Alibaba Cloud MarbleRun deployment
Alibaba Cloud Container Service for Kubernetes (ACK)
Alibaba Cloud Container Service for Kubernetes (ACK) is a widely used managed Kubernetes offering built on Alibaba Cloud resources. ACK hosts Kubernetes pods on SGX-capable Alibaba Cloud VMs and exposes the underlying SGX hardware to them.
Prerequisites
- Follow the instructions on the ACK Confidential Computing Quick Start guide to provision an ACK cluster with Intel SGX-enabled worker nodes.
Deploy MarbleRun
See the Kubernetes guide on installing MarbleRun in your ACK cluster.
Alibaba Cloud Elastic Compute Service
Alibaba Cloud offers Intel SGX on its 7th-generation security-enhanced ECS instances. Follow the Alibaba Cloud guide for creating a g7t, c7t, or r7t instance.
The description below uses a VM running Ubuntu 18.04.
Prerequisites
- Install the Intel DCAP Quote Provider Library

  Add the Intel SGX APT repository:

  ```bash
  wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
  echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
  ```

  Download and install the QPL:

  ```bash
  sudo apt update
  sudo apt install libsgx-dcap-default-qpl
  ```

- Set the configuration for the Alibaba Cloud SGX remote attestation service

  Alibaba Cloud provides a PCCS for remote attestation deployed per region. For optimal stability, accessing the service in your instance's region is recommended. The configuration is set in `/etc/sgx_default_qcnl.conf`.

  - If your instance is assigned a public IP address, change the configuration to the following, where `[Region-ID]` is the ID of your instance's region:

    ```
    PCCS_URL=https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v3/
    USE_SECURE_CERT=TRUE
    ```

  - If your instance is in a virtual private cloud and has only internal IP addresses, change the configuration to the following, where `[Region-ID]` is the ID of your instance's region:

    ```
    PCCS_URL=https://sgx-dcap-server-vpc.[Region-ID].aliyuncs.com/sgx/certification/v3/
    USE_SECURE_CERT=TRUE
    ```

  Note: Currently, the Alibaba Cloud SGX remote attestation service is only supported within mainland China regions, Singapore, and Indonesia.
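As an added example (not part of the MarbleRun docs), the following shell functions render the two configurations described above for a given region ID and check an existing `/etc/sgx_default_qcnl.conf`: the `PCCS_URL` must name the Alibaba Cloud PCCS for the expected region, and `USE_SECURE_CERT` must stay `TRUE`, since `FALSE` makes the QPL accept an unverified PCCS TLS certificate. The region ID format check and the function names are assumptions.

```shell
#!/bin/sh
# Added example: render and check the QCNL configuration for the Alibaba
# Cloud PCCS. Inputs are a region ID and an access mode; nothing here
# contacts Alibaba Cloud.
set -eu

# Print the PCCS URL for a region. Mode is "public" or "vpc".
pccs_url() {
  region="$1"; mode="$2"
  # Assumed region ID shape: two letters, a dash, then a name (cn-hangzhou,
  # ap-southeast-1). Rejecting anything else avoids writing junk into the URL.
  case "$region" in
    [a-z][a-z]-[a-z]*) ;;
    *) echo "invalid region id: $region" >&2; return 1 ;;
  esac
  case "$mode" in
    public) host="sgx-dcap-server.${region}.aliyuncs.com" ;;
    vpc)    host="sgx-dcap-server-vpc.${region}.aliyuncs.com" ;;
    *) echo "mode must be public or vpc" >&2; return 1 ;;
  esac
  printf 'https://%s/sgx/certification/v3/\n' "$host"
}

# Print the complete contents of /etc/sgx_default_qcnl.conf.
render_qcnl_conf() {
  url=$(pccs_url "$1" "$2") || return 1
  printf 'PCCS_URL=%s\nUSE_SECURE_CERT=TRUE\n' "$url"
}

# Check an existing config file: the PCCS_URL must be the public or VPC
# endpoint of the expected region, and TLS verification must be enabled.
check_qcnl_conf() {
  file="$1"; region="$2"
  url=$(sed -n 's/^PCCS_URL=//p' "$file")
  pub="https://sgx-dcap-server.${region}.aliyuncs.com/sgx/certification/v3/"
  vpc="https://sgx-dcap-server-vpc.${region}.aliyuncs.com/sgx/certification/v3/"
  case "$url" in
    "$pub"|"$vpc") ;;
    *) echo "PCCS_URL does not match region $region: $url" >&2; return 1 ;;
  esac
  if ! grep -qx 'USE_SECURE_CERT=TRUE' "$file"; then
    echo "USE_SECURE_CERT must be TRUE: FALSE disables PCCS certificate checks" >&2
    return 1
  fi
}
```

Run `render_qcnl_conf cn-hangzhou vpc | sudo tee /etc/sgx_default_qcnl.conf` to write the file, then `check_qcnl_conf /etc/sgx_default_qcnl.conf cn-hangzhou` to verify it.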
Deploy MarbleRun
You can run MarbleRun standalone on your Alibaba Cloud ECS VM; see the standalone guide. Alternatively, you can install a Kubernetes cluster on the VM. The simplest option is probably minikube; see the Kubernetes guide on how to install MarbleRun in minikube.