Managing Intel SGX on an Infrastructure server
Find out how to enable SGX on your dedicated server and install the Linux SGX software stack
Last updated 22nd September 2020
Enabling Intel Software Guard Extensions (SGX) on your server allows you to run SGX-ready applications. Intel SGX provides hardware-based security and memory encryption features that isolate the parts of code and data that are specific to each application.
This guide explains how to enable the SGX feature in the OVHcloud Control Panel or via the OVHcloud API.
Log in to the OVHcloud Control Panel, go to the Bare Metal Cloud section and then select the server on which you wish to enable SGX from Dedicated Servers in the left-hand sidebar.
Scroll down to the "Advanced features" box and click on ... next to "Security - Intel SGX (Software Guard Extensions)". Select Enable SGX from the drop-down menu.
On the following screen, click the Enable button.
You can either choose to enable SGX with a specific amount of reserved memory or enable it by allowing your software to automatically reserve the memory it needs. Once you have made your choice, click Confirm.
Scroll down to the "Advanced features" box and click on ... next to "Security - Intel SGX (Software Guard Extensions)". Select Modify SGX from the drop-down menu. Choose the Disable option and then click Confirm.
This will cause your server to reboot. Confirm in the popup window and allow a few minutes before accessing your server again.
Continue with Step 4 of the instructions below.
On the OVHcloud API page, click on Login in the top-right corner. On the following page, enter the credentials of your OVHcloud account.
Retrieve the name of your server from the list returned from this call:
Verify that your service has the SGX option, by calling:
Enable SGX using the server name:
Check the progress of the configuration task by calling this endpoint with the taskId returned by the previous call:
You can verify that the status is set to enabled:
The server needs to reboot before continuing.
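After the reboot, the firmware setting can be confirmed from the operating system itself, before any SGX software is installed. The following is an added example (not part of the original guide or of Intel's SDK) that reads the CPUID leaves describing SGX and sums the Enclave Page Cache (EPC) sections, which reflect the reserved memory chosen above. It assumes GCC or Clang on an x86 host; the function names are illustrative.

```c
/* Added example: report SGX state and EPC size from CPUID (x86, GCC/Clang). */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=07H,ECX=0):EBX bit 2 -> the processor implements SGX. */
int sgx_cpu_supported(uint32_t leaf7_ebx) { return (leaf7_ebx >> 2) & 1; }

/* CPUID.(EAX=12H,ECX=0):EAX bit 0 -> SGX1 leaf functions are available,
 * which is only the case once the firmware has opted in to SGX. */
int sgx1_enabled(uint32_t leaf12_eax) { return leaf12_eax & 1; }

/* CPUID.(EAX=12H,ECX>=2): EAX[3:0]==1 marks a valid EPC section; its size is
 * ECX[31:12] (bits 31:12) plus EDX[19:0] (bits 51:32). Returns 0 if invalid. */
uint64_t epc_section_bytes(uint32_t eax, uint32_t ecx, uint32_t edx) {
    if ((eax & 0xF) != 1) return 0;
    return ((uint64_t)(edx & 0xFFFFF) << 32) | (ecx & 0xFFFFF000u);
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !sgx_cpu_supported(b)) {
        puts("CPU does not report SGX support");
        return 1;
    }
    if (!__get_cpuid_count(0x12, 0, &a, &b, &c, &d) || !sgx1_enabled(a)) {
        puts("SGX is supported by the CPU but not enabled in firmware");
        return 2;
    }
    uint64_t total = 0;
    for (unsigned sub = 2; sub < 10; sub++) {  /* bound of 10 is arbitrary */
        if (!__get_cpuid_count(0x12, sub, &a, &b, &c, &d)) break;
        uint64_t sz = epc_section_bytes(a, c, d);
        if (sz == 0) break;                    /* first invalid section ends the list */
        total += sz;
    }
    printf("SGX enabled, EPC total: %llu MiB\n",
           (unsigned long long)(total >> 20));
    return total ? 0 : 3;
#else
    puts("not an x86 build");
    return 1;
#endif
}
```

Exit status 0 means SGX is enabled and at least one EPC section is present. The reported EPC total is normally somewhat smaller than the reserved amount, because part of the reserved region holds metadata.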
Use the following commands to install Intel's driver and SDK to be able to develop and run SGX applications.
First, install some dependencies:
sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake git
Then, download, build and install the SGX software stack:
BASE_DIR=/opt/intel
[[ -d $BASE_DIR ]] || sudo mkdir -p $BASE_DIR && sudo chown `whoami` $BASE_DIR
cd $BASE_DIR
git clone https://github.com/intel/linux-sgx.git
cd linux-sgx
git checkout sgx_2.6
./download_prebuilt.sh
make -j 6
make sdk_install_pkg -j 6
make deb_pkg -j 6
$BASE_DIR/linux-sgx/linux/installer/bin/sgx_linux_x64_sdk_2.6.100.51363.bin --prefix=$BASE_DIR/
sudo dpkg -i $BASE_DIR/linux-sgx/linux/installer/deb/libsgx-urts_2.6.100.51363-bionic1_amd64.deb $BASE_DIR/linux-sgx/linux/installer/deb/libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
Download and install the driver:
wget https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server/sgx_linux_x64_driver_2.5.0_2605efa.bin
chmod +x sgx_linux_x64_driver_2.5.0_2605efa.bin
sudo ./sgx_linux_x64_driver_2.5.0_2605efa.bin
The server needs to reboot before continuing.
You can use a sample application to validate the installation. Build one of the sample apps provided:
BASE_DIR=/opt/intel
cd $BASE_DIR/sgxsdk/SampleCode/LocalAttestation/
source $BASE_DIR/sgxsdk/environment
make SGX_DEBUG=0 SGX_MODE=HW SGX_PRERELEASE=1
Run the app:
ovh@nsXXXX:/opt/intel/sgxsdk/SampleCode/LocalAttestation$ ./app
Available Enclaves
Enclave1 - EnclaveID 2
Enclave2 - EnclaveID 3
Enclave3 - EnclaveID 4
Secure Channel Establishment between Source (E1) and Destination (E2) Enclaves successful !!!
Enclave to Enclave Call between Source (E1) and Destination (E2) Enclaves successful !!!
Message Exchange between Source (E1) and Destination (E2) Enclaves successful !!!
Secure Channel Establishment between Source (E1) and Destination (E3) Enclaves successful !!!
Enclave to Enclave Call between Source (E1) and Destination (E3) Enclaves successful !!!
Message Exchange between Source (E1) and Destination (E3) Enclaves successful !!!
Secure Channel Establishment between Source (E2) and Destination (E3) Enclaves successful !!!
Enclave to Enclave Call between Source (E2) and Destination (E3) Enclaves successful !!!
Message Exchange between Source (E2) and Destination (E3) Enclaves successful !!!
Secure Channel Establishment between Source (E3) and Destination (E1) Enclaves successful !!!
Enclave to Enclave Call between Source (E3) and Destination (E1) Enclaves successful !!!
Message Exchange between Source (E3) and Destination (E1) Enclaves successful !!!
Close Session between Source (E1) and Destination (E2) Enclaves successful !!!
Close Session between Source (E1) and Destination (E3) Enclaves successful !!!
Close Session between Source (E2) and Destination (E3) Enclaves successful !!!
Close Session between Source (E3) and Destination (E1) Enclaves successful !!!
Hit a key....
To go further (develop your own application, register for remote attestation, etc.), here are some useful resources:
Join our community of users on https://community.ovh.com/en/.