Cloud deployment

This guide walks you through setting up MarbleRun on different CSP offerings individually.

Azure confidential computing VMs

Azure confidential computing services provide access to VMs with Intel SGX enabled in DCsv2 VM instances. The description below uses a VM running Ubuntu 18.04.

Prerequisites

• Update and install EGo
• Update and install the Azure DCAP client

Deploy MarbleRun

You can run MarbleRun standalone on your Azure DCsv2 VM, see our standalone guide. Alternatively, you can install a Kubernetes cluster, probably the simplest option would be minikube, see our Kubernetes guide on how to install MarbleRun in minikube.

Alibaba Cloud Elastic Compute Service

With 7th generation security-enhanced ECS instances users can try out and use Intel SGX on Alibaba Cloud. Currently, security-enhanced instances are only available as part of an invitational preview.

The description below uses a VM running Ubuntu 18.04.

Prerequisites

1. Install Intel DCAP Quote Provider Library

   Add the Intel SGX APT repository:

   wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
   echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

   Download and install the QPL:

   sudo apt update
   sudo apt install libsgx-dcap-default-qpl

2. Set configuration for Alibaba Cloud SGX remote attestation service

   Alibaba Cloud provides a PCCS for remote attestation, deployed on a per-region basis. For optimal stability it's recommended to access the service in your instance's region. The configuration is set in /etc/sgx_default_qcnl.conf.

   • If your instance is assigned a public IP address, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

     PCCS_URL=https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v3/
     USE_SECURE_CERT=TRUE

   • If your instance is in a virtual private cloud and has only internal IP addresses, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

     PCCS_URL=https://sgx-dcap-server-vpc.[Region-ID].aliyuncs.com/sgx/certification/v3/
     USE_SECURE_CERT=TRUE
   note

   Currently, the Alibaba Cloud SGX remote attestation service is only supported within mainland China regions

3. Update and install EGo

Deploy MarbleRun

You can run MarbleRun standalone on your Alibaba Cloud ECS VM, see our standalone guide. Alternatively, you can install a Kubernetes cluster, probably the simplest option would be minikube, see our Kubernetes guide on how to install MarbleRun in minikube.

Azure Kubernetes Services (AKS)

Azure Kubernetes Service (AKS) offers a popular deployment technique relying on Azure's cloud resources. AKS hosts Kubernetes pods in Azure confidential compute VMs and exposes the underlying confidential compute hardware.

Prerequisites

Follow the instructions on the AKS Confidential Computing Quick Start guide to provision an AKS cluster with Intel SGX enabled worker nodes.

Deploy MarbleRun

See our Kubernetes guide on how to install MarbleRun in your AKS cluster.