clusters that are deployed outside Alibaba Cloud?

    Yes. sgx-device-plugin can be deployed in all types of Kubernetes clusters. However, you can run sgx-device-plugin only on SGX-enabled nodes.

  • Can I use sgx-device-plugin to control the EPC size for SGX-enabled containers?

    No. The EPC size limit specified by the alibabacloud.com/sgx_epc_MiB parameter applies only to kube-scheduler. The Intel (R) SGX driver does not support this parameter.

  • Is sgx-device-plugin open source?

    Yes. For more information, see sgx-device-plugin.
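The declarative EPC allocation and the scheduler-only limit described above, shown as an added example that is not taken from the sgx-device-plugin project. The pod names, image, and EPC value are constructed placeholders; only the alibabacloud.com/sgx_epc_MiB resource name comes from this page.

```yaml
# Constructed manifests; pod names and image are placeholders, not from the project.
# Before: the pattern the plug-in removes the need for. A privileged container
# gets access to all host devices, far more than an enclave workload needs.
apiVersion: v1
kind: Pod
metadata:
  name: enclave-app-privileged
spec:
  containers:
    - name: app
      image: registry.example.com/enclave-app:1.0
      securityContext:
        privileged: true
---
# After: request EPC declaratively and drop privileged mode.
apiVersion: v1
kind: Pod
metadata:
  name: enclave-app
spec:
  containers:
    - name: app
      image: registry.example.com/enclave-app:1.0
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
      resources:
        limits:
          # Extended resources take whole numbers and go under limits.
          # 2 MiB is a constructed value. kube-scheduler uses it to place the
          # pod on a node with enough unallocated EPC; per the FAQ, the SGX
          # driver does not enforce it as a runtime cap.
          alibabacloud.com/sgx_epc_MiB: 2
```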

Release notes

Version: v1.0.0-5f5b5ef-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/sgx-device-plugin:v1.0.0-5f5b5ef-aliyun
Release date: February 21, 2020
Description:
  • Supports Intel (R) SGX without the need to run containers in privileged mode.
  • Supports the feature of automatically retrieving the Enclave Page Cache (EPC) size.
  • Supports declarative EPC resource allocation.
Impact: No impact on workloads.