Version: 1.1

Cloud deployment

This guide walks you through setting up MarbleRun on individual cloud service provider (CSP) offerings.

Azure confidential computing VMs

Azure confidential computing services provide access to VMs with Intel SGX enabled in DCsv2 VM instances. The description below uses a VM running Ubuntu 18.04.

Prerequisites

Deploy MarbleRun

You can run MarbleRun standalone on your Azure DCsv2 VM; see our standalone guide. Alternatively, you can install a Kubernetes cluster. The simplest option is probably minikube; see our Kubernetes guide on how to install MarbleRun in minikube.

Alibaba Cloud Elastic Compute Service

With 7th generation security-enhanced ECS instances, users can try out and use Intel SGX on Alibaba Cloud. Currently, security-enhanced instances are only available as part of an invitational preview.

The description below uses a VM running Ubuntu 18.04.

Prerequisites

  1. Install Intel DCAP Quote Provider Library

    Add the Intel SGX APT repository:

    wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

    Download and install the QPL:

    sudo apt update
    sudo apt install libsgx-dcap-default-qpl
  2. Set configuration for Alibaba Cloud SGX remote attestation service

    Alibaba Cloud provides a PCCS for remote attestation, deployed on a per-region basis. For optimal stability it's recommended to access the service in your instance's region. The configuration is set in /etc/sgx_default_qcnl.conf.

    • If your instance is assigned a public IP address, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

      PCCS_URL=https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v3/
      USE_SECURE_CERT=TRUE
    • If your instance is in a virtual private cloud and has only internal IP addresses, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

      PCCS_URL=https://sgx-dcap-server-vpc.[Region-ID].aliyuncs.com/sgx/certification/v3/
      USE_SECURE_CERT=TRUE
    Note: Currently, the Alibaba Cloud SGX remote attestation service is only supported within mainland China regions.

  3. Update and install EGo
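
The following added example is not part of the MarbleRun documentation. It renders the step 2 settings for a region and audits a config file against them, so that a PCCS_URL pointing at a different host or USE_SECURE_CERT=FALSE (which in Intel's QCNL accepts an unverified HTTPS certificate) is caught before attestation depends on it. The function names, the region-ID character check and the sample region cn-hangzhou are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the MarbleRun docs): render and audit the two QCNL
# settings from step 2. Function names and the region-ID pattern are assumptions.

# Print the expected settings. $1 = region ID, $2 = "public" or "vpc".
qcnl_render() {
    case $1 in
        ''|*[!a-z0-9-]*) echo "invalid region ID: '$1'" >&2; return 2 ;;
    esac
    case $2 in
        public) host="sgx-dcap-server.$1.aliyuncs.com" ;;
        vpc)    host="sgx-dcap-server-vpc.$1.aliyuncs.com" ;;
        *) echo "network must be 'public' or 'vpc'" >&2; return 2 ;;
    esac
    printf 'PCCS_URL=https://%s/sgx/certification/v3/\n' "$host"
    printf 'USE_SECURE_CERT=TRUE\n'
}

# Return 0 only if file $1 holds exactly the settings for region $2, network $3.
# Duplicated keys, a plain-HTTP or foreign PCCS_URL, and USE_SECURE_CERT=FALSE
# all count as a mismatch.
qcnl_audit() {
    want=$(qcnl_render "$2" "$3") || return 2
    # Active settings only: drop comments, trim line ends, keep the two keys.
    have=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
           grep -E '^(PCCS_URL|USE_SECURE_CERT)=' | sort)
    [ "$have" = "$(printf '%s\n' "$want" | sort)" ] && return 0
    echo "unexpected QCNL settings in $1:" >&2
    printf '%s\n' "${have:-<none>}" >&2
    return 1
}

# Demo on a constructed file; cn-hangzhou is a sample region ID.
demo=$(mktemp)
{ echo '# constructed sample'; qcnl_render cn-hangzhou vpc; } > "$demo"
qcnl_audit "$demo" cn-hangzhou vpc && echo "ok: VPC endpoint, certificate check on"
sed 's/=TRUE/=FALSE/' "$demo" > "$demo.bad"
qcnl_audit "$demo.bad" cn-hangzhou vpc 2>/dev/null || echo "flagged: USE_SECURE_CERT=FALSE"
rm -f "$demo" "$demo.bad"
```

On a real instance, run `qcnl_audit /etc/sgx_default_qcnl.conf <your-region-id> vpc` (or `public`) after editing the file.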

Deploy MarbleRun

You can run MarbleRun standalone on your Alibaba Cloud ECS VM; see our standalone guide. Alternatively, you can install a Kubernetes cluster. The simplest option is probably minikube; see our Kubernetes guide on how to install MarbleRun in minikube.

Azure Kubernetes Services (AKS)

Azure Kubernetes Service (AKS) offers a popular deployment technique relying on Azure's cloud resources. AKS hosts Kubernetes pods in Azure confidential compute VMs and exposes the underlying confidential compute hardware.

Prerequisites

Follow the instructions in the AKS Confidential Computing Quick Start guide to provision an AKS cluster with Intel SGX-enabled worker nodes.

Deploy MarbleRun

See our Kubernetes guide on how to install MarbleRun in your AKS cluster.