SPDX-License-Identifier: Apache-2.0
Copyright (c) 2021 Intel Corporation
Application Security using Intel SGX
Overview
SGX baseline supports following features
- Enabling SGX in BIOS and installation of SGX PSW(Platform software) to run applications in secure SGX enclaves.
- DCAP infrastructure to support Intel SGX attestation using DCAP PCCS service. PCCS should be running on AWS.
- K8s intel SGX plugin/operator support
- Automated installation of SGX components
- End to end example included to demonstrate the SGX based pod deployment and execution flows.
- Application should be based on Graphene/Gramine
- OpenVino based application to demonstrate SGX features
- SGX device plugin should be utilized to monitor EPC(Enclave Page Cache) usage to schedule pods.
How It Works
Workflow
- Customer enters the Secure and trusted environment and prepares for Smart Edge DEK provisioning. Customer downloads the DEK code from SE github repository
- Customer creates a provisionable ISO/Bootable USB
- Customer sets up the ESP server
- Start the DEK provision process
- ESP profile bootstrap process
- (This steps involves operations on the local edge cluster and cloud instance which contains the attestation control plane components)
- ESP and ESP profile pull the OS image, OS package to create the installable OS.
- Customer sets up the AWS Instance with K8s provisioned.
- Customer subscribes to PCS and gets API key
- Customer deploys controller component for SGX feature (PCCS service on this instance)
- End of ESP Phase 1 - enable Intel SGX on the node’s BIOS using Red Fish APIs. Reboot node
- ESP continues deploying the DEK components using the Ansible.
- SGX device is provisioned with PCCS using PCKIDRetrievalTool.
- DEK Cluster is up along with K8s Intel device plugin installed.
- Graphenized app is deployed on the kubenetes node using intel device plugin which exposes SGX memory to pods/jobs running on it.
Figure - ESP based SGX deployment flow
Architecture
Figure - SGX integration into DEK setup
Sequential deployment workflow showing flow of credentials/certificates
Figure - SGX provisioning sequence diagram
How To
Enable Intel SGX in BIOS
Step 1:
Verify memory settings in System Setup of the BIOS. Keys to look out for –
Memory Operating Mode : Optimizer Mode
Node Interleaving : Disabled
Step 2:
Check if Memory Encryption is enabled/disabled in System Security. Save and Reboot after selection.
Keys-
Memory Encryption : Single Key
Note here that if you do not see the Disabled button selected when landing on this section, you first need to disable Memory Encryption and then save changes and reboot. Only then, go ahead and choose Single Key here.
Step 3:
Enable SGX and Factory reset together. On selection, Save and Reboot.
Keys-
Intel(R) SGX : On
SGX Factory Reset : On
Step 4:
Check SGX status on system boot. Use the command
cpuid | grep -i sgx | head
Install cpuid from apt if not available
sudo apt install cpuid
Keys-
SGX: Software Guard Extensions supported : true
SGX_LC: SGX launch config supported : true
SGX1 supported : true
SGX2 supported : true
Step 5:
Only if steps upto #4 are successful, either from iDRAC or BIOS, update PRMRR Size to maximum(64G) in SGX section.
How to subscribe to Intel PCS Service
To subscribe follow the steps below
1.) Visit the page - Intel SGX Software Services page
2.) Sign in or sign up if you are visiting this page for the fist time
3.) Once logged in , browse back to Intel SGX Software Services page.
4.) Under “Intel Provisioning Certification Service for ECDSA Attestation” , click on the link - “Intel® SGX provisioning certification service”
5.) Scroll down to the “Get PCK Certificate/s” section and hit the “Subscribe” button
6.) On being navigated away to the “Subscription summary” page, confirm by clicking on “Add Subscription”
7.) Now on the next page, scroll down to “Intel® Software Guard Extensions Provisioning Certification Service subscription” section and click on any of the “Show” links to reveal your corresponding API key
How to test SGX functionality
Test SGX functionality using gramine based sample OpenVino application