Managing Intel SGX on an Infrastructure server

Last updated 22nd September 2020

Objective

Enabling Intel Software Guard Extensions (SGX) on your server allows you to run SGX-ready applications. Intel SGX delivers advanced hardware and RAM security encryption features, in order to isolate parts of code and data that are specific to each application.

This guide explains how to enable the SGX feature, in the OVHcloud Control Panel or via the OVHcloud API.

Requirements

• a dedicated server in the Infrastructure range with the SGX option in your OVHcloud account
• access to the OVHcloud Control Panel / to the OVHcloud API
• root access via SSH on your server

Instructions

From the OVHcloud Control Panel

Log in to the OVHcloud Control Panel, go to the Bare Metal Cloud section and then select the server on which you wish to enable SGX from Dedicated Servers in the left-hand sidebar.

Enabling the option

Scroll down to the "Advanced features" box and click on ... next to "Security - Intel SGX (Software Guard Extensions)". Select Enable SGX from the drop-down menu.

On the following screen, click the Enable button.

You can either choose to enable SGX with a specific amount of reserved memory or enable it by allowing your software to automatically reserve the memory it needs. Once you have made your choice, click Confirm.

Disabling the option

Scroll down to the "Advanced features" box and click on ... next to "Security - Intel SGX (Software Guard Extensions)". Select Modify SGX from the drop-down menu. Choose the Disable option and then click Confirm.

This will cause your server to reboot. Confirm in the popup window and allow a few minutes before accessing your server again.

Continue with Step 4 of the instructions below.

Using the OVHcloud API

Step 1: Logging in to the API console

On the OVHcloud API page click on Login in the top-right corner. On the following page, enter the credentials of your OVHcloud account.

Step 2: Enabling SGX

Retrieve the name of your server from the list returned from this call:

Verify that your service has the SGX option, by calling:

Enable SGX using the server name:

Check the progress of the configuration task by calling this endpoint with the taskId returned by the previous call:

You can verify that the status is set to enabled:

Step 3: Rebooting to apply the new BIOS settings

The server needs to reboot before continuing.

Step 4: Installing the SGX software stack

Use the following commands to install Intel's driver and SDK to be able to develop and run SGX applications.

First, install some dependencies:

sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake git

Then, download, build and install the SGX software stack:

BASE_DIR=/opt/intel
[[ -d $BASE_DIR ]] || sudo mkdir -p $BASE_DIR && sudo chown `whoami` $BASE_DIR
cd $BASE_DIR

git clone https://github.com/intel/linux-sgx.git

cd linux-sgx
git checkout sgx_2.6
./download_prebuilt.sh
make -j 6
make sdk_install_pkg -j 6
make deb_pkg -j 6
$BASE_DIR/linux-sgx/linux/installer/bin/sgx_linux_x64_sdk_2.6.100.51363.bin --prefix=$BASE_DIR/

sudo dpkg -i $BASE_DIR/linux-sgx/linux/installer/deb/libsgx-urts_2.6.100.51363-bionic1_amd64.deb $BASE_DIR/linux-sgx/linux/installer/deb/libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb

Download and install the driver:

wget https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server/sgx_linux_x64_driver_2.5.0_2605efa.bin
chmod +x sgx_linux_x64_driver_2.5.0_2605efa.bin
sudo ./sgx_linux_x64_driver_2.5.0_2605efa.bin

Step 5: Rebooting to finish the installation

The server needs to reboot before continuing.

Step 6: Validating the installation (optional)

You can use a sample application to validate the installation. Build one of the sample apps provided:

BASE_DIR=/opt/intel
cd $BASE_DIR/sgxsdk/SampleCode/LocalAttestation/
source $BASE_DIR/sgxsdk/environment
make SGX_DEBUG=0 SGX_MODE=HW SGX_PRERELEASE=1

Run the app:

ovh@nsXXXX:/opt/intel/sgxsdk/SampleCode/LocalAttestation$ ./app 

Available Enclaves
Enclave1 - EnclaveID 2
Enclave2 - EnclaveID 3
Enclave3 - EnclaveID 4

Secure Channel Establishment between Source (E1) and Destination (E2) Enclaves successful !!!

Enclave to Enclave Call between Source (E1) and Destination (E2) Enclaves successful !!!

Message Exchange between Source (E1) and Destination (E2) Enclaves successful !!!

Secure Channel Establishment between Source (E1) and Destination (E3) Enclaves successful !!!

Enclave to Enclave Call between Source (E1) and Destination (E3) Enclaves successful !!!

Message Exchange between Source (E1) and Destination (E3) Enclaves successful !!!

Secure Channel Establishment between Source (E2) and Destination (E3) Enclaves successful !!!

Enclave to Enclave Call between Source (E2) and Destination (E3) Enclaves successful !!!

Message Exchange between Source (E2) and Destination (E3) Enclaves successful !!!

Secure Channel Establishment between Source (E3) and Destination (E1) Enclaves successful !!!

Enclave to Enclave Call between Source (E3) and Destination (E1) Enclaves successful !!!

Message Exchange between Source (E3) and Destination (E1) Enclaves successful !!!

Close Session between Source (E1) and Destination (E2) Enclaves successful !!!

Close Session between Source (E1) and Destination (E3) Enclaves successful !!!

Close Session between Source (E2) and Destination (E3) Enclaves successful !!!

Close Session between Source (E3) and Destination (E1) Enclaves successful !!!

Hit a key....

Go further

To go further (develop your own application, register for remote attestation, etc.), here are some useful resources:

• Intel SGX
• Intel SGX Attestation services
• Intel SGX linux-2.6 documentation
• github.com/intel/linux-sgx
• github.com/intel/linux-sgx-driver
• github.com/intel/sgx-ra-sample

Join our community of users on https://community.ovh.com/en/.

These guides might also interest you...