Intel® Software Guard Extensions Data Center Attestation Primitives (Intel® SGX DCAP): A Quick Install Guide

By John P Mechalas

Intel® Software Guard Extensions Data Center Attestation Primitives (Intel® SGX DCAP) is Intel's solution for deploying Intel SGX attestation services into data centers. Because every data center environment has unique needs that require customization, it is distributed as a collection of components rather than a complete, turn-key solution. To help developers, data centers, and cloud service providers (CSP's) get started with Intel SGX DCAP, this article steps through the process of creating a minimal, but complete, Intel SGX DCAP environment. It produces a working infrastructure that is suitable for software developers who are creating Intel SGX solutions, and does so in a manner that mimics a real-world deployment to help data center administrators develop system deployment and management procedures.

For an introduction to Intel SGX DCAP, see the following white papers:

And the following videos from Intel® Network Builders University (free registration required):

The Minimum Environment

An Intel SGX DCAP Environment consists of three, fundamental components:

  1. A subscription to the Intel Provisioning Certification Service (Intel PCS), which provides you with the API keys needed to query the service for Intel SGX attestation collateral.
  2. A data center caching service, which acts as a caching proxy for the Intel PCS.
  3. An Intel SGX enabled platform, which must be provisioned before it can execute runtime Intel SGX workloads.

The goal of this guide is to produce a simplified, but not trivialized, environment with the following requirements:

  • The caching service shall be run on a discreet system. Specifically, it shall not be a system that is used to run Intel SGX workloads.
  • The system that hosts the caching service shall not require Intel SGX.
  • The Intel SGX enabled platform shall be provisioned and then re-imaged with a fresh OS.

This guide will also assume that the Intel SGX enabled platform can be provisioned on a production network. This may not be a valid assumption in a data center’s production environment, but it removes unnecessary complexity from a development and testing setup.

Intel SGX DCAP Installation Procedure

At a high level, the steps to produce the minimum Intel SGX DCAP environment are:

  1. Subscribe to the Intel PCS for ECDSA Attestation and obtain the required API keys.
  2. Set up Intel's reference caching service, the Provisioning Certification Caching Service (PCCS).
  3. Provision the Intel SGX enabled platform for Intel SGX workloads.
  4. Verify the provisioning data.
  5. Reimage the Intel SGX enabled platform.
  6. Load the Intel SGX runtime stack onto the reimaged system.

The last two steps are intended to simulate real-world environments, where system provisioning might occur on a restricted network prior to deployment into production. They also ensure that the runtime system does not retain any of the provisioning components.

Subscribe to the Intel PCS

Each subscription to the Intel PCS Service for ECDSA Attestation issues two API keys: a primary key and a secondary key. Either one can be used. The point of issuing two keys is to provide continuity of service in the event the active key needs to be regenerated.

To subscribe to the service, browse to the Intel SGX Software Services page. If you have an account, sign in using the "Sign In" link in the banner. If you don't have an account, click "Sign Up" to register.

Once you are logged in, return the Intel SGX Software Services page. Under the "Intel Provisioning Certification Service for ECDSA Attestation" header, click on the link titled "Intel® SGX provisioning certification service".

From there, scroll down to the "Get PCK Certificate/s" API and click on the "Subscribe" button.

You'll be taken to a subscription summary page. Confirm your choices by clicking on the "Add subscription" button.

This will load a subscription summary page for your account. Scroll down to the "Intel® Software Guard Extensions Provisioning Certification Service subscription" section and click on the "Show" links to reveal your API keys.

Set up the Intel PCCS

Now that you have your API keys, you can set up the Intel PCCS as your caching service. The following steps assume you are starting from a fresh installation of Ubuntu Linux 18.04 LTS.

The PCCS package in the 1.8 release has a dependency on Node®.js version 14 which is not part of the 18.04 LTS distribution, so the first step is to fetch the Node.js setup script.

$ curl -o setup.sh -sL https://deb.nodesource.com/setup_14.x
$ chmod a+x setup.sh
$ sudo ./setup.sh

Once the script completes, you can add the Node.js package using apt.

$ sudo apt-get -y install nodejs

We'll use Intel's Debian packages for the Intel SGX DCAP installation, but to do that we need to add the repository to the list of sources for apt, and add the key:

# echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' > /etc/apt/sources.list.d/intel-sgx.list
# wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
# apt update

Now we're ready to install the prerequisite software. We'll use SQLite* as the database storage engine (this is the default setting for the PCCS). The PCCS will also need to compile a Node.js module for interfacing with C libraries, so we have to add the build-essential meta-package to the list.

# apt install sqlite3 python build-essential

Once that installation has finished, you can install the PCCS package.

# apt install sgx-dcap-pccs

The installation will run the PCCS setup script, which will ask you several questions.

Do you want to configure PCCS now? (Y/N)

Answer "Y" to this question.

Set HTTPS listening port [8081] (1024-65535)

Accept the default listening port of 8081, or select a non-privileged port number.

Set the PCCS service to accept local connections only? [Y] (Y/N)

Answer "N" to this question. We want the PCCS service to accept connections from other systems.

Set your Intel PCS API key (Press ENTER to skip)

Enter either your primary or secondary key.

Choose caching fill method : [LAZY] (LAZY/OFFLINE/REQ)

Answer "REQ" to this question. This places the caching service in the "on request" mode, which means it will fetch the attestation collateral for hosts as provisioning requests are received. For more information on the PCCS caching modes, see the white paper titled Design Guide for Intel® SGX Provisioning Certificate Caching Service (Intel® SGX PCCS) .

Next it will prompt you for an admin password and a user password. The admin password is used by the administration tool to manage the contents of the caching service's database. The user password is used by the provisioning tool. Create a password for each. Administration of the caching service is outside the scope of this guide.

Last, it will ask you if you want to generate a self-signed certificate for testing. Answer "Y" to this question, and then fill out the certificate request as you see fit. Remember that this is a self-signed certificate for testing and development purposes only. A production environment will require a certificate that is signed by a recognized certificate authority.

Verify the empty cache

We’ll inspect the contents of the PCCS collateral cache using the sqlitebrowser utility, which is a graphical application for working with SQLite databases. Install it using apt and then execute it on the command line, pointing it at the PCCS database:

$ sudo apt -y install sqlitebrowser
$ sqlitebrowser /opt/intel/sgx-dcap-pccs/pckcache.db

Use the “Browse Data” tab to examine the tables. They should all be empty.

Provisioning a system

Now that the PCCS is up and running, it’s time to provision an Intel SGX enabled platform. This guide assumes you have already enabled Intel SGX in the system BIOS, and imaged it with a fresh installation of Ubuntu Server 18.04 LTS.

Before we can install the Intel SGX driver, it’s necessary to add the Dynamic Kernel Module Support package:

$ sudo apt install dkms

Once that’s done, you can fetch the driver for Intel SGX DCAP and install it.

$ wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.36.bin
$ chmod 755 ./sgx_linux_x64_driver_1.36.bin
$ sudo ./sgx_linux_x64_driver_1.36.bin

Verify that the driver loaded by checking the kernel log:

$ dmesg | grep sgx
[ 642.620300] intel_sgx: loading out-of-tree module taints kernel.
[ 642.620336] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
[ 642.621643] sgx: intel_sgx: Intel SGX DCAP Driver v1.36
[ 642.621652] sgx: EPC section 0x70200000-0x7bf7ffff

The messages show that the driver successfully loaded and assigned memory to the Enclave Page Cache (EPC). You can ignore the warnings: they stem from the fact that this is an out-of-tree kernel driver.

Now we can install the provisioning tools. In a production environment, the provisioning binary and its supporting libraries might be incorporated into a minimal kernel image that is loaded via a PXE boot, but for testing purposes we’ll assume a production network and load the Intel SGX support packages directly from Intel’s repository.

The provisioning tool is distributed as a separate package since it won’t typically be installed on a live system. Fetch and install it:

$ wget https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/tools/SGXCertRetrievalTool/ubuntu18.04-server/sgx-pck-id-retrieve-tool_1.7.100.2-1_amd64.deb
$ sudo dpkg -i sgx-pck-id-retrieve-tool_1.7.100.2-1_amd64.deb

Future releases of the provisioning tool will also include the support libraries. For now, install them using apt. Start by adding the Intel repository:

$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list > /dev/null
$ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo apt update

Then install the Intel SGX quoting library:

$ sudo apt install libsgx-dcap-ql

Now the provisioning tool needs to be configured so that it knows how to contact the caching service. Edit the configuration file at /opt/intel/sgx-pck-id-retrieve-tool/network_setting.conf and make the following changes:

  • Change the PCCS_URL to match your caching service’s location.
  • Uncomment the user_token parameter, and set it to the user password you created when configuring the PCCS
  • Set the proxy_type to fit your environment (most likely this will be “direct”)
  • Ensure USE_SECURE_CERT is set to “FALSE” since we’re using a self-signed certificate for testing purposes. In a production environment, this should be set to “TRUE”.

Save your changes and run the provisioning tool:

$ PCKIDRetrievalTool
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.7.100.2
Warning: If this is a multi-package platform, please install registration agent package.
otherwise, the platform manifest information will NOT be retrieved.
Warning: Couldn't collect platform manifest. If you are using single-package platform, you can ignore this warning.
the data has been sent to the cache service successfully and pckid_retrieval.csv has been generated successfully!

Since this is a single socket system, you can ignore the warnings about the platform manifest. The last line is the most important as it tells us the system has been successfully provisioned.

Verify the provisioned system

We can verify the provisioning by returning to the SQLite database using sqlitebrowser. There should be data present in every table. The screen shot below shows the contents of the table fmspc_tcbs. Note the tcbinfo data structure on the right.

Runtime configuration

Now that the Intel SGX enabled platform has been provisioned, it can be loaded with a production OS image. It can, in fact, be reimaged multiple times: as long as the Intel SGX Trusted Compute Base (TCB) doesn’t change, it will not need to be reprovisioned.

Again, we’ll assume a fresh install of Ubuntu Server 18.04 LTS as the starting point. Install the driver:

$ sudo apt install dkms
$ wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.36.bin
$ chmod 755 ./sgx_linux_x64_driver_1.36.bin
$ sudo ./sgx_linux_x64_driver_1.36.bin

Update the apt repositories:

$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list > /dev/null
$ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo apt update

Now you can install the Intel SGX runtime components, and Intel’s reference quoting library and quote provider library.

$ sudo apt-get install libsgx-urts libsgx-dcap-ql libsgx-dcap-default-qpl

This step will also install Intel’s Architectural Enclave Service Manager which needs to be configured for ECDSA-based attestations. Edit the configuration file, /etc/aesmd.conf, and uncomment this line:

default quoting type = ecdsa_256

Since we’re using ECDSA quotes, AESM has no need to connect to the internet and you can leave the proxy settings alone.

Restart AESM for the changes to take effect:

$ systemctl restart aesmd

Next, we need to configure the quote provider library to connect to PCCS to obtain the attestation collateral. Edit the configuration file, /etc/sgx_default_qcnl.conf, and make the following changes:

  • Set the PCCS_URL parameter to the location of our PCCS server
  • Set USE_SECURE_CERT to “FALSE” since we’re using a self-signed certificate for testing purposes. Again, in a production environment, this should be set to “TRUE”.

This system is now ready to run Intel SGX workloads.

 

§

Product and Performance Information

1

Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.

Notice revision #20110804