Skip to main content
Version: 1.4

Alibaba Cloud MarbleRun deployment

Alibaba Cloud Container Service for Kubernetes (ACK)

Alibaba Cloud Container Service for Kubernetes (ACK) offers a popular deployment technique relying on Alibaba's cloud resources. ACK hosts Kubernetes pods in SGX-capable Alibaba VMs and exposes the underlying SGX hardware.

Prerequisites

Deploy MarbleRun

See the Kubernetes guide on installing MarbleRun in your ACK cluster.

Alibaba Cloud Elastic Compute Service

With 7th-generation security-enhanced ECS instances, users can use Intel SGX on Alibaba Cloud. You can follow the guide for creating a g7t, c7t, or r7t instance.

The description below uses a VM running Ubuntu 18.04.

Prerequisites

  1. Install Intel DCAP Quote Provider Library

    Add the Intel SGX APT repository:

    wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

    Download and install the QPL:

    sudo apt update
    sudo apt install libsgx-dcap-default-qpl

  2. Set configuration for Alibaba Cloud SGX remote attestation service

    Alibaba Cloud provides a PCCS for remote attestation deployed per region. For optimal stability, accessing the service in your instance's region is recommended. The configuration is set in /etc/sgx_default_qcnl.conf.

    • If your instance is assigned a public IP address, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

      PCCS_URL=https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v3/
      USE_SECURE_CERT=TRUE

    • If your instance is in a virtual private cloud and has only internal IP addresses, change the configuration to the following, where [Region-ID] is the ID of your instance's region:

      PCCS_URL=https://sgx-dcap-server-vpc.[Region-ID].aliyuncs.com/sgx/certification/v3/
      USE_SECURE_CERT=TRUE
    note

    Currently, the Alibaba Cloud SGX remote attestation service is only supported within mainland China regions, Singapore, and Indonesia

  3. Update and install EGo

Deploy MarbleRun

You can run MarbleRun standalone on your Alibaba Cloud ECS VM. See the standalone guide. Alternatively, you can install a Kubernetes cluster. Probably the simplest option would be minikube. See the Kubernetes guide on how to install MarbleRun in minikube.