Installation
To build an SGX application for our minimal KMS, we will be using OpenEnclave SDK, which builds enclave applications using C and C++.
We will walk you through how to set up everything you need to use it in both simulation mode and hardware mode.
- Simulation mode works on any machine but does not have all the key security features. For example, you won't be able to communicate remotely and secure the enclave. Simulation mode can be useful for running tests but is not intended for production.
- Hardware mode has all the Intel SGX security features but requires specific Intel processors. If you want to complete this tutorial in hardware mode, we recommend using a DCvs3 Azure VM.
Pre-requisites
- We highly recommend a Linux Ubuntu distribution 18.04 or 20.04 LTS.
For the simulation set-up mode, you can technically use any development environment, but we'll be using the Linux distribution in this course. If you use a different setup, the packages might not work and the installation could be different. It might also work less well with OpenEnclaveSDK.
⚠️ Warning
Keep in mind that key security features behind confidential computing are not available in simulation mode!
Simulation mode works the same way as hardware mode. The difference is that the Intel instructions are simulated in software rather than executed by the hardware. This is why many security features are not available: they are inseparable from the hardware.
When building our KMS project we will tell you at the beginning of each section if it is possible to follow along in simulation mode!
Set up your mode
Adding APT sources
To install the Open Enclave SDK packages and its dependencies, we'll first need to add the necessary repos to the package manager APT.
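Use the following commands to configure the Intel, LLVM and Microsoft Azure APT repositories for downloading and installing Intel SGX and Open Enclave. The repository lines below target Ubuntu 20.04 (focal). Note that a key added with apt-key add is trusted for every configured repository, not only the one it was fetched for: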
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
echo "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-11 main" | sudo tee /etc/apt/sources.list.d/llvm-toolchain-focal-11.list
wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
echo "deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main" | sudo tee /etc/apt/sources.list.d/msprod.list
wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt update
Intel & OpenEnclave packages
Then, we'll install all the packages needed to simulate a running enclave with OpenEnclave.
sudo apt -y install clang-11 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave
You should now see that OpenEnclave was installed in the folder /opt/openenclave/.
$ ls /opt/openenclave
bin include lib share
ℹ️ Want to know more?
To start exploring the OpenEnclaveSDK once you have it installed, you can go read this README!
To run OpenEnclave tools directly from our shell without path issues, we are going to run the following command:
source /opt/openenclave/share/openenclave/openenclaverc
Then we'll make our development journey easier by adding it directly to the .bashrc, which makes the change persistent in every new shell:
echo "source /opt/openenclave/share/openenclave/openenclaverc" >> ~/.bashrc
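To confirm the result of the steps above, here is an added example (not part of the original tutorial or the Open Enclave SDK) that checks the installed layout and reports whether the machine can run hardware mode or only simulation mode. The device node names, the sgx flag in /proc/cpuinfo and the optional root argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of the Open Enclave SDK or the original tutorial.
# $1 (root) is a hypothetical prefix so the checks can run against a
# constructed directory tree; leave it empty to inspect the real system.

# Verify the SDK layout the tutorial expects under /opt/openenclave.
check_oe_install() {
    local root base missing d
    root="${1:-}"; base="$root/opt/openenclave"; missing=""
    for d in bin include lib share; do
        [ -d "$base/$d" ] || missing="$missing $d"
    done
    [ -f "$base/share/openenclave/openenclaverc" ] || missing="$missing openenclaverc"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Report which mode this machine can run:
#   hardware   - an SGX driver node exists
#   no-driver  - CPU advertises SGX but no driver node is present
#   simulation - no SGX support visible
# Assumption: node names are those of the in-kernel, DCAP and legacy drivers.
detect_sgx_mode() {
    local root node
    root="${1:-}"
    for node in dev/sgx_enclave dev/sgx/enclave dev/isgx; do
        if [ -e "$root/$node" ]; then
            echo "hardware"
            return 0
        fi
    done
    if grep '^flags' "$root/proc/cpuinfo" 2>/dev/null | grep -qw sgx; then
        echo "no-driver"
    else
        echo "simulation"
    fi
}

# Run against the real system only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_oe_install || true
    detect_sgx_mode
fi
```

A result of no-driver usually means SGX is disabled in firmware or the kernel driver is not loaded, so only simulation mode will work until that is fixed.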