SGX-Ready Server

Server Types

Azure Confidential Computing (Virtual Machine)

The required settings to configure an SGX-ready server are as follows:

  • Select resource group: Ubuntu 20.04 LTS

  • Enter a virtual machine name (e.g. CoboTSSNode)

  • Select the Azure region

  • Choose image: Ubuntu 18.04 LTS - Gen2

  • Select virtual machine size: Standard DC1ds v3 (1 vcpu, 8 GiB memory)

For more information on how to deploy an SGX-ready server using the Azure portal, please click here.

Alibaba Cloud Elastic Compute Service

For more information on how to deploy an SGX-ready server using the Alibaba Cloud Elastic Compute Service, please click here.

The following settings are required to build an encrypted computing environment on a g7t, c7t, or r7t instance (vSGX instance):

  • Version: Ubuntu 20.04 64-bit that works with UEFI

  • Recommended memory: 8GB and above

  • Memory (encrypted data): 4GB

  • Hard disk: 64G SSD


SGX-Ready Physical Server (On Premise)

Please check the processors that support SGX:

  • Click on “Find products by feature” at the bottom

  • Select “Intel® Software Guard Extensions (Intel® SGX)” in “Choose a Filter” under “Processors”

  • Select “Yes with both Intel® SPS and Intel® ME”

  • Review the specifications, as displayed below:

| Product Name | Total Cores | Max Turbo Frequency | Base Frequency | Cache |
|---|---|---|---|---|
| Intel® Xeon® E-2278GE Processor | 8 | 4.70 GHz | 3.30 GHz | 16 MB |
| Intel® Xeon® E-2278GEL Processor | 8 | 3.90 GHz | 2.00 GHz | 16 MB |
| Intel® Xeon® E-2274G Processor | 4 | 4.90 GHz | 4.00 GHz | 8 MB Intel® Smart Cache |
| Intel® Xeon® E-2276G Processor | 6 | 4.90 GHz | 3.80 GHz | 12 MB Intel® Smart Cache |
| Intel® Xeon® E-2278G Processor | 8 | 5.00 GHz | 3.40 GHz | 16 MB Intel® Smart Cache |
| Intel® Xeon® E-2286G Processor | 6 | 4.90 GHz | 4.00 GHz | 12 MB Intel® Smart Cache |
| Intel® Xeon® E-2288G Processor | 8 | 5.00 GHz | 3.70 GHz | 16 MB Intel® Smart Cache |
| Intel® Xeon® E-2174G Processor | 4 | 4.70 GHz | 3.80 GHz | 8 MB Intel® Smart Cache |
| Intel® Xeon® E-2176G Processor | 6 | 4.70 GHz | 3.70 GHz | 12 MB Intel® Smart Cache |
| Intel® Xeon® E-2186G Processor | 6 | 4.70 GHz | 3.80 GHz | 12 MB Intel® Smart Cache |

You’ll need to configure the following settings:

  • BIOS Settings:

    • Enable Intel SGX (Software Guard Extension)

    • Enable DCAP (FLC)

    • Disable hyperthreading

  • Operating system: Ubuntu Server 20.04 LTS or 22.04 LTS

  • Recommended memory: 8GB RAM

  • Recommended storage: 128GB SSD

  • Minimum memory (encrypted data): 2GB EPC

SGX Status Check

Once the encrypted SGX environment has been set up, you can check the SGX status via CPUID. Please execute the following shell commands:

sudo apt update
sudo apt install cpuid
cpuid -1 | grep SGX

If three “true” statuses are returned, as displayed in the output below, the SGX environment has been successfully enabled. Any other “false” statuses can be ignored:

SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported      = true
SGX capability (0x12/0):
SGX1 supported                         = true

SGX Driver Installation

The SGX driver should have already been installed by default. During TSS Node initialization, you'll be prompted to approve the auto installation of the SGX driver (Intel DCAP 1.41).

Execute the following command to double check whether the SGX driver has been installed:

ls /dev/sgx*

If two or more device nodes are displayed, the SGX driver has already been installed:

/dev/sgx_enclave  /dev/sgx_provision
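
The CPUID status check and the device-node check above, combined into one pass/fail gate. This is an added example, not part of the original page or of the TSS Node tooling; the function names and the sample output are constructed for illustration. It also reports /dev/isgx, the node exposed by Intel's legacy out-of-tree driver, since the TSS Node only supports the DCAP driver.

```shell
# Added example, not from the original page: gate on the two checks above.
# Constructed sample of `cpuid -1 | grep SGX` output with SGX_LC reported false.
SAMPLE_NO_LC='SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported      = false
SGX capability (0x12/0):
SGX1 supported                         = true
SGX2 supported                         = false'

# Reads cpuid output on stdin and prints each of the three required flags that
# is not reported as "true". Empty output means the CPUID check passes.
sgx_flags_missing() {
    awk '
        /SGX: Software Guard Extensions supported/ && /= *true/ { ok["SGX"] = 1 }
        /SGX_LC: SGX launch config supported/      && /= *true/ { ok["SGX_LC"] = 1 }
        /SGX1 supported/                           && /= *true/ { ok["SGX1"] = 1 }
        END {
            n = split("SGX SGX_LC SGX1", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in ok)) { printf "%s%s", sep, want[i]; sep = " " }
        }'
}

# Prints the DCAP device nodes absent from DIR (default /dev). -e is used
# instead of -c so the function can also be exercised on a scratch directory.
sgx_nodes_missing() {
    dir=${1:-/dev}; out=
    for node in sgx_enclave sgx_provision; do
        [ -e "$dir/$node" ] || out="${out:+$out }$node"
    done
    printf '%s' "$out"
}

# Reads cpuid output on stdin, inspects DIR, prints findings, and returns 0
# only when all three flags are true and both device nodes exist.
sgx_ready() {
    flags=$(sgx_flags_missing)
    nodes=$(sgx_nodes_missing "${1:-/dev}")
    [ -z "$flags" ] || echo "CPUID flags not true: $flags"
    [ -z "$nodes" ] || echo "device nodes missing: $nodes"
    # isgx is the node of the legacy out-of-tree driver, which the TSS Node does not support.
    [ ! -e "${1:-/dev}/isgx" ] || echo "legacy driver node present: isgx"
    [ -z "$flags$nodes" ]
}

# Demo on the constructed sample and an empty scratch directory.
# On a live host: cpuid -1 | sgx_ready /dev
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_NO_LC" | sgx_ready "$demo_dir" || echo "host is not SGX-ready"
rm -rf "$demo_dir"
```
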

For more information on the manual installation of an SGX driver, please refer to the following:

The SGX driver has been merged into the Linux kernel as of version 5.1 (inclusive), so it is available by default on those kernels. Linux 5.1 or later is recommended.

Alternatively, you may install the DCAP and OOT (legacy) drivers released by Intel. Please note that the TSS Node only supports the DCAP driver. For the installation guide, please refer to the “Driver Installation” chapter.

You can follow the steps below to manually install the Ubuntu 20.04 DCAP 1.41 driver. For other versions, please refer to the guide above.

  • Update the package resource list for APT:

sudo apt update

  • Install dependencies:

sudo apt install build-essential ocaml automake autoconf libtool \
     wget python libssl-dev dkms -y

  • Download the Intel SGX DCAP driver:

wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin

  • Make the Intel SGX DCAP driver installation package executable:

chmod a+x sgx_linux_x64_driver_1.41.bin

  • Install the Intel SGX DCAP driver:

sudo ./sgx_linux_x64_driver_1.41.bin

  • Check whether the installation was successful:

$ ls /dev/sgx*
/dev/sgx_enclave  /dev/sgx_provision

Docker Engine Installation

Docker Engine is required for running the TSS Node. After TSS node initialization, you'll be prompted to approve the auto installation of Docker Engine.

Manually installing and configuring Docker Engine is recommended if your organization has related best practices in place.

For more information on how to manually install the Docker Engine on Ubuntu, please click here.
