Cloud deployment
This guide walks you through setting up MarbleRun on different CSP offerings individually.
Azure confidential computing VMs
Azure confidential computing services provide access to VMs with Intel SGX enabled in DCsv2 VM instances. The description below uses a VM running Ubuntu 18.04.
Prerequisites
Deploy MarbleRun
You can run MarbleRun standalone on your Azure DCsv2 VM; see our standalone guide. Alternatively, you can install a Kubernetes cluster. The simplest option is probably minikube; see our Kubernetes guide on how to install MarbleRun in minikube.
Alibaba Cloud Elastic Compute Service
With 7th generation security-enhanced ECS instances, users can try out and use Intel SGX on Alibaba Cloud. Currently, security-enhanced instances are only available as part of an invitational preview.
The description below uses a VM running Ubuntu 18.04.
Prerequisites
- Install Intel DCAP Quote Provider Library

  Add the Intel SGX APT repository:

      wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
      echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

  Download and install the QPL:

      sudo apt update
      sudo apt install libsgx-dcap-default-qpl

- Set configuration for Alibaba Cloud SGX remote attestation service

  Alibaba Cloud provides a PCCS for remote attestation, deployed on a per-region basis. For optimal stability it's recommended to access the service in your instance's region. The configuration is set in /etc/sgx_default_qcnl.conf.

  - If your instance is assigned a public IP address, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

        PCCS_URL=https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v3/
        USE_SECURE_CERT=TRUE

  - If your instance is in a virtual private cloud and has only internal IP addresses, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

        PCCS_URL=https://sgx-dcap-server-vpc.[Region-ID].aliyuncs.com/sgx/certification/v3/
        USE_SECURE_CERT=TRUE

  Note: Currently, the Alibaba Cloud SGX remote attestation service is only supported within mainland China regions.
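The two configuration variants above can be written and audited with a small script. This is an added example, not part of the MarbleRun documentation; the function names `pccs_url`, `set_pccs` and `check_pccs` and the `CONF` override variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not MarbleRun code): function names and the CONF override
# variable are assumptions. Writing the real file requires root.
CONF="${CONF:-/etc/sgx_default_qcnl.conf}"

# pccs_url REGION_ID NETWORK   (NETWORK: "public" or "vpc")
pccs_url() {
    # Accept only a plain region token so nothing else reaches the URL.
    case "$1" in
        ''|*[!a-z0-9-]*) echo "invalid region ID: $1" >&2; return 1 ;;
    esac
    case "$2" in
        public) host="sgx-dcap-server.$1.aliyuncs.com" ;;
        vpc)    host="sgx-dcap-server-vpc.$1.aliyuncs.com" ;;
        *) echo "network must be public or vpc" >&2; return 1 ;;
    esac
    echo "https://$host/sgx/certification/v3/"
}

# set_pccs REGION_ID NETWORK: rewrite both keys, keep every other line.
set_pccs() {
    url=$(pccs_url "$1" "$2") || return 1
    tmp=$(mktemp) || return 1
    if [ -f "$CONF" ]; then
        grep -Ev '^[[:space:]]*(PCCS_URL|USE_SECURE_CERT)[[:space:]]*=' \
            "$CONF" > "$tmp" || true   # grep exits 1 when nothing is left
    fi
    printf 'PCCS_URL=%s\nUSE_SECURE_CERT=TRUE\n' "$url" >> "$tmp"
    cat "$tmp" > "$CONF" && rm -f "$tmp"
}

# check_pccs: succeed only if the file points at a regional Alibaba Cloud
# PCCS over HTTPS and keeps certificate verification switched on.
check_pccs() {
    url=$(sed -n 's/^[[:space:]]*PCCS_URL[[:space:]]*=[[:space:]]*//p' "$CONF" | tail -n 1)
    cert=$(sed -n 's/^[[:space:]]*USE_SECURE_CERT[[:space:]]*=[[:space:]]*//p' "$CONF" | tail -n 1)
    printf '%s\n' "$url" | grep -Eq \
        '^https://sgx-dcap-server(-vpc)?\.[a-z0-9-]+\.aliyuncs\.com/sgx/certification/v3/$' \
        || return 1
    [ "$cert" = "TRUE" ]
}

# Usage (cn-beijing is a sample region ID): set_pccs cn-beijing vpc && check_pccs
```

`check_pccs` is also useful on its own as a deployment check: it fails if the file still points at another PCCS or if `USE_SECURE_CERT` has been changed from `TRUE`.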
Deploy MarbleRun
You can run MarbleRun standalone on your Alibaba Cloud ECS VM; see our standalone guide. Alternatively, you can install a Kubernetes cluster. The simplest option is probably minikube; see our Kubernetes guide on how to install MarbleRun in minikube.
Azure Kubernetes Services (AKS)
Azure Kubernetes Service (AKS) offers a popular deployment technique relying on Azure's cloud resources. AKS hosts Kubernetes pods in Azure confidential compute VMs and exposes the underlying confidential compute hardware.
Prerequisites
Follow the instructions on the AKS Confidential Computing Quick Start guide to provision an AKS cluster with Intel SGX enabled worker nodes.
Deploy MarbleRun
See our Kubernetes guide on how to install MarbleRun in your AKS cluster.