SGX-Ready Server
Server Types
Azure Confidential Computing (Virtual Machine)
The required settings to configure an SGX-ready server are as follows:
Select resource group: Ubuntu 20.04 LTS
Enter a virtual machine name (e.g. CoboTSSNode)
Select the Azure region
Choose image: Ubuntu 18.04 LTS - Gen2
Select virtual machine size: Standard DC1ds v3 (1 vcpu, 8 GiB memory)
For more information on how to deploy an SGX-ready server using the Azure portal, please click here.
Alibaba Cloud Elastic Compute Service
For more information on how to deploy an SGX-ready server using the Alibaba Cloud Elastic Compute Service, please click here.
The following settings are required to build an encrypted computing environment on a g7t, c7t, or r7t instance (vSGX instance):
Version: Ubuntu 20.04 64-bit that works with UEFI
Recommended memory: 8GB and above
Memory (encrypted data): 4GB
Hard disk: 64G SSD
SGX-Ready Physical Server (On Premise)
Please check the processors that support SGX:
Click on “Find products by feature” at the bottom
Select “Intel® Software Guard Extensions (Intel® SGX)” in “Choose a Filter” under “Processors”
Select “Yes with both Intel® SPS and Intel® ME”
Review the specifications, as displayed below:
You’ll need to configure the following settings:
BIOS Settings:
Enable Intel SGX (Software Guard Extension)
Enable DCAP (FLC)
Disable hyperthreading
Operating system: Ubuntu Server 20.04 LTS or 22.04 LTS
Recommended memory: 8GB RAM
Recommended storage: 128GB SSD
Minimum memory (encrypted data): 2GB EPC
SGX Status Check
Once the encrypted SGX environment has been set up, you can check the SGX status via CPUID. Please execute the following shell commands:
If three “true” statuses are returned, as displayed in the output below, the SGX environment has been successfully enabled. Any “false” statuses can be ignored:
SGX Driver Installation
The SGX driver should have already been installed by default. During TSS Node initialization, you'll be prompted to approve the auto installation of the SGX driver (Intel DCAP 1.41).
Execute the following command to double check whether the SGX driver has been installed:
If two or more nodes are displayed, the SGX driver has already been installed:
For more information on the manual installation of an SGX driver, please refer to the following:
The SGX driver has been merged into the Linux kernel as of version 5.1, so it is available by default in that version and above. We recommend using Linux 5.1 or above:
Ubuntu 22.04 LTS server + default kernel
Ubuntu 20.04 LTS server + HWE rolling update model
Alternatively, you may install the DCAP and OOT (legacy) drivers released by Intel. Please note that the TSS Node only supports the DCAP driver. For an installation guide, please refer to the “Driver Installation” chapter.
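The driver check and the DCAP-only constraint described above can be scripted. This is an added example, not part of the original page or of Cobo's tooling. The function names, the state strings and the `root` parameter are hypothetical, and the device paths assume either the in-kernel driver (`/dev/sgx_enclave`, `/dev/sgx_provision`), Intel's out-of-tree DCAP driver (`/dev/sgx/enclave`, `/dev/sgx/provision`) or the legacy driver (`/dev/isgx`).

```shell
#!/bin/sh
# Added example (not from the original page): classify the SGX driver state
# of a host from its device nodes and CPU flags.
# "root" is a hypothetical parameter so the check can also be run against a
# constructed directory tree; leave it empty to inspect the live system.

has_cpu_flag() {  # $1 = path to cpuinfo, $2 = flag name
    grep -m1 '^flags' "$1" 2>/dev/null | grep -qw -- "$2"
}

sgx_driver_state() {
    local root="${1:-}" enclave=0 provision=0 p
    root="${root%/}"

    # An enclave node and a provisioning node are both needed: the first runs
    # enclaves, the second is required for DCAP attestation.
    for p in /dev/sgx_enclave /dev/sgx/enclave; do
        if [ -e "$root$p" ]; then enclave=1; fi
    done
    for p in /dev/sgx_provision /dev/sgx/provision; do
        if [ -e "$root$p" ]; then provision=1; fi
    done
    if [ "$enclave" -eq 1 ] && [ "$provision" -eq 1 ]; then
        echo "dcap-ready"; return 0
    fi

    # /dev/isgx is created by the legacy out-of-tree driver, which the
    # TSS Node does not support.
    if [ -e "$root/dev/isgx" ]; then
        echo "legacy-driver-only"; return 1
    fi

    # Without usable nodes, CPU flags help narrow down the cause. Kernels with
    # in-kernel SGX support list "sgx" and, when Flexible Launch Control (FLC)
    # is usable, "sgx_lc" in /proc/cpuinfo.
    if has_cpu_flag "$root/proc/cpuinfo" sgx &&
       ! has_cpu_flag "$root/proc/cpuinfo" sgx_lc; then
        echo "flc-disabled"; return 1
    fi

    echo "no-sgx-device"; return 1
}
```

Source the file and call `sgx_driver_state` with no argument to check the live host. Older kernels running only the out-of-tree driver do not expose the `sgx` flags, which is why the device nodes are checked first.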
You can follow the steps below to manually install the Ubuntu 20.04 DCAP 1.41 driver. For other versions, please refer to the guide above.
Update the package resource list for APT:
Install dependencies:
Download the Intel SGX DCAP driver:
Modify the permissions of the Intel SGX DCAP driver installation package:
Install the Intel SGX DCAP driver:
Check whether the installation is successful:
Docker Engine Installation
Docker Engine is required for running the TSS Node. After TSS node initialization, you'll be prompted to approve the auto installation of Docker Engine.
We recommend manually installing and configuring Docker Engine if your organization has related best practices in place.
For more information on how to manually install the Docker Engine on Ubuntu, please click here.